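EnCase is a very well-known software package in the digital forensics field, produced by Guidance Software. The company was founded in 1997, and most members of its development team have backgrounds as digital forensic examiners (experts). EnCase supports a wide range of operating systems and file systems and is a professional computer forensics tool widely adopted internationally.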
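- Forensics report (generate forensic reports)
- Image gallery (quick browsing of image files)
- View Registry (view registry files)
- CDFS support (supports the CDFS format)
- Password recovery (password cracking; optional PLSP module)
- Keyword search (keyword search)
- E-mail search (e-mail search)
- NTFS support (supports the NTFS format)
- FAT 16/32 support (supports the FAT16/32 formats)
- EXT2/3 support (supports the EXT2/3 formats)
- File Recovery (recover deleted files)
- Validate Image (image file verification)
- Duplicate (create digital evidence image files)
- Wipe Disk (wipe disk records)
- Web History/Cookie/Cache/URLtyped (view web browsing records)
- Text indexing (build file indexes)
- EnCase 64-bit support
- DBX/PST/EDB/NSF (e-mail viewing and search)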
EnCase Forensic 8.07: Beyond Performance
macOS APFS Support
EnCase Forensic now supports APFS, the file system used in the Apple High Sierra operating system.
The following APFS features are not yet supported in this release: snapshots, crash protection,
checkpoints, fast directory sizing, and encryption support.
Support for Symantec PGP Version 10.3
EnCase Forensic now supports Symantec PGP Version 10.3.
Support for Dell Data Protection 8.17
EnCase Forensic now supports Dell Data Protection Version 8.17.
Support for Microsoft BitLocker XTS-AES
EnCase Forensic now supports decryption of the Microsoft BitLocker XTS-AES encryption algorithm.
Auto Refresh Added to Enhanced Agent Monitor Tab
The Enhanced Agent Monitor tab in EnCase Forensic now has auto refresh functionality and will
refresh jobs every five minutes by default. You can manually refresh from the title bar using the
Refresh button, or you can change settings by clicking the Auto Refresh button in the Enhanced Agent
Monitor tab title bar and making changes in the dialog box that displays.
Add Word Delimiters to Search Index
You can now add word delimiters to your search index in addition to the default delimiters used with
each language analyzer. Word delimiters are used to identify breaks between words in indexed data.
Each language analyzer has one or more standard delimiters it uses by default. There is no need to
enter a delimiter if the language you are indexing uses that delimiter by default.
The indexing engine in EnCase Forensic uses the following delimiters for all analyzers by default. There
is no need to add a delimiter if it is in this list.
Acquire from Almost Anywhere
Forensically Sound Acquisition
Automated de-NISTing Capabilities
Multiple File Viewer Support
Customizable and Extensible with EnScript®
Integration to Passware Kit Forensic
Enhanced Windows Operating System Support
Version 7.06 supports Windows 8 and Server 2012 operating systems. This support allows you
to perform dead-box investigations and aids in the deployment of servlets to live-boxes. EnCase
Forensic also provides support for:
- Servlet for Windows 8 and Windows Server 2012
- Windows 8 artifact support:
  - System information parsing
- Windows 8 BitLocker
- Parsing Windows 7 Automatic Destinations (jump lists) and their link files
- Windows 7 thumbs.db parsing
Macintosh Operating System Enhancements
Version 7.06 includes support for the following Macintosh artifacts:
- Displays all HFS+ file system compressed files as uncompressed
- Supports Finder information and extended file attributes
- Displays security Access Control Lists (ACLs)
- Improved support for OS X Trash items
Macintosh OS X and Installer
EnCase Forensic now supports Mac OS X 10.8. This update includes an enhanced Mac installer
that supports “launchd”, a unified, open-source service management framework for starting,
stopping, and managing daemons, applications, processes, and scripts.
Macintosh Logical Volumes
EnCase Forensic now supports logical volumes for Macintosh systems. When connecting to
systems via servlets, the servlet interacts with the operating system to address the volume.
Macintosh logical volumes can include single disks, RAIDs, and encrypted volumes.
Enhanced Tablet Support
EnCase Forensic Version 7.06 adds support for the following tablets:
- Google Nexus 7
- Acer Iconia Tab A500
- Samsung Galaxy Tab 2
- Kindle Fire HD (support for Lightspeed browser artifacts and social media)
Android OS and Device Acquisition Support
EnCase Forensic supports logical and physical acquisition of devices, including phones and
tablets, running Android OS Version 4 (Ice Cream Sandwich) and Version 4.1-2 (Jelly Bean).
Artifact support has been expanded to include the ability to process Android physical evidence
files (E01) and produce logical evidence files (L01) containing common smartphone categories:
contacts, messages, call logs, and calendars. The result is a byte-for-byte copy of the device data
partition and a navigable file/folder hierarchy.
EnCase Basic (formerly EnCase Enterprise)
- Reduce costs and improve efficiencies with a centralized digital investigation capability
- Increase confidence in findings by using the #1 solution for remote investigations
- Achieve compliance with regulatory investigation requirements
- Uncover potential evidence faster than ever using advanced search capabilities
- Improve efficiency by automating common investigation tasks
- Preserve evidence integrity with the court-vetted EnCase® evidence file format
- Enable the foundation for digital investigation, incident response, and electronic data discovery
Investigators can be confident in their findings when using the proven, trusted, industry-leading forensic solution.
Uncover critical evidence using advanced search capabilities to identify data that would be irretrievable with other computer forensic applications.
Improve efficiency by automating investigative tasks with EnScript®, the scripting extension built into EnCase Enterprise.
EnCase Enterprise preserves data in an evidence file format (LEF or E01) with an unsurpassed record of court acceptance.
Version 5 is the latest release of EnCase® eDiscovery, the leading enterprise e-discovery solution that provides everything from legal-hold and collection to review and production, delivering potentially relevant electronically stored evidence (ESI) and results that are accurate, defensible, and repeatable. EnCase eDiscovery V5 includes several new features and enhancements to help you and your e-discovery team significantly lower costs, reduce risk, and swiftly gather more types of information in more languages and from more locations than before.
Key Features for Legal
|Key Feature||Function / Description||Advantages|
Legal Hold Module
|ENHANCED: Foreign Language Index Support||
Key Features for IT
|Key Feature||Function / Description||Benefits|
|ENHANCED: Centralized Examiner Management||
|ENHANCED: Foreign Language Index Support||Improved Unicode support enables the following for data in all known foreign languages:
|NEW: Additional Connectors||
|ENHANCED: Web API Methods||
|NEW: Support for MS-Office Metadata Field||
|NEW: Encrypted Evidence Formats||
|ENHANCED: Desktop Application Workflows||
EnCase Portable is a powerful solution, delivered on a USB device, that allows forensic professionals and non-experts to quickly and easily triage and collect vital data in a forensically sound and court-proven manner.
Increase Your Reach
Extend the reach of your investigation, e-discovery, incident response, or IT teams without sending experts into the field. Based on the situation, EnCase® Portable can be used in Easy Mode for non-experts, or Advanced Mode to create and edit configurations in the field.
Forensically Sound Triage and Collection
Triage and collect while preserving metadata and maintaining evidence integrity. Collected data is preserved in the court-vetted EnCase® evidence file format, the most trusted format in the forensic community.
Fast, Powerful Triage
Instantly and easily view images, documents, and other digital evidence found on a target computer.
Customizable Collection Configuration
Use keywords, metadata, hash values, and other criteria to perform targeted collection, as well as full-disk imaging and memory acquisition.
Dual Triage and Collection Modes
Live mode – collect memory from running computers
Boot mode – collect from computers that are turned off
EnCase® Risk Manager
EnCase® Endpoint Security
Earlier Detection, Faster Decisions and Unprecedented Threat Response.
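Forensic detection and response capabilities of OpenText™ EnCase™ Endpoint Security. This agentless, cloud-based technology enables enterprise-wide threat assessment through simplified deployment, with proven scalability and flexibility. Critical alerts are passed to Endpoint Security to provide best-in-class automated response capabilities.
With time-critical endpoint telemetry, you can validate or dismiss security events as they occur, eliminating the possibility of missing a critical alert and ensuring a continued return on your security investments.
A single, flexible platform that provides automated and on-demand response, streamlines workflows, and easily returns endpoints to a trusted state.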
EnCase® Endpoint Investigator
EnCase® Mobile Investigator
EnCase Mobile Investigator augments the mobile acquisition capabilities of EnCase Forensic with the ability to intuitively view, analyze, and report on critical mobile evidence that is relevant to their case. With mobile-first workflows, in-depth evidence analysis, and flexible report generation, investigators can feel confident in their results.
EnCase Cybersecurity is the endpoint incident response and data auditing software solution designed to reduce costs and complexities associated with the incident response process and reduce the risk of exposing sensitive data to loss or theft.
EnCase Cybersecurity helps prioritize analysis of potentially infected systems, determine source and scope of an incident, identify potential data loss scenarios and minimize time to remediation.
When integrated with the alerting or event management solution of your choice, the power of EnCase Cybersecurity shines — the moment an alert or event is generated, real-time response automatically captures critical endpoint information before it has a chance to decay or disappear altogether — giving you the information you need to quickly and accurately determine what actually happened.
The EnCase Cybersecurity Advantage:
- From the initial investigation through triage to remediation, EnCase Cybersecurity fully addresses endpoint incident response and is the preferred solution for government agencies and leading financial, retail and entertainment organizations
- Integrates with any security event management or alerting system to enable automated, real-time response, allowing you to capture critical endpoint data the moment an alert is generated, even if it happens at 2 a.m.
- Built upon gold-standard EnCase Forensic technology, EnCase Cybersecurity exposes unknown threats, artifacts related to an incident, and sensitive data residing on endpoints, no matter how well hidden
- Backed by our incident response expert services that provide industry best practices, integration services, training and the industry recognized EnCE® certification
|Vendor||Product||Supported Versions||64-bit Support|
|Check Point||Check Point Full Disk Encryption (formerly Pointsec PC)||6.3.1 up to 7.4||Yes|
|Credant||Mobile Guardian||5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8, 7.3|| |
|GuardianEdge||Encryption Plus/Anywhere||7 and 8||No|
|GuardianEdge||Hard Disk Encryption||9.1.5, 9.2.2, 9.3.0, 9.4.0,|| |
|McAfee||EndPoint Encryption (formerly SafeBoot)||4, 5, 6 (for Windows and Macintosh computers)||Yes (for Versions 4 and 5)|
|Microsoft||BitLocker and BitLocker To Go||Vista, 7, Server 2008||Yes|
|Sophos||SafeGuard Easy and Enterprise||4.5, 5.5, 5.6||Yes (only for SafeGuard Easy, not for Enterprise)|
|Symantec||PGP Whole Disk Encryption||9.8, 9.9, 10, 10.1, 10.2||Yes|
|Symantec||Endpoint Encryption||7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0, 8.2|| |
|WinMagic||SecureDoc Full Disk Encryption||4.5, 4.6||No|