Encase Forensic V7

Sometimes people ask me why I like EnCase Forensic, and I always answer: for me, EnCase Forensic is like the Answerer from Robert Sheckley’s “Ask a Foolish Question”. It is able to solve forensic problems we don’t even think about until we face them. This can easily be proven if we turn away from Windows. The best thing other tools can offer you is a hex viewer. But not EnCase Forensic.

It will help you. All you need is to ask the right question.

To save a forensic analyst from wasting time on routine tasks such as text indexing, keyword searches and parsing OS artifacts, EnCase Forensic offers the EnCase Processor.

All you need to do is configure the search tasks you need for the particular case, select processing options (for example, creating thumbnails for all image files) and start the Processor. After that you can go about your business while EnCase does the job. Because this process is resource-intensive, the EnCase Processor can be run on a stand-alone computer (server). To process data on a stand-alone computer (server), you’ll need an additional dongle, which you should request from Guidance Software. Unlike the main dongle, this one has a plastic casing.

Figure 1. EnCase Processor (left) and EnCase Forensic (right) dongles

In this article we’ll speak about using the EnCase Processor on a local computer.

After adding images or devices to the case, click Process (you can also start the EnCase Processor via EnScript: EnScript – EnCase Processor).

Figure 2. Process button

You’ll see the EnCase Processor Options dialog, where you should choose the options you need.

Figure 3. EnCase Processor Options dialog

Be very careful when choosing options. If you choose too many options, or very resource-intensive ones, processing could take too much time.

When you select an option, its description appears in the right pane:

Figure 4. System Info Parser module description

If you double-click a module’s name, you see additional options.

Figure 5. System Info Parser module additional options

Click OK and processing will start; its progress bar is located in the bottom right corner. You can also view processing details in the Processor Manager (View – Processor Manager).

Figure 6. Processor Manager tab

When the process is finished, you should run the Case Analyzer EnScript.


In the dialog box that opens, double-click Case; this starts adding processed data to the report.

Figure 7. Adding data to the report

In the next dialog, which opens after the task is finished, choose the data you need and click Save Report.

Figure 8. Case Analyzer tab

Now you can customize your report according to your needs by clicking Manage Saved Reports.

Figure 9. Manage Saved Reports window

If you click View Report, you can view its final version.

Figure 10. The report fragment

If you need to save the report to a file, right-click on the Analysis Report Preview window.

You can find more information about the EnCase Processor in the official EnCase Forensic User Guide.

About the authors:

Interests: Computer, Cell Phone & Chip-Off Forensics

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics.