More on EnCase Portable

At CEIC Guidance announced their two latest products, one of which was EnCase Portable.

Aside from a few vague details we were given very little information about this new product, but the Guidance website has now been updated to provide some additional information and a new YouTube video has also been posted.

Starting with the information from the Guidance website we can see that EnCase Portable kit includes:

  • 4GB USB drive with EnCase Portable preinstalled
  • 16GB drive for additional storage
  • 4 port USB hub
  • EnCase Portable security key
  • User guide
  • EnCase Portable installation CD
  • Carrying Case

Guidance also state key benefits and features on its website:

Key Benefits

  • Police, civilian investigators and parole officers can acquire data without requiring an onsite forensic expert
  • Military and other government personnel can quickly and accurately collect data during covert operations
  • Corporate IT or law firm personnel can acquire information at any location for eDiscovery or corporate investigations purposes

Key Features

  • Plug in and collect data immediately
  • Enable novice computer users to be data collectors in matter of minutes
  • Acquire data anywhere with EnCase Portable’s pocket-sized kit
  • Search and collect cyber-intelligence without leaving a trace
  • Store collected data in the forensically sound, court-validated EnCase® Logical Evidence File format
  • Capture data from running or powered-off systems
  • Customize search and collection jobs to create and configure more complex search criteria
  • Easily install EnCase Portable on any USB drive

These details obviously raise more questions than they answer and I’m sure that Guidance will reveal more details as the release become imminent.

The YouTube video, on the other hand, provides quite a lot in terms of answers. The video can be found here. The video shows the contents of EnCase Portable and some of the potential capabilities of the software.

As is noted in the video the software is booted to, what appears to be, a live Windows environment and is capable of performing the following:

  • Collect Internet Artifacts
  • Collect Windows Event Logs
  • Collect all Word Documents
  • Collect all Images
  • All PST
  • All MPG
  • Collect all Archive Files
  • Capture Registry
  • Collect EXE Files
  • Collect all Email Archives
  • Collect Mail Archives
  • Collect TEMP Files

I suspect that, given that some of this information is quite repetitive and/or ambiguous (such as ‘Collect all Images’) that users will be able to preconfigure the software to capture whatever data they wish. They then select the required options and capture that data to the relevant device in an EnCase logical evidence file. It appears quite simple and straight forward. Once I’m able to see one of these things up close I’ll give a more indepth review.

9 responses to “More on EnCase Portable”

    • Someone still has to do the investigation at the other end. However can you imagine having a case thrown out because someone asked their secretary to get the data?

  1. Eh..Been there.. This is just a Commercial version of Forensic Boot CD’s have been around for awhile. It just makes things “EASIER” for the lay person. But if you are a newb…would you even know what you are looking for?? For this I will stick with SPADA, Helix, 10-23 or whatever flavor Linux Boot CD I can find at the time.. Gotta save money for EnCase 7!!

  2. From one site it is commercial preasure to create “simple and widely used” tool for not-trained people, but crucial in forensic examination is to gather data properly. Once you have not enough data, you are not able to do correct forensic exanination. EnCase Portable seems to be more appropriate for quick search, where you need first information if there is something or not (for border points, intelligence, etc.).
    …but we have not enough information for such conclusions yet.

  3. Seems like they are competing against COFEE. I disagree with the arguments that somehow this is going to let untrained folks mess with computer evidence-anymore than any other tool.

    Plus, since it is from Guidance. You just know it is going to cost several thousands bucks for the kit, then several thousand knicker to keep up with the license.

  4. Other comments…

    If the target PC is not USB bootable, then you have to use the CD. All of this kind of takes away from the ‘stealthiness” aspect of the tool.

    Likewise, I am guessing that there some sort of write blocking going on through the device or software, but is that guaranteed?

    Finally, once you get the data, is it in some bizarro Encase only format that you need Encase enterprise to analyze?

  5. A lot of details left out of the video:

    – Note minimal reference to the system having to be “off” (even though his demo machine is on) at the time of “data” extraction.
    – Repeated use of the the term “data” vice evidence.
    – Does the size of the repository USB device indicate estaimated amount of extracted “data”.
    – No mention on the form this data would be extracted in.
    – No mention of collection of system metadata associated with extraction.
    – But to name a few … issues ….

  6. I used Spada last week to retrieve images. I crashed when trying to axcess deleted images and data. Anybody had this happen before and would it affect our evidence gathering and subsequent court matters.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.