EnCase Forensic 7

I hope that, by now, everyone realised that my post yesterday was for April Fools and that I have no intention of quitting Forensic 4cast or becoming a professional wrestler.

The good news is that next Sunday I’m going to be recording a special episode of Forensic 4cast with two people from Guidance Software. They are going to be talking about EnCase Forensic version 7.

You may have seen some of the publicity surrounding the new version of Guidance’s flagship product or maybe even been to an event where it was demoed. This episode will hopefully help us to find out a little more about the new software.

Do you have any questions that you want to ask the Guidance guys about the upcoming release? There are no guarantees that I will ask all of your questions, or that they’ll answer them, but there’s no harm in trying, is there? If you have a question, please either comment here, post it on the 4cast Facebook page, or message @4cast on Twitter.

5 responses to “EnCase Forensic 7”

  1. A question for the Guidance guys, if time allows…

    – Any new tools in EnCase 7 to break into a fully encrypted disk? Can it be used for a cold boot attack?

  2. A couple of questions for the Guidance Guys:

    — Rumors had it that pre-release versions of EnCase v. 7 required more than 12 GB of RAM. Has that requirement been reduced to a more manageable level? What are the overall hardware requirements?

    — Is it able to mount Volume Shadow copies?

    — Have the timeline tools been improved to include other system dates in addition to the file metadata (e.g., event logs, Registry hives, Prefetch files, etc.)?

    — Have the EnScripts that find webmail been updated? It’s a shame that EnCase cannot pull webmail remnants, whereas a cheap tool like IEF can get tons of those artifacts and present them in a usable format.

    — How does v.7 improve the handling, searching and examination of email?

    I can go on and on. As you can tell, I have a love/hate relationship with EnCase…


    Best regards, Phil
    P.S. Professional wrestling can’t be much worse than the virtual wrestling forensic examiners undergo with these examination tools that are always in a beta state…

  3. The thing we’d appreciate most in a new major release of EnCase would be support for multithreading.
    ~3GHz CPUs is the maximum you can buy these days, and having an 8-core system sitting around with 1 core on full load and the others idling, makes me cry every day 😉

    So if the Guidance guys would be so kind as to talk about their plans for having single tasks (like “mount compound files”, keyword searches, checksum verification) use multiple cores, I’d be really happy. Thanks!

  4. From a lab manager/former examiner’s perspective:

    What has GSI done to solve performance issues associated with large datasets? Have they employed a database backend, or have they found alternative methods to address performance?

    Will they offer a stable, selective pre-processing option? If so, does it sandbox the processes so a single failure doesn’t stop or crash the entire process? Will it report that failure?

    Has GSI included tightly integrated indexing with the next version of EnCase?

    Will EnCase 7 de-duplicate email?

    GSI was smart to offer EnScript capabilities, effectively extending the platform. However, a less troublesome language will certainly increase its utility and value. Will we see a more user-friendly EnScript language?

    An enormous amount of time and money has been spent by one segment of the digital forensic community to develop the means by which minimally trained investigators can harmlessly access and select evidence from a live forensic environment. The idea has merit; after all, who wants an expensively trained examiner picking through graphics all day, or trying to glean which emails might be important to an investigator when they can’t possibly know all of the details? It would be a valuable tool to use with restraint if it were that simple, cheap, and effective. In my opinion, much of that time and money may have been better spent improving functionality and usability, allowing highly trained examiners to realize significant increases in efficiency and quality. It sounds like GSI is making a big move in this direction. How would they describe their efforts in both these areas?
