The procedures we use for forensic examination include several unique functions that have revolutionized the practice of computer forensics. The following are some of the features
• Search and analyze media from all of the different file systems simultaneously, including FAT12, FAT16, FAT32, NTFS, Linux, UNIX, Macintosh, CDROM and DVD-R.
• Macro Language capability allows you to write powerful filters and programs to customize the software and apply advanced techniques for automated analysis of all the data contained in the case
• Picture Gallery automatically identifies all graphics files contained on a piece of media and displays them as thumbnails that can easily be bookmarked or copied onto a CD-ROM
• Restore physical disk images to new hard drives in Windows
• Support for Striped NT RAID volumes
• Non-invasive preview of a computer through either a parallel-port, Network Interface Card (NIC), or FastBloc, for a quick determination as to whether a computer system contains evidence within the scope of your investigation
• Generate or import custom sets of file hashes
• Acquire, authenticate and build a Case out of the most common types of media. Read floppies, Zip and Jaz drives, MO and all IDE and SCSI hard drives
• Acquire hard drives in DOS or in Windows with the hardware write block acquisition device.
• View files without changing the file contents or time stamps
• Conduct a basic keyword search of the entire case using any number of search terms
• Conduct advanced searchs using powerful UNIX GREP syntax
• Search hits automatically highlighted and archived
• Sort files according to any number of fields, including time stamps
• View Compound files, such as the Windows Registry, E-Mail attachments and Zip Files
• View all relevant time stamps of all files in case with a powerful graphical timeline viewer
• Bookmark interesting files, file segments or images and save for future reference and automatically include in final report
• Export any part of a file, selected file or entire folder trees
• Restore disk or volume images on to other hard drives
• Recognize and validate file signatures and add your own signatures
• Browse basic file system artifacts such as swap files, file slack, spooler files, and files located in the Recycle Bin
• Build libraries of known files and have EnCase recognize them automatically
• Formatted reports that show the contents of the Case, dates, times and investigator involved
• Graphical map showing disk allocation by cluster or sector including the layout of any file in the case
• Hex/text viewer shows the contents of any file (file slack shown in red)