EnCase
What is EnCase?
EnCase is a commercial digital-forensics product family from OpenText (originally Guidance Software) widely used by law-enforcement and corporate investigators since the late 1990s.
EnCase is one of the oldest and most established commercial digital-forensics platforms. Originally developed by Guidance Software starting in 1998 and acquired by OpenText in 2017, EnCase covers the full DFIR workflow with EnCase Forensic (analysis), EnCase Endpoint Investigator (remote enterprise collection), EnCase Endpoint Security (DFIR/EDR), and EnCase eDiscovery. The product popularised the EnCase evidence file format (E01, and the newer Ex01), derived from the Expert Witness Compression Format, which has become a de-facto industry standard for forensic disk images: a segmented container that stores the acquired data in compressed chunks alongside case metadata, per-section checksums and the acquisition hash of the source media. EnCase is regularly accepted by courts and is commonly used alongside FTK and open-source tools such as Autopsy and The Sleuth Kit. OpenText also maintains the EnCase Certified Examiner (EnCE) certification for trained practitioners.
● Examples
- 01
An investigator imaging a corporate laptop to E01 with EnCase Forensic and producing a court-ready report.
- 02
An incident-response team performing a remote enterprise collection across 200 endpoints with EnCase Endpoint Investigator.
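The imaging scenario in Example 01 rests on two things the overview only names: the E01 container layout and the hash verification that proves the image matches the media. The following toy writer and verifier is an added example for this page, not code from EnCase, OpenText or libewf. The header and section-descriptor layout (8-byte EVF signature, 76-byte descriptors chained by a next-section offset, Adler-32 over each descriptor, MD5 stored in a hash section, done section pointing at itself) follows libewf's public documentation of the format; the media is stored raw in one sectors section, whereas a real E01 splits it into compressed chunks indexed by a table section, and header/volume sections are omitted. SAMPLE_MEDIA is a constructed byte string, and write_e01_segment, verify_e01_segment, acquisition_md5 and tamper are names chosen for this example.

```python
"""Toy EnCase/EWF (E01) segment writer and verifier (added example, not OpenText or libewf code)."""
import hashlib
import struct
import zlib

# Constructed sample "media": the bytes an acquisition tool would read from the device.
SAMPLE_MEDIA = b"CONSTRUCTED-MEDIA-SAMPLE" + bytes(range(256)) * 8

# Layout per libewf's public documentation of the EWF/E01 format.
EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # 8-byte file signature
FILE_HEADER_SIZE = 13                          # signature + fields start + segment number + fields end
SECTION_DESCRIPTOR_SIZE = 76                   # 16 type + 8 next offset + 8 size + 40 pad + 4 Adler-32


def acquisition_md5(media: bytes) -> str:
    """Hash of the acquired bytes; EnCase records MD5 (optionally SHA-1 too) in the image."""
    return hashlib.md5(media).hexdigest()


def _section(section_type: bytes, offset: int, payload: bytes) -> bytes:
    """Descriptor + payload for a section starting at file offset `offset`.
    The 'done' section points its next-offset at itself to terminate the chain."""
    size = SECTION_DESCRIPTOR_SIZE + len(payload)
    next_offset = offset if section_type == b"done" else offset + size
    fields = struct.pack("<16sQQ40x", section_type, next_offset, size)   # first 72 bytes
    return fields + struct.pack("<I", zlib.adler32(fields)) + payload


def write_e01_segment(media: bytes, segment_number: int = 1) -> bytes:
    """Simplification: media goes raw into one 'sectors' section (no chunking, no 'table')."""
    blob = bytearray(EVF_SIGNATURE + b"\x01" + struct.pack("<H", segment_number) + b"\x00\x00")
    blob += _section(b"sectors", len(blob), media)
    hash_fields = bytes.fromhex(acquisition_md5(media)) + bytes(16)      # MD5 + 16 unused bytes
    blob += _section(b"hash", len(blob), hash_fields + struct.pack("<I", zlib.adler32(hash_fields)))
    blob += _section(b"done", len(blob), b"")
    return bytes(blob)


def verify_e01_segment(blob: bytes) -> dict:
    """Walk the section chain, check every Adler-32, then compare the stored MD5 with an MD5
    recomputed over the acquired bytes. 'verified' is True only when all of that holds."""
    r = {"signature_ok": False, "checksums_ok": True, "complete": False, "sections": [],
         "stored_md5": None, "computed_md5": None, "verified": False}
    if len(blob) < FILE_HEADER_SIZE or blob[:8] != EVF_SIGNATURE or blob[8] != 0x01:
        return r
    r["signature_ok"] = True
    offset, media = FILE_HEADER_SIZE, None
    while offset + SECTION_DESCRIPTOR_SIZE <= len(blob):
        desc = blob[offset:offset + SECTION_DESCRIPTOR_SIZE]
        stype, next_offset, size = struct.unpack_from("<16sQQ", desc)
        if zlib.adler32(desc[:72]) != struct.unpack_from("<I", desc, 72)[0]:
            r["checksums_ok"] = False            # descriptor altered or corrupted
            break
        stype = stype.rstrip(b"\x00").decode("ascii", "replace")
        r["sections"].append(stype)
        payload = blob[offset + SECTION_DESCRIPTOR_SIZE:offset + size]
        if stype == "sectors":
            media = payload
        elif stype == "hash":
            if len(payload) < 36 or zlib.adler32(payload[:32]) != struct.unpack_from("<I", payload, 32)[0]:
                r["checksums_ok"] = False
                break
            r["stored_md5"] = payload[:16].hex()
        if stype == "done":
            r["complete"] = True
            break
        if next_offset <= offset:                # refuse loops and backward jumps
            r["checksums_ok"] = False
            break
        offset = next_offset
    if media is not None:
        r["computed_md5"] = acquisition_md5(media)
    r["verified"] = (r["signature_ok"] and r["checksums_ok"] and r["complete"]
                     and r["stored_md5"] is not None and r["stored_md5"] == r["computed_md5"])
    return r


def tamper(blob: bytes, index: int) -> bytes:
    """Flip one bit at `index`, simulating post-acquisition modification or bit rot."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    image = write_e01_segment(SAMPLE_MEDIA)
    print("clean image:", verify_e01_segment(image))
    # One evidence byte changed: descriptors still check, but stored and recomputed MD5 differ.
    print("altered evidence byte:", verify_e01_segment(tamper(image, FILE_HEADER_SIZE + SECTION_DESCRIPTOR_SIZE + 5)))
    # One descriptor byte changed: the Adler-32 fails before any hash is compared.
    print("altered descriptor:", verify_e01_segment(tamper(image, FILE_HEADER_SIZE)))
```

The two tamper cases show why an examiner checks both layers: section checksums catch a corrupted or edited container, while only the recomputed acquisition hash proves the evidence bytes themselves are unchanged, which is what a court-ready report has to state.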
● Frequently asked questions
What is EnCase?
EnCase is a commercial digital-forensics product family from OpenText (originally Guidance Software) widely used by law-enforcement and corporate investigators since the late 1990s. It belongs to the Forensics & IR category of cybersecurity.
What does EnCase mean?
EnCase is a commercial digital-forensics product family from OpenText (originally Guidance Software) widely used by law-enforcement and corporate investigators since the late 1990s.
How does EnCase work?
EnCase is one of the oldest and most established commercial digital-forensics platforms. Originally developed by Guidance Software starting in 1998 and acquired by OpenText in 2017, EnCase covers the full DFIR workflow with EnCase Forensic (analysis), EnCase Endpoint Investigator (remote enterprise collection), EnCase Endpoint Security (DFIR/EDR), and EnCase eDiscovery. The product popularised the EnCase evidence file format (E01, and the newer Ex01), derived from the Expert Witness Compression Format, which has become a de-facto industry standard for forensic disk images: a segmented container that stores the acquired data in compressed chunks alongside case metadata, per-section checksums and the acquisition hash of the source media. EnCase is regularly accepted by courts and is commonly used alongside FTK and open-source tools such as Autopsy and The Sleuth Kit. OpenText also maintains the EnCase Certified Examiner (EnCE) certification for trained practitioners.
How do you defend against EnCase?
EnCase is an examiner's tool rather than a threat, so there is nothing to defend against. What matters when relying on it is evidence handling that will stand up in court: a verified bit-for-bit image, acquisition hashes of the source media and the image that match, and a documented chain of custody.
What are other names for EnCase?
Common alternative names include: EnCase Forensic, OpenText EnCase, Guidance Software EnCase.
● Related terms
- forensics-ir№ 426
Forensic Imaging
Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
- forensics-ir№ 162
Chain of Custody
The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
- forensics-ir№ 436
FTK
Forensic Toolkit (FTK) is a commercial digital-forensics suite developed by AccessData and now owned by Exterro, used to acquire, index and analyse computer evidence.
- forensics-ir№ 078
Autopsy
Open-source digital-forensics platform developed by Brian Carrier and Basis Technology that provides a graphical front end to The Sleuth Kit and a rich set of analysis modules.
- forensics-ir№ 1142
The Sleuth Kit
An open-source library and collection of command-line tools for low-level analysis of disk images and file systems, maintained by Brian Carrier.
- forensics-ir№ 425
Forensic Hash Verification
The practice of computing and comparing cryptographic hashes (typically MD5 and SHA-256) of forensic images and source media to prove evidence integrity.
● See also
- № 428 Forensic Toolkit