Forensic tool for data recovery and because it is paid you have to pay for full access

1. By Megha Sahu

2. Introduction
• EnCase is a pack of digital forensics developed by guidance software system.
• This software system has numerous forms designed for cyber security, e-discover
use, and forensics.
• This software recover data and the use it various court system.
• EnCase comprise of tools utilized in varied areas of the
digital forensic process like analysis, acquisition, and reporting
• It includes EnScript, a scripting facility, with various APIs for evidence interactions.
• It searches an opening laptop and copy information which includes pictures ,
internet history, artifacts, documents, even the whole disk drive,
and different digital evidences.

3. Encase Processor
• Recover folder
1. FAT volume
2. NTFS folder
3. UFS and Ext2/3 partition
4. Formatted Driver
• File signature analysis
• Protected file analysis
• Hash analysis : MD5 and SHA-1 supported
• Expand Compound Files

4. Continue..
• Find Email
• Find internet Artifacts
• Search for Keyword
• En-script Modules: Run proper script to recover artifacts from
the device.
• Custom Modules: Custom En-script modules can be added to
the processor.

5. Download and Installation
• Just go to the below link and start download encase version 8.
• https://www.guidancesoftware.com/support/downloads/encas
e-forensic?utm_campaign=12541-EnCase_Forensic_8.06-
20180207&utm_medium=Email&utm_source=Eloqua&cmpid=E
mail-Eloqua-12541-EnCase_Forensic_8.06-
20180207&partnerref=12541-EnCase_Forensic_8.06-
20180207&elqTrackId=c71f16df125842f5bd7e6b122d155e15&
elq=77c149376c874e85ad6cde927a2bfd1a&elqaid=5441&elqat
=1&elqCampaignId=2212
• When the Encase get downloaded just run as administrator the
file and choose the default setting or you can customized them.
• After successful installation it will show you the GUI of Encase
version8.

7. Encase Image file format
• To store various kind of evidence Encase used Encase image
file format(extension .E01) and it also referred as Expert
Witness (Compression) Format.
1. Disk formt
2. Volume image
3. Logical files
4. Memory

8. Create image file bit by bit
I. Go to Add Evidence
II. Choose add local devices
III. Now check the only device for which you want to make .e01
file

9. After completion of the process the window look like this

10. Now there is some field that
you have to fillled to create
Encase Image file after
completion of this navigate to
the folder where you save it
and will show you the file with
extension

11. Index – Syntax Example
• Keyword Search-
• Phrase Search-
• Find any word in a document-
• All word must appear in document-
• Exclude the second search term-
• Operators as keyword –
• wildcard
X(fail)
“fail error”
fail OR error OR 404
fail AND error
fail NOT 404
fail “and” error
? , *

12. Create New Case

13. After creating the case it look something like that

14. Now add avidence to the case

16. Operation
1) Evidence process
2) Case processor