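EnCase Forensic is a flagship computer-crime forensics software suite. Most courts worldwide currently accept EnCase as a certified tool for computer-crime investigation, and there are more than one million publicly documented cases of its use. The software is designed to acquire electronic data from a forensic standpoint and provides powerful comparison and analysis tools; it can not only recover erased data files but also carry out various kinds of data analysis, helping investigators and prosecutors obtain evidence of crimes.
Supports a wide range of file systems, such as FAT16, FAT32, NTFS, Macintosh HFS, HFS+, Sun Solaris UFS, Linux EXT2/3, Reiser, BSD FFS, Palm, TiVo Series One and Two, AIX JFS, CDFS, Joliet, DVD, UDF and ISO 9660.
Supports many e-mail formats, such as Outlook, Outlook Express, Yahoo, Hotmail, Netscape Mail and MBOX, as well as AOL 6.0, 7.0, 8.0, 9.0 and PFCs.
Supports many browser formats, such as IE, Mozilla Firefox, Opera and Apple Safari.
File systems supported by EnCase V6:
Windows: FAT12/FAT16/FAT32/NTFS/exFAT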
IBM AIX: JFS/JFS2/LVM8
Novell : ZFS/NWFSNSS/
Sun Solaris: SUN ZFS/ SUN UFS
TiVo: TiVo 1/TiVo2
EnCase® Enterprise has changed the landscape of enterprise and computer investigations by providing complete network visibility, immediate response and comprehensive, forensic-level analysis of servers and workstations anywhere on a network. EnCase® Enterprise is a scalable platform that integrates seamlessly with your existing systems to create an enterprise investigative infrastructure. This cutting-edge solution can be tailored to meet your unique needs, including the automation of time-consuming investigative processes, auditing endpoints for sensitive information and eDiscovery.
Securely investigate/analyze many machines simultaneously over the LAN/WAN at the disk and memory level.
Acquire data in a forensically sound manner, using software that has an unparalleled record in courts worldwide.
Limit incident impact and eliminate system downtime with immediate response capabilities.
Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.
Efficiently collect only potentially relevant data upon EnCase eDiscovery requests.
Proactively audit large groups of machines for sensitive or classified information, as well as unauthorized processes and network connections.
Identify fraud, security events and employee integrity issues wherever they are taking place — then investigate/remediate with immediacy and without alerting targets.
Identify and remediate zero-day events, injected DLLs, rootkits and hidden/rogue processes.
EnCase® V6 introduces our new patent-pending, powerful indexing engine which indexes text extracted from the Stellent™ Outside In Technology. You can now build a complete index of words from multiple languages based on your evidence file and then create fast and easy queries using EnCase® Conditions and Filters. These indices can be chained together to find possible keywords in common with other investigations. The Unicode-supported index is built from the contents of personal documents, deleted files, file system artifacts, file slack, swap files, unallocated space, emails and web pages.
EnCase® Forensic now comes in 32-bit and 64-bit versions. Investigations now commonly involve hundreds of gigabytes to tens of terabytes of static data requiring analysis. This amount of data easily exceeds the memory address space of 32-bit software. In today's 32-bit desktop systems, there can be up to 4GB of RAM (provided the motherboard can handle that much RAM), which is split between the applications and the operating system. Users will note a performance increase, because a 64-bit CPU can handle more memory and larger files. One of the most attractive features of 64-bit processors is the amount of memory the system can support. 64-bit architecture will allow systems to address up to 1 terabyte (1000GB) of memory. The new 64-bit version of EnCase® Forensic v6 delivers improved multi-threading and a more efficient use of all available memory.
Native File Viewer
EnCase® Examiner v6 has incorporated the Stellent™ Outside In file-viewing technology and now displays over 400 file formats natively in the Doc panel.
Enhanced Email Support to Natively Parse
Guidance Software has added the following NEW email formats to EnCase® v6 and now natively presents their contents without their application:
MS Exchange 2000/2003 EDBs
Lotus Notes NSFs versions 5, 6, 6.5 and 7
Hard Disk Caching for Email Parsing
In v6, EnCase® Forensic now uses disk caching to quickly open large and complex compound files, such as Lotus Notes NSFs and Microsoft EDBs and PSTs.
Additional File System Support
Guidance Software has added the following NEW file systems to EnCase® v6 and now presents the folder/file structures:
FreeBSD’s Fast File System 2 (FFS2)
Although the NWFS file system has been used by Novell since NetWare version 2x, EnCase currently supports only NetWare versions 5.1, 6.0 and 6.5 with either the NWFS or NSS file system.
Support for Apple® DMG Files
The file extension, dmg, is for Macintosh® OS X Disk Copy disk image files. Treated like a real disk, these files can now be added to EnCase® Forensic, displaying the internal file/folder structure.
Support for Apple / Unix Files Compressed with PAX
Files compressed in a Macintosh / Unix environment using the PAX (Portable Archive Exchange) command can be saved in either tar or cpio format. EnCase® Forensic v6 now includes support for the parsing of BOTH cpio and tar PAX compressed files.
Support for Gzip Compressed Archive Files
EnCase® Forensic v6 adds Gzip (zlib) support for regular (non-compressed) files. EnCase® software does NOT yet support bzip or adc formats.
How many times have you set up your equipment to acquire a drive image, only to run out of drive space? EnCase® Forensic v6 now allows you to set an alternate destination volume for evidence files at the start of the media acquisition.
Display of Hard Disk Serial Number
Are you tired of removing the suspect hard drive to document the serial number from the label? Hard disk acquisitions with EnCase® Forensic now read and document the true serial number and the volume serial number for the media. NOTE: Acquisitions made with versions 1–5 will NOT display this information.
Guidance Software recommends the following minimum hardware requirements for EnCase®
• Windows 2000 or 2003 Server
• 1.5+ GHz Pentium IV Processor (2.4 GHz Pentium IV Processor or better recommended)
• 512 MB of RAM (1 GB or more recommended)
• 1 dedicated USB Port / Gigabit Network Card
• Not recommended for Evidence storage
• Windows 2000, XP, Vista or 2003 Server
• 2.0 GHz Pentium IV Processor (3.0 GHz Pentium IV Processor or better recommended)
• 1 GB of RAM (2 GB or more recommended)
• 1 dedicated USB Port (when not using NAS) / Gigabit Network Card
• Ample data storage for evidence file acquisitions recommended (500GB or more)
• Available for Windows, NT, 2000, XP, Vista and 2003 Server; Linux kernel 2.4 and above, designed for Red Hat, SuSE & Mandrake; Sun Solaris 8 & 9, both 32- and 64-bit processors; AIX 4.3, 5.1, 5.2 & 5.3; and MAC OSX version 10.2, 10.3 & 10.4.