How to use the EnCase Processor

    Sometimes people ask me why I like EnCase Forensic, and I always answer: for me, EnCase Forensic is like the Answerer from Robert Sheckley’s “Ask a Foolish Question”. It is able to solve forensic problems we don’t even think about until we face them. This can easily be proven if we turn away from Windows computer forensics. The best thing other tools can offer you is a hex viewer. But not EnCase Forensic. It will help you. All you need is to ask the right question.

    To save a forensic analyst from wasting time on routine tasks, like text indexing, keyword searches and parsing OS artifacts, EnCase Forensic offers the EnCase Processor. All you need to do is configure the search tasks you need for the particular case, select processing options (for example, creating thumbnails for all image files) and start the Processor. After that you can go about your business while EnCase does the job. Because this process is resource-intensive, the EnCase Processor can be run on a stand-alone computer (server). To process data on a stand-alone computer (server), you’ll need an additional dongle, which you should request from Guidance Software. Unlike the main dongle, this one has a plastic casing.

    Figure 1. EnCase Processor (left) and EnCase Forensic (right) dongles

    In this article we’ll speak about using the EnCase Processor on a local computer.

    After adding images or devices to the case, click Process (you can also start the EnCase Processor via EnScript: EnScript – EnCase Processor).

    Figure 2. Process button

    You’ll see the EnCase Processor Options dialog, where you should choose the options you need.

    Figure 3. EnCase Processor Options dialog

    Be very careful when choosing options. If you choose too many options, or very resource-intensive ones, processing could take a very long time.

    If you select an option, its description appears in the right pane:

    Figure 4. System Info Parser module description

    If you double-click a module’s name, you see its additional options.

    Figure 5. System Info Parser module additional options

    Click OK and processing starts; its progress bar is located in the bottom right corner. You can also view processing details in the Processor Manager (View – Processor Manager).

    Figure 6. Processor Manager tab

    When processing is finished, run the Case Analyzer EnScript. In the dialog box that opens, double-click Case; this starts adding the processed data to the report.

    Figure 7. Adding data to the report

    In the next dialog, which opens after the task is finished, choose the data you need and click Save Report.

    Figure 8. Case Analyzer tab

    Now you can customize your report according to your needs by clicking Manage Saved Reports.

    Figure 9. Manage Saved Reports window

    If you click View Report, you can view its final version.

    Figure 10. The report fragment

    If you need to save the report to a file, right-click in the Analysis Report Preview window.

    You can find more information about the EnCase Processor in the official EnCase Forensic User Guide.

    About the authors:

    Igor Mikhaylov

    Interests: Computer, Cell Phone & Chip-Off Forensics

    Oleg Skulkin

    Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics