EnCase is capable of making forensic quality recordings of data stored on PCs, and of recovering some insecurely deleted data. Special training is usually required to operate the software in a law enforcement capacity.
The first thing a user of Encase will normally do is use the software to create images of suspect media (hard drives, CDs etc). Images are stored in proprietary formats and contain an MD5 checksum to validate their authenticity. Unlike typical imaging software such as Norton Ghost, Encase makes images that are exact copies of the original, byte for byte, in order to be able to fully examine unused parts of the media for deleted files and so forth.
After imaging, Encase can be used to examine the files stored on the image using common tools such as a document viewer and hex editor. It can also examine parts of the filesystem not normally exposed to the user, such as deleted file entries, on-disk checksums and log/journaling data. It can also search for and attempt to recover deleted files.
Finally, any relevant files can be saved to the users PC, along with checksums and other metadata, for use as evidence.
It should be noted that Encase only uses common tools to perform its analysis, the main benefit to the user being that the tools are all tied together and are of forensic (i.e. verifiable) quality.
Data recovered by Encase has been used successfully in various court systems around the world. However, there are questions regarding the validity of evidence recovered by Encase. For example, MD5 checksums are used to ensure data has not been altered or tampered with, however MD5 checksums are known to be forgeable. See the main MD5 article for details.
Another issue with data recovered by Encase is that typically there is no way to determine who created or accessed the data. Although user account data can provide some clues, the ease with which anyone who has physical access to the machine or who has control of the machine remotely (e.g. by a trojan or remote administration tool) make positive identification of the owner, or even those who knew of the data's existence difficult.
Because EnCase is well known and popular with law enforcement, considerable research has been conducted into defeating it (as well as counter forensics in general). The Metasploit Project produces an anti-forensics toolkit. Manual defences are possible too, for example by modifying the file system
Furthermore, because law enforcement procedures involving Encase have to be documented and available for public scrutiny in many judicial systems, those wishing to defend themselves against its use have a considerable pool of information to study.
Copies of EnCase have been widely leaked on to P2P networks, allowing full analysis of the software. Proof-of-concept code exists that can cause EnCase to crash, or even use buffer overflow exploits to run arbitrary code on the investigators computer. It is known that EnCase is vulnerable to compression bombs, for example 42.zip.
Guidance Software Releases EnCase[R] Portable Version 4, the Industry's Simplest and Most Powerful Portable Forensic Triage Solution
Dec 27, 2012; By a News Reporter-Staff News Editor at Computer Weekly News -- Guidance Software Inc. (NASDAQ:GUID), the World Leader in Digital...