How to use the EnCase Processor
Sometimes people ask me why I like EnCase Forensic, and I always answer: for me, EnCase Forensic is like the Answerer from Robert Sheckley’s “Ask a Foolish Question”. It is able to solve forensic problems we don’t even think about until we face them. This is easily proven once we step away from Windows forensics: the best other tools can offer you is a hex viewer. Not EnCase Forensic. It will help you; all you need is to ask the right question.
To save a forensic analyst from wasting time on routine tasks such as text indexing, keyword searches and parsing OS artifacts, EnCase Forensic offers the EnCase Processor. All you need to do is configure the search tasks you need for the particular case, select the processing options (for example, creating thumbnails for all image files) and start the Processor. After that you can go about your business while EnCase does the job. Because this process is resource-intensive, the EnCase Processor can be run on a stand-alone computer (server). To process data on a stand-alone computer (server), you’ll need an additional dongle, which you should request from Guidance Software. Unlike the main dongle, this one has a plastic casing.
Figure 1. EnCase Processor (left) and EnCase Forensic (right) dongles
In this article we’ll speak about using the EnCase Processor on a local computer.
After adding images or devices to the case, click Process (you can also start the EnCase Processor via EnScript: EnScript – EnCase Processor).
Figure 2. Process button
You’ll see the EnCase Processor Options dialog, where you should choose the options you need.
Figure 3. EnCase Processor Options dialog
Be very careful when choosing options. If you choose too many options, or very resource-intensive ones, processing could take a very long time.
When you select an option, its description appears in the right pane:
Figure 4. System Info Parser module description
If you double-click a module’s name, you see its additional options.
Figure 5. System Info Parser module additional options
Click OK and processing starts; its progress bar is located in the bottom right corner. You can also view processing details in the Processor Manager (View – Processor Manager).
Figure 6. Processor Manager tab
When processing is finished, run the Case Analyzer EnScript. In the dialog box that opens, double-click Case; this starts adding the processed data to the report.
Figure 7. Adding data to the report
In the next dialog, which opens after the task is finished, choose the data you need and click Save Report.
Figure 8. Case Analyzer tab
Now you can customize your report according to your needs by clicking Manage Saved Reports.
Figure 9. Manage Saved Reports window
Click View Report to view its final version.
Figure 10. The report fragment
If you need to save the report to a file, right-click in the Analysis Report Preview window.
More information about the EnCase Processor can be found in the official EnCase Forensic User Guide.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics