OpenText™ EnCase™ Forensic software is one of the longest established digital forensic platforms on the market. It has been the primary tool of choice for many investigations and has a long track record of withstanding cross-examination in courts of law and tribunals.
In this latest ‘EnCase Forensics tips and tricks’ blog, we are going to explain how the Review Package functionality can help a forensic examiner in their investigations. This long-standing feature allows examiners to extract and package evidence in a secure manner that enables investigators or specialist teams to review case-specific evidence, without requiring additional licenses or overhead. Recently, EnCase has incorporated a stronger, more resilient Review Package option.
The review of evidence in a forensic investigation is normally conducted in isolation from the main EnCase environment, without the distraction of the other details of the case. Reviewers typically draw on their specialist field of knowledge, or their familiarity with the case and/or the suspects, to tag either content that is relevant to the investigation or items that have no importance and can be excluded. Anything that is visible in the EnCase case environment can be packaged this way, including, but not limited to, picture and video content, legal documents, files within a date range, or similar items that would otherwise require additional analysis effort to determine relevancy. Once a package of these elements has been created and its contents reviewed, the reviewed data is imported back into EnCase to facilitate further lines of analysis and subsequent reporting.
To export pertinent data for external review, the examiner would select items from the evidence and then choose Review Package -> Export from the top menu bar.
The resulting dialogue box presents the examiner with further options to export tagging information, as well as any default or custom Tags to accompany the exported data.
Previous versions of the Review Package were opened in a web browser. The browser-based package has now been replaced by the trusted EnCase Logical Evidence File format (Lx01), which provides improved data integrity and enhanced security for the exported material.
Once the Logical Evidence container has been created, the examiner may also wish to make the EnCase Evidence Viewer installer available to the reviewer. The installer forms part of a standard EnCase installation, and the setup executable is located under:
%ProgramFiles%\EnCase22\Lib\EnCaseEvidenceViewer
After installation by the reviewer, the EnCase Evidence Viewer offers a secure environment to load the evidence container and browse the data without requiring an EnCase licence. To facilitate the tagging of content, the reviewer may elect to use any of the exported Tags or even create new custom Tags on the fly.
Once the review process has been concluded, the reviewed package can be saved as an import file to be ingested, complete with any custom tags, back into EnCase for further processing and reporting. Alternative output options allow for file formats such as Comma Separated Values (CSV) or Tab Separated Values (TSV), making this feature truly versatile.
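The Lx01 container carries its own integrity checks, but the hand-off to an external reviewer, and the return of the import file, still leave the examiner responsible for showing that what left the lab is what the reviewer opened. The script below is an added example, not part of EnCase or of this post's workflow: it writes a sha256sum-style manifest beside the exported container, and the reviewer (or the examiner, on receiving the import file back) recomputes the digests to detect a corrupted or tampered copy before anything is loaded. The file names (`Case1234_Review.Lx01`, `Case1234_Review.sha256`) and the file contents are constructed for the demonstration.

```python
"""Chain-of-custody hashing for files exchanged around a Review Package.

Added example only: the Lx01 name and contents below are constructed
stand-ins, not a real EnCase evidence container.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so large containers never sit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(files, manifest: Path) -> int:
    """Write one 'digest  filename' line per file (sha256sum format); return the count."""
    lines = [f"{sha256_file(p)}  {p.name}" for p in files]
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return len(lines)


def verify_manifest(manifest: Path) -> dict:
    """Recompute every digest listed in the manifest.

    Returns {filename: 'OK' | 'MISMATCH' | 'MISSING'}; files are looked up
    relative to the manifest, so the manifest travels with the package.
    """
    results = {}
    for line in manifest.read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        expected, _, name = line.partition("  ")
        target = manifest.parent / name
        if not target.is_file():
            results[name] = "MISSING"
        elif sha256_file(target) != expected:
            results[name] = "MISMATCH"
        else:
            results[name] = "OK"
    return results


def demo() -> dict:
    """Hash a constructed container, then flip one byte to simulate damage in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        container = workdir / "Case1234_Review.Lx01"  # hypothetical export name
        container.write_bytes(b"constructed stand-in for an Lx01 container\n" * 100)
        manifest = workdir / "Case1234_Review.sha256"
        write_manifest([container], manifest)
        before = verify_manifest(manifest)

        data = bytearray(container.read_bytes())
        data[0] ^= 0x01  # single-bit corruption, as a truncated or altered copy would produce
        container.write_bytes(bytes(data))
        after = verify_manifest(manifest)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Send the `.sha256` manifest through a different channel from the package itself (an e-mail to the reviewer, a note in the case file) so that a substituted container cannot arrive with a matching substituted manifest. The same two functions serve the return leg: the reviewer runs `write_manifest` over the saved import file, and the examiner runs `verify_manifest` before ingesting it back into EnCase.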
In short, the Review Package function offers a secure means to effortlessly make the required data available for external review. The EnCase Evidence Viewer enables the examiner to conduct the review in a clear and precise manner, thanks to the intuitive user interface.
Interested in learning more about Digital Forensics, Security and eDiscovery using EnCase? Please see our in-class, virtual and OnDemand offerings.
Author: Jasper Rowe is a Lead Training Consultant in OpenText Learning Services, UK Security division. He has always been an avid proponent of customer success using EnCase products.