
The superman of digital investigations

Meet the new and improved OpenText EnCase Forensic

Recently, we’ve been talking about the evidence processing performance of OpenText™ EnCase™ Forensic and how it stacks up against its leading competitor. The results were significant. In each case we looked at, EnCase processed evidence faster than “the other guy” by an order of magnitude, saving digital forensic investigators valuable time by helping them work through cases faster and more efficiently.

Accelerating the pace of digital forensic investigations

This discussion about performance reflects the development work that has gone into EnCase Forensic and OpenText™ EnCase™ Endpoint Investigator over the last year. Many of the features added to EnCase were focused on performance and on helping investigators save time during the investigation process:

  • CodeMeter Licensing: saving the customer time during the licensing process
  • Live Directory Preview: improving the pace of endpoint investigations
  • UNC (Universal Naming Convention) path collection: providing faster access to evidence
  • Social Media Artifacts: helping investigators quickly review online content
  • OCR (optical character recognition) support: helping quickly identify text contained in images
  • Automated Evidence Processing: simplifying the workflow by reducing 20 steps to two
  • Case Categorization: saving time by helping investigators narrow their focus
  • Intuitive Navigation: speeding evidence collection
  • Faster Network Evidence Preview: helping investigators examine a drive across a network more quickly
  • Focused Processing: saving time by processing only a specific set of evidence
  • Cloud Deployment: taking advantage of the speed of the cloud
  • User Interface Modernization: saving time by providing streamlined workflows and a more intuitive interface
  • AFF4 (Advanced Forensic File Format 4) support: allows evidence from other forensic tools to be ingested into EnCase
  • New Google Chrome artifacts: help investigators find additional suspect data within the browser
  • New image analysis categories: help investigators quickly find image evidence such as chats, maps, QR codes, faces, tattoos, text and license plates
  • Mobile iOS and Android support: helps investigators find evidence on the latest mobile OS versions when conducting mobile device investigations
  • Improved report generation: reports can be generated in the background while other tasks are running
  • Improved file acquisition performance: lets investigators access Lx01 logical evidence files across the network more quickly
  • Improved SAFE agent performance: lets investigators work more efficiently with improved and simplified workflows
  • Updated browser support: lets investigators quickly locate evidence contained in current Google, Microsoft and Mozilla browsers
  • Updated support for 14 languages: lets investigators work more efficiently by conducting their investigation in their native language

Whew! I knew our dev team had been hard at work over the last year providing enhanced investigation capabilities, but it really opened my eyes when I sat down and made a list of the specific things the team has been doing to help improve the performance and efficiency of investigations.

To validate these points, I took some time to delve into the testing data that our Development and Quality Assurance teams gather during the software release process. Like the performance test results we looked at in previous blogs, the results from this testing were impressive.

First, a bit about the testing environment. The testing was conducted on forensic workstations with 64-bit processors and 256GB of memory, running Windows 10. Data volumes ranged from 465GB to 3.63TB. The tests were first run on EnCase Cloud Edition (CE) 21.1 (released in the first quarter of calendar year 2021) and then repeated on EnCase CE 22.1 (released in the first quarter of calendar year 2022) to obtain the comparison data we were looking for. Each test was run numerous times to ensure the consistency of the results.

Putting EnCase to the test

In the first test, the team measured how long it took to conduct an off-network collection, creating a LEF (logical evidence file) from a variety of file types totalling 3.67TB. A LEF captures selected files and folders from a user’s system, rather than a full physical image of the disk, together with their metadata and hash values. Its purpose is to preserve a verifiable record of the collected evidence and deliver an exact copy of it without altering or manipulating the original data. That integrity and repeatability is one of the reasons EnCase is regarded as the court standard for digital forensic investigations.

The performance improvement between EnCase CE 21.1 and 22.1 was significant. EnCase CE 21.1 took 169 minutes to create the LEF, while the newer version (CE 22.1) took just 52 minutes. That equates to a 69% reduction in LEF creation time.

Image shows that OpenText EnCase Forensic CE 22.1 created a LEF in 52 minutes, 69% faster than EnCase CE 21.1 which created a LEF in 169 minutes.

A second test was conducted using the same parameters, but this time the team measured how long each version of EnCase took to create a LEF from a network preview of a 3.62TB BitLocker-protected volume. Once again, the latest release showed a significant improvement over the earlier version: CE 22.1 created the LEF in about six minutes, compared to about 11 minutes on CE 21.1. The latest version of EnCase created the LEF 45% faster.

Image shows OpenText EnCase Forensic LEF creation time (from a BitLocker volume) of 350 seconds for EnCase CE 22.1, 45% faster than EnCase CE 21.1 at 650 seconds.

Working to make the world a safer, more secure place

There are two important takeaways from this analysis. First, whether they are compared against the competition or against earlier versions of the software itself, EnCase Forensic and EnCase Endpoint Investigator show significant performance advantages. That performance lets investigators conduct investigations faster and more efficiently.

Second, there are tens of thousands of digital forensic investigators across the globe who use EnCase for their investigations, and more new users are added every day. OpenText continues to put a great deal of development focus on delivering features that help investigators in law enforcement, government agencies and corporations speed the pace of their investigations. It’s important to stay current on the latest version of the software to benefit from the features designed to make investigations more efficient.

If you are on an earlier version of the software, contact your OpenText sales representative to find out how you can take advantage of the many features that come with the latest version of EnCase.

Improving the pace of investigations results in reduced case backlogs, improved case closure rates, more efficient use of investigative resources and getting to the truth faster. At OpenText, we’re working to make the world a safer, more secure place by finding the truth in data.

Raj Munusamy

Raj Munusamy is the Senior Director of Product Marketing (Security) at OpenText.
