EnCase Portable Brochure 9-11-13-Webready


GUIDANCE SOFTWARE

EnCase Portable

Extend Your Forensic Reach with Powerful Triage and Data Collection

Triage and Collect with EnCase Portable
EnCase Portable is designed to address the challenge of completing forensic triage and
data collection in the field, for both forensic professionals and non-technical personnel. The
solution is composed of two components, Triage and Collect.
Triage allows forensic experts and non-experts alike to quickly review information stored
on a computer in the field, in real time, without altering or damaging the information. By
executing pre-configured triage searches, users can quickly browse pictures, view internet
history, see who has been using a computer, and much more. Advanced users of Triage can
also create new triage searches, in the field, in a matter of minutes, meaning no situation is
out of reach of EnCase Portable Triage.

Who Can Use EnCase Portable
Police Officers
Probation and Parole Officers
Civilian Investigators
Military Personnel
Government Personnel
IT Professionals
Law-firm Personnel
Litigation Support Personnel
Non-technical Personnel

With Collect, anyone can become an extension of an organization's computer forensic,
incident response, or e-discovery team. Running collection searches, pre-configured by the
experts, anyone can use EnCase Portable to perform forensically sound collections in the
field. Collect can be used to create a bit-by-bit copy of a computer's hard drive or perform
a targeted collection based on the criteria required for the specific situation. In addition,
with Collect users can collect an exact copy of a computer's memory, which can contain
valuable information pertinent to an investigation.
With EnCase Portable, forensic professionals can get a handle on their case backlogs
by attacking the issue at the source, reducing the total amount of evidence brought
in for analysis. For field personnel, EnCase Portable gives immediate access to critical
information stored on a computer, without having to be an expert in computer forensics.
For corporations, EnCase Portable enables easy, forensically sound collection of data from
remote offices or locations without requiring expert personnel. The combination of Triage
and Collect makes EnCase Portable the most powerful, flexible, and field-ready solution for
handling computer forensic tasks.

EnCase Portable Features at a Glance


CORE CAPABILITIES
Both Triage and Collect share these fundamental capabilities:


Workflow:
1. Insert EnCase Portable USB (and storage drive if required) into computer
2. Launch EnCase Portable from the USB device
3. Select a job to execute
4. EnCase Portable runs the selected job, collecting data or performing
a triage search
5. User, once satisfied with triage results or collection job has completed,
closes EnCase Portable
6. Collected data can be made available to the forensic professional for full
analysis as required

Operating Modes:
Execute EnCase Portable on an already running computer (Live Mode)
Boot a computer with EnCase Portable (Boot Mode)
In either mode, no EnCase Portable files are installed on the suspect's computer


Default Jobs:
Every EnCase Portable device contains a combination of default Triage and
Collect jobs, including:
Collect Document Files
Collect Mail Files
Collect Picture Files
Collect Copy of Drive or Memory
Create Internet Artifacts Report
Triage or Create Personally Identifiable Information (PII) Report
Triage Pictures

Job Creation:
Create new jobs or edit existing jobs to meet specific case needs
New jobs can be created using EnCase Forensic or EnCase Enterprise
New jobs can also be created in the field, in real time without using EnCase
Forensic or EnCase Enterprise
Transferrable from one device to another

Collected Data:
Collected data is managed with EnCase Forensic or EnCase Enterprise
Other solutions that support E01, L01, Ex01, or Lx01 can be used
to review collected data
Easy import of collected data into current case.

Search and Collection Methodology:
Valuable file attributes (metadata) and contents not altered during
search and collection
Folder structures maintained for collected data
Collected data stored in EnCase Evidence File Formats (E01, L01, Ex01, Lx01)
Encryption of collected data possible

Triage Specific Capabilities

Triage Options:

Search for files that may contain Personally Identifiable Information (PII)
Credit Cards (Visa, MasterCard, American Express, Discover)
Phone Numbers (with or without area codes)
E-mail addresses
U.S. Social Security Numbers

Review Images in a Gallery View
Search based on file extensions (.jpg, .bmp, .png, etc.)
Search based on file signature
Limit number of images and/or the minimum image file size

"EnCase Portable now gives any lawyer, paralegal, and litigation support specialist the ability to easily collect and preserve ESI anywhere, anytime."
- John J. Rosenthal, Partner and Chairman, e-Discovery and Electronic Information Practice Group, Winston & Strawn LLP

Identify files based on hash-value matches
Create new hash sets
Use hash sets available in EnCase Forensic or EnCase Enterprise
Customize search by creating an Entry Condition to focus the search

Preview files based on metadata
Focus searches based on any properties of a file (size, type, dates, etc.)
Specific search criteria is entered as an Entry Condition
Matching files can be reviewed instantly

Locate and review files that contain specific keywords
Import a list of English or foreign language keywords or add keywords manually
Customize search by creating an Entry Condition to focus the search
Review the keyword search results for all files on the suspect computer

Reporting and Analysis:
Perform a quick analysis on the collected data
Prepare a report on the triage and collection results in the field

Encryption Support:
Utilizing the EnCase Decryption Suite, the following encryption
products are supported:
PGP Whole Disk Encryption
Microsoft Bitlocker
Guardian Edge Encryption Plus, Hard Disk, and Encryption Anywhere
Utimaco/Sophos Safeguard Easy
McAfee SafeBoot Offline (challenge/response not supported)
WinMagic SecureDoc
Checkpoint/PointSec Full Disk Encryption

Credentials required for each supported encryption product

"EnCase Portable lets anyone with minimal technical knowledge collect electronic evidence, with a chain of custody, from computers in the field. This will free up time for computer forensic experts and allow them to focus their attention on analysis and reporting, rather than initial collection."
- Collect Evidence With EnCase Portable, Product Review, Law Technology News

Collection-Specific Capabilities

Collection Options:

Acquisition
Collect logical, physical, and/or removable drives
Acquire computer memory
Configure imaging job to prompt for desired drive at time of collection

Acquisition Configuration
Set segment file and block size
Select compression and error granularity settings
View calculated MD5 and/or SHA1 acquisition hashes

System Information
Collects artifacts from the system related to:
Network information
Operating system information
Installed software
Installed hardware
User/Account information
Shared/mapped drives
User activity (Linux Only)
Startup routines (Linux Only)
Supports Ubuntu 8 and Fedora 8 Linux distributions, in addition to Windows operating systems.

Snapshot Information
Calculate hash values for executables that are currently running
Identify processes that have been hidden from the operating system
Collect list of currently loaded dynamic link libraries (DLLs)
Gather information on currently logged-on users
Detect whether the MAC address of any Network Interface has been altered

Internet History
Collect history of visited websites
Collect user cache and bookmarks
Collect information on cookies and downloaded files

Instant Messages
Identify and parse information left on the computer related to instant messaging
Search for instant message artifacts can include the unallocated space of the hard drive
AOL, MSN, and Yahoo instant messaging clients supported

Linux System Logs
Collects and parses Linux system log files and their system messages

Unix Login
Parses the Unix system's WTMP and UTMP files, which hold all login activities

Windows Artifacts
Collects the following Windows system files:
MFT transaction logs
Link Files
Recycle Bin items
Search for Windows artifacts can include the unallocated space of the hard drive

Windows Event Logs
Parses and collects information pertaining to Windows events recorded in the system logs,
including application, system, and security logs
Entry condition may be used to target the search based on the entry properties
Included EVT and/or EVTX conditions to limit the search and collection further

ILTA's Distinguished Peer Award for the Innovative Vendor Category

www.encase.com
Our Customers
Guidance Software's customers are corporations and government agencies in a wide variety of industries, such as financial and insurance services, technology,
defense contracting, pharmaceutical, manufacturing, and retail. Representative customers include Allstate, Chevron, FBI, Ford, General Electric, Honeywell, NATO,
Northrop Grumman, Pfizer, SEC, UnitedHealth Group, and Viacom.
About Guidance Software (NASDAQ: GUID)
Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase Enterprise platform is used by numerous government
agencies, more than 65 percent of the Fortune 100, and more than 40 percent of the Fortune 500, to conduct digital investigations of servers, laptops, desktops
and mobile devices. Built on the EnCase Enterprise platform are market-leading electronic discovery and cyber security solutions, EnCase eDiscovery, EnCase
Cybersecurity, and EnCase Analytics, which empower organizations to respond to litigation discovery requests, perform sensitive data discovery for compliance
purposes, conduct speedy and thorough security incident response, and reveal previously hidden advanced persistent threats or malicious insider activity. For more
information about Guidance Software, visit www.encase.com.
EnCase, EnScript, FastBloc, EnCE, EnCEP, Guidance Software and Tableau are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be
used without prior written permission. All other trademarks and copyrights referenced in this press release are the property of their respective owners.
