
EnCase V6 Digital Forensic Analysis Software

EnCase Forensic is a flagship computer forensic software suite. It is currently accepted by most courts worldwide as a certified tool for computer crime investigation, with over a million publicly documented uses. The software is designed to acquire electronic data from a forensic standpoint and provides powerful comparison and analysis tools: it not only recovers erased data files but also performs many kinds of data analysis, helping investigators and prosecutors obtain evidence of crime.

EnCase is widely used by judicial, government, military and corporate audit departments to locate and manage data on computers. With EnCase, investigators can easily manage large volumes of evidence on a computer, including deleted files, slack space and data in unallocated space.

Product features:
Easy to use; can acquire image files from a wide range of systems
Automatically generates detailed reports, exported as RTF or HTML
Convenient picture viewer supporting ATR, BMP, GIF, JPG, PNG, TIFF and other formats
Extended timestamps: view file creation time, last access or modification time and other activity
Supports many file systems, such as FAT16, FAT32, NTFS, Macintosh HFS, HFS+, Sun Solaris UFS, Linux EXT2/3, Reiser, BSD FFS, Palm, TiVo Series One and Two, AIX JFS, CDFS, Joliet, DVD, UDF and ISO 9660
Supports RAID disk arrays
Supports many email formats, such as Outlook, Outlook Express, Yahoo, Hotmail, Netscape Mail and MBOX, as well as AOL 6.0, 7.0, 8.0, 9.0 and PFCs
Supports many browser formats, such as IE, Mozilla Firefox, Opera and Apple Safari


One of the core technologies of computer forensic analysis software is its support for file systems. As long as the forensic software can parse a file system, the examiner does not need to be familiar with the operating system's runtime environment to read and analyze the folder/file listings stored on the disk, and even deleted files.

As a long-established computer forensic analysis tool, EnCase's file system support is very comprehensive, one could say outstanding. It currently has the broadest file system support of any forensic analysis software worldwide.

File systems supported by EnCase V6:
Windows: FAT12/FAT16/FAT32/NTFS/exFAT
Macintosh: HFS/HFS+
Linux: EXT2/EXT3/Reiser/LVM2
FreeBSD: FFS/UFS2
IBM AIX: JFS/JFS2/LVM8
Novell: ZFS/NWFS/NSS
Sun Solaris: Sun ZFS/Sun UFS
HP-UX: VxFS
TiVo: TiVo 1/TiVo 2
Optical disc: ISO 9660/Joliet/UDF
Other: Palm (PDA)

EnCase does not yet support the Ext4 file system.

EnCase® Enterprise has changed the landscape of enterprise and computer investigations by providing complete network visibility, immediate response and comprehensive, forensic-level analysis of servers and workstations anywhere on a network. EnCase® Enterprise is a scalable platform that integrates seamlessly with your existing systems to create an enterprise investigative infrastructure. This cutting-edge solution can be tailored to meet your unique needs, including the automation of time-consuming investigative processes, auditing endpoints for sensitive information and eDiscovery.

Securely investigate/analyze many machines simultaneously over the LAN/WAN at the disk and memory level.
Acquire data in a forensically sound manner, using software that has an unparalleled record in courts worldwide.
Limit incident impact and eliminate system downtime with immediate response capabilities.
Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.
Efficiently collect only potentially relevant data upon EnCase eDiscovery requests.
Proactively audit large groups of machines for sensitive or classified information, as well as unauthorized processes and network connections.
Identify fraud, security events and employee integrity issues wherever they are taking place — then investigate/remediate with immediacy and without alerting targets.
Identify and remediate zero-day events, injected dlls, rootkits and hidden/rogue processes.

Case Indexer
EnCase® V6 introduces our new patent-pending, powerful indexing engine which indexes text extracted from the Stellent™ Outside In Technology. You can now build a complete index of words from multiple languages based on your evidence file and then create fast and easy queries using EnCase® Conditions and Filters. These indices can be chained together to find possible keywords in common with other investigations. The Unicode-supported index is built from the contents of personal documents, deleted files, file system artifacts, file slack, swap files, unallocated space, emails and web pages.

64-bit Support
EnCase® Forensic now comes in 32-bit and 64-bit versions. Common investigations now involve hundreds of gigabytes to tens of terabytes of static data requiring analysis. The amount of this data easily exceeds the address space of 32-bit software. In today’s 32-bit desktop systems, there can be up to 4GB of RAM (provided the motherboard can handle that much RAM), which is split between the applications and the operating system. Users will note a performance increase, because a 64-bit CPU can handle more memory and larger files. One of the most attractive features of 64-bit processors is the amount of memory the system can support: 64-bit architecture will allow systems to address up to 1 terabyte (1000GB) of memory. The new 64-bit version of EnCase® Forensic v6 delivers improved multi-threading and a more efficient use of all available memory.

Native File Viewer
EnCase® Examiner v6 has incorporated the Stellent™ Outside In file-viewing technology and now displays over 400 file formats natively in the Doc panel.

Enhanced Email Support to Natively Parse
Guidance Software has added the following NEW email formats to EnCase® v6 and now natively presents their contents without their application:

MS Exchange 2000/2003 EDBs
Lotus Notes NSFs versions 5, 6, 6.5 and 7

Hard Disk Caching for Email Parsing
In v6, EnCase® Forensic now uses disk caching to quickly open large and complex compound files, such as Lotus Notes NSFs and Microsoft EDBs and PSTs.

Additional File System Support
Guidance Software has added the following NEW file systems to EnCase® v6 and now presents the folder/file structures:

FreeBSD’s Fast File System 2 (FFS2)
FreeBSD’s UFS2
Novell NWFS
Novell NSS

Although the NWFS file system has been used by Novell since NetWare version 2x, EnCase only currently supports NetWare versions 5.1, 6.0 and 6.5 with either the NWFS or NSS file system.

Support for Apple® DMG Files
The file extension dmg is for Macintosh® OS X Disk Copy disk image files. Treated like a real disk, these files can now be added to EnCase® Forensic, displaying the internal file/folder structure.

Support for Apple / Unix Files Compressed with PAX
Files compressed in a Macintosh / Unix environment using the PAX (Portable Archive Exchange) command can be saved in either tar or cpio format. EnCase® Forensic v6 now includes support for the parsing of BOTH cpio and tar PAX compressed files.

Support for Gzip Compressed Archive Files
EnCase® Forensic v6 adds Gzip (zlib) support for regular (non-compressed) files. EnCase® software does NOT yet support bzip or adc formats.

Alternate Path
How many times have you set up your equipment to acquire a drive image, only to run out of drive space? EnCase® Forensic v6 now allows you to set an alternate destination volume for evidence files at the start of the media acquisition.

Display of Hard Disk Serial Number
Are you tired of removing the suspect hard drive to document the serial number from the label? Hard disk acquisitions with EnCase® Forensic now read and document the true serial number and the volume serial number for the media. NOTE: Acquisitions made with versions 1–5 will NOT display this information.

Quote: No NFO available. Forensic Toolkit as used in a Police Station near you

Quote: EnCase® Enterprise System Requirements

Guidance Software recommends the following minimum hardware requirements for EnCase® Enterprise Edition:

SAFE
• Windows 2000 or 2003 Server
• 1.5+ GHz Pentium IV Processor (2.4 GHz Pentium IV Processor or better recommended)
• 512 MB of RAM (1 GB or more recommended)
• 1 dedicated USB Port / Gigabit Network Card
• Not recommended for Evidence storage

EXAMINER
• Windows 2000, XP, Vista or 2003 Server
• 2.0 GHz Pentium IV Processor (3.0 GHz Pentium IV Processor or better recommended)
• 1 GB of RAM (2 GB or more recommended)
• 1 dedicated USB Port (when not using NAS) / Gigabit Network Card
• Ample data storage for evidence file acquisitions recommended (500GB or more)

SERVLET
• Available for Windows, NT, 2000, XP, Vista and 2003 Server; Linux kernel 2.4 and above, designed for Red Hat, SuSE & Mandrake; Sun Solaris 8 & 9, both 32- and 64-bit processors, AIX 4.3, 5.1,5.2 & 5.3 and MAC OSX version 10.2,10.3, & 10.4.

Download link from STF.
Not installation-tested or security-checked; users bear the consequences themselves and this forum is not responsible.
Software copyright belongs to the original authors and their companies; if you like it, please buy a genuine copy.



Article link: http://www.books51.com/304729.html