This report presents evaluation and testing results for the EnCase Portable 2.2, which can be configured to automatically search a targeted computer and collect data, including documents, Internet history and artifacts, images, and other digital evidence.
Encase Portable is a pocket-sized USB data-collection and triage solution that leverages the capabilities of EnCase. Unlike other solutions, Encase Portable can be used by non-experts, enabling scarce specialist resources to focus on case management, processing, detailed analysis, and reporting. The testing determined that EnCase Portable performed as expected and advertised, with the exception of its incorrectly identifying phone numbers in one of the tests. In another test, it was determined that the actions of booting a machine, logging onto the operating system, inserting the EnCase Portable USB stick, and executing the program resulted in some changes to files on the computer. Analysis of these changes determined that the files that were altered or added as a result of this test were operating-system and application files, not user data. In order to prepare for testing and evaluation of EnCase Portable, staff designed and configured a test bed that simulated realistic conditions. Having knowledge of what "evidence" exists on the test bed enables easy evaluation of EnCase Portable. The testing of EnCase Portable was performed in three phases. Each phase is described in detail. 3 tables and 2 figures