Home > EnCase Forensic > Modules

• EnCase Virtual File System (VFS)
• EnCase Physical Disk Emulator (PDE)
• EnCase Decryption Suite (EDS)
• FastBloc® Software Edition (SE)
• CD-DVD Module

EnCase Virtual File System*

• Mounts evidence at the cases, case, device, volume, or folder level as a read-only network share. (It appears as a network share to the local operating system but the share is not available to other users over the network).
• VFS provides an easy platform for information or evidence review in a read-only state outside of the EnCase environment.
• Provides an intuitive platform for evidence to be reviewed by case agents/investigators, opposition experts, prosecutors and defense counsel.
• Files contain the same file system artifacts as contained in EnCase, including all allocated files, deleted files, internal system files as well as alternate data streams and unallocated space.
• Once mounted, the read-only media is available to any native application, including Windows Explorer and third-party Windows applications or computer forensic tools such as file carving utilities, virus checkers, spyware detectors, trojan detectors, steganography detectors, word indexers, undelete software and encryption detection software.
• Review evidence with non-EnCase users.
• File Systems supported: DOS (FAT 12/16/32, NTFS), Linux (EXT2, EXT3, Reiser), UNIX (Solaris UFS), Macintosh (HFS, HFS+), BSD (FFS), CD/DVD (Joliet, ISO 9660, UDF, DVD) and Palm (Palm OS).
• Easily mounts Windows RAIDS, Dynamics Disks rebuilt by EnCase and drives compressed or encrypted by NTFS.

▲top

• Mounts images of hard drives or CDs as read-only local drives.
• Enables the use of third party tools on forensic data exposed by EnCase.
• When using VMware, PDE enables the examiner to boot and interact with the computer in the same state as it was when the evidence was captured.
• Provides a platform for juries to view digital evidence in a way that they may better understand.
• Reduces the number of drive restores, saving time and money needed to stock hard drives.
• PDE can mount a number of file systems not recognized by Windows Explorer, but still recognized and bootable by VMware. While Windows does not read the Linux and Free BSD formats, the following file system formats are still bootable with VMware: Windows (DOS, FAT 12/16/32, NTFS), Linux (SuSE, Red Hat and Mandrake), Free BSD and NetWare.

▲top

• Support for Microsoft® Encrypting File System (EFS) encrypted files and folders, including domain-authenticated accounts.
• Support for decryption of PC Guardian® and Utimaco® disk-based encryption products.
• Support for Outlook® PST passwords, (Except Outlook 2004).
• Enables the automatic decryption and analysis of the Windows registry protected storage area for Internet Explorer®.

▲top

*The above three modules (VFS, PDE and EDS) are only available through the purchase of ProSuite for EnCase Enterprise users. EnCase Forensic and FIM users may purchase each module seperately.

FastBloc® Software Edition

FastBloc SE provides speed, reliability and versatility — as well as the convenience of being able to conduct a forensically sound acquisition or investigation without hardware devices.

IDE/SATA Support on a number of popular PCI controller cards:


• Promise Ultra 133 TX2
• Promise SATA 150 TX2plus
• SIIG UltraATA/133 PCI
• Promise Ultra100 TX2
• SIIG Ultra ATA 100 PCI RAID


• Safely acquire every sector on hard drives, outside the number normally presented by Windows, to overcome the issues involving Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs) on IDE and SATA hard drives.
• Wipe every sector of IDE hard drives, outside the number normally presented by Windows.
• Restore IDE hard drives to identical-size IDE hard drives.

SCSI Support with the following:
• Adaptec 29160 Controller Card
• Granite Digital SCSIVue Removeable 68-pin Hot-Swap SCSI Drive Bay (P/N 5153)

Plug and Play Support:
• Safely acquire IDE hard drives, using common read/write PnP adaptors.
• Safely acquire USB thumb drives — especially useful for those drives lacking write protection switches.
• Safely acquire USB external storage drives, without having to remove the enclosed IDE hard drive.
• Safely acquire FireWire external storage drives, without having to remove the enclosed IDE hard drive.

Fastbloc SE supports HPA and DCO as well as a combination of the two. Of note, the HPA is removed temporarily so the disk is not modified at the end, but DCO and the combination of HPA and DCO permanently alters the disk.
FastBloc SE users must note that EnCase can only reach HPAs and DCOs through supported IDE and SATA channels.
Please note that FastBloc SE is designed as a write-block technology for Windows acquisitions and not a decryption technology. Thumb drives using security technologies to encrypt data may still have to be overcome before an image acquisition takes place.

▲top

CD-DVD Module

• Acquire suspect media to a hard drive, verify the evidence (image) files and archive it to CD or DVD simultaneously.
• Conduct an investigation, copying/un-erasing the evidentiary findings to CD or DVD on the fly.
• Verify evidence and archive it to CD or DVD, while conducting analysis.
• Create logical evidence files of specific evidentiary files, then archive and verify the logical evidence files simultaneously.
• Export EnCase reports of evidentiary findings, bookmarks and notes straight to CD or DVD.

▲top