Belkasoft Evidence Center EnCase Integration
Users of Guidance Software's powerful EnCase product can take advantage of the
BelkasoftDataImport script which allows importing Instant Messenger
chats, Browser histories, Emails, Social Networ, Cloud Applications, Multi-user
online games and other data, extracted by
Evidence Center, to EnCase. BelkasoftDataImport is an EnCase
package, available for FREE.
In order to use BelkasoftDataImport package, you should install
the following products to your computer:
- EnCase 7.xx (the package has been tested with version 7.02-7.10)
Belkasoft Evidence Center
5.0 build 413 and later, any edition
Copy BelkasoftDataImport.EnPack file from EnScript subfolder of Belkasoft Evidence Center installation folder to your EnCase script folder.
By default, it is
"<Encase installation directory>\EnScript\EvidenceProcessor", e.g. "C:\Program
package file under the scripts EnCase folder
Copy the script license file BelkasoftIntegration.EnLicense
to your EnCase license folder. By default, it is
"<EnCase installation directory>\License", e.g. "C:\Program Files\EnCase7\License\"
Belkasoft license file under the licenses EnCase folder
In your "<EnCase installation directory>\EnScript\EvidenceProcessor" folder open
"ModuleList.EnScript" file. If this file does not exist, create it.
Add the following code string there: include "BelkasoftDataImport.EnPack":
Add some evidence files to your case and open "Evidence Processor". In "Evidence
Processor" select evidence file you would like to analyze. You should see "Belkasoft
Data Import" module in module list. Click on OK button.
Belkasoft Evidence Center will start. You will be asked twice for carving and existing
files analysis. You can skip one of these by clicking on Cancel button in a corresponding
Wait untill all tasks are finished. During analysis you can cancel any task you
like in the Task Manager window. When all tasks are finished or canceled, close
Evidence Center. Once you've done that, data is imported to EnCase.
In EnCase navigate to Records node, select analyzed drive image and open "Belkasoft
Data Import – Records":
Under "Belkasoft Data Import – Records" you will find all the results extracted
by Belkasoft Evidence Center: