skip navigation


Register for Latest Research

Stay Informed
Register with NCJRS to receive NCJRS's biweekly e-newsletter JUSTINFO and additional periodic emails from NCJRS and the NCJRS federal sponsors that highlight the latest research published or sponsored by the Office of Justice Programs.

NCJRS Abstract

The document referenced below is part of the NCJRS Virtual Library collection. To conduct further searches of the collection, visit the Virtual Library. See the Obtain Documents page for direction on how to access resources online, via mail, through interlibrary loans, or in a local library.


NCJ Number: 228226 Add to Shopping cart Find in a Library
Title: Test Results for Digital Data Acquisition Tool: EnCase 6.5
Corporate Author: National Institute of Standards and Technology (NIST)
United States of America
Date Published: September 2009
Page Count: 122
Sponsoring Agency: National Institute of Justice (NIJ)
Washington, DC 20531
National Institute of Justice/NCJRS
Rockville, MD 20849
National Institute of Standards and Technology (NIST)
Gaithersburg, MD 20899-3460
NCJRS Photocopy Services
Rockville, MD 20849-6000
Grant Number: 2003-IJ-R-029
Sale Source: National Institute of Justice/NCJRS
Box 6000
Rockville, MD 20849
United States of America

NCJRS Photocopy Services
Box 6000
Rockville, MD 20849-6000
United States of America
Document: PDF
Type: Test/Measurement
Format: Document
Language: English
Country: United States of America
Annotation: Test results are presented on the Guidance Software, EnCase, version 6.5, a digital data acquisition tool, under the Computer Forensics Tool Testing (CFTT) program.
Abstract: Except for four test cases, the EnCase acquired all visible and hidden sectors completely and accurately from the test media without any anomalies. The following six anomalies were observed: 1) if a logical acquisition is made of an NTFS partition, a small number of sectors, seven in the executed test, appear in the image file twice, replacing seven other sectors that fail to be acquired; 2) if a logical acquisition is made of an NTFS partition, the last physical sector of the partition is not acquired; 3) if the tool attempts to acquire a defective sector with an error granularity greater than one sector, some readable sectors near the defective sector are replaced by zeros in the created image file; 4) HPA and DCO hidden sectors can be acquired completely if FastBlock SE is used as a write blocker during an acquisition; 5) for some partition types when imaged as a logical acquisition, if a logical restore is performed there may be a small number of differences in file system metadata between the image file and the restored partition; and 6) for some removable USB devices that have been physically acquired, there may be a small number of differences in file system metadata between the image file and the restored device. The CFTT program, a joint project of the National Institute of Justice (NIJ) and the National Institute of Standards and Technology's, Office of Law Enforcement Standards and Information Technology Laboratory seeks to provide measurable assurance to practitioners, researchers, and other applicable users that the tools used in computer forensics investigations provide accurate results. This document reports the results from testing EnCase, version 6.5, against the Digital Data Acquisition Tool Assertions and Test Plan Version 1.0. Figures
Main Term(s): Data collections
Index Term(s): Computer software; Computers; Criminal investigation; Forensic sciences; Investigations; Testing and measurement
Note: NIJ Special Report
To cite this abstract, use the following link:

*A link to the full-text document is provided whenever possible. For documents not available online, a link to the publisher's website is provided. Tell us how you use the NCJRS Library and Abstracts Database - send us your feedback.