EnCase Forensic & EnCase Mobile Investigation Evaluation Installation Process

1. Download EnCase from the link provided.

2. When downloading EnCase you will see a screen simialr to below; select the download
button - there is no requirement to sign up

3. Once the download is complete install EnCase Forensic selecting the default settings.

4. EnCase will run automatically but will display in the top left corner “Acquisition mode only”,
so close the program as the respective license and cert files provided need to be installed.
5. Copy the provided “Evaluation License [DATE].WibuCmRau” file to the newly created
Documents\EnCase folder

6. If you wish to enable the EDS (EnCase Decryption Suite) support within EnCase please copy
the provided “Evaluation License [DATE]_EI.cert” file to the newly created C:Program
Files\EnCase20\Certs folder shown below. This will show in the About section of EnCase as
“Exported Restricted -Yes” meaning support for the Encrypted modules displayed are
supported and “EnCase Endpoint Investigator” in the top left corner of the UI will also be
displayed. The product will still have all the functionality of Encase Forensic.
7. If you wish to install EnCase without evaluating the EDS functionality do not copy the
“Evaluation License [DATE]_EI.cert” to the Certs folder. EnCase Forensic will appear in the
top left corner of the UI.

8. Media Analyzer module

For those of you who want to evaluate the new Media Analyzer module please copy the
provided “Evaluation License [DATE]_MA.Cert” to the same certs folder shown above. If you
include both cert files you will not get the “Export restricted” flag due to the fact that the
MA cert does not have it installed. Once installed the Media Analyzer module will be
displayed in the Modules list.

The OpenText Media Analyzer for Encase module is an AI computer vision technology that
scans images for content that matches certain threat categories such as pornography, CSAM
or Extremism. OpenText Media Analyzer for Encase dramatically improves productivity by
quickly identifying case relevant images. This saves valuable time by reducing the amount of
content investigators need to review to find actionable intelligence by up to 99%.

Please see the Release Notes and User Guide for more information.

9. During the installation process the CodeMeter Control Center is installed. This can be
accessed via All Apps on the start menu or from Windows system tray which will be initially
grey in colour if not previously installed.
10. Right click on the Codemeter icon and select “Show”

11. This will present to you the Codemeter Control Center. Select the File tab and Import License
option and browse to the location of the Evaluation License [DATE].wibucmrau file
(Documents\EnCase folder)

12. Once the “Evaluation License [DATE].WibuCmRau” file is installed you will notice the
presence of the EnCase license and the Codemeter icon on the Windows system tray is now
blue in colour which indicates it has been installed successfully. You can now close the
Codemeter Control Center; this will continue to run as a service
13. Run EnCase and all functionality is available to you for the term of the temporary licence 30 days
(max). The reference to Acquisition mode in the top left-hand corner should now been replaced
by EnCase Forensic.

14. Select the “About” link and that will display information about the license and expiration date.
15. License and expiration date.
 EnCase Mobile Investigator Installation.

1. If you are installing EnCase Mobile Investigator (EMI) PLEASE NOTE the installation of the
core EnCase® software as well as EnCase Mobile Investigator is required. There are also
additional dependences in this model; the complete solution requires:

• EnCase® Forensic / EnCase® Endpoint Investigator software to have been installed

• EnCase® Mobile Driver Pack
• EnCase® Recovery Collection
• .NET 4.6.1
• EnCase Mobile Investigator

In addition, if the examination computer is running Windows 7, there are additional security
hotfixes that should be installed before the Mobile Driver Pack. These are:

• Windows6.1 KB3033929
• Windows6.1 KB2921916

While the order of installation is not critical, some components need to be installed in order.
Furthermore, Microsoft .NET should already be installed as part of the Windows operating
system. If it is not, or the version installed is < .NET 4.6.1, it would be advisable to meet this
requirement as soon as possible in the installation process.

2. EnCase Mobile Driver Pack and Recovery Collection

A successful EnCase® installation is critical before progressing to the next stage of the
process that being the EnCase Mobile Driver Pack.

A point of note at this stage relates to the version of Windows installed on the Forensic
Workstation. If this is Windows 7 the Security Hot Fixes must be installed before the Mobile
Drive Pack, if Windows 10, however, this step can be ignored.

The acquisition of mobile devices is one of the most critical steps as it is with any forensic
examination. Mobile devices have many different variants, many with third-party drivers or
applications required to access the device. An example of this is Apple iTunes, required to
interface and backup iOS devices. To provide a “one-stop-shop” and to eliminate the need to
install applications, such as iTunes, the Mobile Driver Pack is required.
If EnCase Mobile Acquisition is not detected the install will notify of this requirement and end
prematurely.

With EnCase Mobile Acquisition installed, this notification will not be received; instead the
installer will progress providing the option to customize setup. At this point it is best to keep
the default options.
3. The next part of this process is optional and relates to the Samsung Android bootloader, which is
provided by the EnCase Mobile Recovery Collection install (RecoveryCollectionInstall.msi).
As in the previous steps install taking the default options with the installation directory being:

\Program Files (x86)\Guidance Software\Mobile Acquisition\EnCase Mobile Recovery Collection

Following this process will result in the below directories being present in Program Files (x86).

Next select the appropriate download link for EnCase Mobile Investigator, after a short while
you will see a similar screen and information as below; select download button, there is no
requirement to sign up. Run the EMI installer and follow the defaults.
4. Copy the provided “Evaluation License [DATE]_EMI.WibuCmRau” file to the same
Documents\EnCase folder

5. Right click on the Codemeter icon once again and select “Show”

6. Select the File tab within the Codemeter Control Center. and Import License option and browse
to the location of the “Evaluation License [DATE]_EMI.WibuCmRau” file (Documents\EnCase
folder)
7. Once the “Evaluation License [DATE]_EMI.WibuCmRau” file is installed close the Codemeter
Control Center
 8. Run EnCase Mobile Investigator and all functionality is available to you for the time of your
demo licence.

9. Select on Case for the drop-down menu and then select the Help icon.

This will display the expiration date of the licence.

That’s it, you are good to go.