Home > EnCase Field Intelligence Model > How it Works

How EnCase® Field Intelligence Model Works

EnCase Field Intelligence Model is based on the EnCase Enterprise technology and consists of the same five components; i.e. the SAFE, Examiner, Servlet, Enterprise Connection and Snapshot capability.

The first two (2) components are installed and managed on the same laptop:

SAFE (Secure Authentication For EnCase)
The component used to authenticate users, administer access rights, retain logs of EnCase transactions, broker communications and provide for secure data transmission. The SAFE communicates with the Examiner and target node using 128 bit AES encrypted data streams to protect inter-component communication

The Examiner
Software installed on a computer where authorized investigators perform live investigations on designated systems. This software leverages the robust functionality of the world's leading standard in investigative enforcement, EnCase Forensic, with network-enhanced capabilities to conduct investigations on live machines with little or no disruption.

Servlet
A non-intrusive, auto-updating, passive software agent that is installed on workstations and servers to be investigated. Connectivity is established between the SAFE/Examiner, and the Servlet to analyze and acquire devices that have the Servlet installed. The Servlet has special stealth capabilities for the most challenging environments. Servlets run on the following operating systems: All Windows operating systems, Linux kernel 2.4 and above, Solaris 8/9 both 32 & 64 bit and Macintosh OSX.

Enterprise Connection
A secure virtual connection that is established between the laptop (SAFE/Examiner) and the target machine.

Snapshot
Snapshot quickly captures volatile data, providing detailed information on what was occurring on a system at a given point in time.