
SuccessStory APD

The Austin Police Department (APD) utilizes EnCase Enterprise Edition for computer forensics investigations, particularly in a recent large-scale fraud case. Detective Roy Rector highlights the software's efficiency in data acquisition and analysis, which allowed the APD to minimize the impact on the business under investigation. The use of EnCase has significantly improved the department's productivity and reduced potential liabilities during investigations.

Uploaded by joe352973

Austin Police Department Uses EnCase® Enterprise Edition to Investigate Large-Scale Fraud Case
Interview with Roy Rector, Computer Forensics Examiner, Austin Police Department, Austin, Texas USA.

The Austin Police Department (APD) covers a geographic area of 270 square miles and more than 650,000 residents of greater Austin,
Texas. Austin is the state capital, and the government offices employ approximately 20% of the population.

Detective Roy Rector has been handling computer forensics investigations for the APD for over three years. APD’s two-person team
of examiners is responsible for computer investigations and data analysis of all crimes involving computers for the city. Detective
Rector is also a certified EnCase Examiner with extensive training in Guidance Software’s EnCase® product line.

“I first learned about EnCase® in 1998 when it first came to the market,” explains Detective Rector, “Once you get into forensics, you
learn very fast that the examiner’s tool of choice is EnCase®.” After having met a Guidance Software trainer at an IASIS
organization event, Detective Rector was convinced that EnCase® Forensic Edition was the computer forensic solution that the APD
had been searching for. With grant funding and donations from the Travis County Children’s Advocacy Center, Detective Rector
purchased two copies of the software for the APD.

“The case load at the APD is so high that it’s very difficult to do ongoing research and development. My department allowed me to
take the software home to expand my knowledge base further. With approval from the Chief’s office, I was able to utilize my training
to start an off-duty part-time business working on cases for civil litigation in the city of Austin. The more experience I’m getting in my
off-duty hours, the more I have to offer my police department in my on-duty hours. My Lieutenant, Troy Gay, has been extremely
supportive of my education in the field of forensics and the development of our current forensics lab,” says Detective Rector.

“With the size of today’s hard drives averaging anywhere from 60 to 80 gigabytes, I just don’t know how you would accurately analyze
them in a timely manner with anything other than EnCase®,” he states. Recently, the APD purchased a copy of Guidance Software’s
EnCase Enterprise Edition FIM (Field Intelligence Model) to investigate a small business that was accused of defrauding the City of Austin.

In discussing the use of EnCase Enterprise Edition, Detective Rector says, “We knew we had a Windows 2000/2003 file server and
at least 12 workstations that needed to be analyzed. We also had a System Administrator that was located out of state, and we
weren’t sure he was trustworthy. I approached my chain-of-command about purchasing a copy of Guidance Software’s EnCase
Enterprise Edition. In order to properly conduct the investigation, minimizing the city’s liability to the company under investigation,
we’d need the most efficient and accurate tool available. If we would have pulled the server from this business, shutting them down,
the business could have sued the city and possibly won for the loss of productivity.”

“I provided data on industry best practices which demonstrates how shutting down the server is no longer the best practice with
the advent of EnCase Enterprise Edition. My chain of command made the decision to purchase the software as the initial outlay
was going to be far less costly than a lawsuit may have been.”

“We did have the authority from the court to seize the server in this case. We were able to secure the scene and I called the System
Administrator and requested administrative access to the server. I knew I could do the acquisition on scene and I offered the company
the ability to cooperate with us while we conducted our investigation in the least intrusive manner available. If they didn’t agree to my
having system access, we would have had the authority to seize the hardware and any loss of productivity and/or data would have
been their own responsibility. After having received access to the company’s system, I was able to install Guidance Software’s
servlets and conduct a live acquisition using a portable forensic computer plugged into an available port on their 36-port switch.”

“I ended up downloading two 33.6 SCSI drives full of data. I had brought with me enough target media for 720 gigabytes worth of
data. I walked onto the scene with six 120-gigabyte drives not knowing what to expect. We seized the workstations and conducted
the acquisition of these computers back at the APD, where we had the ability of doing four acquisitions at a time with our four
EnCase® keys. We executed the search warrant at 7am on Monday morning and had every system processed, reinstalled and up
again by noon on Wednesday. In two and a half days we had that business back up and running. We’re now working on the
analysis after having conducted a triage of the emails.”

“If it wasn’t for EnCase Enterprise Edition’s speed and efficiency and ability to acquire data through a network, the city of Austin
would be looking at a huge liability. We did everything possible to limit that company’s loss of productivity. Basically, we conducted
the data seizure in a manner which was in the best interest of the city and this company.”

“Interestingly enough, on that Wednesday afternoon the case agent called me and said that the company’s attorney was
demanding that we return their computers immediately. I told him that the computers had already been returned and have been up and
running in their business since noon! We had already done everything we needed to do by the time their attorney was calling us and
demanding that we finish. It’s great the way that EnCase® works; without it, we wouldn’t have been able to process all that information
in that short of a time period, especially with the file server on scene. While we were processing the rest of the crime scene,
EnCase Enterprise Edition was acquiring data from the server at a rate of 7 gigabytes an hour through the company’s network.”

Detective Rector concludes, “EnCase® has been a big plus for us. It limits our liability, and it makes us more efficient in the lab.
On top of that, I run two copies at once so that as I am wrapping up one case I can begin processing another. I think every
forensic examiner should have at least two copies of EnCase Forensic Edition as a minimum. If you can get the administrative
pre-analysis procedures out of the way on your next case while you’re analyzing the current case, it saves you so much time.
My immediate superiors are very supportive and know how much more productive I am using EnCase®.”

About Guidance Software


Guidance Software is the leader in computer forensics and incident response solutions. Founded in 1997 and headquartered
in Pasadena, CA, Guidance Software has offices and training facilities in California, Virginia and the United Kingdom. More
than 12,000 corporate and government investigators depend on EnCase® software, while more than 3,500 investigators attend
Guidance Software's forensic methodology training annually. Accepted by numerous courts and honored with eWEEK’s
Excellence Award and SC Magazine’s Annual Award, EnCase® software is considered the standard forensic tool. For more
information, visit Guidance Software’s Web site at www.guidancesoftware.com.

Guidance Software™
215 North Marengo Avenue, Second Floor
Pasadena, California 91101
T: 626.229.9191, F: 626.229.9199
