Encase 7 - Refund
Re speed issues: I have kept on thinking it must be something to do with my VMs or some need to defragment, but honestly, as soon as I start up V6.19 the processing appears to be so much quicker there. But I have 8GB allocated, Win7 x64, 4 cores of a dual X5570 Xeon (HP Z800).
Is it really just an issue with V7, or are there some kind of tweaks that must be made to my VM (Windows 7 x64)?
Seeing your criticism makes me wonder whether to cut my losses (in time and expense) and just use V6.19.
So nice to know we are not alone
As of last week we have upgraded from version 7 to version 6.19. And, no, that is not me being tongue in cheek. “Upgrading” back to the previous version actually allowed us to get something done. I'm not sure about looking for a refund because we already have SMS support and did not pay extra for the new version. But I know people here internally are questioning whether we will stay with EnCase if version 7 is what the future holds. I find that sad; we have always been pretty much exclusively an EnCase shop.
Anyway, I thought I'd at least share my experiences with others, for what it is worth.
We switched to the new version in November and used it until last week. The main reason for the switch: I liked the idea of the upfront process explorer feature. Of course, this is the one feature that had the most problems. We found ourselves waiting weeks for one component of process explorer to finish or, more than likely, crash after running for weeks. It did not matter which component it was; they all had problems of one sort or another.
We followed a lot of advice from several support cases we opened. Including placing the EnCase cache file on a dedicated drive, and ultimately upgrading the motherboard, processor, and memory of the forensic hardware. We tried everything, even spending more money to try to remove any roadblocks.
Simple things like the ability to refresh a manual search so you could examine the results while the search was still running are completely gone. You now have to wait until the searching is done. Did I mention the issues with process explorer? And now that we have gone back to 6, I realize how much I appreciate all my evidence showing up on the screen and not having to go from one screen to the next or wait for it to load so I could view it.
I found the directed searches a bit confusing, but could have learned that. It’s a new interface, I expect a bit of a learning curve. However, the software wants you to focus on creating an index to speed searching up. Well, that would be great if indexing actually completed in a timely manner, or at all. And I was not trying to index evidence that I would consider large. I had indexing failing on 500GB of data and less. Both in the old evidence format, and the new.
The final straw for us was support closing a ticket because they could not replicate the issue. The issue: recovery of folders. I had tried to avoid the recover folders option of the process explorer and do it the way I did in version 6. Right-click, recover folder structure. Worked in 6, should work in 7; it's a menu option, right? Well, I did that and then could not get the evidence to “mount” again (unless I deleted the cache). It was still there in the case itself, I just could not open/mount it to do anything. Support told me that was not the preferred method to recover folders, and that it had always been problematic (news to me). So, at their request, I used process explorer to attempt to recover folders. Same result. The response from support was then to close the ticket.
Bottom line for us - now that we are back at version 6 we have been able to perform forensic engagements again. When we began to look at how much time it would take to manage the use of the product, or create a methodology to deal with the shortcomings (i.e. use only one component of process explorer on one piece of evidence at a time, copy the cache if the process completed so you have a fall back point, start next component of process explorer on same evidence, rinse repeat) instead of actually using it for investigations, it became obvious we could not move forward.
I wonder how widespread the issues are - other users?
When I have some more time here (we are not a large forensic lab) I will try to work through the 702 issues.
I will keep an eye on this thread for possible help with the myriad of issues.
- Senior Member
I find that Digital Forensic research and results are a specific field of "critical" data.
We all know how - in theory - each and every investigator should be in first instance a "scientist", be almost "all knowing" and validate him/herself each and every single bit of evidence and method that was used to acquire data or interpret them.
But we also all know how - in practice - because of the time allowed, budget and a number of other reasons, including (judging from some of the posts on this Forum, which I think is one of the most "respectable" ones) the presence in the profession of people who have not in the least the mentality of investigators, let alone of scientists - a large amount of processing is done through the use of software similar to the one discussed here, "taking as good" whatever the software provides.
Should my perception on this be correct, the issue is very serious (and not limited to this specific app).
I mean, if the tools used are not "reliable" or "too difficult" for the average user, there is a great risk of having either:
- a case (where the suspect is actually guilty) dismissed or not even brought to Court for incompleteness of the collected data or errors in the procedure creating exception by the defense
- a case (where the suspect is innocent) brought forward on the basis of incomplete or erroneous interpretation of the data
If the number of such cases (hopefully later found out and corrected/reconsidered) is going to increase due to "issues" with the tools used, the risk is that the entire field of "Digital Forensics" loses importance or "image" in the eyes of LE officers and/or magistrates.
The specific reports in this thread are from knowledgeable users of the tool in a previous version who suddenly find out that procedures they were used to are no longer possible, or create errors and whatnot.
If you prefer, these people are able to make a comparison between their previous experience and the new version of the tool.
What will happen to a new user that starts learning with this specific version for the first time?
Will he/she "skip" some steps because this version does not create the expected result correctly?
AFAICU the reason why lots of professionals use these proprietary tools (besides the fact that they are familiar with them, and that they have useful capabilities) is also - and I will risk saying "mainly" in some cases - because they represent a "de facto standard", and thus a report made with them is rarely challenged/cross-examined/reviewed in detail by the "other party" in a trial, i.e. the validation of the tool and methods used is assumed to have been carried out extensively by the software maker.
Surely this is not a very "ethical" approach, but it is the way I suspect things go in real life.
If you take reliability out of a "mission critical" tool, you are left with really nothing in your hands, and I am surprised that the "switch" between two versions of a same product can be so difficult.
Why didn't Guidance make an extensive Beta test (with beta testers being people really "on the field" and expert)?
Or was this done and none of the reported issues were found?
Maybe a possible solution for the future of this and similar commercial tools would be to actually hire a few of the most expert members of the Digital Forensics community (and pay them for their time) to have them test and troubleshoot (and - somehow - validate) new releases?
- In theory there is no difference between theory and practice, but in practice there is. -
- Senior Member
Many times there are specific software tools that will carry out the specialist tasks, and when you want a tool to provide an overall forensic analysis of the operating system, you just want the thing to work, be reliable and accurate. Is that too much to ask?
- Senior Member