EnCase Bug?
Re: EnCase Bug?
Posted: Tue Jan 29, 2013 7:26 am
I'm both amazed and disappointed that nobody seems to know anything about this defect.
-

Pete - Newbie
Re: EnCase Bug?
Posted: Tue Jan 29, 2013 2:25 pm
Pete, what difference does it make what bugs were in a long-superseded version of EnCase? The comments posted in this thread demonstrate that forensic examiners recognize that all software has bugs, so we don't place our trust in any one tool. There are lots of ways to examine file metadata in the MFT and elsewhere, so again, what difference does it make what defects existed in an old version of EnCase?
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com
-

TuckerHST - Senior Member
Re: EnCase Bug?
Posted: Tue Jan 29, 2013 4:46 pm
Pete
As mentioned it was a bug that was apparent in two minor releases of Encase and a minor bug at that. 99.99% of cases won't rely on the time being right to that accuracy and if they did then a competent examiner would probably double check.
Of course what is interesting is that all your posts are on this thread, you don't seem to want to let the matter drop and your profile records you as an out of work engineer - now I may be totally off the mark and overly suspicious (apologies in advance if I am) but that makes me wonder whether you have been on the wrong side of an investigation where you think this bug was relevant.
_________________
Paul Sanderson
Reconnoitre, VSC processing made easy - www.sandersonforensics...oitre.html
www.twitter.com/sandersonforens
-

PaulSanderson - Senior Member
Re: EnCase Bug?
Posted: Wed Jan 30, 2013 7:03 am
- PaulSanderson
... makes me wonder whether you have been on the wrong side of an investigation where you think this bug was relevant.
Out of pure curiosity, what would this - if the guess is correct - change?
I mean from a pure "scientifical" or "knowledge" point of view?
This bug (whatever it is/was related to) either was there or it wasn't, and was either resolved or it was not (and this fix - if it was implemented - was either cited in the release notes for later version or it was not), no matter what the reasons asking for information about it are.
@Pete
Personally, I don't think that whining or hinting that expert members of the board familiar with Encase are incompetent will help to get an answer (or better answers).
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: EnCase Bug?
Posted: Wed Jan 30, 2013 8:29 am
- Pete
I'm both amazed and disappointed that nobody seems to know anything about this defect.
Well, Guidance release notes are not exactly easy to read or search, or useful even when you do find what you look for. There's no way to search for '24149' and get a hit -- you have to read the pages. And they are/were all named 'new.chm' so they tended to get overwritten, unless you were paranoid, and always installed encase in separate directories yourself.
Anyway, the entry for 24149 says only 'IM Archive Parser' Yahoo date/time incorrect.
Nothing more.
Presumably refers to interpretation of logs from Yahoo Messenger, but that's just my guess.
-

athulin - Senior Member
Re: EnCase Bug?
Posted: Wed Jan 30, 2013 8:45 am
- jaclaz
Out of pure curiosity, what would this - if the guess is correct - change?
Nothing in relation to the bug - but if this was an expert with an issue I expect the replies already posted would have cut this thread down by about 50%, as it is we see the same person, who "seems" to have an axe to grind, not allowing the thread to die.
I have seen this many times over the years when working for both prosecution and defence, where a suspect fixates on a minor point/bug/whatever which has no impact on the strength of the case against him and an inordinate amount of time (and money) is spent going over old ground.
_________________
Paul Sanderson
Reconnoitre, VSC processing made easy - www.sandersonforensics...oitre.html
www.twitter.com/sandersonforens
-

PaulSanderson - Senior Member
Re: EnCase Bug?
Posted: Thu Jan 31, 2013 8:09 am
- PaulSanderson
I have seen this many times over the years when working for both prosecution and defence, where a suspect fixates on a minor point/bug/whatever which has no impact on the strength of the case against him and an inordinate amount of time (and money) is spent going over old ground.
I see.
But then, wouldn't the "standard" procedure be to re-process the "original" hard disk image again, TWO times, first with the older version, and then with the one that supposedly fixed the bug (if any) and look for differences in results?
I mean, the guys who (inadvertently) introduced the bug are most probably the same ones that "solved/fixed" it later, there is no guarantee of any kind that the solution or fix has been effective or 100% effective, no matter at which length the bug and its fix are documented in a change log or release note.
@athulin
Nice to know about the "new.chm" naming, a rather smart approach 8O, if I may, since the documents are "release notes" not including previous history, I mean, a "plain", "normal" changelog is "progressive" includes (logs) ALL changes since at least first public release, that is what "allows" to name it "fixed" as changelog.txt.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
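
The re-processing check suggested in the last post (run the same image through the older and the newer tool version, then compare results) can be sketched as follows. This is an added example, not part of the thread and not EnCase output: the CSV column names (`record_id`, `sender`, `timestamp_utc`) and both sample exports are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample exports (hypothetical columns, not EnCase's real format).
OLD_EXPORT = """record_id,sender,timestamp_utc
1,alice,2012-03-04 10:15:00
2,bob,2012-03-04 10:16:30
3,alice,2012-03-04 11:00:05
4,bob,2012-03-05 09:00:00
"""
NEW_EXPORT = """record_id,sender,timestamp_utc
1,alice,2012-03-04 15:15:00
2,bob,2012-03-04 15:16:30
3,alice,2012-03-04 11:00:05
5,bob,2012-03-05 09:30:00
"""

def load(text):
    """Map record_id -> parsed timestamp for one tool export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["record_id"]: datetime.strptime(r["timestamp_utc"], "%Y-%m-%d %H:%M:%S")
            for r in rows}

def diff_exports(old_text, new_text):
    """Compare two runs over the same image and classify every record."""
    old, new = load(old_text), load(new_text)
    changed = {rid: int((new[rid] - old[rid]).total_seconds())
               for rid in old.keys() & new.keys() if new[rid] != old[rid]}
    return {
        "only_old": sorted(old.keys() - new.keys()),   # dropped by the newer version
        "only_new": sorted(new.keys() - old.keys()),   # found only by the newer version
        "unchanged": sorted(rid for rid in old.keys() & new.keys() if rid not in changed),
        "changed": changed,                            # record_id -> shift in seconds
        # A single repeated delta points to a systematic conversion change;
        # several different deltas need record-by-record review.
        "delta_histogram": dict(Counter(changed.values())),
    }

if __name__ == "__main__":
    result = diff_exports(OLD_EXPORT, NEW_EXPORT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A difference between the two runs shows which records the version change touched; it does not show which run is right, so changed records still need checking against the raw data or a second tool.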
















