±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 2
New Yesterday: 3
Overall: 27483
Visitors: 44

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

EnCase Bug?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2, 3, 4, 5, 6  Next 
  

Re: EnCase Bug?

Post Posted: Tue Jan 29, 2013 6:26 am

I'm both amazed and disappointed that nobody seems to know anything about this defect.  

Pete
Newbie
 
 
  

Re: EnCase Bug?

Post Posted: Tue Jan 29, 2013 1:25 pm

Pete, what difference does it make what bugs were in a long-superseded version of EnCase? The comments posted in this thread demonstrate that forensic examiners recognize that all software has bugs, so we don't place our trust in any one tool. There are lots of ways to examine file metadata in the MFT and elsewhere, so again, what difference does it make what defects existed in an old version of EnCase?
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 

TuckerHST
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Tue Jan 29, 2013 3:46 pm

Pete

As mentioned it was a bug that was apparent in two minor releases of Encase and a minor bug at that. 99.99% of cases wont rely on the time being right to that accuracy and if they did then a competent examiner would probably double check.

Of course what is interesting is that all your posts are on this thread, you dont seem to want to let the matter drop and your profile records you as an out of work engineer - now I may be totally off the mark and overly suspicious (apologies in advance if I am) but that makes me wonder whether you have been on the wrong side of an investigation where you think this bug was relevant.
_________________
Paul Sanderson
Forensic Toolkit for SQLite
sandersonforensics.com...ic-Toolkit
www.twitter.com/sandersonforens
www.facebook.com/recon...resoftware 

PaulSanderson
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Wed Jan 30, 2013 6:03 am

- PaulSanderson
... makes me wonder whether you have been on the wrong side of an investigation where you think this bug was relevant.

Out of pure curiosity, what would this - if the guess is correct - change? Question

I mean from a pure "scientifical" or "knowledge" point of view?

This bug (whatever it is/was related to) either was there or it wasn't, and was either resolved or it was not (and this fix - if it was implemented - was either cited in the release notes for later version or it was not), no matter what the reasons asking for information about it are.

@Pete
Personally, I don't think that whining or hinting that expert members of the board familiar with Encase are incompetent will help to get an answer (or better answers). Rolling Eyes

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Wed Jan 30, 2013 7:29 am

- Pete
I'm both amazed and disappointed that nobody seems to know anything about this defect.


Well, Guidance release notes are not exactly easy to read or search, or useful even when you do find what you look for. There's no way to search for '24149' and get a hit -- you have to read the pages. And they are/were all named 'new.chm' so they tended to get overwritten, unless you were paranoid, and always installed encase in separate directories yourself.

Anyway, the entry for 24149 says only 'IM Archive Parser' Yahoo date/time incorrect.

Nothing more.

Presumably refers to interpretation of logs from Yahoo Messenger, but that's just my guess.  

athulin
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Wed Jan 30, 2013 7:45 am

- jaclaz
Out of pure curiosity, what would this - if the guess is correct - change? Question


Nothing in relation to the bug - but if this was an expert with an issue I expect the replies already posted would have cut this thread down by about 50%, as it is we see the same person, who "seems" to have an axe to grid, not allowing the thead to die.

I have seen this many times over the years when working for both prosecution and defence, where a suspect fixates on a minor point/bug/whatever which has no impact on the strength of the ecase against him and an inordinate amount of time (and money) is spent going over old ground.
_________________
Paul Sanderson
Forensic Toolkit for SQLite
sandersonforensics.com...ic-Toolkit
www.twitter.com/sandersonforens
www.facebook.com/recon...resoftware 

PaulSanderson
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Thu Jan 31, 2013 7:09 am

- PaulSanderson


I have seen this many times over the years when working for both prosecution and defence, where a suspect fixates on a minor point/bug/whatever which has no impact on the strength of the ecase against him and an inordinate amount of time (and money) is spent going over old ground.

I see. Smile

But then, wouldn't the "standard" procedure be to re-process the "original" hard disk image again, TWO times, first with the older version, and then with the one that supposedly fixed the bug (if any) and look for differences in results?

I mean, the guys who (inadvertently) introduced the bug are most probably the same ones that "solved/fixed" it later, there is no guarantee of any kind that the solution or fix has been effective or 100% effective, no matter at which length the bug and it's fix are documented in a change log or release note.

@athulin
Nice to know about the "new.chm" naming, a rather smart approach 8O, if I may, since the documents are "release notes" not including previous history, I mean, a "plain", "normal" changelog is "progressive" includes (logs) ALL changes since at least first public release, that is what "allows" to name it "fixed" as changelog.txt.



jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 5 of 6
Go to page Previous  1, 2, 3, 4, 5, 6  Next