EnCase can't recognize Chinese characters filenames on Linux

11 Posts
7 Users
0 Likes
1,247 Views
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Hi,

Last week my friend brought me an evidence file duplicated from a Linux server, whose distribution is CentOS 5.0 and whose i18n is zh-tw. She wants to know whether there is any malware on this Linux server or not. OK. Let's get to work. I added this evidence and ran Evidence Process. Guess what??? EnCase could not recognize Chinese character folder names / filenames, and those folder names / filenames became Hieroglyphics. I am very disappointed and don't know what to say to my friend… I guess I have to explain why EnCase may need night vision goggles when examining Linux platform evidence files. It's too ridiculous!

You guys could take a look at my blog to see what's going on.
http://www.cnblogs.com/pieces0310/p/4525846.html

Needless to say, my friend also could not believe the #1 forensic tool - EnCase - should have problems like that. Fortunately I still have other options like FTK or X-Ways Forensics to take over this case. You guys could take a look at the screenshot in my blog. I mounted these evidence files by using FTK Imager Lite. You can see the Chinese character folder names / filenames now. I'd like to remind you that FTK Imager Lite is a free tool…

 
Posted : 24/05/2015 12:06 pm
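The "hieroglyphics" the original poster describes are the usual symptom of a tool decoding raw filename bytes with the wrong code page. The following Python is an added example, not code from this thread or from EnCase/FTK: it shows a Chinese filename as the bytes a Linux filesystem stores, what those bytes look like when decoded as a Windows code page, and a try-in-order recovery. It assumes the server ran a zh_TW.UTF-8 locale (the thread only says "zh-tw"), with Big5 shown as a second, also assumed, possibility; the name "報告.txt" is a constructed sample.

```python
from typing import Tuple

# Added example, not code from the thread or from EnCase/FTK. It shows why a
# Chinese filename stored on a Linux filesystem turns into "hieroglyphics" in a
# tool that decodes names with a Windows code page, and how to recover it.
# Assumptions: the server ran a zh_TW.UTF-8 locale, so names were written as
# UTF-8 bytes; Big5 is shown as a second, also assumed, possibility.
# "報告.txt" ("report.txt") is a constructed sample name.

SAMPLE_NAME = "報告.txt"  # constructed sample


def stored_bytes(name: str, encoding: str = "utf-8") -> bytes:
    """ext3 and friends store a filename as raw bytes; the locale that was
    active when the file was created decides which encoding those bytes use."""
    return name.encode(encoding)


def mojibake(raw: bytes, wrong_codec: str = "cp1252") -> str:
    """What an examiner sees when the tool assumes a Windows code page.
    cp1252 leaves a few bytes undefined (0x81, 0x8D, ...), so undefined ones
    are kept as \\x escapes instead of raising."""
    return raw.decode(wrong_codec, errors="backslashreplace")


def guess_decode(raw: bytes,
                 candidates: Tuple[str, ...] = ("utf-8", "big5", "gb18030")
                 ) -> Tuple[str, str]:
    """Try plausible codecs in order and return (codec, text).

    UTF-8 goes first because it is strict: Big5 or GB text almost never
    happens to be valid UTF-8, while the reverse check is not reliable. This
    is a heuristic; a name of only one or two bytes can be ambiguous."""
    for codec in candidates:
        try:
            return codec, raw.decode(codec)
        except UnicodeDecodeError:
            continue
    # Last resort: latin-1 never fails and is lossless, but unreadable.
    return "latin-1", raw.decode("latin-1")


def show(name: str, encoding: str) -> None:
    """Print the stored bytes, the mojibake, and the recovered name."""
    raw = stored_bytes(name, encoding)
    codec, text = guess_decode(raw)
    print(f"{encoding:6} bytes={raw!r}")
    print(f"        wrong codec shows: {mojibake(raw)}")
    print(f"        recovered via {codec}: {text}")


if __name__ == "__main__":
    show(SAMPLE_NAME, "utf-8")
    show(SAMPLE_NAME, "big5")
```

On a mounted image the same check can be run against real names by listing the directory with a bytes path (`os.listdir(b"/mnt/share")` returns raw bytes on Linux) and passing each entry to `guess_decode`, which makes the encoding the examiner is assuming explicit rather than left to the tool.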
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Last week my friend brought me an evidence file duplicated from a Linux server, which distribution is CentOS 5.0 and the i18n is zh-tw.

Hmmm. What is Thumbs.db doing there?

 
Posted : 25/05/2015 9:23 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Hi,

There is a Samba service providing file and printer sharing on the Linux server. As you could see in the screenshot, the mount point is "share" and there are lots of Chinese character folders/files in it.

What will you do if EnCase could not show those Chinese character folder names / filenames? I bet forensic guys will go crazy and start to smash computers (or EnCase)… Also forensic guys need to find some excuse when in court…like "Your Honor, that's not my problem…it's a bug and I've told Guidance to solve this bug ASAP…" But guess what? People will believe what their eyes see, and so does the Judge. Don't expect the Judge to understand and accept this "bug".

 
Posted : 27/05/2015 5:21 am
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

#1 forensics tool? says who? guidance website??!

 
Posted : 27/05/2015 6:48 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Hello, Ni Hao Ma?

You may want to try a Linux based version of Autopsy/The Sleuth Kit.

I use DEFT (www.deftlinux.com) which has The Sleuth Kit built in.

DEFT is free to use.

I do not perform malware analysis, but I believe DEFT has some malware analysis tools built in as well.

One very helpful and powerful feature of DEFT's The Sleuth Kit is the Super Timeline Creation tool.

One can use The Sleuth Kit to create an Excel spreadsheet of all of the files on your forensic image and sort them in chronological order.

You will need to ask true experts like Harlan Carvey about malware analysis, but perhaps having a super timeline will allow you to pinpoint when the malware was introduced to the server.

One important note is that Linux does not have a Windows type registry to analyze.

Instead, Linux creates a fixed number of index nodes ("iNodes") for each storage device and then assigns newly created files iNode numbers.

Also, Linux tracks CTIME, or Change Time, which can be the time a file is first assigned an iNode value but also can represent the time a file grows or shrinks in size a significant amount.

Regards,

Larry

 
Posted : 27/05/2015 8:39 pm
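The "super timeline" Larry describes (every file sorted chronologically, with ctime as one of the columns) is what The Sleuth Kit's `fls -m` and `mactime` produce. The following Python is an added example, not code from this thread, DEFT or The Sleuth Kit: it re-implements mactime's sorting step over a constructed body-format listing so the output can be seen without an image. The three file entries, their paths and all timestamps are constructed; the `c` column marks the inode change time that TSK records as ctime.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Added example, not code from the thread, DEFT or The Sleuth Kit. It
# re-implements the sorting step of TSK's mactime on a constructed body-format
# listing of the kind `fls -m` produces. Field order is TSK's 3.x body format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# All three entries and their timestamps below are constructed sample data.
BODY = """\
0|/share/報告.txt|1234|r/rrw-r--r--|500|500|2048|1430000000|1429990000|1429990000|0
0|/opt/unknown/agent|5678|r/rrwxr-xr-x|0|0|98304|1431500000|1431490000|1431495000|0
0|/var/log/messages|91|r/rrw-r-----|0|0|120000|1431600000|1431599000|1431599000|0
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid",
          "size", "atime", "mtime", "ctime", "crtime")
INT_FIELDS = ("size", "atime", "mtime", "ctime", "crtime")


def parse_body(text: str) -> List[Dict]:
    """Split body-format lines into dicts; a 0 timestamp means 'not recorded'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        row = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def build_timeline(rows: List[Dict]) -> List[Dict]:
    """One event per (timestamp, file); the macb column marks which of
    mtime, atime, ctime (inode change) and crtime fell on that second."""
    hits = defaultdict(set)
    by_key = {}
    for r in rows:
        key = (r["name"], r["inode"])
        by_key[key] = r
        for letter, field in (("m", "mtime"), ("a", "atime"),
                              ("c", "ctime"), ("b", "crtime")):
            if r[field] > 0:
                hits[(r[field], key)].add(letter)
    timeline = []
    for ts, key in sorted(hits):
        r = by_key[key]
        timeline.append({
            "ts": ts,
            "utc": datetime.fromtimestamp(ts, tz=timezone.utc)
                           .strftime("%Y-%m-%d %H:%M:%S"),
            "macb": "".join(l if l in hits[(ts, key)] else "." for l in "macb"),
            "size": r["size"], "mode": r["mode"], "uid": r["uid"],
            "gid": r["gid"], "inode": r["inode"], "name": r["name"],
        })
    return timeline


def to_csv(timeline: List[Dict]) -> str:
    """CSV text for a spreadsheet. Write it to disk with encoding='utf-8-sig'
    so Excel keeps the Chinese filenames intact instead of mangling them."""
    buf = io.StringIO()
    cols = ["utc", "macb", "size", "mode", "uid", "gid", "inode", "name"]
    writer = csv.DictWriter(buf, fieldnames=cols, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(timeline)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline(parse_body(BODY))))
```

Reading the output top to bottom shows the point of the timeline: a file whose mtime and ctime differ produces two separate rows, so a metadata change that did not touch content still appears at its own moment, and the spreadsheet's filename column is only as good as the encoding it was written with.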
(@athulin)
Posts: 1156
Noble Member
 

Guess what??? EnCase could not recognize Chinese character folder names / filenames, and those folder names / filenames become Hieroglyphics. I am very disappointed and don't know what to say to my friend…

Haven't used v7, so I can't say. Might be something simple, like not having the correct font installed, and getting a bad replacement by the font machinery. Something is wrong with your screen dumps, as they certainly do not show hieroglyphics.

But your first stop should be the EnCase support forum.

When you do, remember to identify the file system.

 
Posted : 27/05/2015 9:02 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

[…]

But your first stop should be the EnCase support forum.

[…]

HAHAHAHAHAHA! Hahahahaha! Haha… wait… you are serious? mrgreen
(my emphasis)

 
Posted : 28/05/2015 5:22 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

HAHAHAHAHAHA! Hahahahaha! Haha… wait… you are serious? mrgreen
(my emphasis)

I find the sentence extremely accurate

[…]

But your first stop should be the EnCase support forum.

[…]

though it could be more accurate if the definition of "stop" could be clarified.

There are "stops" meaning "stop (temporarily) then continue" and "stops" meaning "stop and never progress anymore", the second definition is IMHO more suitable to the sentence, possibly it could be bettered as
But your first, only and last stop should be the EnCase support forum.

OT 😯 , but as often happens not that much, it is possible that the OP has not taken the full training by Guidance Software wink
http://www.forensicfocus.com/Forums/viewtopic/t=10736/

jaclaz

 
Posted : 28/05/2015 7:31 pm
(@athulin)
Posts: 1156
Noble Member
 

HAHAHAHAHAHA! Hahahahaha! Haha… wait… you are serious? mrgreen
(my emphasis)

Most certainly. The postings from Guidance on topics that they have not seen or somehow are blind to for other reasons usually fail to impress me, but they have some experience in discovering where people assume too much of their product, and they have seen quite a number of common faults and known bugs.

There are, however, several other posters with wide experience and exposure to various situations. I was also thinking of those.

So I must naturally assume your immoderate laughter applies also to them.

 
Posted : 29/05/2015 6:07 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Actually this issue has been submitted to Guidance but there has been no positive response so far…they just said that they have to do some testing and debugging…

I won't stop talking about bugs in EnCase/FTK until those bugs are fixed… That would be good for forensic guys.

 
Posted : 12/06/2015 8:07 pm
Page 1 / 2