±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 2
New Yesterday: 10
Overall: 27382
Visitors: 63

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

EnCase Bug?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2, 3, 4, 5, 6  Next 
  

EnCase Bug?

Post Posted: Fri Dec 10, 2010 9:58 am

Has anyone heard of a bug in EnCase which would alter file times? I am working on an appeal which hinges on an alibi where the original prosecution report states that file access times were an hour later than on the image, and specifically that this has been changed by a bug in EnCase. No forensic expert was called to rebutt this and the client was convicted pretty much on this statement.

I've never herard of it, nor can I repeat in the lab what the original prosecution report says has happened - that is, that the file times hve been changed by a 'known bug'. This is NOT a BST/GMT issue, nor an interpretation issue between US and UK date format. Prosecution evidence is that it is a bug within EnCase. I can't see it myself as it seems to call the integrity of EnCase itself into question

I wondered if anyone has seen this or has any ideas?

Steve  

haforn
Newbie
 
 
  

Re: EnCase Bug?

Post Posted: Fri Dec 10, 2010 10:04 am

Not come across it myself. Have you raised this with Guidance? If not, why? Am sure they'd be keen to bottom it out.
_________________
Forensic Control
twitter.com/ForensicControl 

Jonathan
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Fri Dec 10, 2010 10:09 am

Earlier versions of EnCase had a date/time bug AFAIK. But surely the easiest way to find out the facts would be to examine and interpret the $MFT entry yourself?

Edit: unless the prosecution is talking about DST, which isn't a bug with EnCase, it is an option which is enabled by default and can be turned off.  

Chris_Ed
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Fri Dec 10, 2010 11:02 am

EnCase doesn't have "bugs" - like Windows it has "features" j/k There is the view IMO that EnCase like any other program, "forensic" or otherwise, still has to make interpretations and parse raw data to present easily readable information for people. This process is not with out its flaws and this is why it is advisable to use multiple programs to verify results. Was EnCAse the only program used?

One question, when you say "an hour later than on the image" what does that mean? By the file time stamping of the image file or in EnCase under the times and dates acquired.  

douglasbrush
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Fri Dec 10, 2010 11:56 am

If its a "known bug" then simply ask the prosecution to show it to you. Failing that just go into the MFT entry for the files in question and work it out manually, ten minute job. Or virtualise the image and look at the properties in windows, screenshot -> print -> exhibit A.

Im amazed that anyone got convicted on a last accessed time, I tend to avoid them like the plague because they're so unreliable.  

Xennith
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Fri Dec 10, 2010 7:18 pm

From Guidance Software Knowledge Base

Critical Time Error in Logical Evidence File
Affected Products

EnCase
Summary

Some users have experienced a one hour time shift in Logical Evidence Files.
Explanation/Resolution
Prerequisites/Assumptions
Prior to v6.6, when files were added to an LEF, EnCase applied the current device/volume time zone adjustments to the time that was stored in the LEF.

Therefore, if the time zone for the device supported DST, file times in the LEF would be written to include that offset. We believed this was the best way to store the time so that user settings would be preserved. In certain instances it allowed for DST offsets to be applied twice. Because date/times in an LEF are not stored with time zone references, when an examiner’s system interpreted them relative to GMT, it could apply the DST offset again, even though it had already been applied when the file was added.

In v6.6, we changed the way EnCase stores the date, and simply pass through the time as it relates to GMT, with no offset. The date will then be displayed from the LEF with the DST adjustments exactly as it would have in the original evidence.

Although we believed that the original implementation was the best, users pointed out the potential problems, so we made the change in v6.6.
_________________
EnCE 

Earn
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Thu Dec 16, 2010 9:14 am

I'm horrified to think that anyone could ever be convicted of anything more serious than jaywalking because of a 1 hour time shift in last accessed times. Hopefully there is far more evidence involved in this conviction.

I tend to treat timestamps as a tolerance range, i.e. the event occurred sometime +/- 24 hours within the listed timestamp. Coming down to an hour, especially on a flimsy last accessed timestamp, is setting oneself up to fail.

There's far too little information in this post to speculate about a "bug" in EnCase--in defense of all forensics tools and their timestamp handling, a lot of timestamp analysis depends on interpretation, point of view, and obscure design decisions. I think it is very important in this instance to understand the precise data, at a binary level; what kind of a timestamp it is (e.g., NTFS last accessed, MS Word OLE timestamp, etc.); the OS version of the computer; the timezone and DST settings on the computer; the operating system, timezone, and DST settings on the examiner's computer; the version of EnCase; whether the event occurred in summer vs winter; how the timestamp was presented in evidence; the interpretation of that timestamp, etc., etc.

When the matters come down this level of precision, it's important to understand that all these variables play a role, and the only way to be sure is to test the impact they all have and present those findings.


Jon
_________________
Jon Stewart, Principal
(646) 719-0317 | jon @ lightboxtechnologies.com | Arlington, VA
Fash search for EnCase: www.lightgrep.com 

jonstewart
Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 6
Go to page 1, 2, 3, 4, 5, 6  Next