Notifications
Clear all

EnCase Bug?

37 Posts
19 Users
0 Likes
2,707 Views
(@haforn)
Posts: 1
New Member
Topic starter
 

Has anyone heard of a bug in EnCase which would alter file times? I am working on an appeal which hinges on an alibi where the original prosecution report states that file access times were an hour later than on the image, and specifically that this has been changed by a bug in EnCase. No forensic expert was called to rebutt this and the client was convicted pretty much on this statement.

I've never herard of it, nor can I repeat in the lab what the original prosecution report says has happened - that is, that the file times hve been changed by a 'known bug'. This is NOT a BST/GMT issue, nor an interpretation issue between US and UK date format. Prosecution evidence is that it is a bug within EnCase. I can't see it myself as it seems to call the integrity of EnCase itself into question

I wondered if anyone has seen this or has any ideas?

Steve

 
Posted : 10/12/2010 7:58 pm
(@jonathan)
Posts: 878
Prominent Member
 

Not come across it myself. Have you raised this with Guidance? If not, why? Am sure they'd be keen to bottom it out.

 
Posted : 10/12/2010 8:04 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Earlier versions of EnCase had a date/time bug AFAIK. But surely the easiest way to find out the facts would be to examine and interpret the $MFT entry yourself?

Edit unless the prosecution is talking about DST, which isn't a bug with EnCase, it is an option which is enabled by default and can be turned off.

 
Posted : 10/12/2010 8:09 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

EnCase doesn't have "bugs" - like Windows it has "features" j/k There is the view IMO that EnCase like any other program, "forensic" or otherwise, still has to make interpretations and parse raw data to present easily readable information for people. This process is not with out its flaws and this is why it is advisable to use multiple programs to verify results. Was EnCAse the only program used?

One question, when you say "an hour later than on the image" what does that mean? By the file time stamping of the image file or in EnCase under the times and dates acquired.

 
Posted : 10/12/2010 9:02 pm
(@xennith)
Posts: 177
Estimable Member
 

If its a "known bug" then simply ask the prosecution to show it to you. Failing that just go into the MFT entry for the files in question and work it out manually, ten minute job. Or virtualise the image and look at the properties in windows, screenshot -> print -> exhibit A.

Im amazed that anyone got convicted on a last accessed time, I tend to avoid them like the plague because they're so unreliable.

 
Posted : 10/12/2010 9:56 pm
 Earn
(@earn)
Posts: 146
Estimable Member
 

From Guidance Software Knowledge Base

Critical Time Error in Logical Evidence File
Affected Products

EnCase
Summary

Some users have experienced a one hour time shift in Logical Evidence Files.
Explanation/Resolution
Prerequisites/Assumptions
Prior to v6.6, when files were added to an LEF, EnCase applied the current device/volume time zone adjustments to the time that was stored in the LEF.

Therefore, if the time zone for the device supported DST, file times in the LEF would be written to include that offset. We believed this was the best way to store the time so that user settings would be preserved. In certain instances it allowed for DST offsets to be applied twice. Because date/times in an LEF are not stored with time zone references, when an examiner’s system interpreted them relative to GMT, it could apply the DST offset again, even though it had already been applied when the file was added.

In v6.6, we changed the way EnCase stores the date, and simply pass through the time as it relates to GMT, with no offset. The date will then be displayed from the LEF with the DST adjustments exactly as it would have in the original evidence.

Although we believed that the original implementation was the best, users pointed out the potential problems, so we made the change in v6.6.

 
Posted : 11/12/2010 5:18 am
(@jonstewart)
Posts: 47
Eminent Member
 

I'm horrified to think that anyone could ever be convicted of anything more serious than jaywalking because of a 1 hour time shift in last accessed times. Hopefully there is far more evidence involved in this conviction.

I tend to treat timestamps as a tolerance range, i.e. the event occurred sometime +/- 24 hours within the listed timestamp. Coming down to an hour, especially on a flimsy last accessed timestamp, is setting oneself up to fail.

There's far too little information in this post to speculate about a "bug" in EnCase–in defense of all forensics tools and their timestamp handling, a lot of timestamp analysis depends on interpretation, point of view, and obscure design decisions. I think it is very important in this instance to understand the precise data, at a binary level; what kind of a timestamp it is (e.g., NTFS last accessed, MS Word OLE timestamp, etc.); the OS version of the computer; the timezone and DST settings on the computer; the operating system, timezone, and DST settings on the examiner's computer; the version of EnCase; whether the event occurred in summer vs winter; how the timestamp was presented in evidence; the interpretation of that timestamp, etc., etc.

When the matters come down this level of precision, it's important to understand that all these variables play a role, and the only way to be sure is to test the impact they all have and present those findings.

Jon

 
Posted : 16/12/2010 7:14 pm
chrisdavies
(@chrisdavies)
Posts: 55
Trusted Member
 

EnCase doesn't have "bugs" - like Windows it has "features" j/k .

brilliant

 
Posted : 16/12/2010 10:20 pm
 Pete
(@pete)
Posts: 8
Active Member
 

Not sure if this is the same case, but in a case I was involved in the prosecution claimed that a bug in Encase V6.12 caused an adjustment for BST to be made in the wrong direction, resulting in a 2 hour error.

Has anyone heard of this.

Does the software even make an automatic adjustment or is it user error.

 
Posted : 25/08/2011 2:51 pm
(@rich2005)
Posts: 535
Honorable Member
 

I think it would help if there was a little more info to what actually happened. Are the timestamps wrong when the image is viewed in other tools, FTK/FTKI/Xways/etc rather than EnCase, and so forth.
Wouldn't seem like a hard problem to narrow down for an examiner, as from a physical evidence file it would seem odd for timestamps to be wrong, so can only presume it's the interpretation of those timestamps (based on the minimal info given). Sounds like the biggest problem in this case was that if this was a key point then a defence forensic examiner should have been instructed (or should be now).

 
Posted : 25/08/2011 3:03 pm
Page 1 / 4
Share: