Encase question

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
  

calimelo
Senior Member
 

Encase question

Post Posted: May 03, 08 12:34

Hi all,

Does the 32-bit EnCase software work with 64-bit Windows? Or should I buy the 64-bit version? I am not sure they upgrade the 64-bit version as often as the 32-bit version.

Thanks a lot  
 
  

keydet89
Senior Member
 

Re: Encase question

Post Posted: May 03, 08 16:20

A quick call to the sales office at GSI would've answered that question for you.  
 
  

seanmcl
Senior Member
 

Re: Encase question

Post Posted: May 03, 08 17:30

I don't speak for GSI but Encase V6 is the first version to support 64-bit Windows (Vista will not be supported until V6.11).

What you may be referring to is the fact that some of the modules were not supported in earlier 64-bit V6 versions but that is no longer the case.

A more important issue, as far as I am concerned, is that there have been some ongoing issues with V6 (not specific to 64-bit, AFAIK), which have forced some users to downgrade to V5. I have had no problems with 6.10 on Windows 2003 64-bit but, as the saying goes, your mileage may vary.

If you did need to go to V5 I would check to make sure that it is supported in 32-bit mode on a 64-bit OS or configure a system for dual boot so that it isn't an issue.  
 
  

calimelo
Senior Member
 

Re: Encase question

Post Posted: May 04, 08 19:28

Thanks for the replies,

I am about to buy a Xeon 3.2 quad computer with 8 GB of RAM and I thought since the system is 64-bit, buying the EnCase 6 64-bit version would be a logical choice. I made up my mind on buying the new Apple Mac Pro, thus I'd have a dual boot machine with both Unix and Windows flavors. As I ordered a demo machine, the salesman reminded me that I couldn't use more than 2 gigs of memory in the Windows XP 32-bit version. Then I decided to post this post here. From my earlier readings I recall some of the forum readers use Opteron and/or Xeon machines. I am just curious what are your choices for EnCase software?

Thank you once again

Kaan  
 
  

Jegham
Member
 

Re: Encase question

Post Posted: May 04, 08 21:49

I have Vista Home and I installed EnCase 6.8 and it's working perfectly.

Under Vista:
Right click EnCase.exe, click on the compatibility tab and select "Run this program in compatibility mode for Windows XP".  
 
  

seanmcl
Senior Member
 

Re: Encase question

Post Posted: May 05, 08 19:44

- Jegham
I have Vista Home and I installed EnCase 6.8 and it's working perfectly.


At the risk of repeating myself, in the US anyway, this would be risky under the best of circumstances.

One of the core concepts regarding the admissibility of digital forensic evidence is that the process be validated and repeatable. This is especially true where proprietary systems such as EnCase are used. Even if you were to do validation testing, yourself, and I doubt that any client would pay for that, you'd be up against the fact that Guidance Software has stated that EnCase running on Vista will NOT be supported until 6.11, which is not out yet.

So, the vendor, themselves, will not certify the configuration you are running. Furthermore, GSI will not say and we cannot know, for certain, what are the issues with versions of EnCase prior to 6.11. We could guess, but I wouldn't want to do that in a court of law. So you are left with the vendor stating that your configuration is unsupported and you are going to argue that you know better?

Supposing, on the basis of your representing yourself as a forensic expert and qualified EnCase examiner, that I hired you to image the computer of one of my employees, a sales agent who, I believe, is selling product to our distributors at lower than market prices and then taking kickbacks on the retail sales of product.

I sue him in court and your evidence is introduced. At pretrial hearings the admissibility of your evidence is successfully challenged on the basis of the fact that even Guidance Software won't say your acquisition/analysis is valid because they don't support your configuration.

I lose the case. Now I sue you for negligence (you knew the configuration was unsupported but you used it, anyway) and fraud (you represented that you were a skilled forensic examiner while failing to mention that you used configurations which were unverifiable).

I ask for damages, including your fees, as well as the Defendant's legal fees that I was forced to pay when I lost the case.

Are you really willing to take that chance because I can tell you that I have seen evidence challenged on exactly the basis of the scenario I outlined?

We're dealing with issues of evidence. Whether or not we can hack the system to work in an unsupported configuration is not the point if we're thrown out of court.  
 
  

Jonathan
Senior Member
 

Re: Encase question

Post Posted: May 05, 08 21:11

seanmcl, I understand your point, however it appears that supported copies of EnCase are the only tools that people should use otherwise they stand a good chance of having their work rejected by the courts. I like EnCase but I don't think it should be given that much kudos.

Any version of EnCase running on XP/Vista/Server 2003 or whatever is not going to put files (or meta-data about those files) there that didn't previously exist. At worst it may miss something - and this is to the 'other' sides' benefit, not yours. Dual-tool verification carried out in every case an examiner does would also go quite a way in backing up the examiner in the scenario you paint. For example it takes 5 minutes in WinHex to check the physical starting sector of the key items of evidence you've found. Now, that's not entirely comprehensive but shows the court you have verified the existence and location of major evidential artefacts with a completely separate tool.

Also, one of the main tenets that forensic examiners follow (in the UK at least) is that any evidence you produce must be repeatable by a fellow examiner. So whether you use EnCase, FTK, iLook, Linux tools, etc. and on whatever platform, one of your peers is able to reproduce the same results. Assuming you have a decent report backed up by sufficient contemporaneous notes this wouldn't be a problem.

Rigorous methodology vs. lawyer’s bull basically. Sometimes the lawyer's bull wins but we as forensic specialists shouldn't concede the fight to them too easily.  
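
The dual-tool check described in the post above (confirming with a separate tool that an artefact sits at the physical sector the primary tool reported) can be scripted against a raw image. This is an added example, not part of the original thread and not code from any forensic product; the report field names, the 512-byte sector size, the SHA-256 hash and the sample image are all assumptions constructed for illustration.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumption: 512-byte sectors

def build_sample_image():
    """Constructed 64-sector raw image with two planted artefacts."""
    img = bytearray(64 * SECTOR_SIZE)
    jpeg = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" * 20
    note = b"constructed price list for distributor X\n" * 10
    img[10 * SECTOR_SIZE:10 * SECTOR_SIZE + len(jpeg)] = jpeg
    img[40 * SECTOR_SIZE:40 * SECTOR_SIZE + len(note)] = note
    return bytes(img), jpeg, note

def verify_findings(image, findings, sector_size=SECTOR_SIZE):
    """Re-read each reported item straight from the image and compare hashes.

    findings: dicts with name, start_sector, length and sha256, as they might
    be exported from the primary tool's report (hypothetical field names).
    Returns {name: verdict} for the examiner's contemporaneous notes.
    """
    image.seek(0, io.SEEK_END)
    image_size = image.tell()
    results = {}
    for item in findings:
        offset = item["start_sector"] * sector_size
        if offset + item["length"] > image_size:
            results[item["name"]] = "out of range"  # report disagrees with image geometry
            continue
        image.seek(offset)
        digest = hashlib.sha256(image.read(item["length"])).hexdigest()
        results[item["name"]] = "verified" if digest == item["sha256"] else "hash mismatch"
    return results

def demo():
    raw, jpeg, note = build_sample_image()
    findings = [  # constructed report entries
        {"name": "photo.jpg", "start_sector": 10, "length": len(jpeg),
         "sha256": hashlib.sha256(jpeg).hexdigest()},
        # Sector deliberately reported one too high: must not verify.
        {"name": "prices.txt", "start_sector": 41, "length": len(note),
         "sha256": hashlib.sha256(note).hexdigest()},
        # Reported location lies past the end of the image.
        {"name": "ghost.doc", "start_sector": 64, "length": 100, "sha256": "0" * 64},
    ]
    return verify_findings(io.BytesIO(raw), findings)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Any entry that does not come back as "verified" is a discrepancy between the two tools to resolve and document before the report is relied on.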
 
