Encase question

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
keydet89
Senior Member
 

Re: Encase question

Posted: May 03, 08 16:20

A quick call to the sales office at GSI would've answered that question for you.  
 
  

seanmcl
Senior Member
 

Re: Encase question

Posted: May 03, 08 17:30

I don't speak for GSI but Encase V6 is the first version to support 64-bit Windows (Vista will not be supported until V6.11).

What you may be referring to is the fact that some of the modules were not supported in earlier 64-bit V6 versions but that is no longer the case.

A more important issue, as far as I am concerned, is that there have been some ongoing issues with V6 (not specific to 64-bit, AFAIK), which have forced some users to downgrade to V5. I have had no problems with 6.10 on Windows 2003 64-bit but, as the saying goes, your mileage may vary.

If you did need to go to V5 I would check to make sure that it is supported in 32-bit mode on a 64-bit OS or configure a system for dual boot so that it isn't an issue.  
 
  

Jegham
Member
 

Re: Encase question

Posted: May 04, 08 21:49

I have Vista Home and I installed EnCase 6.8 and it's working perfectly.

Under Vista:
Right click EnCase.exe, click on the compatibility tab and select "Run this program in compatibility mode for Windows XP".  
 
  

seanmcl
Senior Member
 

Re: Encase question

Posted: May 05, 08 19:44

- Jegham
I have Vista Home and I installed EnCase 6.8 and it's working perfectly.


At the risk of repeating myself, in the US anyway, this would be risky under the best of circumstances.

One of the core concepts regarding the admissibility of digital forensic evidence is that the process be validated and repeatable. This is especially true where proprietary systems such as EnCase are used. Even if you were to do validation testing, yourself, and I doubt that any client would pay for that, you'd be up against the fact that Guidance Software has stated that EnCase running on Vista will NOT be supported until 6.11, which is not out yet.

So, the vendor, themselves, will not certify the configuration you are running. Furthermore, GSI will not say and we cannot know, for certain, what are the issues with versions of EnCase prior to 6.11. We could guess, but I wouldn't want to do that in a court of law. So you are left with the vendor stating that your configuration is unsupported and you are going to argue that you know better?

Supposing, on the basis of your representing yourself as a forensic expert and qualified EnCase examiner, that I hired you to image the computer of one of my employees, a sales agent who, I believe, is selling product to our distributors at lower than market prices and then taking kickbacks on the retail sales of product.

I sue him in court and your evidence is introduced. At pretrial hearings the admissibility of your evidence is successfully challenged on the basis of the fact that even Guidance Software won't say your acquisition/analysis is valid because they don't support your configuration.

I lose the case. Now I sue you for negligence (you knew the configuration was unsupported but you used it, anyway) and fraud (you represented that you were a skilled forensic examiner while failing to mention that you used configurations which were unverifiable).

I ask for damages, including your fees, as well as the Defendant's legal fees that I was forced to pay when I lost the case.

Are you really willing to take that chance because I can tell you that I have seen evidence challenged on exactly the basis of the scenario I outlined?

We're dealing with issues of evidence. Whether or not we can hack the system to work in an unsupported configuration is not the point if we're thrown out of court.  
 
  

Jonathan
Senior Member
 

Re: Encase question

Posted: May 05, 08 21:11

seanmcl, I understand your point, however it appears that supported copies of EnCase are the only tools that people should use otherwise they stand a good chance of having their work rejected by the courts. I like EnCase but I don't think it should be given that much kudos.

Any version of EnCase running on XP/Vista/Server 2003 or whatever is not going to put files (or meta-data about those files) there that didn't previously exist. At worst it may miss something - and this is to the 'other' side's benefit, not yours. Dual-tool verification carried out in every case an examiner does would also go quite a way in backing up the examiner in the scenario you paint. For example it takes 5 minutes in WinHex to check the physical starting sector of the key items of evidence you've found. Now, that's not entirely comprehensive but shows the court you have verified the existence and location of major evidential artefacts with a completely separate tool.

Also, one of the main tenets that forensic examiners follow (in the UK at least) is that any evidence you produce must be repeatable by a fellow examiner. So whether you use EnCase, FTK, iLook, Linux tools, etc., and on whatever platform, one of your peers is able to reproduce the same results. Assuming you have a decent report backed up by sufficient contemporaneous notes this wouldn't be a problem.

Rigorous methodology vs. lawyer’s bull basically. Sometimes the lawyer's bull wins but we as forensic specialists shouldn't concede the fight to them too easily.  
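The dual-tool check Jonathan describes above (confirming with a separate tool that the key artefacts really exist at the physical location the primary tool reports) can be scripted so that it is repeatable by another examiner. The following is an added example, not code from this thread or from EnCase, WinHex or any other tool named in it. It assumes a raw (dd-style) image with 512-byte sectors and a primary-tool report that gives, for each item, its starting sector, length in bytes and SHA-256; the image it runs against is a constructed sample built inside the script.

```python
import hashlib

SECTOR_SIZE = 512  # assumption: 512-byte sectors, as on the disks of that era


def build_sample_image():
    """Construct a tiny 16-sector 'disk image' with one known file placed at sector 5.

    Returns (image_bytes, start_sector, length, sha256_hex): the same three facts a
    primary tool's report would state about an evidential item. Constructed sample
    data, not a real acquisition.
    """
    image = bytearray(SECTOR_SIZE * 16)
    payload = b"CONFIDENTIAL price list: distributor rate 0.62 of list price\n" * 20
    start_sector = 5
    offset = start_sector * SECTOR_SIZE
    image[offset:offset + len(payload)] = payload
    return bytes(image), start_sector, len(payload), hashlib.sha256(payload).hexdigest()


def read_extent(image, start_sector, length, sector_size=SECTOR_SIZE):
    """Read `length` bytes starting at a physical sector; None if the extent is off the image."""
    offset = start_sector * sector_size
    if start_sector < 0 or length < 0 or offset + length > len(image):
        return None
    return image[offset:offset + length]


def verify_item(image, start_sector, length, expected_sha256, sector_size=SECTOR_SIZE):
    """Independently confirm that the bytes at the reported location hash to the reported value.

    A False `match` means either the item is not where the report says it is or its
    content differs; either way the discrepancy goes into the contemporaneous notes.
    """
    data = read_extent(image, start_sector, length, sector_size)
    if data is None:
        return {"start_sector": start_sector, "length": length, "match": False,
                "error": "extent lies outside the image"}
    actual = hashlib.sha256(data).hexdigest()
    return {"start_sector": start_sector, "length": length,
            "expected_sha256": expected_sha256, "actual_sha256": actual,
            "match": actual == expected_sha256.lower()}


def verify_report(image, items, sector_size=SECTOR_SIZE):
    """Check every item in a primary tool's report.

    `items` are dicts with start_sector, length and sha256 keys (hypothetical report
    layout). Returns (per-item results, number of items that failed to verify).
    """
    results = [verify_item(image, it["start_sector"], it["length"], it["sha256"], sector_size)
               for it in items]
    return results, sum(1 for r in results if not r["match"])


if __name__ == "__main__":
    img, sec, ln, digest = build_sample_image()
    report = [
        {"start_sector": sec, "length": ln, "sha256": digest},       # correct entry
        {"start_sector": sec + 1, "length": ln, "sha256": digest},   # deliberately wrong sector
    ]
    results, bad = verify_report(img, report)
    for r in results:
        print(r)
    print("items failing verification:", bad)
```

Running this against a real image means opening the image file in binary mode and passing its contents (or a memory-mapped view) as `image`; the sector size and the report layout are the two assumptions to adjust for the tool actually in use.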
 
  

seanmcl
Senior Member
 

Re: Encase question

Posted: May 05, 08 22:09

Jonathan:

I was not trying to put too much weight on EnCase, rather, I was saying that in the US, various rules of evidence and civil procedure, clarified by case law, have become increasingly more specific about what constitutes evidence. Just as Daubert, Frye and Kumho have raised the bar with respect to who can qualify as an expert, case law has also started to clarify the notion of what constitutes digital forensic evidence.

It is a fairly clear principle that if you use a tool for other than its intended, warranted, purpose, the burden of proof is on you to show why the evidence gathered through the use of that tool should be admitted. Even if the court allowed me to present evidence obtained by using a software configuration which the vendor has explicitly stated is not supported, I would be sure to get a legal challenge and the result would be that my client would pay more in legal fees than they would have if I had just done it the way the vendor intended it.

Clients are not particularly happy to pay to defend arguments which could have been avoided if one had simply followed the instructions. Moreover, "experts" have been sued by their former clients for malpractice, fraud and negligence for showing up in court with "evidence" that was subsequently declared inadmissible because the expert had not prepared or handled it in a way consistent with standard operating practice.

I'm not saying that these rules apply outside the US. What I am saying is that it is prudent to consider what the other side might throw at you when you are making your case. To give them something as simple as the fact that you used a product in a manner which the developer/vendor does not support is handing them an opportunity that they wouldn't, otherwise, have.  
 
  

Jonathan
Senior Member
 

Re: Encase question

Posted: May 05, 08 22:36

- seanmcl

What I am saying is that it is prudent to consider what the other side might throw at you when you are making your case.


I certainly agree with you on this basic principle. I've had plenty of discussions with fellow examiners on things which could fall into this category, such as 'do you need to wipe clean a HDD before putting an image on it?'. The answer being no, but it can make things easier for you in court.

What it seems to come down to is that non-computer forensic people (i.e., lawyers) are deciding how we should work, what tools we should use and on what platform rather than us. Perhaps this is inevitable though?
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 