±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35886
New Yesterday: 2 Visitors: 115

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Does EnCE cover tool validation?

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Patrick4n6
Senior Member
 

Does EnCE cover tool validation?

Post Posted: Jul 11, 09 21:29

I have had a copy of the study guide for EnCE for quite a while, and I've gone over it, and never found a section on tool validation.

To the EnCEs out there, did you cover tool validation at all in your Guidance provided training, or in the EnCE testing process?
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 
  

douglasbrush
Senior Member
 

Re: Does EnCE cover tool validation?

Post Posted: Jul 11, 09 21:49

I have not come across any tool validation from my Guidance training courses. I am testing in August and from what I understand the test would not cover it either.  
 
  

binarybod
Senior Member
 

Re: Does EnCE cover tool validation?

Post Posted: Jul 14, 09 20:50

- douglasbrush
I have not come across any tool validation from my Guidance training courses. I am testing in August and from what I understand the test would not cover it either.


Maybe that would uncover too many inconsistencies Wink  
 
  

hogfly
Senior Member
 

Re: Does EnCE cover tool validation?

Post Posted: Jul 14, 09 21:16

You won't see tool validation in a course that is vendor specific..because tool validation is commonly done by comparing against another tool. No vendor will recommend a competitor....  
 
  

Patrick4n6
Senior Member
 

Re: Does EnCE cover tool validation?

Post Posted: Jul 16, 09 09:13

- hogfly
You won't see tool validation in a course that is vendor specific..because tool validation is commonly done by comparing against another tool. No vendor will recommend a competitor....


Validation against another tool is one method, however you can validate instead against a known data set, which doesn't require a second tool. Most of my initial validations were done against a hex editor, which isn't really a competitor... well until WinHex was made into X-Ways. My imaging tool validations were done against good old dd.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 
  

seanmcl
Senior Member
 

Re: Does EnCE cover tool validation?

Post Posted: Jul 16, 09 17:29

I am unclear about the meaning of "validation". Encase performs many functions. Acquisition and restore, for example, can be validated through such methods as bitwise comparison and MD5 checksums.

But other functions that Encase (or any tool), performs may be more difficult to "validate" and, perhaps, unnecessary. After all, the evidence is not what Encase finds (or does not find), but what you, as the examiner, conclude from the findings.

For example, suppose that you use Encase to carve out web mail. Does the fact that Encase does not find a particular message indicate that it doesn't exist or never existed on the system? No. That would be your conclusion as the examiner.

The Encase training courses emphasize how to manually do what Encase automates before teaching you the way to automate some functions in Encase. The reason, of course, is so that trainees can learn and be able to explain how Encase does what it does. But it also helps trainees to understand the limits of the technology. Encase (or FTK or ProDiscover or xxx), helps the examiner to locate and organize data as part of an investigation. But it isn't a substitute for the experience of the investigator.

Validation comes from being able to demonstrate that what you have found and/or concluded from an Encase examination, could be found and/or concluded, independantly, using a different method or tool.  
 

Page 1 of 1