EnCase Bug?

  

Re: EnCase Bug?

Post Posted: Thu Aug 25, 2011 11:37 am

- Pete
Hi Rich2005
Is it possibly a bug or is it most likely human error? As I say, I have no knowledge of the workings of EnCase, and neither of course did the judge and jury. Does it even make an automatic adjustment?


Good question. I know a few investigators that have passed off errors as 'software bugs'. I would say get him to repeat it and show how to replicate it yourself. If he can't or won't you may have your answer...
_________________
The views expressed by me do not reflect on my employer or the quality of work I produce ;)
www.forensic4cast.com 

DFICSI
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Thu Aug 25, 2011 12:04 pm

Can I just make sure that we are all singing from the same hymn sheet?

I understood, from the EnCase info, that the bug/feature/phenomenon applies to LEF (Logical Evidence Files) exhibit.L01, not to image files exhibit.E01.

Is this correct?  

GlosSteveC
Member
 
 
  

Re: EnCase Bug?

Post Posted: Thu Aug 25, 2011 12:07 pm

- Pete
Then, like the opening post says, doesn't this bring the whole integrity of EnCase into question?


Integrity is a property of people, not software.

At the risk of flaming, this thread is ridiculous. Someone somewhere had some case where some timestamp in some format on some filesystem in some evidence from some computer running some operating system set to some timezone using some form of daylight savings time adjustment interpreted by some examiner's computer running some operating system set to some timezone using some form of daylight savings time adjustment parsed by some version of some tool may have been off by an hour, and therefore there's a bug in the tool???

I'd need to understand and control for all these variables, doing lots of experiments, before commenting, let alone testifying.


Jon
_________________
Jon Stewart, Principal
(646) 719-0317 | jon @ lightboxtechnologies.com | Arlington, VA
Fast search for EnCase: www.lightgrep.com 

jonstewart
Member
 
 
  

Re: EnCase Bug?

Post Posted: Thu Aug 25, 2011 1:46 pm

Jon, thanks for your response on this matter.

There are many meanings of the word integrity. It is not just a property of people. Integrity can be applied to many things. In computing terms I see no reason why it can't be applied to software or data, to mean consistency and free from corruption.

I understand from your reply, and your comments earlier in this thread, that there are a number of variables that need to be considered. In fact this has been an education to me and I much appreciate your input. However surely if there was a bug within Encase that produced a 2 hour error, as suggested by this computer forensic expert, someone on here would have heard of it by now.  

Pete
Newbie
 
 
  

Re: EnCase Bug?

Post Posted: Thu Aug 25, 2011 1:56 pm

Right on Jon. There may be all sorts of errors, flaws, omissions, misleading and poorly understood facts that could lead to an incorrect and unsupportable conclusion. But we do not have enough to go on here.

I think the question is a valid question, but it requires an expert analysis of all the facts and issues involved. Even if the error or flaw exists or an examiner error is involved it sounds like the prosecution has identified and explained it to the satisfaction of the judge. The proper analysis of the facts sounds like it is obtainable, but the lack of an opposing expert potentially prevented that from occurring.

Maybe the EnCase bug or examiner error was an issue in this ruling but it would require more data and facts for an expert to get to it in my opinion.
However, tools have faults, examiners make mistakes, but these can be overcome by knowledgeable examiners whatever side they are on.

- jonstewart
- Pete
Then, like the opening post says, doesn't this bring the whole integrity of EnCase into question?


Integrity is a property of people, not software.
<<<snipped>>
Jon
 

rwuiuc
Member
 
 
  

Re: EnCase Bug?

Post Posted: Thu Aug 25, 2011 2:07 pm

- Pete
However surely if there was a bug within Encase that produced a 2 hour error, as suggested by this computer forensic expert, someone on here would have heard of it by now.


I wouldn't make that assumption either. :D It makes sense to ask, of course, but careful testing would reveal the truth. I once discovered what I believe was a +/- 1 hour bug in OLE timestamps (old-format MS Office docs); I've never seen anything about this before or since. Sadly, I did not write things down and validate at a later time.


Jon
_________________
Jon Stewart, Principal
(646) 719-0317 | jon @ lightboxtechnologies.com | Arlington, VA
Fast search for EnCase: www.lightgrep.com 

jonstewart
Member
 
 
  

Re: EnCase Bug?

Post Posted: Thu Aug 25, 2011 8:35 pm

- haforn
Has anyone heard of a bug in EnCase which would alter file times? I am working on an appeal which hinges on an alibi where the original prosecution report states that file access times were an hour later than on the image, and specifically that this has been changed by a bug in EnCase. No forensic expert was called to rebut this and the client was convicted pretty much on this statement.


This doesn't make a whole lot of sense. MFT timestamps are in UTC. For viewing purposes, EnCase (and other software) allows you to set the timezone so that the MAC dates are displayed in local time.

It is possible that there could be a flaw, here, but to actually change the MFT timestamps would require that EnCase altered every MFT record.

Not very likely.

In any event, as others have mentioned, you can always carve out the MFT records, yourself, and use something like Craig Wilson's decode to get the UTC times then apply the offset, yourself.

As an aside, I ALWAYS do that as a sanity check. That is to say, I always confirm the displayed timestamp with the timestamp in the MFT just to make sure that they match.  

Last edited by seanmcl on Fri Aug 26, 2011 2:16 pm; edited 1 time in total

seanmcl
Senior Member
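
The sanity check described in the post above, as an added example that is not part of the original thread or any poster's code: it decodes the four 64-bit FILETIME values at the start of an NTFS $STANDARD_INFORMATION attribute to UTC and reports which offset a tool must have applied to show a given local time. The sample bytes, the 2011-07-01 timestamp and the function names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ONE_US = timedelta(microseconds=1)
# Order of the first four fields in $STANDARD_INFORMATION content.
SI_FIELDS = ("created", "modified", "mft_changed", "accessed")

def filetime_to_utc(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // ONE_US) * 10

def parse_si_times(si_content):
    """Decode the four little-endian timestamps from carved attribute content."""
    if len(si_content) < 32:
        raise ValueError("need at least 32 bytes of $STANDARD_INFORMATION content")
    raw = struct.unpack_from("<4Q", si_content, 0)
    return {name: filetime_to_utc(v) for name, v in zip(SI_FIELDS, raw)}

def check_display(utc_time, displayed_local, expected_offset_hours):
    """Compare a tool's displayed (naive) local time with the raw UTC value.

    Returns (matches, implied_offset): the offset the tool actually applied,
    so a one-hour DST or time zone setting error is visible as a number.
    """
    implied = displayed_local - utc_time.replace(tzinfo=None)
    return implied == timedelta(hours=expected_offset_hours), implied

# Constructed sample: all four timestamps set to 2011-07-01 10:00:00 UTC.
SAMPLE_UTC = datetime(2011, 7, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_SI = struct.pack("<4Q", *[utc_to_filetime(SAMPLE_UTC)] * 4)

if __name__ == "__main__":
    accessed = parse_si_times(SAMPLE_SI)["accessed"]
    print("raw UTC access time:", accessed.isoformat())
    # Evidence machine assumed to be on UTC+1 (summer time): expect 11:00 local.
    for shown in (datetime(2011, 7, 1, 11, 0), datetime(2011, 7, 1, 10, 0)):
        ok, implied = check_display(accessed, shown, expected_offset_hours=1)
        print(shown, "matches" if ok else "MISMATCH", "implied offset:", implied)
```

A mismatch here says only that the displayed value and the stored UTC value disagree by the printed offset; the stored bytes in the image are unchanged either way.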
 
 
