EnCase Bug?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)

Re: EnCase Bug?

Post Posted: Fri Aug 26, 2011 12:40 am

Really to emphasize what Sean is saying - there is no reason in 2011 for someone doing forensics not to have multiple tools for checking MAC times off an MFT. As a habit/SOP I always dump out the MFT and run in another program: MFT Analyzer, MFT Ripper, MFT Parser (just to name a few) as well as create a file/dir listing in FTK Imager to cross check and do independent MFT verification. Takes little time (you can do while other things are running) and these programs are low cost or free. And if you are using EnCase you can see the stampings in the raw view to decode - again to reiterate what Sean said.

Part of the forensic process is setting a controlled environment and being skeptical about what you are seeing. You need to take a few minutes as you start each case analysis to gather a few data points and outputs to confirm that what you are seeing in one program is accurate in comparison in another. Most, if not all, programs geared towards forensics are still translating and interpreting very raw data glomned together. You should take the time to know how the program unglomns it. Apologize for the use of such technical terms.  

douglasbrush
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Fri Aug 26, 2011 9:38 pm

It's all very interesting, and very useful, information.

Thanks guys  

Pete
Newbie
 
 
  

Re: EnCase Bug?

Post Posted: Fri Aug 26, 2011 9:53 pm

There are probably a lot of people who are just not as skilled as you are or are new to the business, and could use some help in this particular area.

Maybe you could post a small step by step to help others


- douglasbrush
Really to emphasize what Sean is saying - there is no reason in 2011 for someone doing forensics not to have multiple tools for checking MAC times off an MFT. As a habit/SOP I always dump out the MFT and run in another program: MFT Analyzer, MFT Ripper, MFT Parser (just to name a few) as well as create a file/dir listing in FTK Imager to cross check and do independent MFT verification. Takes little time (you can do while other things are running) and these programs are low cost or free. And if you are using EnCase you can see the stampings in the raw view to decode - again to reiterate what Sean said.

Part of the forensic process is setting a controlled environment and being skeptical about what you are seeing. You need to take a few minutes as you start each case analysis to gather a few data points and outputs to confirm that what you are seeing in one program is accurate in comparison in another. Most, if not all, programs geared towards forensics are still translating and interpreting very raw data glomned together. You should take the time to know how the program unglomns it. Apologize for the use of such technical terms.
 

forensicakb
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Sat Aug 27, 2011 11:52 am

- forensicakb


Maybe you could post a small step by step to help others


I thought he pretty much did - if a new forensic bod couldn't follow what was said using the free tools that were mentioned then possibly they need to have a career rethink.

If something is crucial to a case then it needs to be verified with a second tool.
_________________
Paul Sanderson
Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 

PaulSanderson
Senior Member
 
 
  

Re: EnCase Bug?

Post Posted: Mon Aug 29, 2011 8:48 pm

Ok, I'll take a stab at it (for NTFS). Disclaimer: This is an example only, and I won't guarantee that it will work for ALL NTFS implementations now or in the future, but it should.

Download dcode from here:

www.digital-detective....decode.asp

Load your image into whatever forensic tool you are using and go to the Master File Table. Each record should begin with the characters "FILE" and be 1024 bytes in length. In EnCase there are scripts to identify the MFT record associated with the file or you can search for the file name within the MFT (but you'll need to know a bit more about the MFT to be sure you have the correct record).

Each MFT record consists of a number of attributes. Two of these, the STANDARD_INFORMATION and FILE_NAME attributes, contain date records. The offset to the start of the attributes is contained in the two bytes starting at offset 20 of the MFT record (usually either 48 or 56 bytes).

The STANDARD_INFORMATION attribute has a header and resident attributes starting with "10 00 00 00" for 24 bytes after which the next 24 bytes are the four 8 byte dates. If you bookmark these in EnCase and choose "Windows Date/Time" as the Data Type you'll see the records displayed as UTC times (or you can choose "Windows Date/Time(Localtime)" to see the dates and times with whatever timezone offset you have selected).

The FILE_NAME attributes (there may be more than one; why is left to the reader), begin "30 00 00 00". The file dates are the four 8 byte records at offset 8 from the start of the attribute stream which, again, is described by the two bytes starting at offset 20 of the attribute record.

Now, the question was whether EnCase had a bug which altered these attributes and I know of no such bug but it would be difficult to imagine since it would mean that EnCase would have to change every STANDARD_INFORMATION and FILE_NAME attribute for all files supposedly corrupted. But it is possible that there could be a bug in the way that these timestamps were rendered by some part of the program (I have seen that for some EnScripts that carve MFT records).

The above method will let you look at the raw data to decode the dates if you suspect an EnCase error.

Dcode is a nice little program if you want to verify EnCase formatting or if you are using a hex editor that does not have the formatting options of EnCase.

Either way, the actual dates are so easily verified, manually, that there is no excuse for NOT doing it when dealing with timestamps which are critical to the expert's opinion. Certainly, this should not have been an issue at trial (though it is unfunny what passes for expertise in this field).  

seanmcl
Senior Member
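The two posts above (douglasbrush's advice to decode the timestamps independently of the forensic suite, and seanmcl's walk-through of where they live in the MFT record) describe a procedure that is easy to script. The block below is an added example written for this page; it is not code from either poster, from EnCase, or from dcode. It follows the layout seanmcl describes (first-attribute offset at record offset 20, attribute type "10 00 00 00" / "30 00 00 00", content offset at offset 20 of the attribute header, FILE_NAME dates 8 bytes in) and decodes each 8-byte value the way EnCase's "Windows Date/Time" type does: 100-nanosecond ticks since 1601-01-01, shown in UTC. It also applies the NTFS update sequence fixups, which a raw hex view does not do for you: the last two bytes of each 512-byte sector of a real record are a placeholder and the genuine bytes sit in the record header. The sample record, file name and dates are constructed test data, not bytes from any evidence image.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS on-disk constants (published NTFS format, not EnCase-specific)
STANDARD_INFORMATION = 0x10     # attribute type, "10 00 00 00" in a hex view
FILE_NAME = 0x30                # attribute type, "30 00 00 00" in a hex view
END_OF_ATTRIBUTES = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMESTAMP_NAMES = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(raw8):
    """Decode one little-endian 8-byte FILETIME (100 ns ticks since 1601-01-01 UTC).
    This is the value EnCase shows as "Windows Date/Time", in UTC."""
    ticks = struct.unpack("<Q", raw8)[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_filetime_hex(hex_bytes):
    """Decode 8 bytes copied out of a hex view, e.g. "00 80 3E D5 DE B1 9D 01"."""
    return filetime_to_datetime(bytes.fromhex(hex_bytes)).isoformat()


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample record."""
    delta = dt - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def apply_fixups(record, sector=512):
    """Undo the update sequence array: on disk the last 2 bytes of every sector hold
    the update sequence number; the real bytes are stored in the USA in the header."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * sector
        if buf[end - 2:end] != usn:
            raise ValueError("update sequence mismatch at byte %d (torn write or not a record)" % end)
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def _timestamps(content, offset):
    """Four consecutive FILETIMEs (32 bytes) starting at `offset` in the attribute content."""
    return {name: filetime_to_datetime(content[offset + 8 * i:offset + 8 * i + 8])
            for i, name in enumerate(TIMESTAMP_NAMES)}


def parse_mft_record(record):
    """Walk the attributes of one 1024-byte MFT record and decode the
    STANDARD_INFORMATION and FILE_NAME timestamps straight from the bytes."""
    if record[:4] != b"FILE":
        raise ValueError('record does not start with "FILE"')
    record = apply_fixups(record)
    pos = struct.unpack_from("<H", record, 20)[0]          # first attribute offset (48 or 56)
    out = {"STANDARD_INFORMATION": None, "FILE_NAME": []}  # several FILE_NAME attributes are possible
    while pos + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, pos)
        if attr_type == END_OF_ATTRIBUTES or attr_len == 0:
            break
        if record[pos + 8] == 0:                                      # resident attribute
            content_off = struct.unpack_from("<H", record, pos + 20)[0]  # offset 20 of the attribute
            content = record[pos + content_off:pos + attr_len]
            if attr_type == STANDARD_INFORMATION:
                out["STANDARD_INFORMATION"] = _timestamps(content, 0)
            elif attr_type == FILE_NAME:
                entry = _timestamps(content, 8)                # dates follow the 8-byte parent reference
                name_len = content[64]                         # name length in UTF-16 characters
                entry["name"] = content[66:66 + 2 * name_len].decode("utf-16-le")
                out["FILE_NAME"].append(entry)
        pos += attr_len
    return out


def _resident_attribute(attr_type, content):
    """24-byte resident attribute header followed by the content, padded to 8 bytes."""
    length = 24 + len(content)
    length += (-length) % 8
    header = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return header + content + bytes(length - 24 - len(content))


def build_sample_record(name="evidence.txt"):
    """Constructed test data: a synthetic record whose SI and FN dates differ on purpose."""
    si = [datetime(2011, 8, 26, 0, 40, tzinfo=timezone.utc), datetime(2011, 8, 26, 1, 0, tzinfo=timezone.utc),
          datetime(2011, 8, 26, 1, 0, tzinfo=timezone.utc), datetime(2011, 8, 27, 9, 15, tzinfo=timezone.utc)]
    fn = [datetime(2011, 8, 26, 0, 40, tzinfo=timezone.utc)] * 4
    si_content = b"".join(map(datetime_to_filetime, si)) + bytes(16)          # 48-byte SI body
    fn_content = (struct.pack("<Q", 5) + b"".join(map(datetime_to_filetime, fn))
                  + struct.pack("<QQII", 0, 0, 0, 0) + bytes([len(name), 1]) + name.encode("utf-16-le"))
    attrs = (_resident_attribute(STANDARD_INFORMATION, si_content)
             + _resident_attribute(FILE_NAME, fn_content) + struct.pack("<I", END_OF_ATTRIBUTES))
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 48, 3, 0, 1, 1, 56, 1, 56 + len(attrs), 1024, 0, 3, 0, 42)
    buf = bytearray(header + bytes(8) + attrs)
    buf += bytes(1024 - len(buf))
    usn = b"\x01\x00"                       # write the update sequence number into both sector ends
    buf[48:50] = usn
    for i, end in enumerate((512, 1024), start=1):
        buf[48 + 2 * i:50 + 2 * i] = buf[end - 2:end]
        buf[end - 2:end] = usn
    return bytes(buf)
```

Run `parse_mft_record()` over a record exported from the image and compare the result with what the suite displays; any difference between the two is either a display bug or a misread of the raw bytes, and a third decoder (dcode on the 8 hex bytes, via `decode_filetime_hex`) settles which. Note that the FILE_NAME dates are usually older than the STANDARD_INFORMATION dates, as in the sample, because Windows updates them far less often; that difference is normal and not evidence of tampering on its own.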
 
 
  

Re: EnCase Bug?

Post Posted: Sun Apr 08, 2012 5:37 pm

Can anyone tell me what defect reference 24149 found in version 6.11 of EnCase is? Apparently the defect was corrected in version 6.13. Can anyone tell me what the release notes for v6.13 said about this correction?  

Pete
Newbie
 
 
  

Re: EnCase Bug?

Post Posted: Wed Apr 25, 2012 6:24 am

- Pete
Can anyone tell me what defect reference 24149 found in version 6.11 of EnCase is? Apparently the defect was corrected in version 6.13. Can anyone tell me what the release notes for v6.13 said about this correction?



Bump.

Can anyone please tell me anything about this "defect" and the correction.  

Pete
Newbie
 
 

Page 4 of 6