Does EnCE cover tool validation?

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
Topic starter  

I have had a copy of the study guide for EnCE for quite a while, and I've gone over it, and never found a section on tool validation.

To the EnCEs out there, did you cover tool validation at all in your Guidance-provided training, or in the EnCE testing process?


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

I have not come across any tool validation from my Guidance training courses. I am testing in August and from what I understand the test would not cover it either.


   
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

> I have not come across any tool validation from my Guidance training courses. I am testing in August and from what I understand the test would not cover it either.

Maybe that would uncover too many inconsistencies ;)


   
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

You won't see tool validation in a course that is vendor-specific... because tool validation is commonly done by comparing against another tool. No vendor will recommend a competitor….


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
Topic starter  

> You won't see tool validation in a course that is vendor-specific... because tool validation is commonly done by comparing against another tool. No vendor will recommend a competitor….

Validation against another tool is one method; however, you can validate instead against a known data set, which doesn't require a second tool. Most of my initial validations were done against a hex editor, which isn't really a competitor… well, until WinHex was made into X-Ways. My imaging tool validations were done against good old dd.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I am unclear about the meaning of "validation". EnCase performs many functions. Acquisition and restore, for example, can be validated through such methods as bitwise comparison and MD5 checksums.

But other functions that EnCase (or any tool) performs may be more difficult to "validate" and, perhaps, unnecessary. After all, the evidence is not what EnCase finds (or does not find), but what you, as the examiner, conclude from the findings.

For example, suppose that you use EnCase to carve out web mail. Does the fact that EnCase does not find a particular message indicate that it doesn't exist or never existed on the system? No. That would be your conclusion as the examiner.

The EnCase training courses emphasize how to manually do what EnCase automates before teaching you the way to automate some functions in EnCase. The reason, of course, is so that trainees can learn and be able to explain how EnCase does what it does. But it also helps trainees to understand the limits of the technology. EnCase (or FTK or ProDiscover or xxx) helps the examiner to locate and organize data as part of an investigation. But it isn't a substitute for the experience of the investigator.

Validation comes from being able to demonstrate that what you have found and/or concluded from an EnCase examination could be found and/or concluded, independently, using a different method or tool.


   
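The two acquisition checks mentioned in this thread (bitwise comparison and MD5 checksums of a tool's image against a reference such as one made with dd), as an added Python example that is not from any poster or from Guidance. The function names, file names and the 1 MiB sample data set are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so large images need not fit in memory

def md5_of(path):
    """MD5 hex digest of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def first_difference(path_a, path_b):
    """Bitwise compare: offset of the first differing byte, None if identical.
    If one file is a truncated copy, the offset is where the shorter one ends."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            block_a, block_b = a.read(CHUNK), b.read(CHUNK)
            if block_a != block_b:
                for i, (x, y) in enumerate(zip(block_a, block_b)):
                    if x != y:
                        return offset + i
                return offset + min(len(block_a), len(block_b))
            if not block_a:
                return None
            offset += len(block_a)

def validate_image(reference, candidate):
    """Compare a tool's image against a reference image of the same source."""
    return {"md5_match": md5_of(reference) == md5_of(candidate),
            "first_difference": first_difference(reference, candidate)}

def demo():
    """Constructed known data set: one reference and three candidate images."""
    known = bytes(range(256)) * 4096  # 1 MiB of known content (constructed)
    cases = {"good": known,
             "flipped": known[:70000] + b"\xff" + known[70001:],
             "truncated": known[:-512]}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference.dd")  # stands in for the dd reference image
        ref.write_bytes(known)
        for name, data in cases.items():
            img = Path(tmp, name + ".img")  # stands in for the tool's output
            img.write_bytes(data)
            results[name] = validate_image(ref, img)
    return results
```

Calling `demo()` returns one result per candidate image; the offset from `first_difference` tells you where to look in a hex editor when the hashes disagree.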