
Caine 12.4 - guymager/Encase error

(@zemaria523)
Posts: 14
Active Member
Topic starter
 

Hi, we are using Caine 12.4 and acquiring some evidence with guymager. But every E01 that we create and try to open with Encase requires a password; with Caine 11 it wasn't required, and with FTK Imager it seems to open well, not asking for a password. Is there a default password to open those E01s?

 

Thank you.

 
Posted : 14/04/2022 12:38 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

As far as I know, E01 files do not natively support encryption and therefore there should be no way that it would be encrypted.

Ex01 files do support it, so are you sure that Guymager is not producing these? If it is definitely an E01, try opening with some other software such as FTK Imager (free) and see if that opens it correctly.

If it does, it's likely an Encase error; if not, it's possibly a guymager error.

Have you checked the guymager.conf file to see if a password is set?

 
Posted : 14/04/2022 10:01 am
(@zemaria523)
Posts: 14
Active Member
Topic starter
 

It opens with FTK Imager and Encase Imager (free). The error is with Encase Forensic 21. We will still use Caine 11; sometimes we acquire iMacs that only mount on Encase Forensic.

 
Posted : 14/04/2022 2:34 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

As a general rule, Encase is usually the problem. Got rid of it around version 7 and never looked back!

 
Posted : 14/04/2022 2:58 pm
(@hommy0)
Posts: 98
Trusted Member
 

The E01 evidence file with EnCase can support an access control password, however that is normally set at the point of acquisition and is optional.

Naturally if this has been set at acquisition EnCase will prompt for the password. 

This may sound very silly, but if you just hit enter (so no password entered) does EnCase load the E01?

I wonder if that field/flag for some reason has been set by the acquisition tool and hence why EnCase is prompting for it.

Are the versions of guymager the same on both versions of Caine?

As mentioned in a previous post the EX01 supports AES256 encryption.

Just some thoughts

 

 
Posted : 14/04/2022 3:12 pm
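
One way to check the two points raised so far (is the file really an E01 rather than an Ex01, and is the header's password field populated), as an added example that is not part of the original thread and is not guymager or EnCase code. It assumes the EWF-E01 layout as documented by the libewf project: a 13-byte file header, 76-byte section descriptors, and a zlib-compressed, tab-separated header text whose `p` field holds the password hash (`0` or empty when none is set). The names `read_header_fields`, `password_field_set` and `make_sample` are hypothetical.

```python
import struct, zlib

E01_SIG = b"EVF\x09\x0d\x0a\xff\x00"   # EWF v1 segment file (.E01)
EX01_SIG = b"EVF2\x0d\x0a\x81\x00"     # EWF v2 segment file (.Ex01)

def read_header_fields(data: bytes) -> dict:
    """Return the case-info fields of the first header/header2 section."""
    if data.startswith(EX01_SIG):
        raise ValueError("Ex01 (EWF2) image, not an E01")
    if not data.startswith(E01_SIG):
        raise ValueError("not an EWF/E01 segment file")
    offset = 13                          # first section follows the file header
    while offset + 76 <= len(data):
        kind = data[offset:offset + 16].rstrip(b"\x00").decode("ascii", "replace")
        next_off, size = struct.unpack_from("<QQ", data, offset + 16)
        if kind in ("header", "header2"):
            raw = zlib.decompressobj().decompress(data[offset + 76:offset + size])
            # header2 is UTF-16 with a BOM; header is single-byte text
            enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
            lines = raw.decode(enc).replace("\r", "").split("\n")
            # line 3 = field identifiers, line 4 = values
            return dict(zip(lines[2].split("\t"), lines[3].split("\t")))
        if next_off <= offset:           # last section points at itself
            break
        offset = next_off
    raise ValueError("no header section found")

def password_field_set(data: bytes) -> bool:
    """True if the 'p' field is anything other than empty or '0' (assumed 'unset')."""
    return read_header_fields(data).get("p", "") not in ("", "0")

def make_sample(p: str) -> bytes:
    """Constructed sample: file header plus one 'header' section (not a real image)."""
    text = ("1\nmain\nc\tn\ta\te\tt\tav\tov\tm\tu\tp\tr\n"
            f"case1\tev1\tdisk\tex\tnotes\t0.8.13\tLinux\t2022 4 14 0 0 0\t2022 4 14 0 0 0\t{p}\tf\n\n")
    body = zlib.compress(text.encode("ascii"))
    size = 76 + len(body)
    desc = b"header".ljust(16, b"\x00") + struct.pack("<QQ", 13 + size, size) + bytes(40)
    desc += struct.pack("<I", zlib.adler32(desc))
    return E01_SIG + b"\x01" + struct.pack("<HH", 1, 0) + desc + body

if __name__ == "__main__":
    for p in ("0", "", "constructed-hash"):
        print(repr(p), "->", password_field_set(make_sample(p)))
```

Running it over the first 64 KiB of an image acquired with each guymager version and comparing the returned fields shows whether the two versions write the `p` field differently; it says nothing about how EnCase Forensic decides to prompt.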
(@zemaria523)
Posts: 14
Active Member
Topic starter
 

If I hit enter it says that it can't be empty. With FTK Imager and Encase Imager it opens fine, so I think Encase is the problem.

 

Caine 11:

Guymager
========

Version : 0.8.11-1
Version timestamp : 2019-06-26-09.00.00 UTC
Compiled with : gcc 6.3.0 20170516
libewf version : 20140608 (not used as Guymager is configured to use its own EWF module)
libguytools version: 2.1.0
Host name : caine
Domain name : (none)
System : Linux caine 5.0.0-32-generic #34~18.04.2-Ubuntu SMP Thu Oct 10 10:36:02 UTC 2019 x86_64

 

Caine 12.4

Guymager
========

Version : 0.8.13-1
Version timestamp : 2021-08-04-17.00.00 UTC
Compiled with : gcc 8.3.0
libewf version : 20140804 (not used as Guymager is configured to use its own EWF module)
libguytools version: 2.1.0
Host name : caine
Domain name : (none)
System : Linux caine 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64

 
Posted : 14/04/2022 3:42 pm
(@rich2005)
Posts: 536
Honorable Member
 

The other obvious question would be when you say the other tools open it, do you see all of the user data, or are they just "loaded" without user data folders viewable. I'm obviously wondering if you're seeing a prompt for something like a BitLocker password (which FTKI wouldn't recognise/prompt you for - off the top of my head without checking - I may be out of date on that).

 
Posted : 14/04/2022 3:44 pm
(@zemaria523)
Posts: 14
Active Member
Topic starter
 

@rich2005 It's not BitLocker, because when I acquire with Caine 11, Encase Forensic doesn't ask for a password and mounts everything, as do FTK and Encase Imager.

 
Posted : 14/04/2022 3:53 pm