Does EnCase have any weak spots?
All software has its Achilles heel, right? Some employers/spyware merchants are using the profile of EnCase to effectively put the fear of god into their employees; this I believe is on the basis that fear works better than investigation - thus rendering all employees as potentially guilty of something as yet undefined - but it has led many of us to wonder; just how bullet-proof is EnCase?
I would be very keen to hear from anyone who has a working knowledge of this product and to learn of any known weaknesses that versions 4 or 5 are known to be prone to.
Any info sent to [email protected] would be gratefully received and will of course be treated in strictest confidence.
> Some employers/spyware merchants are using the profile of EnCase to effectively put the fear of god into their employees;
Can you give an example of what you mean by this?
Keep in mind…EnCase is a tool, and like any tool, is only as good/effective as the person using it. The Barrett .50-cal sniper rifle is an awesome and powerful tool, but can easily be reduced to a paperweight in the hands of someone with no idea how to use it. Likewise, EnCase has a lot of nice features, and some cool buttons to click on, but if the analyst doesn't know what's going on under the hood, or what the information means, then it ends up being a very expensive waste of time.
Its support for handling data embedded inside arbitrary formats isn't so good. It's one thing to be able to find a deleted NSF file from a hard drive, but another thing entirely to be able to decipher email communications from inside that file.
Dirk… surely that applies to all forensic tools though, not just EnCase? It merely highlights the fact that there is no one-stop solution & sometimes we need to use Brain Ver. 1.0 also…
You're absolutely correct in that. Different tools have different strengths and weaknesses. Some tools are really good at parsing formats (FTK comes to mind), others aren't so good. However, that should not be a limiting factor. If you're doing push-button, Nintendo forensics, then it would be pretty clear that the common weak point in all tools is the analyst using the tool…
Are you asking, "how does someone beat EnCase?"
I think these folks hit it on the head…you beat the person using the tool, not the tool.
So, in short, the answer is who cares if the tool has an Achilles heel. An examiner will follow a sound, standard, defendable, precedented, process. He/she will use multiple tools and document everything that happens.
What angle are you coming from?
You're assessing various products before purchase?
You/your client is faced with EnCase-produced evidence?
You're the developer of a competing product?
> You're assessing various products before purchase?
If that's the case, it definitely sounds as if the wrong questions are being asked.
I think the motive or angle is merely to arm themselves with information to discredit the tool in the face of its advocates and operators. Of course I could be wrong and it could be a serious research orientated question.
> …it could be a serious research orientated question.
It may have already been taken on as research…
The purpose of the DFTT site (and the associated CFTT site at NIST) is to provide standard images for testing forensic tools, such as EnCase, etc.
I know a while back, ILook v.7.0 had an issue with not being able to recognize directory entries with names that were in Unicode. However, ILook was certified for use by the federal gov't.
Again, I don't think that the point is really inherent weaknesses in tools…nor should it be.
ILook is a tough example because the Feds won't let everyone play in their sandbox.
Not even sure why anyone still uses that with all the discounts that LE get on software.
> ILook is a tough example because the Feds won't let everyone play in their sandbox.
But why would anyone want to play in their sandbox? It's not sand they're playing in…it's kitty litter. 😉
> Not even sure why anyone still uses that with all the discounts that LE get on software.
ILook is a tool. Like a Barrett .50 cal sniper rifle, it's only as good as the person using it. If someone blindly uses ILook 7.0 to examine a Win98 hard drive with Unicode characters in file and directory names…well, that's their issue as the examiner.
I've been using EnCase for 3 years. Now I'm facing a situation where two workstations with EnCase software show different hashes for the same storage device, viz. CD-ROM and floppy. I would like to know what the cause for this could be.
I cannot see how an image of a floppy or CD will have a different hash value on different machines, unless you have not made an image but are accessing them as a preview. If this is the case there could be a number of reasons why you're getting different hashes: not write-protecting the floppy may be one, or EnCase is encountering variable bad sectors on either of the devices.
Have you tried posting on the Guidance BBS with the problem, or using the support offered to registered users?
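The reply above points at bad sectors and un-write-protected media as reasons two acquisitions of the same floppy or CD can hash differently. A whole-image hash only tells you *that* the two acquisitions differ, not *where*; the usual next step is to compare the two images sector by sector and see whether the mismatch is a single unreadable sector (one reader returned zeros, the other read data) or something else. The script below is an added example written for this thread, not EnCase's own code or anything from Guidance; the two "acquisitions" are constructed in `build_samples()`, with a zero-filled sector simulating a read error on one drive (an assumed behaviour for illustration, since how a given tool fills an unreadable sector depends on the tool).

```python
import hashlib

SECTOR = 512  # floppy/CD sector size used for the comparison


def image_hash(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a whole acquisition, the single value a tool reports."""
    return hashlib.new(algo, data).hexdigest()


def sector_hashes(data: bytes, sector: int = SECTOR) -> list:
    """Per-sector MD5 list; handy for logging alongside the whole-image hash."""
    return [hashlib.md5(data[i:i + sector]).hexdigest()
            for i in range(0, len(data), sector)]


def differing_sectors(img_a: bytes, img_b: bytes, sector: int = SECTOR) -> list:
    """Return [(sector_index, reason), ...] for every sector that is not
    byte-identical in the two acquisitions. Reasons are coarse but point
    the examiner at the likely cause (short read, zero-filled bad sector,
    or genuinely different content such as a floppy written to between reads)."""
    total = max(len(img_a), len(img_b))
    count = (total + sector - 1) // sector
    diffs = []
    for n in range(count):
        a = img_a[n * sector:(n + 1) * sector]
        b = img_b[n * sector:(n + 1) * sector]
        if a == b:
            continue
        if not a or not b:
            reason = "present in only one acquisition (short read?)"
        elif a.count(0) == len(a) or b.count(0) == len(b):
            reason = "zero-filled on one side"
        else:
            reason = "content differs"
        diffs.append((n, reason))
    return diffs


def build_samples():
    """Constructed data: an 8-sector 'floppy'. The second acquisition has
    sector 3 returned as all zeros, standing in for a bad-sector read."""
    good = bytes((n * 7 + i) % 256 for n in range(8) for i in range(SECTOR))
    bad = bytearray(good)
    bad[3 * SECTOR:4 * SECTOR] = b"\x00" * SECTOR
    return good, bytes(bad)


if __name__ == "__main__":
    first, second = build_samples()
    print("acquisition 1:", image_hash(first))
    print("acquisition 2:", image_hash(second))
    for idx, why in differing_sectors(first, second):
        print(f"sector {idx}: {why}")
```

Run against two real image files, read them in binary and pass the bytes to `differing_sectors`; a single "zero-filled on one side" entry is the signature of the bad-sector explanation given above, while many scattered "content differs" entries on a floppy suggest the medium was written to between the two reads.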