Encase 7 - Refund
 
RobertCyber
(@robertcyber)
Posts: 15
Active Member
 

I have experienced no end of speed issues in general navigation of, and in processing times in V7. In addition I have found a steep learning curve to use it - the menus are unfamiliar (I have been on V6 for 3 years) and apparently not intuitive.

Re speed issues I have kept on thinking it must be something to do with my VMs or some need to defragment, but honestly as soon as I startup V6.19 the processing appears to be so much quicker there. But I have 8Gb allocated, Win7x64, 4 cores of a Dual X5570XEON (HPZ800).

Is it really just an issue with V7 or is there some kind of tweaks that must be inputted to my VM (Windows7x64)?

Seeing your criticism makes me wonder to cut my losses (in time and expense) and just use V6.19

 
Posted : 16/03/2012 8:20 am
jtw586
(@jtw586)
Posts: 1
New Member
 

I was beginning to think we were the only ones that were experiencing issues with EnCase 7 - probably because I was spending all my time working with the product instead of having time to do anything else, like seeing what other people's reactions were.

So nice to know we are not alone 😯

As of last week we have upgraded from version 7 to version 6.19. And, no, that is not me being tongue in cheek. “Upgrading” back to the previous version actually allowed us to get something done. I'm not sure about looking for a refund because we already have SMS support and did not pay extra for the new version. But, I know people here internally are questioning if we will stay with EnCase if version 7 is what the future holds. I find that sad, we have always been pretty much exclusively an EnCase shop.

Anyway, I thought I'd at least share my experiences with others, for what it is worth.

We switched to the new version in November and used it until last week. The main reason for the switch, I liked the idea of the upfront process explorer feature. Of course, this is the one feature that had the most problems. We found ourselves waiting weeks for one component of process explorer to finish, or more than likely, crash after running for weeks. Did not matter which component it was, they all had problems of one sort or another.

We followed a lot of advice from several support cases we opened. Including placing the EnCase cache file on a dedicated drive, and ultimately upgrading the motherboard, processor, and memory of the forensic hardware. We tried everything, even spending more money to try to remove any roadblocks.

Simple things like the ability to refresh a manual search so you could examine the results while the search was still running are completely gone. You now have to wait until the searching is done. Did I mention the issues with process explorer? And now that we have gone back to 6 I realize how much I appreciate all my evidence showing up in the screen and not having to go from one screen to the next or wait for it to load so I could view it.

I found the directed searches a bit confusing, but could have learned that. It's a new interface, I expect a bit of a learning curve. However, the software wants you to focus on creating an index to speed searching up. Well, that would be great if indexing actually completed in a timely manner, or at all. And I was not trying to index evidence that I would consider large. I had indexing failing on 500GB of data and less. Both in the old evidence format, and the new.

The final straw for us was support closing a ticket, because they could not replicate the issue. The issue - recovery of folders. I had tried to avoid the recover folders option of the process explorer and do it the way I did in version 6. Right-click, recover folder structure. Worked in 6, should work in 7, it's a menu option right? Well, I did that and then could not get the evidence to “mount” again (unless I deleted the cache). It was still there in the case itself, just could not open\mount it to do anything. Support told me that was not the preferred method to recover folders, and had always been problematic (news to me). So, at their request I used process explorer to attempt to recover folders. Same result. Response from support was then to close the ticket.

Bottom line for us - now that we are back at version 6 we have been able to perform forensic engagements again. When we began to look at how much time it would take to manage the use of the product, or create a methodology to deal with the shortcomings (i.e. use only one component of process explorer on one piece of evidence at a time, copy the cache if the process completed so you have a fall back point, start next component of process explorer on same evidence, rinse repeat) instead of actually using it for investigations, it became obvious we could not move forward.

 
Posted : 19/03/2012 10:19 pm
RobertCyber
(@robertcyber)
Posts: 15
Active Member
 

We will probably move back to 619 for the time being - do not have the space in schedule to nut out the V702 issues right now. It just seems to be a hurdle at every turn to use it.
I wonder how widespread the issues are - other users…
When I have some more time here (we are not a large forensic lab) I will try to work through the 702 issues.
I will keep an eye on this thread for possible help with the myriad of issues.

 
Posted : 20/03/2012 2:37 am
pbeardmore
(@pbeardmore)
Posts: 289
Reputable Member
 

There is a larger issue on the overall impact this has on the reputation of the computer forensic industry as a whole. I would be surprised if there are other areas of forensics where practitioners are openly (and justifiably) complaining that the tools they have been sold to do the job simply don't work.

 
Posted : 20/03/2012 3:00 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

I would like to take this specific issue in a "wider" set of considerations, maybe risking to go Off Topic (a Mod may split this if appropriate).
I find that Digital Forensic research and results are a specific field of "critical" data.
We all know how - in theory - each and every investigator should be in first instance a "scientist", be almost "all knowing" and validate him/herself each and every single bit of evidence and method that was used to acquire data or interpret them.
But we also all know how - in practice - time allowed, budget and a number of other reasons - including (judging from some of the posts on this Forum which is I think one of the most "respectable" ones) the presence in the profession of people that have not in the least the mentality of investigators, let alone of scientists - a large amount of processing is done through the use of software similar to the one discussed here, "taking as good" whatever the software provides.

Should my perception on this be correct, the issue is very serious (and not limited to this specific app).

I mean, if the tools used are not "reliable" or "too difficult" for the average user, there is a great risk of having either

  1. a case (where the suspect is actually guilty) dismissed or not even brought to Court for incompleteness of the collected data or errors in the procedure creating exception by the defense
  2. a case (where the suspect is innocent) brought forward on the basis of incomplete or erroneous interpretation of the data

If the amount of such cases (hopefully later found out and corrected/re-considered) is going to increase due to "issues" with the used tools, the risk is that the entire field of "Digital Forensics" loses importance or "image" in the eyes of the LE officers and/or magistrates.

The specific reports in this thread are from knowledgeable users of the tool in a previous version that suddenly find out that procedures they were used to are not anymore possible or create errors and what not.

If you prefer these people are allowed to make a comparison between their previous experience and the new version of the tool.

What will happen to a new user that starts learning with this specific version for the first time?
Will he/she "skip" some steps because this version does not create the expected result correctly?

AFAICU the reason why lots of professionals use these proprietary tools (besides the fact that they are familiar with them, and that they have useful capabilities) is also - and I will risk to say "mainly" in some cases - because they represent a "de facto standard" and thus a report made through them is rarely challenged/counterexamined/reviewed in detail by the "other party" in a trial, i.e. the validation of the tool and methods used is assumed to have been carried extensively by the software maker.

Surely this is not a very "ethical" approach, but it is the way I suspect things go in real life.

If you take reliability out of a "mission critical" tool, you are left with really nothing in your hands, and I am surprised that the "switch" between two versions of a same product can be so difficult.

Why didn't Guidance make an extensive Beta test (with beta testers being people really "on the field" and expert)?

Or this was done and none of the reported issues were found?

Maybe a possible solution for the future of this and similar Commercial tools would be to actually hire a few of the most expert members of the Digital Forensics community (and pay them for their time) to have them test and troubleshoot (and - somehow - validate) new releases?

jaclaz

 
Posted : 22/03/2012 4:06 pm
pbeardmore
(@pbeardmore)
Posts: 289
Reputable Member
 

One thing I simply don't understand is why the software vendors (the 2 big ones in any case) always seem to under value how important reliability is compared to all of the new bells and whistles. If you look at their marketing material, they are always talking about the new features built into the new version but very little about how stable and reliable the actual product is.
Many times, there are specific software tools that will carry out the specialist tasks and when you want a tool to provide an overall forensic analysis of the operating system, you just want the thing to work, be reliable and accurate. Is that too much to ask?

 
Posted : 23/03/2012 1:56 pm
AngryBadger
(@angrybadger)
Posts: 164
Estimable Member
 

One thing I simply don't understand is why the software vendors (the 2 big ones in any case) always seem to under value how important reliability is compared to all of the new bells and whistles. If you look at their marketing material, they are always talking about the new features built into the new version but very little about how stable and reliable the actual product is.
Many times, there are specific software tools that will carry out the specialist tasks and when you want a tool to provide an overall forensic analysis of the operating system, you just want the thing to work, be reliable and accurate. Is that too much to ask?

To be fair "It still works" doesn't make for very good advertisement copy does it?

 
Posted : 23/03/2012 2:26 pm
joethomas
(@joethomas)
Posts: 65
Trusted Member
 

Apple have made several fortunes by using "It Just Works" as both an advertising slogan and a product vision. Accessdata and Guidance appear to have forgotten that most of their end users are computer experts and putting a nice GUI on their products but hampering their function is not the best way to go.

 
Posted : 23/03/2012 2:39 pm
PhillHatton
(@phillhatton)
Posts: 3
New Member
 

Not much to add re En7 as we still use En 6. However you will find that most Sale of Goods type legislation only applies to consumers, not businesses (or organisations such as the police). Business transactions are generally assumed to be between "grown ups" and the state does not wish to get involved and expects the civil courts to be used should what are, effectively, contractual disputes occur. However the Business Protection from Misleading Marketing Regulations 2008 might possibly apply!

 
Posted : 29/03/2012 7:16 pm
Giggitti
(@giggitti)
Posts: 2
New Member
 

We have 4 licenses and will not be paying the support fees for this year. Version 6.19 works fine for us and we will continue to monitor Version 7.0, but when, or if, it is fixed we will re-evaluate. Until then why pay support for a broken product, or for version 6.19 when it works but won't be supported with upgrades or training?

 
Posted : 29/03/2012 7:39 pm
PLF5403
(@plf5403)
Posts: 2
New Member
 

I am part of a digital forensic training team and we have put EnCase V 7.X through our internal testing using thoroughly tested and vetted training images which hundreds of student examiners have reviewed over the past three years. (Note not all of our examiners are new to the field, some have been doing this since the '90's) Version 7.1(.2) &(.3) were all tested with these known images. While version 7.1 was totally unusable, we have seen some progress with the current release. But, taken from the baseline of completely unusable, it was not a high bar. If we only run one module at a time, we can nurse the program to perform without crashing, most of the time now. However, some things are still broken, like reviewing EFS files in Windows XP systems. Additionally, processing times are still nowhere near where they were in version 6.19. If you've been around since version 3.X, as many of you appear to be, then you may remember that Guidance has a long history of pushing betaware out with each major version release. Version 4 was horrible and I believe it took them nearly a year to get it stable. The point is this behavior by Guidance is nothing new, what is different this time is forums like this where we practitioners can now all compare notes and realize "the emperor has no clothes". Guidance can't control the message anymore. You would think after the AccessData debacle with version 2 that all forensic vendors would have learned their lesson. Apparently not. In good conscience, I cannot train any new practitioners into this field with the current version of EnCase, our shop will stick with version 6.X unless/until version 7 becomes stable.

In case you missed it, here's a blog from Steve Salinas, Forensic Business Unit Product Marketing Manager, Guidance Software. There's a place to comment directly to him at the bottom of the blog. Unless you know someone in GSI management, this may be your best bet for getting your message to the powers-that-be in Guidance.

http://encase-forensic-blog.guidancesoftware.com/2012/03/whats-encase-processor.html

 
Posted : 30/03/2012 2:36 am
finbarr
(@finbarr)
Posts: 26
Eminent Member
 

One point to note with respect to SMS is that if you decide to not renew (cancel it) and continue with v6 - all well and good. However, in a year or so when E7 does become usable, and it's the only version of EnCase that supports the new ReFS file system in Windows 8, you will still have to pay for the missed SMS between cancelling and the point at which you re-engage. Guidance gets your money regardless.

It's fair to say that a whole boatload of us refusing to renew our SMS now, will make a financial point which will hopefully focus their attention, but other than that I'm not sure what it achieves.

Trying to get a refund for those of us who purchased the upgrade from 6 to 7 is, in my opinion, a fool's errand.
Any civil litigation will focus on the point that you paid for 6 and your SMS gave you access to 7 - if you aren't happy with 7, go back to 6. Not sure about the situation with purchasing 7 from scratch, you may have a case, but I'm no lawyer!

Ultimately, the best way to beat them is with your wallet. Don't renew your SMS until E7 is working and look carefully at alternatives, especially X-Ways Forensics - can't say enough good things about this tool.

Kind regards,
Fin.

 
Posted : 05/04/2012 7:17 pm
PLF5403
(@plf5403)
Posts: 2
New Member
 

I am part of a digital forensic training team and we have put EnCase V 7.X through our internal testing using thoroughly tested and vetted training images which hundreds of student examiners have reviewed over the past three years. Version 7.01(.02) &(.03) were all tested with these known images…

In the interests of fairness and timeliness, we just ran Version 7.03.02 over our baseline image and so far, everything we have tried seems to work. This is a limited test, obviously. The image is a baselined XP 32-bit system with Internet Explorer 6.X. It has not crashed once running the scripts. Indexing functions, etc. Additionally, the EFS functionality seems to be repaired and working now. We'll run it across a Win7 64-bit system next and keep our fingers crossed. This is following the same paradigm as the version 4 release. Nothing new is under the sun…

 
Posted : 05/04/2012 7:34 pm
Challenger
(@challenger)
Posts: 14
Active Member
 

This is the second forum I have encountered where people are having troubles with EnCase V7. I wonder if any of you are using the recommended 64 bit platforms, or are you using 32 bit platforms?

V 7.03.02 seems to get better 'press' than any other version, so, is everyone current?

Also, you do know about the free training, correct?

I am not trying to discount your feedback, just want to make sure that you have the information from the other forum.

We are waiting to buy but at the level of feedback we are seeing, V7 is not ready for Prime Time.

 
Posted : 19/04/2012 11:16 pm
johnny
(@johnny)
Posts: 21
Eminent Member
Topic starter
 

Hi,

I cannot comment on anyone else but we are using 64b Windows 7, dual E5630 CPU, 24GB ram, SSD system drive, separate sata3 drive for cache, separate raid0 for .e01 and the latest available release of v7.

Regards

John

 
Posted : 20/04/2012 12:41 pm