It seems that the majority of people use EnCase as their forensic software; however, what are the disadvantages of using EnCase?
I watched the presentation from Paul Henry, and he gave a few examples of what EnCase (and FTK) couldn't even pick up (they really should be picking up on these things).
However, if anyone can help from their personal experience, that would be great.
Thanks!
I haven't seen the presentation you mention; do you have a link?
What particular examples did he mention that forensic software doesn't pick up?
verified may be referring to the following:
http://www.youtube.com/watch?v=q9VUbiFdx7w&mode=related&search=
Not the best quality video, but Mr. Henry discusses anti-forensics. Anti-forensics techniques are used to target analysts, not forensic applications or tools.
So, what Mr Henry explained about Timestomp 30.37, Timestomp on FTK 32.33, Timestomp on EnCase 33.45, where the dates were changed, which he explains is a problem: in my view that's a problem for FTK and EnCase.
So I just wondered if there were any more bugs in this commercial forensic software?
> So, what Mr Henry explained about Timestomp 30.37, Timestomp on FTK 32.33, Timestomp on EnCase 33.45, where the dates were changed, which he explains is a problem: in my view that's a problem for FTK and EnCase.
Couple of things…
First off, what is "Timestomp 30.37, Timestomp on FTK 32.33, Timestomp on EnCase 33.45."??
Second of all, the application known as "timestomp" is not a problem for FTK or EnCase…because timestomp changes the file MAC times, and FTK and EnCase (and other forensic analysis apps) simply read the data.
> So I just wondered if there were any more bugs in this commercial forensic software?
Yes, there are a number of bugs…as with any software. However, applications like timestomp do not exploit these bugs.
> Couple of things…
> First off, what is "Timestomp 30.37, Timestomp on FTK 32.33, Timestomp on EnCase 33.45."??
Timestomp is a program to modify the timestamp values (modified, accessed, created, and entry modified) of any file.
Download it here: http://metasploit.com/research/projects/antiforensics/
> verified may be referring to the following:
> http://www.youtube.com/watch?v=q9VUbiFdx7w&mode=related&search=
> Not the best quality video, but Mr. Henry discusses anti-forensics. Anti-forensics techniques are used to target analysts, not forensic applications or tools.
There's also a "High-Quality" version at http//
And btw, the PDF is also available at http//
> Couple of things…
> First off, what is "Timestomp 30.37, Timestomp on FTK 32.33, Timestomp on EnCase 33.45."??
> Timestomp is a program to modify the timestamp values (modified, accessed, created, and entry modified) of any file.
> Download it here: http://metasploit.com/research/projects/antiforensics/
I'm aware of what Timestomp is…what I asked is, what are "Timestomp 30.37" and "Timestomp on FTK 32.33", and "Timestomp on EnCase 33.45."?
I reckon 30.37 et al. are timestamps in the vid he posted.
I don't think the software really "misses" any of the things mentioned in the video. Some of the automated processes that are features of the software may miss it, but any properly trained examiner should know that no automated process can be considered 100% reliable.
As far as EnCase not showing dates and times after timestomp is used… if that feature was not put in intentionally, it should have been. That is a CLUE that something is wrong with the dates and times. I am not going to look for Timestomp on every analysis. But I certainly would if I encountered this.
I think that the term "anti-forensics" is a misnomer. We are looking at the data that is there in its current state. Manipulation of that data is part of the bigger picture. Most automated forensic tools still allow you to work at the disk level. While the automated features are nice, a competent examiner needs to understand where the data comes from.
Maybe I just don't expect enough from my forensic software, but I don't consider the inability to recover wiped data or to defeat strong encryption as deficiencies.
I consider the automated steps performed by the forensics software as the starting point in an examination, not the ending point.
I gather a lot of information from computers that is not captured by automated tools made by anyone.
Anyone who depends on just what the tool can do, is not doing a very thorough job.
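Two points made in this thread, that timestomp rewrites the $STANDARD_INFORMATION timestamps that FTK and EnCase read back, and that a blank date in EnCase is itself a clue worth chasing, can be turned into a check an examiner runs over MFT records. The script below is an added example written for this page; it is not code from the thread, from the timestomp project, or from any forensic tool. It assumes the examiner has already extracted the raw FILETIME values from $STANDARD_INFORMATION and $FILE_NAME for each record (the three records in it are constructed for the example, not real evidence), and it treats a zero FILETIME as the "blank" case, which is an assumption made for the example. Its three heuristics are leads for follow-up, not proof, in keeping with the poster's point that automated steps are the starting point of an examination.

```python
"""Flag timestomp-style anomalies in NTFS MACE timestamps (added example).

NTFS stores each timestamp as a FILETIME: a 64-bit count of 100-nanosecond
ticks since 1601-01-01 UTC. Each MFT record carries two sets of timestamps:
$STANDARD_INFORMATION ($SI), which Explorer, FTK and EnCase display and which
timestomp rewrites (all four values, including entry modified), and
$FILE_NAME ($FN), which the file system maintains itself and which the
timestamp-setting calls timestomp relies on do not touch.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
MACE = ("modified", "accessed", "created", "mft_modified")


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks (used here only to build sample data)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft: int) -> datetime | None:
    """FILETIME ticks -> UTC datetime. Zero is treated as 'blank' (assumption)."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def check_record(si: dict[str, int], fn: dict[str, int]) -> list[str]:
    """Return the timestomp indicators found in one MFT record.

    si and fn map each MACE name to the raw FILETIME from $SI and $FN.
    These are indicators for an examiner to follow up, not proof of tampering.
    """
    findings = []
    nonzero = [si[k] for k in MACE if si[k] != 0]

    # 1. A timestamp that renders as no date at all is what the thread describes
    #    EnCase showing after timestomp; a zero FILETIME is the plainest case.
    if len(nonzero) < len(MACE):
        findings.append("blank (zero) timestamp in $STANDARD_INFORMATION")

    # 2. timestomp takes its times as 'MM/DD/YYYY HH:MM:SS', so every $SI value
    #    it writes has a zero sub-second part. Ordinary file system activity
    #    almost never leaves all four $SI values on an exact second boundary.
    if nonzero and all(v % TICKS_PER_SECOND == 0 for v in nonzero):
        findings.append("all $SI timestamps fall on exact second boundaries")

    # 3. The $FN creation time is written when the record is created and is not
    #    changed by the calls timestomp uses, so an $SI creation time earlier
    #    than $FN means $SI was rewritten after the file existed. (Copies and
    #    moves can also produce this, so treat it as a lead, not a verdict.)
    if si["created"] and fn["created"] and si["created"] < fn["created"]:
        findings.append("$SI creation time predates $FN creation time")

    return findings


def scan(records: dict[str, tuple[dict[str, int], dict[str, int]]]) -> dict[str, list[str]]:
    """Run check_record() over {name: (si, fn)} and return {name: findings}."""
    return {name: check_record(si, fn) for name, (si, fn) in records.items()}


def _mace(modified: datetime, accessed: datetime, created: datetime,
          mft_modified: datetime) -> dict[str, int]:
    return {"modified": datetime_to_filetime(modified),
            "accessed": datetime_to_filetime(accessed),
            "created": datetime_to_filetime(created),
            "mft_modified": datetime_to_filetime(mft_modified)}


def sample_records() -> dict[str, tuple[dict[str, int], dict[str, int]]]:
    """Three constructed MFT records (not real evidence), one per case."""
    born = datetime(2008, 5, 10, 14, 3, 27, 418237, tzinfo=timezone.utc)
    later = born + timedelta(days=2, seconds=41, microseconds=902)
    # Untouched file: $SI and $FN agree on creation, sub-seconds are populated.
    normal_si = _mace(later, later, born, later)
    normal_fn = _mace(born, born, born, born)
    # timestomp'ed file: every $SI value set to 01/01/2003 00:00:00 exactly,
    # while $FN still records when the file really appeared.
    stomped = datetime(2003, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    stomped_si = _mace(stomped, stomped, stomped, stomped)
    # Blanked file: $SI zeroed so no date is shown; $FN left intact.
    blank_si = {k: 0 for k in MACE}
    return {"report.docx": (normal_si, normal_fn),
            "nc.exe": (stomped_si, normal_fn),
            "rootkit.sys": (blank_si, normal_fn)}


if __name__ == "__main__":
    for name, findings in scan(sample_records()).items():
        print(f"{name}: {findings or 'no indicators'}")
```

Run as-is to see the three cases; in practice the `si`/`fn` dictionaries would come from whatever MFT parser the examiner already uses, and the comparison between $SI and $FN is the part no timestamp-display feature in a tool does for you.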