
Does EnCase have any weak spots ?

14 Posts
10 Users
0 Reactions
1,200 Views
(@circo)
New Member
Joined: 20 years ago
Posts: 1
Topic starter  

All software has its Achilles heel, right? Some employers/spyware merchants are using the profile of EnCase to effectively put the fear of god into their employees; this I believe is on the basis that fear works better than investigation – thus rendering all employees as potentially guilty of something as yet undefined - but it has led many of us to wonder; just how bullet-proof is EnCase?

I would be very keen to hear from anyone who has a working knowledge of this product and to learn of any known weaknesses that versions 4 or 5 are known to be prone to.

Any info sent to chas_clifton@yahoo.co.uk would be gratefully received and will of course be treated in strictest confidence.

Many thanks.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Some employers/spyware merchants are using the profile of EnCase to effectively put the fear of god into their employees;

Can you give an example of what you mean by this?

Keep in mind…EnCase is a tool, and like any tool, is only as good/effective as the person using it. The Barrett .50-cal sniper rifle is an awesome and powerful tool, but can easily be reduced to a paperweight in the hands of someone with no idea how to use it. Likewise, EnCase has a lot of nice features, and some cool buttons to click on, but if the analyst doesn't know what's going on under the hood, or what the information means, then it ends up being a very expensive waste of time.

Harlan


   
 dirk
(@dirk)
Eminent Member
Joined: 20 years ago
Posts: 25
 

Its support for handling data embedded inside arbitrary formats isn't so good. It's one thing to be able to find a deleted NSF file from a hard drive, but another thing entirely to be able to decipher email communications from inside that file.


   
(@phius)
Eminent Member
Joined: 21 years ago
Posts: 25
 

Dirk… surely that applies to all forensic tools though, not just EnCase? Merely highlights the fact that there is no one-stop solution & sometimes we need to use Brain Ver. 1.0 also…


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Paul,

You're absolutely correct in that. Different tools have different strengths and weaknesses. Some tools are really good at parsing formats (FTK comes to mind), others aren't so good. However, that should not be a limiting factor. If you're doing push-button, Nintendo forensics, then it would be pretty clear that the common weak point in all tools is the analyst using the tool…

Harlan


   
 skip
(@skip)
Trusted Member
Joined: 20 years ago
Posts: 57
 

Are you asking, "how does someone beat EnCase?"

I think these folks hit it on the head…you beat the person using the tool, not the tool.

So, in short, the answer is who cares if the tool has an Achilles heel. An examiner will follow a sound, standard, defendable, precedented, process. He/she will use multiple tools and document everything that happens.

Interesting topic,
Skip


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

What angle are you coming from?

Just interested?
You're assessing various products before purchase?
You/your client is faced with EnCase produced evidence?
You're the developer of a competing product?


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> You're assessing various products before purchase?

If that's the case, it definitely sounds as if the wrong questions are being asked.

Harlan


   
(@fatrabbit)
Estimable Member
Joined: 21 years ago
Posts: 132
 

I think the motive or angle is merely to arm themselves with information to discredit the tool in the face of its advocates and operators. Of course I could be wrong and it could be a serious research orientated question.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> …it could be a serious research orientated question.

It may have already been taken on as research…

http://dftt.sourceforge.net/

The purpose of the DFTT site (and the associated CFTT site at NIST) is to provide standard images for testing forensic tools, such as EnCase, etc.

I know a while back, ILook v.7.0 had an issue with not being able to recognize directory entries with names that were in Unicode. However, ILook was certified for use by the federal gov't.

Again, I don't think that the point is really inherent weaknesses in tools…nor should it be.

Harlan


   