EnCase Portable  

Page 1 / 2
ronanmagee
(@ronanmagee)
Active Member

I'd like to pick up on Jamie's post and the recent news from Guidance on EnCase Portable.

Even personnel untrained in computer forensics can forensically acquire documents …

Is this something that should be encouraged? I do see the benefits of such a tool but to aim it specifically at the untrained is a recipe for disaster IMO.

Thoughts?

P.S. Wonder do you need a dongle to use it? 😉

Posted : 22/05/2009 7:47 pm
DFICSI
(@dficsi)
Active Member

I say that people are free to employ whoever they want to take images. So what if the evidence gets crushed in court?

Also, I would suspect that the device has its own anti-piracy mechanism built in, otherwise what would stop people from just putting it on as many USB drives as they wish?

Posted : 22/05/2009 7:53 pm
Rich2005
(@rich2005)
Senior Member

If there was some way in which it could be plugged in on any computer, make no changes, and retrieve an exact copy. Yeah, fine.
However I don't see how that's going to be possible, as we know the minute you start plugging things in, things change, so in that case is it a power off and back on? Are they then changing the boot order to boot from USB? Untrained people doing that?
Sounds like a recipe for disaster as you say, thought up by marketing types :P
There may be more logic to it, but couldn't find any specifics in that doc 😉

Posted : 22/05/2009 7:57 pm
jhup
(@jhup)
Community Legend

The question is "Should untrained personnel be acquiring images, regardless of which tool is used?"
The answer is no.

But, reality is they will. If my company can use a person already on site to make an image, it is highly unlikely they would fly me out if management believes the case does not warrant it.

I know we should always do everything as if it is a court case, but business does not, and will cut corners until burned. Then, there will be an upswing in policies and enforcements, then it will ebb away over time again.

Posted : 22/05/2009 8:54 pm
pbeardmore
(@pbeardmore)
Active Member

I look forward to any forum member voting yes, rather a one sided discussion I think! (and rightly so)

Posted : 22/05/2009 9:56 pm
Patrick4n6
(@patrick4n6)
Senior Member

There are degrees of training I think. Back when I worked for police, we used a Linux-based forensic boot disk for onsite preview of contraband images. We trained detectives over the course of 2 days and had competency testing at the end. I would be quite comfortable with those who were found competent performing this specific function. There's not a chance in hell that I'd be happy with someone using the boot disk without training.

So perhaps it's just really bad wording on the part of Guidance. Perhaps they mean people who are not FULLY trained in forensics can use this tool if they are properly trained in the usage of this tool. I'd hate to think that they are suggesting that any Joe could go use the tool in the field without training.

Posted : 22/05/2009 11:36 pm
douglasbrush
(@douglasbrush)
Senior Member

"It is easy to use, fast and preserves digital evidence in the court-vetted evidence file format"

It does seem that it is geared towards a fast acquisition with minimal training but not as an end-all alternative to full data & memory acquisition. Just another tool. However, it is worded throughout the release a little too infomercialish: "anyone can do it!". And here I am reading, researching and testing every day like a sucker...

Posted : 22/05/2009 11:51 pm
kovar
(@kovar)
Senior Member

Greetings,

If I understand the press release correctly, this will boot the computer into an OS on the USB drive, à la Helix et al. There's no reason that data on the system under examination would change.

I can definitely see a use for this sort of device. At one client site, we have images going uncollected because we cannot get someone out to get the image. And with each day that passes, data is changing, I assure you.

I voted "yes". With the right tool and procedures, "untrained" people can be very useful.

-David

Posted : 23/05/2009 1:01 am
clifmeister
(@clifmeister)
New Member

If by trained you mean some type of certified forensic examiner (CFCE, EnCE, CCE, etc.), and by untrained you mean anyone who is not certified then I would vote yes, I can see a use for a simplified tool that I could have several users employing.

If by untrained you mean someone who has never been shown any information on using the tool in question and the consequences of using it incorrectly, then of course the answer is no.

I currently use FTK Imager and it requires neither a dongle nor a license. It is available for download from AccessData. If that were placed on a bootable disk, say a BartPE disk, and booted with a USB drive attached, one could do exactly what Guidance is suggesting their tool will be able to do.

I am not a fan of polls that have been written in a way to preclude all but the answer one is seeking.

Posted : 23/05/2009 1:03 am
keydet89
(@keydet89)
Community Legend

However I don't see how that's going to be possible, as we know the minute you start plugging things in, things change, so in that case is it a power off and back on?

Okay... agreed, things change... but if one can document that, what is wrong with the resulting data?

Are they then changing the boot order to boot from USB? Untrained people doing that?

This changes the contents of the hard drive... how? On the systems I've worked with, boot order is maintained in the BIOS, and changing it hasn't (so far) made any changes to the contents of the HDD itself.

I do not recommend that untrained personnel do anything... but I do recommend training customer IT staff in proper procedures and methodologies for data acquisition, which includes proper documentation.

Posted : 23/05/2009 2:10 am
keydet89
(@keydet89)
Community Legend

If by trained you mean some type of certified forensic examiner (CFCE, EnCE, CCE, etc.), and by untrained you mean anyone who is not certified then I would vote yes, I can see a use for a simplified tool that I could have several users employing.

I don't hold any of those certifications... and yet I have trained (but not certified) people that DO hold those certs (including others, such as GCFA) in proper data acquisition methodologies, procedures and documentation...

I currently use FTK Imager and it requires neither a dongle nor a license. It is available for download from AccessData. If that were placed on a bootable disk, say a BartPE disk, and booted with a USB drive attached, one could do exactly what Guidance is suggesting their tool will be able to do.

Like you, I have used FTK Imager... in a number of instances on live machines. Why? Because there was no other way. In one instance, the RAID mirror was broken and a drive removed from a system... upon hooking it up to a write-blocker, no tool (FTK Imager, EnCase, etc.) could discern a readable file structure. The drive had to be returned to the system, added back to the RAID, and imaged live.

I have worked with boot-from-SAN devices... no drives to acquire.

However, more often than not, the system that needs to be acquired cannot be brought down, per the customer's orders.

The key to performing a live acquisition is documentation.

Posted : 23/05/2009 2:15 am
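The posts above converge on one practical control: whoever takes the image (trained examiner or site IT staff) must document what was done and must be able to show that the image handed over is the image that was taken. The script below is an added example, not something from this thread or from any vendor's product; it builds an acquisition record (operator, tool, source, method, timestamps, size, hashes, and an ordered list of every change the acquisition itself made to the system) and later verifies a copy of the image against that record. The image bytes, operator name, tool name and source description are constructed placeholders.

```python
"""Acquisition record and hash verification for a forensic image.

Added example (not from the thread or any vendor tool). The image is
represented as bytes so the example runs offline; a real image would be
read from the output file in the same 1 MiB chunks.
"""
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so large images never sit in RAM twice


def hash_stream(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Compute several digests over the data in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(data)
    for offset in range(0, len(view), CHUNK):
        block = view[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_acquisition_record(image: bytes, *, operator: str, tool: str,
                            source: str, method: str, notes=()) -> dict:
    """Build the documentation that travels with the image.

    `method` is 'live' (imaged on the running system) or 'dead'
    (system booted from separate media). `notes` is the ordered list of
    every action taken on the system, including changes the acquisition
    itself caused (mounting a USB device, changing the boot order, ...).
    """
    started = datetime.now(timezone.utc)
    digests = hash_stream(image)
    finished = datetime.now(timezone.utc)
    return {
        "operator": operator,
        "tool": tool,
        "source": source,
        "method": method,
        "started_utc": started.isoformat(),
        "finished_utc": finished.isoformat(),
        "size_bytes": len(image),
        "hashes": digests,
        "notes": list(notes),
    }


def verify_image(image: bytes, record: dict) -> tuple[bool, list[str]]:
    """Re-hash a copy of the image and compare it with the record.

    Returns (ok, problems). Every algorithm in the record is checked, so a
    record with md5 and sha256 fails if either one disagrees.
    """
    problems = []
    if len(image) != record["size_bytes"]:
        problems.append(
            f"size mismatch: record {record['size_bytes']}, image {len(image)}")
    current = hash_stream(image, tuple(record["hashes"]))
    for name, expected in record["hashes"].items():
        if current[name] != expected:
            problems.append(f"{name} mismatch: record {expected}, image {current[name]}")
    return (not problems, problems)


def record_to_json(record: dict) -> str:
    """Serialise the record for the sidecar file handed over with the image."""
    return json.dumps(record, indent=2, sort_keys=True)


# Constructed sample image: 1 MiB of deterministic content standing in for a
# real acquisition output. Everything below is placeholder data.
SAMPLE_IMAGE = bytes(range(256)) * 4096

SAMPLE_RECORD = make_acquisition_record(
    SAMPLE_IMAGE,
    operator="<site IT staff name, placeholder>",
    tool="<imaging tool and version, placeholder>",
    source="<host name / drive serial, placeholder>",
    method="live",
    notes=[
        "attached USB target drive (new device node created on host)",
        "started imaging tool from the USB drive",
        "imaging completed; target drive detached",
    ],
)

if __name__ == "__main__":
    print(record_to_json(SAMPLE_RECORD))
    ok, problems = verify_image(SAMPLE_IMAGE, SAMPLE_RECORD)
    print("verification:", "OK" if ok else problems)
```

The `notes` list is the part the thread's "document, document, document" advice is really about: recording the changes the acquisition itself made is what lets an examiner later separate them from the state of the system that matters. Verification should be run by the party that receives the image, not only by the person who took it, which is why the record is written as a separate JSON sidecar rather than kept inside the tool.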
ronanmagee
(@ronanmagee)
Active Member

If by trained you mean some type of certified forensic examiner (CFCE, EnCE, CCE, etc.), and by untrained you mean anyone who is not certified then I would vote yes, I can see a use for a simplified tool that I could have several users employing.

It's not me who is saying 'untrained', it's Guidance. I'm unsure of their definition but if anyone has clarification of this please pass it on.

If by untrained you mean someone who has never been shown any information on using the tool in question and the consequences of using it incorrectly, then of course the answer is no.

I think this is more common than we perceive. I'm sure there are instances where some investigators have dabbled in a tool without fully understanding what it does. I'm not saying that I understand what every tool out there is capable of, but I've seen posts on here where people are clearly dabbling in tool use - I just wonder if they're deploying it on an investigation.

I'm very much in favour of learning and knowledge management and do see the advantage of such a tool but in order to use it I think there should be some form of compulsory training - not necessarily run by Guidance - but certainly run by the company/organisation who will receive the image file.

I also often worry about the forensic mindset becoming diluted. As investigators and forensic technologists we appreciate the need to preserve evidence, test tools and bring integrity to our work. This is not always appreciated outside of the profession.

I agree with the common chain of thought running through this post and that is 'Document, Document, Document', a skill most of us have mastered as we've become more experienced.

Posted : 23/05/2009 5:29 am
jaclaz
(@jaclaz)
Community Legend

I think that most of the things I wrote about COFEE may apply to this item as well:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2488

As I see it, it all revolves around the level of competence of the person using the tool.

A lesser competence is needed to just acquire data, but still SOME competence is needed.

jaclaz

Posted : 24/05/2009 12:21 am
jhup
(@jhup)
Community Legend

Our industry is fraught with the risk of automation to the point where it is presumed to be as good or better than human expertise.

Posted : 24/05/2009 5:20 am
douglasbrush
(@douglasbrush)
Senior Member

Our industry is fraught with the risk of automation to the point where it is presumed to be as good or better than human expertise.

Do we have a date yet for when Skynet becomes self-aware?

Posted : 24/05/2009 6:05 am