
EnCase Portable

keydet89
(@keydet89)
Posts: 3568
Famed Member
 

If by trained you mean some type of certified forensic examiner (CFCE, EnCE, CCE, etc.), and by untrained you mean anyone who is not certified then I would vote yes, I can see a use for a simplified tool that I could have several users employing.

I don't hold any of those certifications…and yet I have trained (but not certified) people that DO hold those certs (including others, such as GCFA) in proper data acquisition methodologies, procedures and documentation…

I currently use FTK Imager and it requires neither a dongle nor a license. It is available for download from AccessData. If that were placed on a bootable disk, say a BartPE disk, and booted with a USB drive attached, one could do exactly what Guidance is suggesting their tool will be able to do.

Like you, I have used FTK Imager…in a number of instances on live machines. Why? Because there was no other way. In one instance, the RAID mirror was broken and a drive removed from a system…upon hooking it up to a write-blocker, no tool (FTK Imager, EnCase, etc.) could discern a readable file structure. The drive had to be returned to the system, added back to the RAID, and imaged live.

I have worked with boot-from-SAN devices…no drives to acquire.

However, more often than not, the system that needs to be acquired cannot be brought down, per the customer's orders.

The key to performing a live acquisition is documentation.

 
Posted : 23/05/2009 1:15 am
(@ronanmagee)
Posts: 145
Estimable Member
Topic starter
 

If by trained you mean some type of certified forensic examiner (CFCE, EnCE, CCE, etc.), and by untrained you mean anyone who is not certified then I would vote yes, I can see a use for a simplified tool that I could have several users employing.

It's not me who is saying 'untrained', it's Guidance. I'm unsure of their definition but if anyone has clarification of this please pass it on.

If by untrained you mean someone who has never been shown any information on using the tool in question and the consequences of using it incorrectly, then of course the answer is no.

I think this is more common than we perceive. I'm sure there are instances where some investigators have dabbled in a tool without fully understanding what it does. I'm not saying that I understand what every tool out there is capable of, but I've seen posts on here where people are clearly dabbling in tool use - I just wonder if they're deploying it on an investigation.

I'm very much in favour of learning and knowledge management and do see the advantage of such a tool but in order to use it I think there should be some form of compulsory training - not necessarily run by Guidance - but certainly run by the company/organisation who will receive the image file.

I also often worry about the forensic mindset becoming diluted. As investigators and forensic technologists we appreciate the need to preserve evidence, test tools and bring integrity to our work. This is not always appreciated outside of the profession.

I agree with the common chain of thought running through this post and that is 'Document, Document, Document', a skill most of us have mastered as we've become more experienced.

 
Posted : 23/05/2009 4:29 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I think that most of the things I wrote about COFEE may apply to this item as well
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2488

As I see it it all revolves around the level of competence of the person using the tool.

A lesser competence is needed to just acquire data, but still SOME competence is needed.

jaclaz

 
Posted : 23/05/2009 11:21 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Our industry is fraught with the risk of automation to the point where it is presumed to be as good or better than human expertise.

 
Posted : 24/05/2009 4:20 am
(@douglasbrush)
Posts: 812
Prominent Member
 

Our industry is fraught with the risk of automation to the point where it is presumed to be as good or better than human expertise.

Do we have a date yet for when Skynet becomes self aware? twisted

 
Posted : 24/05/2009 5:05 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Do we have a date yet for when Skynet becomes self aware? twisted

The date was
on August 29th, 1997 at 2:14 a.m. Eastern time

The timing was calculated (very accurately) on the basis of total networked processor power, BUT wink one single client of marginal importance was running Windows 95 AND a glitch in the matrix occurred

WinErr 01E Timing error - Please wait. And wait. And wait. And wait.

http://ifaq.wap.org/computers/windows95errors.html

P

jaclaz

 
Posted : 24/05/2009 5:42 pm
(@larrydaniel)
Posts: 229
Reputable Member
 

If by trained you mean some type of certified forensic examiner (CFCE, EnCE, CCE, etc.), and by untrained you mean anyone who is not certified then I would vote yes, I can see a use for a simplified tool that I could have several users employing.

If by untrained you mean someone who has never been shown any information on using the tool in question and the consequences of using it incorrectly, then of course the answer is no.

I currently use FTK Imager and it requires neither a dongle nor a license. It is available for download from AccessData. If that were placed on a bootable disk, say a BartPE disk, and booted with a USB drive attached, one could do exactly what Guidance is suggesting their tool will be able to do.

I am not a fan of polls that have been written in a way to preclude all but the answer one is seeking.

BartPE is not a forensically sound environment. It mounts the subject hard drives in read/write mode. Not a method I would recommend.

 
Posted : 25/05/2009 4:16 pm
(@rich2005)
Posts: 535
Honorable Member
 

This changes the contents of the hard drive…how? On the systems I've worked with, boot order is maintained in the BIOS, and changing it hasn't (so far) made any changes to the contents of the HDD itself.

Wasn't saying that it did, was more questioning whether it's a good idea to have someone messing around with the BIOS options without knowing what they're doing. (I think we need to distinguish between 'untrained' as they quoted, and people with some degree of training in what they may encounter.)

Okay…agreed, things change…but if one can document that, what is wrong with the resulting data?

Just that it's not ideal, when you could capture a completely unchanged copy; agreed though that in some cases a live capture might be the only reasonable option.

 
Posted : 26/05/2009 1:50 pm
(@brede)
Posts: 64
Trusted Member
 

I do not recommend that untrained personnel do anything…but I do recommend training customer IT staff in proper procedures and methodologies for data acquisition, which includes proper documentation.

both hand signed.

 
Posted : 26/05/2009 2:20 pm
Logg
(@logg)
Posts: 42
Eminent Member
 

I haven't touched this technology in over 2 years since I wrote the prototypes of EnCase Portable. Even then, it was fast and, contrary to the consensus of this thread's belief, yes, someone without field experience could easily use it – that was, in fact, what it was designed for. …Keep in mind, that person without experience is only using it in the field & the device is configured by a trained expert before deployment & again used by a trained expert upon receipt.

My vote
*untrained .. regardless of the tool?* - absolutely not.
*untrained .. in a known and controlled environment?* - yes.

(of the -at the moment- 90+% of people to vote "no," can each and every one say that you knew exactly how every script, condition, and filter you've ever used has worked? …as well as what the differences are between the current and previously used versions of your forensic software are & your reasons for switching?)

 
Posted : 27/05/2009 1:37 am