I would like to know if anyone on this forum can/will answer some questions about EnCase.
When a forensic examiner uses EnCase to "Preview" a hard drive, what information will come up? Is it possible that no date/time stamps for web pages accessed will show up on their search?
How would a forensic examiner be able to tell that a computer had seen a lot of use, mornings, noon, evenings and late nights, yet not be able to determine when web pages were accessed?
If a forensic examiner were to say something to the effect that some items were in unallocated space, and were, therefore, unreadable, what does that mean?
I would like to know, after a hard drive has been pre-viewed, is there some sort of report that EnCase/the examiner develops to bring to court that tells, exactly, what was found and where or does the software just spit out a bunch of lines of unquantified/unqualified computer code that make no sense, whatsoever? If an examiner has no such report with them when they go to trial, what can that mean?
What conditions would have to exist to cause a forensic examiner to use a "cut and paste" into a word document?
I'll rule out student.
Hire an expert, many will talk to you for a small fee and get you on the right path. You could just need something as simple as a report review and you could get that for a reasonable price.
That was my suggestion to him in a pm. Sounds like someone looking for free work or a get out of trouble card
I bet lawyer.
No. I am not a lawyer. I am not looking for a get out of trouble card. I am a student taking a computer security class (introductory, natch!) at Baker College and I am curious to know answers to my questions.
So, if you are all done judging me without knowing why I asked the questions (BTW, does it really matter why? either you know the answers or don't) I just wanted to know if anyone knew!
Sheesh! Isn't that what this is about?
Oh, and I forgot to say that when thinking of answers to my questions, please try to think in terms of EnCase Forensic versions that were out in 2003; not today. So, the knowledge I am after is old and outdated…so much for your free work ideas.
"Sheesh! Isn't that what this is about?"
Where did you see that this is about answering student questions for Term Papers?
Are you all trying to insult me or something? I don't understand. I thought this was a place where if someone had a question, they could ask it and get at least a decent, if not definitive, answer.
Is this what your forum is like? Do you guys think that as professional examiners you have some lock on the knowledge about these things?
Is this some sort of arcane knowledge where no one divulges the mystical secrets of EnCase without being paid?
I thought forums were places people can go to ask and answer questions, but all I have gotten from any of you is derision and contempt.
Again, I am NOT a lawyer. I am a student taking CSS211 @ Baker College. I have some questions. I would have hoped to have them answered here, but, like I just wrote, all I have gotten is insulted and it has been hinted that I am a lawyer, in trouble with the law or, in your case, a term paper source.
Why can't it be that I just have some questions that I would like answered truthfully and leave it at that?
I thought this was a place where if someone had a question, they could ask it and get at least a decent, if not definitive, answer.
Note that it helps to provide other people with a little background info why you are asking the questions and what your knowledge level is.
It also helps if you ask specific questions. Let me elaborate
Your questions are not very Encase specific.
How would a forensic examiner be able to tell that a computer had seen a lot of use, mornings, noon, evenings and late nights, yet not be able to determine when web pages were accessed?
Not encase specific.
If a forensic examiner were to say something to the effect that some items were in unallocated space, and were, therefore, unreadable, what does that mean?
Not encase specific.
So my advice to you, do a little background research first, e.g. get a demo version of Encase or an ENCE book, then ask specific and detailed questions.
Regarding the remarks you got from other posters, you might want to read the following thread Do my homework….anyone?
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6687&postdays=0&postorder=asc&start=0
Umm…obviously, I am not communicating very well…perhaps you and others may have misunderstood when I typed the following?
"I would like to know if anyone on this forum can/will answer some questions about EnCase."
Or did no one understand when I typed, "When a forensic examiner uses EnCase to "Preview" a hard drive, what information will come up? Is it possible that no date/time stamps for web pages accessed will show up on their search?"
Or was I being too thick when I further typed
"I would like to know, after a hard drive has been pre-viewed, is there some sort of report that EnCase/the examiner develops to bring to court that tells, exactly, what was found and where or does the software just spit out a bunch of lines of unquantified/unqualified computer code that make no sense, whatsoever? If an examiner has no such report with them when they go to trial, what can that mean?"
I guess with three specific EnCase references in my message, I was still, and apparently, being too oblique concerning the subject with what I was asking. For that I must apologize to all. I am sorry.
You say I should provide some background…okay, I thought I had provided enough to at the least, answer the technical questions, but, alas, I must be coming up short everywhere these days. Again, I apologize. I will attempt to give you more.
If you had not figured this out from reading my earlier questions, I will give the salient points
1. At a trial, a detective for a police agency gave sworn testimony that he was told by the state's forensic examiner (who used EnCase Forensic a 2003 version in preview mode) that the examiner could tell when a computer was used, morning, noon, evenings and late evenings.
2. For nine months before a trial, the detective said that the computer had been used to look up items related to a theft between some certain dates in the month prior to the theft. Obviously, this was used to bolster his case by putting premeditation for the theft into the mix. However, because the suspect was not even in the state to use her computer on those specific dates, his earlier assertions were wrong. This was proven by confirmed plane tickets and witnesses.
3. When confronted with this just before trial his earlier assertions of fact morphed into mere assumptions that were wrong; the detective then took the computer back to the forensic examiner, who again used EnCase to examine the computer in preview mode. He told the detective that the detective "was mistaken" for using those certain dates as they may have merely been updates of pages.
4. At trial, the forensic examiner stated on the record that there was "no way for him to determine date/time web pages were accessed" (ostensibly using the preview method of EnCase and creating a mirror image of the hard drive).
It is my belief that the forensic examiner perjured himself on the stand. I say this for two reasons. First, the software is designed by Guidance Software to, in their words, "determine who looked at what and when." It seems more than a bit suspicious when an examiner uses this tool and cannot determine that. Second, even after a second, supposedly more in-depth examination, there was not any more information gleaned. In fact, there was even less than before. How can that be?
So, there you have as much as I feel like typing right now. If you have any questions or need more information, ASK. I cannot know what you need before you tell me what you want.
Umm…obviously, I am not communicating very well…perhaps you and others may have misunderstood when I typed the following?
"I would like to know if anyone on this forum can/will answer some questions about EnCase."
TheKaisho42 no offence but you're asking more case/law specific questions here, that have little to do with EnCase. Let me demonstrate by trying to answer your questions.
Is it possible that no date/time stamps for web pages accessed will show up on their search?"
This highly depends on the data, but in general yes it is always possible due to various reasons.
I would like to know, after a hard drive has been pre-viewed, is there some sort of report that EnCase/the examiner develops to bring to court that tells, exactly, what was found and where or does the software just spit out a bunch of lines of unquantified/unqualified computer code that make no sense, whatsoever? If an examiner has no such report with them when they go to trial, what can that mean?"
An examiner can create reports. Whether they are used in a trial highly depends on the trial, the type of report, and the relevance of the information reported about.
Your background info provided me with a better indication of what you're asking about.
1. At a trial, a detective for a police agency gave sworn testimony that he was told by the state's forensic examiner (who used EnCase Forensic a 2003 version in preview mode) that the examiner could tell when a computer was used, morning, noon, evenings and late evenings.
It is possible to determine activity and usage of a computer, again this has nothing to do with EnCase. However date and time collected from a computer should always be interpreted with the greatest care.
First, the software is designed by Guidance Software to, in their words, "determine who looked at what and when." It seems more than a bit suspicious when an examiner uses this tool and cannot determine that.
That is a marketing/sales pitch.
No software is a replacement for good investigative work. Encase, all forensic software or techniques for that matter, has limitations to its capabilities.
Second, even after a second, supposedly more in-depth examination, there was not any more information gleaned. In fact, there was even less than before. How can that be?
For that I would need to know more about the case in detail; but it sounds strange that there is now less information.