I heard something recently and I would like to know if anyone else can confirm or deny it…
AccessData, as we are all aware, have recently released FTK version 2.0. I'm sure people have seen numerous posts on these forums about the problems that they have been experiencing but I have heard something extremely disturbing…
Apparently, two 'identical' computers using identical disk images can produce different results even if the exact same steps are followed.
Like I say, this is something I've heard recently but I wondered if anyone else was familiar with this problem if it even exists. If so why haven't FTK said anything to their customers as this could have some serious repercussions.
Can you be more specific? Where do the results differ? If different options are selected, you'll get different results. Can you share where you heard this?
In short I can't say where I heard this but the problem is not complicated, the supposed problem is that identical computers, with identical installations of FTK, and using an identical image, show a different number of files in a folder.
Apparently when two people click on the same folder one may see a different number of files to the other making it difficult to replicate the findings of the first.
And the image was processed in an identical manner, and filtering was off on both, and no other KFF or NSRL hash sets were loaded to prevent viewing? Can you provide a screenshot?
I do not have the software myself. I don't want to give a lot away until I know I'm allowed to discuss it but apparently the software is "out-of-the-box" with no adjustments.
My source is reliable. They've also told me another item that I'm not allowed to discuss but will make for one hell of a story in the forensics world.
I remember someone bringing this issue up on AccessData's forum about two months ago. They had ran an exam, and attempted to verify their results and came up with different results. I cannot remember the specifics, and no longer have access to their forum to get the person's contact info for you. Maybe if someone else has access they may be able to get that info. But that was when I first heard of this problem.
I do not have the software myself. I don't want to give a lot away until I know I'm allowed to discuss it but apparently the software is "out-of-the-box" with no adjustments.
My source is reliable. They've also told me another item that I'm not allowed to discuss but will make for one hell of a story in the forensics world.
DFICSI
If you cut away all the cloak and dagger rumour stuff …. what are you actually saying ? can you be more specific and accurate about the problem and then perhaps it will generate some meaningful discussion.
MS
DFICSI
If you cut away all the cloak and dagger rumour stuff …. what are you actually saying ? can you be more specific and accurate about the problem and then perhaps it will generate some meaningful discussion.
MS
I was just about to say something to that effect. This just seems like FUD until there's some form of foundation.
Is it the Nuix story or something related to FTK (or something else)?
I remember someone bringing this issue up on AccessData's forum about two months ago. They had ran an exam, and attempted to verify their results and came up with different results. I cannot remember the specifics, and no longer have access to their forum to get the person's contact info for you. Maybe if someone else has access they may be able to get that info. But that was when I first heard of this problem.
I just spent quite a bit of time searching the forum and did not find and post similar to what you describe. Can you be a little more specific?