Try this with EnCase v4.22a:
Using two identical pictures (jpg), put a black dot on one and call it pic b, and call the other pic a.
Wipe a floppy disk or format a new one.
Drag picture a onto the disk using Windows.
Rename the pic (a-renamed) and delete it.
Drag b onto the disk.
Rename it b-dot and delete it.
Drag a onto the disk and rename/delete it.
Image under EnCase! (Forgot that bit.)
Run the file finder script for jpg and ponder the results.
Neddy,
What exactly were the results? Rather than hundreds of people trying your experiment, I'll believe you when you post the results 😉
Duplicate files in gallery view, very confusing for a newbie. Each duplicate has the same starting sector and leads you to believe that you have more than one deleted copy of each image.
I personally would rather use SMART, as I feel that I have more control over my searches and have more room to work within, if you know what I mean? The price of EnCase 5 is kinda painful too…
"More control over [your] searches"? What does that mean? And no, I don't know what you mean…you haven't really said anything.
I just personally think EnCase blows for so many reasons that it should be reason enough to want to learn the other side of the fence in case you are ever called to the stand to defend yourself against someone who is aware of the many flaws of using EnCase for acquires.
This sounds to me like either an anti-Windows rant, or a rant against the cost of EnCase. I think that what you're missing is that LEOs go to court every day after having used EnCase, and testify as to what they did and how they did it. With the folks I've talked to, it isn't so much the tools that are called into question as it is the process used by the investigator.
If an investigator successfully images a system with EnCase, and the image is verified…what's the issue?
From having read through the posts in this thread, you really haven't said anything, flytnx. It is clear, however, that you have a vague, unspecified dislike for EnCase, and prefer the bootable Linux CDs. That's fine…that's your personal preference. As long as you're able to provide such information as the settings you used for imaging (i.e., command line for dd) so that they can be scrutinized…
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http://windowsir.blogspot.com
Why would you give the command line used for DD when using SMART, to be scrutinised? It is done using a GUI.
There are some issues with EnCase. If you read other forums, other forensic tools have issues too. They get resolved over time.
The issue DaveG mentioned is relevant; however, I never did experience the differing hash values when acquiring disks with errors. Having said that, acquiring disks is time consuming and we cannot afford the time to waste experimenting, so my testing in this matter has been limited. EnCase v5 has apparently been fixed to prevent this.
SMART has dealt with bad sectors correctly since it was first released.
EnCase v5 does, however, appear to have some issues imaging CD-ROMs. A CD-ROM full of data will appear to be blank when acquired and all of its data will be in unallocated space…
Wardy-
You are correct. Depending on the format, EnCase requests you purchase CD/DVD Inspector by InfinaDyne. Image your CD with CD/DVD Inspector, and you can drop those images directly into EnCase v5.04a.
EnCase is definitely NOT a one-size-fits-all solution; however, it does some things very well, while other things require a third-party tool. Decryption and CD imaging are two of those things, for example.