hi,
My EnCase version is v7 and I found a terrible issue about index search in Unallocated area. Without Internet Evidence Finder I could not the truth of EnCase index search…Thanks God I use IEF to carve the evidence file and some webmail found..so I export those records as below Excel datasheet..guess what? I did index the evidence file and search same Simplified Chinese keywords in the Excel datasheet..no any hits found…
Forensics is a strict science..such kind of mistakes are unacceptable..Guidance should think highly of Chinese market and do something to fix this issue as soon as possible…
You guys could take a look at my blog then you will see what's happening here…
http//
This is just one example out of hundreds out there. If you check encase support forums, you can see how many more of the problems like yours are waiting for solutions.
No software can be excellent, ok this is acceptable to some extent, however, we have come across other cases, where encase could not find the texts in regular ms word files, even if we mounted compound files.
So, years of experience showed us that my colleagues and I do not trust any software in all aspects even if they have the word "Forensic" in their name, unless we confirm the results with another software, sometimes with two other ones, if required.
In my opinion, this is because forensic software are not tested proper enough. You can see most of them are not independently tested. And those which say they had been tested are only tested in one version, not each new version. So, if a forensic software has 5 versions in the market, 4 of them may not have been tested. So, check if your particular version has been tested and always make sure you confirm the results especially if it is the incriminating evidence.
Regards,
I can't agree more with you. Of course there is no perfect software/tool. But what we talk about is "Forensics", it's a strict science so such kind of missing hits in Unallocated area is unacceptable , no matter to forensic guys , or even to our clients. We promise our clients to use Forensic Sound tools to do thorough analysis, to restore the truth, to reveal justice as possible as we could.
We used EnCase for a very long time, and we're used to trust it on search results. Now we found it missed hits in the Unallocated area..that means we could have missed some important clue ..It's a serious problem. I don't want to put someone innocent into jail…
Now I use FTK and X-Ways Forensics to do raw search and index search. Fortunately they don't have such problems. They could search Simplified or Traditional Chinese characters in the Unallocated area and hit exactly as keywords without fail.
I'm not trying to say something bad about EnCase. I hope Guidance could solve such problems as soon as possible..then it could catch up with FTK or X-Ways , when it comes to keyword search, a basic and important function in Forensics.
I can't agree more with you. Of course there is no perfect software/tool. But what we talk about is "Forensics", it's a strict science so such kind of missing hits in Unallocated area is unacceptable , no matter to forensic guys , or even to our clients. We promise our clients to use Forensic Sound tools to do thorough analysis, to restore the truth, to reveal justice as possible as we could.
We used EnCase for a very long time, and we're used to trust it on search results. Now we found it missed hits in the Unallocated area..that means we could have missed some important clue ..It's a serious problem. I don't want to put someone innocent into jail…
Now I use FTK and X-Ways Forensics to do raw search and index search. Fortunately they don't have such problems. They could search Simplified or Traditional Chinese characters in the Unallocated area and hit exactly as keywords without fail.
I'm not trying to say something bad about EnCase. I hope Guidance could solve such problems as soon as possible..then it could catch up with FTK or X-Ways , when it comes to keyword search, a basic and important function in Forensics.
Thats why you dont just trust the tool, you also should be using multiple tools