Use of Patched EnCase

NewbieII
(@newbieii)
Topic starter  

Hi there,
We have an issue around the evidence obtained from an internal investigation.

We had a forensic specialist take an image of a laptop. He used EnCase 3.22f, which is a patched version and is apparently illegal.
The person being charged is alleging that the version is illegal and therefore the evidence is tainted and consequently cannot be used.
Is this indeed the case?
Can the data be used for the internal hearing?
Is a patched version of EnCase illegal? If so, why?

Regards


(@gmarshall139)
 

I've not heard of this before. The final version of 3 was 3.22g. I think 3.22f was a valid version. If he owns the software legitimately he can get a letter from guidance stating he has a valid license. Every version of Encase past the original release is a patched version in a sense.

If he's using some sort of pirated version the evidence isn't tainted, but his credibility is. To the same result.


NewbieII
(@newbieii)
Topic starter  

I think that the issue is that a dongle was not used to do the imaging and therefore there is some problem with the image used.

Regards


(@gmarshall139)
 

EnCase does not require a dongle for "acquisition mode". This in no way invalidates the image. Provided the examiner possesses a license and was not using some pirated version for the analysis, I can't see any grounds for a challenge.


 Andy
(@andy)
 

Greg is right, EnCase 3.22f is a valid version. No dongle is required to use the software in acquisition mode. The boot floppy containing the DOS imaging program (en.exe) is available free to download and use from the Guidance website.

Andy


(@Anonymous)
Guest
 

I agree as well. The ONLY possible way that I can see a problem is if they jumped to this conclusion because the verification of the image was done on this system (which one would assume it had been) and then, for it to be completed on a new system, they could technically argue that the evidence files *may* have been tampered with if there are no SHA1/MD5 values from the original acquisition.

my two cents



(@bjgleas)
 

While it's not overly clear from the descriptions, EnCase version 3.22f is a valid version, but it was also a widely pirated version, showing up on most of the peer-to-peer servers and newsgroups.

So even if the EnCase acquisition tool is free and available online, the argument would go that the original investigator used the pirated version of 3.22f to duplicate and analyze the image. Since we don't know what the hackers did to break the copy protection (they could have installed back doors, spyware, etc.), basically the tool cannot be trusted, and therefore the results of the tool cannot be trusted, no matter what the MD5 / SHA1 says.

If I was working for the defense, that is the argument I would make, in an effort to get the evidence thrown out. Barring that, at a minimum, the process has to be done over again using legal tools, and since that would take some time (and I would make them prove they were using legal tools), I would ask for dismissal of the charges based on being denied my right to a speedy trial. I would also go after the original investigator for using pirated software in the first place (professional ethics, etc.).

Part of the problem is that once it was realized the investigator was using pirated tools, all of his investigations can be called into question. Nothing coming out of this person could be trusted.

But hey, that's just me, I could be wrong.

bj


(@Anonymous)
Guest
 

Well, they simply "cracked" the registration module, nothing unheard of in the world of software piracy. The EnCase protection module is nothing compared to that of Ableton Live, for example, so given that, with EnCase 4.22 I believe, they probably distributed the original .exe with the .exe crack to produce bogus registration information. I highly doubt that they would actually try to reverse engineer the software to compromise it to act as a backdoor, seeing as 99% of examiners prefer to have their examination station either on a segmented VLAN or with no connectivity at all, and if you even bring that up, then you are going to have to do analysis on a workstation with that version installed to prove or disprove it.

I agree, though, that the process should be done again with "legal" tools; however, it is not always possible depending on the circumstances. Sometimes the machine is a production server that you can just get a window of time to do, and then it is returned to its operational state.

Personally I choose to carry tools like SMART, a Linux CD with dd, and for Win32 the FTK Imager around with me, seeing as they are all free distros and a pretty safe bet that you can feel confident walking away from the scene that your image integrity is good.



(@roncufley)
 

well, they simply "cracked" the registration module, nothing unheard of in the world of software piracy…

In fact, I think that you will find that the cracked version is exactly the same as the good version, with the exception of one .dll which is used to avoid the dongle checking. A couple of MD5s and a bit of reverse engineering on the .dll would be sufficient to show that the results produced by the cracked version were technically (if not legally) valid.

I sometimes think that we all get a bit a**l about the tainting of evidence. Clearly, if the prosecution sets out to violate the rights of the accused, the evidence might need to be struck out, but if the investigator had a citation at age 12 for riding his bicycle without lights, who really cares?

In this case, if the investigator is, in fact, using a joey copy of EnCase, then clearly he needs his backside kicking, but if the evidence can be shown to be valid, why should it be excluded?

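Two of the replies above lean on the same mechanical check: the Anonymous poster on MD5/SHA1 values taken at acquisition so a later copy of the evidence file can be shown unchanged, and roncufley on comparing the cracked installation with a clean one to show that only a single .dll differs. The following is an added example in Python, written for this page and not code from the thread, from Guidance Software or from EnCase. It hashes a file in chunks (so a multi-gigabyte image is never read into memory), re-verifies it against recorded values, and diffs two directory trees by content hash. The 4 MiB "image", the two install trees and every file name in them (app.exe, dongle_check.dll, crack.nfo) are constructed for the demo and stand for nothing real.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: an image is hashed without loading it into memory


def hash_fileobj(fobj, algos=("md5", "sha1")):
    """Hash an open binary stream with several algorithms in a single pass."""
    hs = {a: hashlib.new(a) for a in algos}
    for block in iter(lambda: fobj.read(CHUNK), b""):
        for h in hs.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def hash_file(path, algos=("md5", "sha1")):
    with open(path, "rb") as f:
        return hash_fileobj(f, algos)


def hash_bytes(data, algos=("md5", "sha1")):
    return hash_fileobj(io.BytesIO(data), algos)


def verify_image(path, recorded):
    """Recompute the hashes recorded at acquisition; returns per-algorithm match flags."""
    current = hash_file(path, tuple(recorded))
    return {a: current[a] == recorded[a] for a in recorded}


def diff_trees(root_a, root_b):
    """Compare two directory trees file by file using SHA-1 of contents.

    Returns (changed, only_in_a, only_in_b), each a sorted list of relative paths.
    """
    def index(root):
        out = {}
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                out[rel] = hash_file(full, ("sha1",))["sha1"]
        return out

    ia, ib = index(root_a), index(root_b)
    common = ia.keys() & ib.keys()
    return (sorted(r for r in common if ia[r] != ib[r]),
            sorted(ia.keys() - ib.keys()),
            sorted(ib.keys() - ia.keys()))


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a small fake image plus two fake install trees.

    Nothing here is real EnCase data; all file names and contents are hypothetical.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # 1. Hashes "written in the acquisition notes", then the same check after one byte changes.
        img = os.path.join(tmp, "laptop.dd")
        _write(img, bytes(range(256)) * (4 * 1024 * 4))  # 4 MiB of deterministic filler
        recorded = hash_file(img)
        before = verify_image(img, recorded)
        with open(img, "r+b") as f:  # simulate post-acquisition tampering
            f.seek(1234)
            f.write(b"\xff")
        after = verify_image(img, recorded)

        # 2. Two installations: identical except one DLL, plus an extra file in the copy.
        good, crack = os.path.join(tmp, "good"), os.path.join(tmp, "cracked")
        for root in (good, crack):
            _write(os.path.join(root, "app.exe"), b"MZ same program bytes")
            _write(os.path.join(root, "help", "manual.txt"), b"same documentation")
        _write(os.path.join(good, "dongle_check.dll"), b"MZ checks hardware key")
        _write(os.path.join(crack, "dongle_check.dll"), b"MZ always returns success")
        _write(os.path.join(crack, "crack.nfo"), b"release notes from the pirate group")
        changed, only_good, only_crack = diff_trees(good, crack)

    return {
        "before_ok": all(before.values()),
        "after_ok": all(after.values()),
        "changed": changed,
        "only_in_good": only_good,
        "only_in_cracked": only_crack,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dict in which the image verifies before the byte flip and fails on both algorithms after it, and the tree comparison names dongle_check.dll as the only changed file and crack.nfo as the only addition. Recording both MD5 and SHA-1 at acquisition time, as the tool does, is what makes the later comparison meaningful; a hash computed only when the dispute arises proves nothing about the state of the file at acquisition.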
Page 1 / 2