My Road to Digital Forensics Excellence

Encase v7 First Month

Posted by Paul Bobby on August 2, 2011

We have multi-day Evidence Processing times, Date format issues, HD encryption issues, reporting issues and a bunch of other smaller but still irritating gotchas to deal with. Just check the forum if you don’t believe me. Are they all end-user errors? Hah, not likely.

I have not yet worked with an operational v7 public release – Guidance is having difficulties licensing the forensic version to those of us with EE-only dongles. *sigh*. But I do believe that the underlying file system parsing capability is still intact. I tested EXT/4, for example, and found it to parse properly. So Encase, used as a file system browsing tool, appears to behave as v6 currently does, which is to present an accurate representation of the file system for manual review. What concerns me, however, is that this core functionality has now been wrapped in a large number of new interface features, requiring a major relearning of the product and, more importantly, requiring considerable new testing on the part of the buyer before they can be confident that v6 and v7 generate the same results.

I strongly recommend that no one use this for current production case load without submitting v7 to a rigorous internal testing plan. I only hope that we do not find something that is ‘not a bug’ but in fact a correct interpretation of filesystem/artifact data, and renders all previous v6 case work invalid because v6 did ‘it wrong all along’.

I have become aware that v6 owners who wish to buy ‘modules’ for their v6 product (for example VFS) can no longer do so and must buy v7 instead. This is bad form, Guidance, considering the current state of v7.


One Response to “Encase v7 First Month”

  1. Your remarks imply that one could change from v6.x to v6.(x+1) with less testing – and that is not the case. There were plenty of things broken and then fixed (and, sometimes, broken again) between various v6 releases.

    Also, you seem to imply that a good test of a (release of a) tool will allow you to conclude that it will generate correct results on that same computer in the future and on other computers. This is also not true. EnCase, FTK and most other products rely on operating system behaviour and changes there (perhaps as a result of ‘fixes’ being applied, configuration changes or even the passage of time) can break things too. (Example: 2007 US daylight savings patch).

    There are examples of things that ‘v6 (and earlier) did it wrong all along’. For example, UNIX dates and times.

    I conducted some testing of v6 releases earlier this year as part of a paper I was writing (to prove some of the comments set out above). Whilst doing that I discovered that EnCase was switching from daylight to standard time at the wrong time – in every time zone I tested, including PT where you would think it would get the most testing.
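The daylight-saving problem raised in the comment above is the kind of thing a validation plan for a forensic tool should test explicitly rather than assume. The following is an added Python example, not code from the post, the commenter or Guidance: it implements the two US daylight-saving rules (1987–2006 and 2007 onward, both public fact) as an independent reference, converts UNIX timestamps to local time with them, and compares that against a list of tool-reported local times. The tool output in `CONSTRUCTED_TOOL_OUTPUT` is constructed for the example and shows what a tool still applying the pre-2007 rule would report for Pacific time in 2007; the function names and the fixed `-8` standard offset are assumptions for illustration.

```python
from datetime import date, datetime, timedelta, timezone

# Independent reference for the US daylight-saving rules, used to check a
# tool's epoch-to-local-time output around the transitions. The rules are
# public fact: 1987-2006 ran from the first Sunday in April to the last Sunday
# in October; from 2007 onward, second Sunday in March to first Sunday in
# November. Both transitions occur at 02:00 local time (standard time in
# spring, daylight time in autumn).


def _nth_sunday(year, month, n):
    """Return the date of the n-th Sunday of the given month."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Sunday=6, so this is the day number of the first Sunday
    first_sunday = 1 + (6 - first.weekday()) % 7
    return date(year, month, first_sunday + 7 * (n - 1))


def _last_sunday(year, month):
    """Return the date of the last Sunday of the given month."""
    next_month_first = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = next_month_first - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def dst_transition_dates(year):
    """Local dates on which DST starts and ends under the US rule in force that year."""
    if year >= 2007:
        return _nth_sunday(year, 3, 2), _nth_sunday(year, 11, 1)
    if year >= 1987:
        return _nth_sunday(year, 4, 1), _last_sunday(year, 10)
    raise ValueError("US DST rules before 1987 are not modelled here")


def dst_transition_epochs(year, std_offset_hours):
    """UNIX epoch seconds at which DST starts and ends for a zone with this standard offset."""
    start_day, end_day = dst_transition_dates(year)
    std = timezone(timedelta(hours=std_offset_hours))
    dst = timezone(timedelta(hours=std_offset_hours + 1))
    # Spring forward at 02:00 standard time; fall back at 02:00 daylight time.
    start = datetime(start_day.year, start_day.month, start_day.day, 2, tzinfo=std)
    end = datetime(end_day.year, end_day.month, end_day.day, 2, tzinfo=dst)
    return int(start.timestamp()), int(end.timestamp())


def local_offset_hours(epoch, std_offset_hours):
    """UTC offset (in hours) in effect at the given instant for a US zone."""
    year = datetime.fromtimestamp(epoch, timezone.utc).year
    start, end = dst_transition_epochs(year, std_offset_hours)
    return std_offset_hours + 1 if start <= epoch < end else std_offset_hours


def epoch_to_local(epoch, std_offset_hours):
    """Convert a UNIX timestamp to an aware local datetime using the reference rules."""
    offset = timezone(timedelta(hours=local_offset_hours(epoch, std_offset_hours)))
    return datetime.fromtimestamp(epoch, offset)


def check_tool_output(samples, std_offset_hours):
    """Compare (epoch, tool_reported_iso) pairs against the reference; return the mismatches."""
    mismatches = []
    for epoch, reported in samples:
        expected = epoch_to_local(epoch, std_offset_hours).isoformat()
        if reported != expected:
            mismatches.append((epoch, reported, expected))
    return mismatches


# Constructed sample (hypothetical tool output, not captured from any product):
# what a tool still applying the pre-2007 rule would report for Pacific time
# (standard offset -8) in 2007. The first instant is one hour after the 2007
# spring transition; the third falls in the week between the old October end
# date and the new November one.
PACIFIC_STD_OFFSET = -8
CONSTRUCTED_TOOL_OUTPUT = [
    (1173610800, "2007-03-11T03:00:00-08:00"),  # wrong: old rule, still reports PST
    (1183550400, "2007-07-04T05:00:00-07:00"),  # correct: mid-summer PDT
    (1193918400, "2007-11-01T04:00:00-08:00"),  # wrong: old rule ended DST in October
]

if __name__ == "__main__":
    for epoch, reported, expected in check_tool_output(CONSTRUCTED_TOOL_OUTPUT, PACIFIC_STD_OFFSET):
        print(f"epoch {epoch}: tool reported {reported}, reference expects {expected}")
```

Run as-is it prints the two mismatching rows. The useful part of a validation plan is the reference being independent of the tool and of the examining workstation's own time zone configuration: every conversion here is done with fixed offsets, so the expected values do not change when the host's DST tables are patched, which is precisely the failure mode the comment describes.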

