From: Matt Pepe (mtpepecode-monks.com)
Date: Mon Mar 18 2002 - 17:13:10 CST

    Just a couple of points to note about this problem. First, the issue of
    using EnCase as an imaging solution. Since the "evidence" file created
    (the .enN files) is not a true image, searches against it can not be relied
    upon as being complete or accurate. You are forced to use EnCase or
    restore the image, where other issues come into play, especially if you
    happen to be working on a Unix filesystem. This is true of any proprietary
    imaging file format.
    Luckily, Guidance has finally incorporated the ability to load in raw image
    files ("dd", for instance). Most forensics *labs* stay away from using
    EnCase as an imaging solution. On the analysis side, it's great though.

    <opinion tag>
    I vote we lobby Guidance for a tool that can convert their proprietary file to
    a raw image. I have this funny feeling that if they don't offer it soon, other
    forensic processing suites may have the upper hand.
    </opinion tag>

    The second point is that Rob is entirely correct. If you have any suspicion
    that your results are not correct or complete, attempt to perform the
    operation with a different set of tools. Do not believe marketing material
    that states that collections of GNU or older (but reliable) DOS command
    line tools are not defensible in court. As long as you are familiar with the
    tools, aware of their shortcomings, and the tools are acceptable
    (history of use, widely accepted by other experts) in this field, you should
    have few problems.

    One question though, Rob. Can you get the Unix port of these tools to run
    on a sterilized version of DOS? If not, the example you gave may have just
    modified your evidence (copy), given your DOS prompt and the fact that
    you are pointing to a physical device that we can only assume is a
    restored image.
    I'm sure that you could, but it would take a CD, or about 12 floppies to load
    the RAM disk with the libraries. I'm getting flashbacks to the 80's when
    my system didn't have a hard drive... :)

    -- Matt

    Quoting "Lee, Robert T." <ROBERT.T.LEE-2saic.com>:

    > Brandon,
    >
    > Another option may be to compare the results from your Encase search
    > and
    > then run another search using the Unix port of "cat","strings", and
    > "grep" on that filesystem and see if it produces any hits.
    >
    > Example:
    >
    > C:\>cat \\.\PhysicalDrive0 | strings | grep test
    >
    > Or if you have multiple strings put them in a file and run
    >
    > C:\>cat \\.\PhysicalDrive0 | strings | fgrep -f file-with-patterns
    >
    > Or if you do not have the ports of these tools, mount the drive on
    > your
    > favorite Linux flavor of choice and run the same test.
    >
    > Just a thought... I would be interested to see if that produces the
    > hits you are looking for.
    >
    > --Rob
    >

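As an added illustration of the cross-check Matt recommends and of the cat | strings | grep pipeline in Rob's quoted message (example code written for this archive page, not from either author or from any forensic suite): a Python stand-in for the two legs of such a search, run over a constructed raw-image byte string. It also shows two gaps a single strings-based pass has, the default minimum string length and text stored as UTF-16LE (the encoding GNU strings only scans with -e l), which is the kind of incompleteness the thread warns about.

```python
import re

# Constructed sample raw image (not evidence from the thread): a keyword in
# plain ASCII, one stored as UTF-16LE the way Windows often writes text,
# and one printable run shorter than strings' default minimum of 4.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"Meeting notes: project test plan\x00"
    + b"\xff" * 100
    + "secret memo".encode("utf-16-le")
    + b"\x00" * 300
    + b"tst\x00"
)


def extract_strings(data, min_len=4, encoding="ascii"):
    """Emulate `strings -a` (ascii) or `strings -e l` (utf-16-le): return
    (offset, text) for every printable run of at least min_len characters."""
    if encoding == "ascii":
        run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    elif encoding == "utf-16-le":
        run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    else:
        raise ValueError("unsupported encoding: %s" % encoding)
    return [(m.start(), m.group().decode(encoding)) for m in run.finditer(data)]


def strings_grep(data, patterns, min_len=4):
    """First leg, like `strings | fgrep -f patterns`: (pattern, encoding,
    offset) for every extracted string that contains a pattern."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        for off, text in extract_strings(data, min_len, enc):
            hits.extend((p, enc, off) for p in patterns if p in text)
    return hits


def raw_grep(data, patterns):
    """Second, independent leg, like `grep -a` on the raw bytes: no minimum
    length, but it only sees the single-byte encoding of each pattern."""
    return [(p, "raw", data.find(p.encode()))
            for p in patterns if p.encode() in data]


def cross_check(data, patterns):
    """Patterns each leg found but the other missed: the signal to dig further."""
    a = {p for p, _, _ in strings_grep(data, patterns)}
    b = {p for p, _, _ in raw_grep(data, patterns)}
    return {"only_strings_grep": a - b, "only_raw_grep": b - a, "both": a & b}
```

On the sample image the strings-based leg alone misses the 3-byte run and the byte-grep leg alone misses the UTF-16LE text, so neither result set is complete on its own.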
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com