EnCase Portable

(@ronanmagee)
Posts: 145
Estimable Member
Topic starter
 

I'd like to pick up on Jamie's post and the recent news from Guidance on EnCase Portable:

Even personnel untrained in computer forensics can forensically acquire documents …

Is this something that should be encouraged? I do see the benefits of such a tool but to aim it specifically at the untrained is a recipe for disaster IMO.

Thoughts?

P.S. Wonder do you need a dongle to use it? 😉

 
Posted : 22/05/2009 6:47 pm
(@dficsi)
Posts: 283
Reputable Member
 

I say that people are free to employ whoever they want to take images. So what if the evidence gets crushed in court?

Also, I would suspect that the device has its own anti-piracy mechanism built in, otherwise what would stop people from just putting it on as many USB drives as they wish?

 
Posted : 22/05/2009 6:53 pm
(@rich2005)
Posts: 535
Honorable Member
 

If there was some way in which it could be plugged in on any computer, make no changes, and retrieve an exact copy. Yeah fine.
However I don't see how that's going to be possible, as we know the minute you start plugging things in, things change, so in that case is it a power off and back on? Are they then changing the boot order to boot from USB? Untrained people doing that?
Sounds like a recipe for disaster, as you say, thought up by marketing types :P
There may be more logic to it, but couldn't find any specifics in that doc 😉

 
Posted : 22/05/2009 6:57 pm
(@jhup)
Posts: 1442
Noble Member
 

The question is "Should untrained personnel be acquiring images, regardless of which tool is used?"
The answer is no.

But, reality is they will. If my company can use a person already on site to make an image, it is highly unlikely they would fly me out if management believes the case does not warrant it.

I know we should always do everything as if it is a court case, but business does not, and will cut corners until burned. Then, there will be an upswing in policies and enforcements, then it will ebb away over time again.

 
Posted : 22/05/2009 7:54 pm
(@pbeardmore)
Posts: 289
Reputable Member
 

I look forward to any forum member voting yes, rather a one-sided discussion I think! (and rightly so)

 
Posted : 22/05/2009 8:56 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

There are degrees of training I think. Back when I worked for police, we used a Linux-based forensic boot disk for onsite preview of contraband images. We trained detectives over the course of 2 days and had competency testing at the end. I would be quite comfortable with those who were found competent performing this specific function. There's not a chance in hell that I'd be happy with someone using the boot disk without training.

So perhaps it's just really bad wording on the part of Guidance. Perhaps they mean people who are not FULLY trained in forensics can use this tool if they are properly trained in the usage of this tool. I'd hate to think that they are suggesting that any Joe could go use the tool in the field without training.

 
Posted : 22/05/2009 10:36 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

"It is easy to use, fast and preserves digital evidence in the court-vetted evidence file format"

It does seem that it is geared towards a fast acquisition with minimal training but not as an end-all alternative to full data & memory acquisition. Just another tool. However, it is worded throughout the release a little too infomercialish: "anyone can do it!". And here I am reading, researching and testing every day like a sucker….

 
Posted : 22/05/2009 10:51 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

If I understand the press release correctly, this will boot the computer into an OS on the USB drive, à la Helix et al. There's no reason that data on the system under examination would change.

I can definitely see a use for this sort of device. At one client site, we have images going uncollected because we cannot get someone out to get the image. And with each day that passes, data is changing, I assure you.

I voted "yes". With the right tool and procedures, "untrained" people can be very useful.

-David

 
Posted : 23/05/2009 12:01 am
(@clifmeister)
Posts: 7
Active Member
 

If by trained you mean some type of certified forensic examiner (CFCE, EnCE, CCE, etc.), and by untrained you mean anyone who is not certified then I would vote yes, I can see a use for a simplified tool that I could have several users employing.

If by untrained you mean someone who has never been shown any information on using the tool in question and the consequences of using it incorrectly, then of course the answer is no.

I currently use FTK Imager and it requires neither a dongle nor a license. It is available for download from AccessData. If that were placed on a bootable disk, say a BartPE disk, and booted with a USB drive attached, one could do exactly what Guidance is suggesting their tool will be able to do.

I am not a fan of polls that have been written in a way to preclude all but the answer one is seeking.

 
Posted : 23/05/2009 12:03 am
(@keydet89)
Posts: 3568
Famed Member
 

"However I don't see how that's going to be possible, as we know the minute you start plugging things in, things change, so in that case is it a power off and back on?"

Okay…agreed, things change…but if one can document that, what is wrong with the resulting data?

"Are they then changing the boot order to boot from USB? Untrained people doing that?"

This changes the contents of the hard drive…how? On the systems I've worked with, boot order is maintained in the BIOS, and changing it hasn't (so far) made any changes to the contents of the HDD itself.

I do not recommend that untrained personnel do anything…but I do recommend training customer IT staff in proper procedures and methodologies for data acquisition, which includes proper documentation.

 
Posted : 23/05/2009 1:10 am