EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide
Steve Bunting, William Wei
ISBN: 978-0-7821-4435-2
Paperback
576 pages
March 2006
This title is out-of-print and not currently available for purchase from this site.
Do you think you've discovered an error in this book?
Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.
| Chapter | Page | Details | Date | Print Run |
Guidance Software Evaluation and Data Integrity Test Updates
September 2006
Guidance Software has provided a new evaluation version (Evalversion505e.zip) of EnCase for users of the EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide. We have also updated the book’s exercise files (DataIntegrityTest.zip). You can download both from the download section here.
Note from Guidance Software:
Also, please note that EnCase has changed the way it automatically verifies the integrity of a data block each time a data block is accessed. In previous versions of EnCase, a pop-up box notified the user that something was wrong with a data block when the user caused an action to occur within said data block. The problem was that this pop-up window required a mouse click to go away and would come back each time EnCase re-verified the data block. In some cases, this message would continue to notify the user over and over again as the user continued to work their case. This is because several files could be contained within one data block and as an investigator continued to look at different files, parts of several files might have been located within that same data block, thus triggering the pop-up box. This pop-up window was the topic of many discussions and, after due process, a decision was made to remove it in Version 5.
--Guidance Software
Author’s Note:
The text was written using, at all times, EnCase Version 5.04a, which was the longest available version of Version 5. Version 5.04a did display a pop-up window upon a failed CRC check for a corrupted block of data. This anomaly was discovered when 5.05 was released and testing of the file integrity evidence file was done against the new release. As it turns out, a piece of the old code was introduced into 5.04a that caused the pop-up warning of the past. It was removed when 5.05 was released.
Currently, if a CRC check fails, there is no pop-up warning or entry in any log. This is a known issue and Guidance Software has indicated that Version 6, due out first quarter 2007, will include some feature to better handle this issue. Until then, the only way you’ll know if an evidence file has been corrupted is to run a final file integrity check prior to closing out the case and going to court. While this is always a good practice, the current lack of a warning if a CRC fails almost necessitates this added check.
As a final note, remember that the demonstration software can’t be expected to be a fully functional version of EnCase able to perform every feature referenced in the text. Guidance Software included this demo version as a bonus to assist with the learning process when readers were away from their fully licensed versions of their software.
As a final reminder, when using the demo version, remember that you don’t start a new case in the same manner as with the licensed version. Rather, you drag and drop an evidence file (only those recognized by the demo version) into the left pane of the software at which point a new case is created for you, with some prompts.
Best regards to all,
Steve Bunting
Date: 9/13/06