Thursday, March 24, 2011

Been procrastinating on upgrading EnCase?

For those of you who have been putting off upgrading from EnCase v5 to v6, here is some incentive.

Take a look at this evidence file in v5, then open it in v6, FTK Imager, or another tool. Pay particular attention to sectors 280 and 676400.

For those of you using v6, don't think you live in a perfect world either. You may want to look at this too and see if it all looks "normal" to you.

I'm just saying...

Download Here


Daniel Friday, 25 March, 2011  

Sounded interesting so I had to play a bit... both sectors mentioned are headers to JPEGs (red rock? and koala). Both are starting sectors to ADS entries from "USB v5." It's bothering me as I feel like I'm missing something...

Lance Mueller Saturday, 26 March, 2011  

Your observations are correct, but how does it appear in EnCase v6? Which icon? Its name?

How does it appear in v5? Which icon and its name?

These are two perfectly normal JPG images placed onto a USB drive. The only "special" thing about them is that they are in an alternate data stream (ADS).
