
Problems with Govt Forensic utility Encase

When we apply the recovery XML file, we get an error message "No Original MBR tag found in recovery file". McAfee is supposed to be compatible with the EnCase software utility for forensic analysis of encrypted drives. However, we cannot get it to work, and Encase is insisting this is a McAfee problem.

We are running Version 7 in FIPS mode. Any ideas?

6 Replies
Reliable Contributor SafeBoot
Message 2 of 7

Re: Problems with Govt Forensic utility Encase

If the machine was upgraded through different versions, it's quite possible there's no MBR in the recovery file - do you really need it though? What are you doing when you get this particular error?

Re compatibility, it's more the other way around - there is no Encase-specific support in EEPC, no features designed for it, no code written for it - simply, Encase is designed to consume the standard recovery data that EEPC/EPO exposes. I agree that no MBR in the recovery file is an EEPC issue (it's not necessarily a defect though), but how the recovery file is interpreted is up to Guidance Software.

Message was edited by: SafeBoot on 9/25/13 11:43:22 AM EDT

Re: Problems with Govt Forensic utility Encase

The file works fine with EETECH, but when we use the Encase application and try to apply the recovery file, the Encase application refuses to process it, and gives the error message.

Yes, we are required to use Encase when we encounter a classified incident. It is not sufficient to be able to decrypt the drive with EETECH, as this is not a certified forensic tool for this sort of requirement.

Message was edited by: awbattelle on 9/25/13 10:47:36 AM CDT
Reliable Contributor SafeBoot
Message 4 of 7

Re: Problems with Govt Forensic utility Encase

You are going to have to work with Guidance I'm afraid - having the MBR in the file (or not) is not a requirement of being able to decrypt the data. It's interesting to know there's no MBR tag, but it's not significant.

McAfee can't change the behavior of Encase as I hope you appreciate. Maybe you could fool the system by adding the MBR tag in?

As for EETech not being "certified", I've never heard of ANY incident where a court refused to accept the data output from it, or any of its predecessors. Encase I agree though is more appropriate as it's designed for forensics, whereas EETech is designed to recover your data.

Re: Problems with Govt Forensic utility Encase

So, what would an MBR tag look like? What is the syntax? Do you have an example of a recovery file where the tag is present?

Reliable Contributor SafeBoot
Message 6 of 7

Re: Problems with Govt Forensic utility Encase

Sorry, no - I don't have anything like that available. I'll see what I can find out for you though.

Re: Problems with Govt Forensic utility Encase

So, it really looks like Encase is not currently compatible with EEPC 7.x. So, there is the answer for what it's worth.
