awbattelle

Problems with Govt Forensic utility Encase

When we apply the recovery XML file, we get an error message "No Original MBR tag found in recovery file". McAfee is supposed to be compatible with the EnCase software utility for forensic analysis of encrypted drives. However we cannot get it to work, and Encase is insisting this is a McAfee problem

We are running Version 7 in FIPS mode. Any ideas?

SafeBoot

Re: Problems with Govt Forensic utility Encase

If the machine was upgraded through different versions, it's quite possible there's no MBR in the recovery file - do you really need it though? What are you doing when you get this particular error?

Re compatibility, it's more the other way around - there is no Encase-specific support in EEPC, no features designed for it, no code written for it. Simply, Encase is designed to consume the standard recovery data that EEPC/EPO exposes. I agree that no MBR in the recovery file is an EEPC issue (it's not necessarily a defect though), but how the recovery file is interpreted is up to Guidance Software.

Message was edited by: SafeBoot on 9/25/13 11:43:22 AM EDT
awbattelle

Re: Problems with Govt Forensic utility Encase

The file works fine with EETECH, but when we use the Encase application and try to apply the recovery file, the Encase application refuses to process it, and gives the error message.

Yes, we are required to use Encase when we encounter a classified incident. It is not sufficient to be able to decrypt the drive with EETECH, as this is not a certified forensic tool for this sort of requirement.

Message was edited by: awbattelle on 9/25/13 10:47:36 AM CDT
SafeBoot

Re: Problems with Govt Forensic utility Encase

You are going to have to work with Guidance I'm afraid - having the MBR in the file (or not) is not a requirement of being able to decrypt the data. It's interesting to know there's no MBR tag, but it's not significant.

McAfee can't change the behavior of Encase as I hope you appreciate. Maybe you could fool the system by adding the MBR tag in?

As for EETech not being "certified", I've never heard of ANY incident where a court refused to accept the data output from it, or any of its predecessors. Encase I agree though is more appropriate as it's designed for forensics, whereas EETech is designed to recover your data.

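Before escalating to either vendor, it is worth confirming what the recovery XML actually contains, and comparing it with a recovery file from a machine that was installed cleanly at the current version rather than upgraded. The script below is an added example, not code from this thread or from McAfee or Guidance Software: it enumerates every element path in a recovery XML, reports any element whose name mentions the MBR, and lists which elements a suspect file lacks relative to a reference file. The sample XML and its element names (RecoveryInfo, OriginalMBR, DiskKey and so on) are constructed for illustration and are not the real EEPC recovery-file schema, which this thread does not show.

```python
"""Diagnostic for an EEPC-style recovery XML: which elements are present, and
which are missing compared with a known-good file. Added example; the sample
documents below are constructed and their element names are hypothetical."""
import xml.etree.ElementTree as ET

# Constructed sample: a recovery file that carries an MBR-like element.
SAMPLE_WITH_MBR = """<RecoveryInfo>
  <MachineName>host-a</MachineName>
  <OriginalMBR>33C08ED0BC007C8EC08ED8BE007CBF0006B90002FCF3A4</OriginalMBR>
  <DiskKey>00112233445566778899AABBCCDDEEFF</DiskKey>
</RecoveryInfo>"""

# Constructed sample: the same layout from a machine upgraded across versions,
# where (as suggested in the thread) the MBR element never got written.
SAMPLE_WITHOUT_MBR = """<RecoveryInfo>
  <MachineName>host-b</MachineName>
  <DiskKey>FFEEDDCCBBAA99887766554433221100</DiskKey>
</RecoveryInfo>"""


def element_paths(xml_text):
    """Return every element path in document order, e.g. '/RecoveryInfo/DiskKey'."""
    root = ET.fromstring(xml_text)
    paths = []

    def walk(elem, prefix):
        path = f"{prefix}/{elem.tag}"
        paths.append(path)
        for child in elem:
            walk(child, path)

    walk(root, "")
    return paths


def find_tags(xml_text, needle="mbr"):
    """Paths whose own tag name contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return [p for p in element_paths(xml_text)
            if needle in p.rsplit("/", 1)[-1].lower()]


def missing_tags(reference_xml, candidate_xml):
    """Element paths present in the reference file but absent from the candidate."""
    ref = set(element_paths(reference_xml))
    cand = set(element_paths(candidate_xml))
    return sorted(ref - cand)


if __name__ == "__main__":
    for name, doc in (("with MBR", SAMPLE_WITH_MBR), ("without MBR", SAMPLE_WITHOUT_MBR)):
        print(f"{name}: elements = {element_paths(doc)}")
        print(f"{name}: MBR-like elements = {find_tags(doc) or 'none'}")
    print("missing vs reference:", missing_tags(SAMPLE_WITH_MBR, SAMPLE_WITHOUT_MBR))
```

Run it against the exported recovery XML instead of the embedded samples by reading the file into `find_tags` and `missing_tags`; if the reference file from a clean install has an MBR element and the suspect file does not, that is concrete evidence to hand to Guidance Software (or McAfee) rather than a bare error message. The script deliberately does not try to fabricate an MBR element, since the correct contents and tag name are not known from this thread.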
awbattelle

Re: Problems with Govt Forensic utility Encase

So, what would an MBR tag look like? What is the syntax? Do you have an example of a recovery file where the tag is present?

SafeBoot

Re: Problems with Govt Forensic utility Encase

Sorry, no - I don't have anything like that available. I'll see what I can find out for you though.

awbattelle

Re: Problems with Govt Forensic utility Encase

So, it really looks like Encase is not currently compatible with EEPC 7.x. So, there is the answer for what it's worth.
