6 Replies Latest reply on Oct 24, 2013 12:11 PM by awbattelle

    Problems with Govt Forensic utility Encase

    awbattelle

      When we apply the recovery XML file, we get an error message "No Original MBR tag found in recovery file". McAfee is supposed to be compatible with the EnCase software utility for forensic analysis of encrypted drives. However, we cannot get it to work, and Encase is insisting this is a McAfee problem.

      We are running Version 7 in FIPS mode. Any ideas?

        • 1. Re: Problems with Govt Forensic utility Encase

          If the machine was upgraded through different versions, it's quite possible there's no MBR in the recovery file - do you really need it though? What are you doing when you get this particular error?

          Re compatibility, it's more the other way around - there is no Encase-specific support in EEPC, no features designed for it, no code written for it. Simply, Encase is designed to consume the standard recovery data that EEPC/EPO exposes. I agree that no MBR in the recovery file is an EEPC issue (it's not necessarily a defect though), but how the recovery file is interpreted is up to Guidance Software.

           

          Message was edited by: SafeBoot on 9/25/13 11:43:22 AM EDT
          • 2. Re: Problems with Govt Forensic utility Encase
            awbattelle

            The file works fine with EETECH, but when we use the Encase application and try to apply the recovery file, the Encase application refuses to process it and gives the error message.

            Yes, we are required to use Encase when we encounter a classified incident. It is not sufficient to be able to decrypt the drive with EETECH, as this is not a certified forensic tool for this sort of requirement.

             

            Message was edited by: awbattelle on 9/25/13 10:47:36 AM CDT
            • 3. Re: Problems with Govt Forensic utility Encase

              You are going to have to work with Guidance, I'm afraid - having the MBR in the file (or not) is not a requirement of being able to decrypt the data. It's interesting to know there's no MBR tag, but it's not significant.

              McAfee can't change the behavior of Encase, as I hope you appreciate. Maybe you could fool the system by adding the MBR tag in?

              As for EETech not being "certified", I've never heard of ANY incident where a court refused to accept the data output from it, or any of its predecessors. Encase, I agree though, is more appropriate as it's designed for forensics, whereas EETech is designed to recover your data.

              • 4. Re: Problems with Govt Forensic utility Encase
                awbattelle

                So, what would an MBR tag look like? What is the syntax? Do you have an example of a recovery file where the tag is present?

                • 5. Re: Problems with Govt Forensic utility Encase

                  Sorry, no - I don't have anything like that available. I'll see what I can find out for you though.

                  • 6. Re: Problems with Govt Forensic utility Encase
                    awbattelle

                    So, it really looks like Encase is not currently compatible with EEPC 7.x. So, there is the answer, for what it's worth.