if the machine was upgraded through different versions. it's quite possible there's no MBR in the recovery file - do you really need it though? What are you doing when you get this particular error?
re compatibility, it's more the other way around - there is no encase specific support in EEPC, no features designed for it, no code written for it - Simply, Encase is designed to consume the standard recovery data that EEPC/EPO exposes. I agree that no MBR in the recovery file is an EEPC issue (it's not necessarily a defect though), but how the recovery file is interpreted, is up to Guidence Software.
The file works fine with EETECH, but when we use the Encase application and try to apply the recovery file, the Encase application refuses to process it, and gives the error message.
yes, we are required to use Encase when we encounter a classified incident. It is not sufficient to be able to decrypt the drive with EETECH, as this is not a certified forensic tool for this sort of requirment.
You are going to have to work with Guidence I'm afraid - having the MBR in the file (or not) is not a requirement of being able to decrypt the data. It's interesting to know there's no MBR tag, but it's not significant.
McAfee can't change the behavior of Encase as I hope you appreciate. Maybe you could fool the system by adding the MBR tag in?
As for EETech not being "certified", I've never heard of ANY incident where a court refused to accept the data output from it, or any of its predecessors. Encase I agree though is more appropriate as it's designed for forensics, whereas EETech is designed to recover your data.
So, what would an MBR tag look like? What is the syntax? Do you have an example of a recovery file where the tag is present?
sorry no - I don't have anything like that available. I'll see what I can find out for you though.
1 of 1 people found this helpful
So, it really looks like Encase is not currently compatible with EEPC 7.x So, there is the answer for what it's worth.