Comments on: More on EnCase Portable

By: JOHN

JOHN — Wed, 31 Mar 2010 13:10:20 +0000

I used Spada last week to retrieve images. I crashed when trying to axcess deleted images and data. Anybody had this happen before and would it affect our evidence gathering and subsequent court matters.

By: Eric MacIntosh

Eric MacIntosh — Tue, 22 Sep 2009 21:36:54 +0000

Has any body tried Encase Portable? If so can you clearify what it can and can’t do.

By: Daniel

Daniel — Fri, 03 Jul 2009 17:25:09 +0000

A lot of details left out of the video:

– Note minimal reference to the system having to be “off” (even though his demo machine is on) at the time of “data” extraction.
– Repeated use of the the term “data” vice evidence.
– Does the size of the repository USB device indicate estaimated amount of extracted “data”.
– No mention on the form this data would be extracted in.
– No mention of collection of system metadata associated with extraction.
– But to name a few … issues ….

By: Ron

Ron — Mon, 29 Jun 2009 02:40:01 +0000

Other comments…

If the target PC is not USB bootable, then you have to use the CD. All of this kind of takes away from the ‘stealthiness” aspect of the tool.

Likewise, I am guessing that there some sort of write blocking going on through the device or software, but is that guaranteed?

Finally, once you get the data, is it in some bizarro Encase only format that you need Encase enterprise to analyze?

By: Ron

Ron — Mon, 29 Jun 2009 02:36:58 +0000

Seems like they are competing against COFEE. I disagree with the arguments that somehow this is going to let untrained folks mess with computer evidence-anymore than any other tool.

Plus, since it is from Guidance. You just know it is going to cost several thousands bucks for the kit, then several thousand knicker to keep up with the license.

By: Marian

Marian — Wed, 24 Jun 2009 08:14:11 +0000

From one site it is commercial preasure to create “simple and widely used” tool for not-trained people, but crucial in forensic examination is to gather data properly. Once you have not enough data, you are not able to do correct forensic exanination. EnCase Portable seems to be more appropriate for quick search, where you need first information if there is something or not (for border points, intelligence, etc.).
…but we have not enough information for such conclusions yet.

By: Rob Pearson

Rob Pearson — Mon, 22 Jun 2009 13:11:23 +0000

Eh..Been there.. This is just a Commercial version of Forensic Boot CD’s have been around for awhile. It just makes things “EASIER” for the lay person. But if you are a newb…would you even know what you are looking for?? For this I will stick with SPADA, Helix, 10-23 or whatever flavor Linux Boot CD I can find at the time.. Gotta save money for EnCase 7!!

By: lee

lee — Sun, 21 Jun 2009 13:39:48 +0000

Someone still has to do the investigation at the other end. However can you imagine having a case thrown out because someone asked their secretary to get the data?

By: Jan Collie

Jan Collie — Sun, 21 Jun 2009 13:36:11 +0000

Is this the start of F**k-wit Forensics? No knowledge needed?