Comments on: Beat EnCase File Signature Analysis on a Windows System http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system Rendering computer investigations irrelevant Sat, 05 Nov 2011 19:36:26 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Anonymous http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system/comment-page-1#comment-3857 Anonymous Sat, 08 Oct 2011 13:29:29 +0000 http://www.anti-forensics.com/?p=564#comment-3857 I am just throwing this out there but there is rumour that authorities have cracked true crypt. So whats to say the above average black hat hacker has not also managed to obtain this crack. I am just throwing this out there but there is rumour that authorities have cracked true crypt. So whats to say the above average black hat hacker has not also managed to obtain this crack.

]]> By: Jon http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system/comment-page-1#comment-255 Jon Fri, 18 Jun 2010 18:54:32 +0000 http://www.anti-forensics.com/?p=564#comment-255 Chris Ford, you should not have replied to excalibur ii 1000 excalibur ii 1000 is a spamming bot, I have seen this kind of spam before, if you read again the one line sentence (it is usually a one line sentence), it is written in an ambigous way so that it can be posted at any blog, but that is not what gives it away, what gives "excalibur ii 1000" is: 1) Nickname is "excalibur ii 1000", a commercial product 2) "excalibur ii 1000" has a signature link to, you guessed it "excalibur ii 1000" 3) "excalibur ii 1000" also links to his minelabexcalibur selling "excalibur ii 1000" I have no problem with people using their URL at all, but this is not a human being, this is a bot, whom obviously does not read the blog. I have seen spam like this a dozen times before, the traits are: always generic replies, one line sentence, a signature linking to a commercial product. Chris Ford, you should not have replied to excalibur ii 1000

excalibur ii 1000 is a spamming bot, I have seen this kind of spam before, if you read again the one line sentence (it is usually a one line sentence), it is written in an ambigous way so that it can be posted at any blog, but that is not what gives it away, what gives “excalibur ii 1000″ is:

1) Nickname is “excalibur ii 1000″, a commercial product

2) “excalibur ii 1000″ has a signature link to, you guessed it “excalibur ii 1000″

3) “excalibur ii 1000″ also links to his minelabexcalibur selling “excalibur ii 1000″

I have no problem with people using their URL at all, but this is not a human being, this is a bot, whom obviously does not read the blog. I have seen spam like this a dozen times before, the traits are: always generic replies, one line sentence, a signature linking to a commercial product.

]]> By: Yar (Admin) http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system/comment-page-1#comment-194 Yar (Admin) Thu, 25 Feb 2010 03:06:17 +0000 http://www.anti-forensics.com/?p=564#comment-194 Yes, depending on what type of file and the type of data and the type of OS accessing the data performing this type of data manipulation can render the file useless. There are plenty of articles throughout the rest of the site on using TrueCrypt as well. You are very correct in saying that if someone has data that they feel they need to hide or mask then they probably aren't going to do something tedious like this, but this is not the point of the article. Yes, EnCase is into the version 6 series which I use as well, in fact I use all versions of EnCase going back to 3. This method exists throughout. Yes, depending on what type of file and the type of data and the type of OS accessing the data performing this type of data manipulation can render the file useless.

There are plenty of articles throughout the rest of the site on using TrueCrypt as well. You are very correct in saying that if someone has data that they feel they need to hide or mask then they probably aren’t going to do something tedious like this, but this is not the point of the article.

Yes, EnCase is into the version 6 series which I use as well, in fact I use all versions of EnCase going back to 3. This method exists throughout.

]]> By: JimBob http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system/comment-page-1#comment-192 JimBob Wed, 24 Feb 2010 20:05:35 +0000 http://www.anti-forensics.com/?p=564#comment-192 There is one thing I did not see mentioned (maybe I missed it). This makes that file unusable until you correct the bytes that you changed. So, you need to mask the header to hide, but unmask to use, then mask again to hide. I wonder why anyone would go through this hassle when you can hide data within a Truecrypt volume, or heck, even a hidden Truecrypt volume. That is a much easier solution, and investigators cannot do anything about it without the password. By the way, EnCase has progressed 2 major versions beyond that hacked version in your screen shots. There is one thing I did not see mentioned (maybe I missed it). This makes that file unusable until you correct the bytes that you changed. So, you need to mask the header to hide, but unmask to use, then mask again to hide.

I wonder why anyone would go through this hassle when you can hide data within a Truecrypt volume, or heck, even a hidden Truecrypt volume. That is a much easier solution, and investigators cannot do anything about it without the password.

By the way, EnCase has progressed 2 major versions beyond that hacked version in your screen shots.

]]> By: Yar (Admin) http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system/comment-page-1#comment-163 Yar (Admin) Tue, 22 Dec 2009 05:52:29 +0000 http://www.anti-forensics.com/?p=564#comment-163 This is a great response Chris and the reasons you have given are very solid. Thank you for commenting on this topic. This is a great response Chris and the reasons you have given are very solid. Thank you for commenting on this topic.

]]> By: Chris Ford http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system/comment-page-1#comment-162 Chris Ford Mon, 21 Dec 2009 22:05:23 +0000 http://www.anti-forensics.com/?p=564#comment-162 Excalibur ii 1000, I'll answer... For sensitive company information, we create a Truecrypt block volume on a device, create a hidden volume within that, with the datasets recorded being truecrypt containers with hidden volumes. Being that we send analysis data to "hostile" countries (Such as China, Vietnam, America) where data interception by those governments is high - using this method to encrypt TB's of data on a HDD is valuable indeed. We have, over the past 12 monhts, "lost" 30-35 disks in international mail-handling system - luckily, those who have stolen these will not recover anything! This keeps our IP safe.... We aren't doing anything illegal - (except for Veitnam, where any disk encryption is illegal) but we've never had any issues with "lost" disks there.. Excalibur ii 1000, I’ll answer…

For sensitive company information, we create a Truecrypt block volume on a device, create a hidden volume within that, with the datasets recorded being truecrypt containers with hidden volumes.

Being that we send analysis data to “hostile” countries (Such as China, Vietnam, America) where data interception by those governments is high – using this method to encrypt TB’s of data on a HDD is valuable indeed.

We have, over the past 12 monhts, “lost” 30-35 disks in international mail-handling system – luckily, those who have stolen these will not recover anything! This keeps our IP safe….

We aren’t doing anything illegal – (except for Veitnam, where any disk encryption is illegal) but we’ve never had any issues with “lost” disks there..

]]> By: Rob Zirnstein http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system/comment-page-1#comment-156 Rob Zirnstein Wed, 18 Nov 2009 02:47:10 +0000 http://www.anti-forensics.com/?p=564#comment-156 The best way to detect file types with high accuracy is to develop additional methods for creating comparable signatures/hashes of files and confirming the results with mini interpreters. This is how we see past tricks like the simple addition of "MZ" at the beginning of a file. The best way to detect file types with high accuracy is to develop additional methods for creating comparable signatures/hashes of files and confirming the results with mini interpreters. This is how we see past tricks like the simple addition of “MZ” at the beginning of a file.

]]> By: excalibur ii 1000 http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system/comment-page-1#comment-154 excalibur ii 1000 Fri, 13 Nov 2009 06:20:49 +0000 http://www.anti-forensics.com/?p=564#comment-154 Now why would you want to do anything on this website unless you were a criminal!? <a href="http://minelabexcalibur.com/the-minelab-excalibur-ii-1000-and-the-excalibur-ii-800/" rel="nofollow">minelab excalibur 1000</a> Now why would you want to do anything on this website unless you were a criminal!?

minelab excalibur 1000

]]> By: Snake http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system/comment-page-1#comment-150 Snake Wed, 16 Sep 2009 04:02:01 +0000 http://www.anti-forensics.com/?p=564#comment-150 I guess if you think about it, what else can encase do ya no? I guess if you think about it, what else can encase do ya no?

]]>