First off, I would like to say thank you, your tool has been my go-to for 3 years here in South Africa.
I imaged an HP Lenovo using Kali Linux, with Guymager v 0.8.12-1. All dates in the .info correspond with the chain of events (being on 4 Aug 2020, or in the format: 2020/08/04).
My problem is that in Encase, the Target date shows as 1972/03/31. Another anomaly I encounter is that when I try and recover deleted files, after it has completed, it shows me a pop up error "Invalid date value".
Can you please advise if you have seen this happen?
I previously imaged with 0.8.11 at my previous job and can't recall seeing this happen.
Thanks, rooibost, I'm glad to hear that Guymager found its way down to ZA :-)
Concerning your date problem: Could you please verify with a third, independent tool? I would suggest that you use ewfinfo. It should be contained on the Kali Linux you use. Call it like this:
ewfinfo ImageName.E*
You must pass all segment files to ewfinfo.
Have a look at the two output lines named "Acquisition date" and "System date".
Thank you for the quick response, I am in the process of imaging the same machine with FTK Imager, using Brett Shavers' WindowsFE. Once it has completed, I will test your suggestions also on Kali Linux and will send you an update.
For now: I suppose it's an Encase bug and is related to Encase not interpreting the EWF header correctly. What you could try: Launch Guymager with option "AvoidEncaseProblems". From the documentation:
In order to start Guymager with that option:
1st possibility: From the command line, start with
sudo guymager AvoidEncaseProblems=true
2nd possibility: Edit (create) file /etc/guymager/local.cfg (root rights needed to do so) and add the line
AvoidEncaseProblems=true
Then, start Guymager the usual way.
Brilliant, thanks! I will definitely work this into my build, as we are using Encase primarily and I have seen these error pop ups happening when adding the evidence files.
I will apply it later today and will continue with my tests with your suggestions and will give you an update afterwards whether it persists.
Hi Guy,
I applied your suggestion and changed "AvoidEncaseProblems".
Since then, from what I can see, it seems that this is not only fixing the error popups when I add the evidence to Encase, but it appears to also have fixed the Target Date problem I had. Not sure if this is a "correlation does not imply causation" situation or if the images that I have been making had something different from the previous machines I imaged. I think for now I will continue to keep on it and will raise another ticket if it happens again.
Previously 7 images were affected by this "Target date" (6 HP laptops and a MS Surface Pro). So far I have tested 3 images (2 Dells and a USB device) and all seem fine.
Thank you once again for the swift responses, I really appreciate it!
Those metadata fields (Timestamps, Case number, Examiner, Notes, Evidence number etc.) are simply glued together with TABs. Together with some more text they form one big string.
So, the format is simplistic and I have no idea what's going wrong in Encase. You would have to ask the developers.
To me, it looks like an Encase bug, because I never had such feedback for other software. I always recommend to check with libewf (by Joachim Metz) in case of problems.
I cannot exclude that the occurrence of the Encase bug might be related to the metadata contents (but not the image data itself). Again, the Encase developers would have to tell you what's going on / going wrong inside.
The downside of "AvoidEncaseProblems": Strings are truncated, information is getting lost. There's nothing I can do about that.
Thanks for the detailed feedback and best wishes!
Closed - not a Guymager bug