
#6 Encase verification errors E01 image, Imaged using Guymager

Status: closed
Owner: guy
Priority: low
Updated: 2020-05-20
Created: 2019-12-15
Private: No

Hi there,

I took a disk image using Guymager 0.8 application via CAINE Linux live distro and the verification was successful.

However, when I verify the image with Encase (v8.09) it results in differences in hash values.

Also, at the time I add the evidence, I get the following errors.

Errors are:
Error in “Header” : String cannot be longer than 12 characters
Error in “Header” : String cannot be longer than 64 characters
Invalid date Value

I would appreciate it if you could tell me why this happens and how to avoid such Encase verification errors, and why such errors occur when adding the evidence into Encase.
Link_Guymager info file:

Link_Encase Evidence info file:


Discussion

  • guy

    guy - 2019-12-16

    Ticket moved from /p/guymager/bugs/10/

     
  • guy

    guy - 2019-12-16

    Hello Kelum,

    you're describing two different problems here. Let's start with the easy one: the Encase problem. There is no reason for limiting those comment strings to 64 or even only 12 characters. The EWF format (as documented by Joachim Metz) has no such limits and every software should be able to handle much longer strings.

    If Encase complained only once about its inability to handle those strings, the user could still live with it. However, the annoying Encase error pops up again and again. As I know how embarrassing this is for the user, I added an option to Guymager to avoid the Encase problems. Excerpt from the documentation (in the configuration file /etc/guymager/guymager.cfg):

    REM AvoidEncaseProblems      Encase produces strange error messages if the EWF internal fields "Imager Version" and
    REM                          "OS Version" contain more than 11 or 23 characters, respectively. Leave this flag OFF
    REM                          if you don't work with Encase (default setting). Set it to ON if ever you work with
    REM                          Encase and want to avoid the Encase problems.
    

    How to switch that flag on?
    1. Forever - by creating file /etc/guymager/local.cfg and putting the line

    AvoidEncaseProblems = On

    into it. However, when booting from a live DVD (CAINE) that setting gets lost when shutting down the machine.
    2. Temporarily - by starting Guymager from a shell and passing it the parameter:
    sudo guymager AvoidEncaseProblems=On

    Now to the next problem: the bad hash values. I have never seen or heard of Guymager images that were marked as being OK by Guymager but contained corrupt data. No user has ever reported this to me.

    The image creation and verification functions inside Guymager are independent. I cannot imagine how both functions could contain the same errors. So, please try another software to verify the images. I would suggest that you try ewfverify from Joachim Metz. It's contained on the CAINE DVD. Open a shell, then


    cd path/to/your/image/
    ewfverify PBW_20004_E01.E??

    Please tell me about the results. If ever you're able to give me a copy of your image I can do the analysis for you.

    Guy
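As an added illustration (not code from Guymager, libewf or this ticket), a small Python check that decompresses the body of an EWF "header" section and reports the two fields Guy names, "av" (imager version) and "ov" (OS version), when they exceed the lengths Encase tolerates. The header layout assumed (line 1 "1", line 2 "main", a tab-separated identifier line, then a tab-separated value line) follows Joachim Metz's EWF documentation; the 11/23 limits come from the reply above and the sample values are constructed.

```python
import zlib

# Limits taken from Guy's reply in this ticket (Encase tolerance), not from
# the EWF specification, which imposes no such limits.
ENCASE_MAX = {"av": 11, "ov": 23}   # av = imager version, ov = OS version


def parse_ewf_header(compressed: bytes) -> dict:
    """Decompress an EWF 'header' section body and return its fields.

    Assumed layout (EnCase-style header, per Metz's documentation):
    line 1 = '1', line 2 = 'main', line 3 = tab-separated identifiers,
    line 4 = tab-separated values.
    """
    text = zlib.decompress(compressed).decode("ascii")
    lines = [ln for ln in text.replace("\r\n", "\n").split("\n") if ln]
    if len(lines) < 4 or lines[1] != "main":
        raise ValueError("unrecognised EWF header layout")
    keys = lines[2].split("\t")
    values = lines[3].split("\t")
    return dict(zip(keys, values))


def encase_problem_fields(fields: dict) -> dict:
    """Return {field: length} for each field longer than Encase accepts."""
    return {k: len(fields[k]) for k, limit in ENCASE_MAX.items()
            if k in fields and len(fields[k]) > limit}


def build_header(av: str, ov: str) -> bytes:
    """Construct a sample compressed header body (demonstration data only)."""
    keys = "c\tn\ta\te\tt\tav\tov\tm\tu\tp"
    vals = "\t".join(["1", "E01", "PBW_20004", "examiner", "notes",
                      av, ov, "2019 12 15 10 00 00",
                      "2019 12 15 10 00 00", "0"])
    return zlib.compress(f"1\nmain\n{keys}\n{vals}\n\n".encode("ascii"))


if __name__ == "__main__":
    # A long imager/OS string, as an unmodified Guymager image might carry.
    fields = parse_ewf_header(
        build_header("guymager 0.8.12", "GNU/Linux 5.4.0-caine-amd64"))
    print(encase_problem_fields(fields))   # {'av': 15, 'ov': 27}
    # Shortened strings, as AvoidEncaseProblems=On is meant to produce.
    fields = parse_ewf_header(build_header("0.8.12", "Linux"))
    print(encase_problem_fields(fields))   # {}
```

Run it against a real header only after extracting the section body yourself; the script deliberately parses the decompressed text, not the E01 container.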

     
  • guy

    guy - 2020-05-20
    • status: open --> closed
    • Priority: high --> low
     
  • guy

    guy - 2020-05-20

    got no reply - therefore closed

     
