Hi,

* Zack Lau [Mon Jul 19, 2021 at 10:11:44AM +0000]:
> Tags: patch

I don't see any patch in the BTS nor a MR at
https://salsa.debian.org/pkg-security-team/guymager/, so I'll remove this tag

>    * What led up to the situation?

> I believe the root cause is the default config file "guymager.cfg" from the
> official repo does not have the option "AvoidEncaseProblems" enabled. The
> majority of forensic images created using the latest Guymager with
> "AvoidEncaseProblems" disabled causes error. Thus, cannot be added to a
> case in EnCase v8 or up.

>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?

> As I use Guymager from live CD, I have to change the "AvoidEncaseProblems"
> option in line 426 of "/etc/guymager/guymager.cfg" from "off" to "on"
> every time I launch Guymager.

>    * What was the outcome of this action?

> After setting the "AvoidEncaseProblems" option to "on", forensic images
> created by Guymager can be loaded in EnCase v8 or up with no issue.

>    * What outcome did you expect instead?

> I expect the "AvoidEncaseProblems" option can be set to "on" by default.
> Surprisingly, this option is not known by a lot of people.

Well, the configuration option is clearly documented in the
configuration file and also explains the situation:

| REM AvoidEncaseProblems  Encase produces strange error messages if the EWF internal fields "Imager Version" and
| REM                      "OS Version" contain more than 11 or 23 characters, respectively. Leave this flag OFF
| REM                      if you don't work with Encase (default setting). Set it to ON if ever you work with
| REM                      Encase and want to avoid the Encase problems.

So I don't see how this could be enabled by default, given that not
everybody uses Encase by default. But I'll ask upstream, whether they
are aware of any possible better solutions.

regards
-mika-