Hi Mika,

Yeah, I agree with your approach and think it makes more sense. Learned something new from you. Thanks again!

Regards,
Zack

On 26/7/21 5:58 pm, Michael Prokop wrote:
> * Zack Lau [Mon Jul 26, 2021 at 09:49:16AM +0000]:
>
>> Thanks for looking into this.
>> I understand this option is well explained in the configuration file.
>> However, in most situations, forensic practitioners run the forensic
>> imaging process using Guymager in forensics mode booted up from Live
>> CD. In other words, the configuration file needs to be updated after
>> every boot up. It would be great if this can be enabled by default.
>
> I talked to the upstream author in the meanwhile, and upstream
> agreed to my suggestion, to use output of `uname -r` for the kernel
> version information, and keep the strings below the limit that's
> known to be needed for EnCase. So there shouldn't be any need for
> changing this option, once a new upstream version with the new
> behavior is there.
>
>> Enabling this option in the configuration file does not prevent a
>> Guymager created forensic image to load properly in other forensic
>> software (i.e. FTK, Autopsy or X-Ways). Instead, it resolves the
>> error issue when people try to load a Guymager created E01 in EnCase.
>
> ACK, but I don't like diverging from upstream defaults, as there's
> usually a good reason behind it. :)
>
>> I find this topic interesting. I saw comments in different forums
>> that think the EnCase error issue was caused by other settings, or what
>> people put in the case data fields. There were only a few people who
>> mentioned this option, so I think this "AvoidEncaseProblems" option
>> is not widely known among the forensics community.
>
> Thanks for your input!
>
> regards
> -mika-