Pat, Caution is the watchword with previews. Certainly using Encase preview is useful but you should be aware of a couple of possible concerns: 1. If you preview and don't find anything, you *may* be prevented from continuing with analysis of that machine using a full image or even seizing the computer. (I think others have mentioned this problem) 2. Text searching under preview does NOT work the same a text searching under image conditions. If a bad sector is located under preview, Encase appears to skip an entire cluster. I like Encase and have been using it as an analysis tool since the Expert Witness days but I also use Safeback and a host of other tools for imaging and analysis. Encase is but one tool in my box and I'm always wary of *any* single tools results. Imaging is *always* preferable to previewing but, if your only option is preview, be sure to: 1. make copious notes 2. video the screen during the session 3. use non invasive previewing whenever possible. Good luck shelly ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 09:29:12 PDT