* Zack Lau [Mon Jul 26, 2021 at 09:49:16AM +0000]: > Thanks for looking into this.
> I understand this option is well explained in the configuration file. > However, in most situations, forensic practitioners run the forensic > imaging process using Guymager in forensics mode booted up from Live > CD. In order words, the configuration file needs to be updated after > every boot up. It would be great if this can be enabled by default. I talked to the upstream author in the meanwhile, and upstream agreed to my suggestion, to use output of `uname -r` for the kernel version information, and keep the strings below the limit that's known to be needed for EnCase. So there shouldn't be any need for changing this option, once a new upstream version with the new behavior is there. > Enabling this option in the configuration file does not prevent a > Guymager created forensic image to load properly in other forensic > software (i.e. FTK, Autopsy or X-Ways). Instead, it resolves the > error issue when people try to load a Guymager created E01 in EnCase. ACK, but I don't like diverging from upstream defaults, as there's usually a good reason behind it. :) > I find this topic interesting. I saw comments in different forums > think the EnCase error issue was caused by other settings, or what > people put in the case data fields. There were only a few people > mentioned this option, so I think this "AvoidEncaseProblems" option > is not widely aware of among the forensics community. Thanks for your input! regards -mika-
signature.asc
Description: Digital signature