Last week my friend brought me an evidence file duplicated from a Linux server, which distribution is CentOS 5.0 and the i18n is zh-tw. She wanna know whether there is any malware on this Linux server or not. OK. Let's get to work. I add this evidence and do Evidence Process. Guess what??? EnCase could not recognize Chinese character folder names / filenames, and those folder names / filenames become Hieroglyphics. I am very disappointed and don't know what to say to my friend... I guess I have to explain why EnCase may need night vision goggles when examining Linux platform evidence files. It's too ridiculous!
Needless to say, my friend also could not believe the #1 forensic tool - EnCase should have problems like that. Fortunately I still have another options like FTK or X-Ways Forensics to take over this case. You guys could take a look at screenshot below. I mount these evidence files by using FTK Imager Lite. You could see the Chinese character folder names / filenames now. I'd like to remind you that FTK Imager Lite is a free tool...
