search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Guidance EnCase fails to detect more than 25 partitions

Vulnerability Note VU#310057

Original Release Date: 2007-11-09 | Last Revised: 2007-11-20


Guidance Software's EnCase Forensic can only detect the first 25 partitions on a volume.


Guidance Software's EnCase Forensic is a tool that allows an investigator to acquire and analyze a disk image. EnCase names partitions either c: through z:, with an additional partition named \[.

EnCase Forensic may only detect the first 25 partitions on a volume. The hidden partitions are searchable, but not can not be browsed.

Note that when previewing a drive with EnCase, mounted drives, including CD-ROM, USB keys, native hard drives, and floppy drives will count towards the 25 limit.


An attacker may be able to hide or obscure data.


Guidance Encase customers should see the Guidance support portal for information about obtaining fixed software.

Vendor Information


Guidance Software, Inc. Affected

Notified:  September 18, 2007 Updated: November 20, 2007



Vendor Statement

The issue described in this report involves the inability of EnCase to logically view more than 25 partitions simultaneously. This issue is not relevant to devices being used only in an MS Windows environment, as it can only be present in devices used with certain non-Windows operating systems, such as Linux. This issue is a current limitation of the EnCase software that will be addressed in a future maintenance release.

Examiners should note that this issue affects viewing an evidence file or image in a slightly different manner than viewing a remote computer using EnCase Enterprise.

    • Evidence file – In this instance EnCase will provide logical access to up to
25 partitions within a single evidence file. If multiple evidence files are
examined simultaneously, the limit is 25 partitions per device, not 25
partitions total.
    • Remote device – In the instance where a computer is being previewed
using EnCase Enterprise, EnCase will provide access as follows:
      • Logical Access: If devices on a remote system are accessed as logical volumes, EnCase will provide access to up to 25 total partitions. This includes all logical partitions from all devices that the target computer currently has access to.
      • Physical Access: If a device is previewed at the physical level, EnCase will provide access to up to 25 partitions per device. If a system has reached or is approaching the 25 partition limit, this is the recommended solution, as it allows 25 partitions per device instead of 25 for the entire system.

It should be noted that analysis functions, such as keyword searching, is not affected by this issue. Searching will still locate pertinent data, although the logical location of the data will not be identified if it is located in a partition that is not visible to EnCase.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


See for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



This report was based on information released by iSec partners.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2007-4201
Severity Metric: 0.85
Date Public: 2007-08-03
Date First Published: 2007-11-09
Date Last Updated: 2007-11-20 18:36 UTC
Document Revision: 20

Sponsored by CISA.