© 2013 Guidance Software, Inc. All rights reserved. Information in
these release notes is subject to change without notice and is
provided for informational purposes only.
EnCase Version 7.09
Release Notes
November 21, 2013
Thank you for using Guidance Software products.
The Release Notes for this version of EnCase contain important
information regarding your EnCase application. Before you install,
we recommend that you read the Release Notes to better understand
the changes we have made.
SAFE Version
The SAFE version for this release is 7j.
This version includes the ability for a keymaster to grant
non-keymaster SAFE users permission to administer user accounts.
This is useful in sizable organizations where it can be
burdensome for only one keymaster to administer large numbers of
accounts.
New Features
Result Set Processing
Previously, it was necessary to run Evidence Processor for an
entire device, even if you wanted to review only a specific type of
file, a specific location, or a subset within the device. Now you
can process a result set from the case for the specific information
you want to review.
Processing a Result Set
1. Open the Processor Options dialog. Depending on the context,
there are several ways to do this. For example, in the Evidence
tab, click Process Evidence > Process.
2. Click Result Set. The Process Result Set dialog displays.
3. Select the result set you want to process, then click OK. The
EnCase Processor Options dialog displays a table with information
about the result set to be queued:
Name
Evidence Size
Item Logical Size
Item Count
This information helps you identify the size and scale of the
evidence to be processed. A result set may contain items from
multiple evidence files, all of which will be processed.
4. Click OK. EnCase begins processing the evidence.
Note: Processing modules (System Info Parser, File Carver,
Windows Artifact Parser, etc.), along with Recover
Folders, do not respect result sets and therefore run against
the entire device as they normally do.
Note: Because result sets can include items from multiple
devices in various processing states, locks do not display in
processing options when selecting result set processing.
However, items that would normally be locked because they
were previously run on a device will still run, even if they do
not have the lock item present. In other words, once a
lockable Evidence Processor option is run on a device, all
processing jobs that follow on that device will run the
option, even if it is not selected. The screenshot in Step 3
above explains that these previously processed items are
marked with asterisks, and those items will be reprocessed.
Also, since locks do not display, some modules that are not
supported in certain instances will not run, even if they are
selected. For example, indexing will not run on items that come
from a remote node, and Snapshot will not run on an
evidence file or a local drive.
Launching Processor Options from the Results Tab
You can open the EnCase Processor Options dialog from the
Results tab. This saves time by giving you the option to process
only the evidence you want to examine.
1. In the Results tab, select the result set you want to
process.
2. Right click, then click Process in the dropdown menu.
3. The EnCase Processor Options dialog displays.
Creating Result Sets in Entries and Records Views
You can create a result set similar to the way you create a
Logical Evidence File. The menu is accessed from Entries or Records
view, as described below.
Creating a Result Set in Entries View
1. In the Tree and/or Table pane, blue check the items you want
to include in the result set.
2. Right click, and in the dropdown menu click Entries >
Create Results.
3. The Create Results dialog displays, showing the number of
items selected that are under the highlighted folder.
In the example above, note that in Step 2, 11 entries were blue
checked, but the Create Results dialog shows that only 7 entries
are being included in the result set in Step 3. This is because a
folder was highlighted in the entry tree in Step 2 when Create
Results was selected. Only blue checked items below the folder that
is currently highlighted are included in the result set. Blue
checked items in adjacent or higher branches in the folder tree are
excluded. This behavior is similar to the way EnCase includes
selected items when creating a LEF.
To include all blue checked items in a device, highlight the
device root first before selecting the Create Results option.
4. Enter a name for the result set, then click OK.
5. EnCase creates the result set, and it displays in the Results
tab.
Creating a Result Set in Records View
In Records view, you can create result sets from mounted items
that are not metadata only.
Some examples of data types that allow creation of result sets
include:
Email archives
Compound files (for example, .zip files)
Internet artifacts
Examples of data types that do not allow creation of results
(because they are metadata only) include:
Snapshot data
System Info Parser results
Windows Artifact Parser results
Windows Event Log Parser results
1. In the Tree and/or Table pane, blue check the items you want
to include in the result set.
2. Right click, and in the dropdown menu click Records (or
Entries, depending on the context) > Create Results.
3. The Create Results dialog displays, showing the number of
items selected.
4. Enter a name for the result set, then click OK.
5. EnCase creates the result set, which displays in the Results
tab.
Overwriting the Evidence Cache
The Overwrite Evidence Cache option enables you to delete
previous processing results for the selected item and restart
processing.
Note: Use this option with caution, as it will remove all
processing results for the devices selected.
1. Click the Overwrite Evidence Cache checkbox. An information
message displays in the right pane.
Note: This option is enabled only when you select Current Item
and the evidence is already processed.
2. Click OK. A warning message displays, asking if you want to
continue and delete previously processed output.
3. To continue, click Yes. EnCase will delete all caches related
to the specified evidence file.
Note: When you use the Overwrite Evidence Cache option, items in
the result sets and bookmarks belonging to
the device will no longer resolve to the original item GUIDs and
will become invalid. You can delete the existing result
sets and bookmarks or maintain them as a reference for manual
recreation.
Sweep Enterprise Enhancements
Tab-Based User Interface
Sweep Enterprise now uses a tabbed framework, comprising four
tabs.
Sweep Enterprise
Create Scan
Status
Analysis Browser
Changes to Sweep Enterprise screens and workflow are described
below.
Sweep Enterprise Tab
The Sweep Enterprise tab contains two sections, New Scan and
Previous Scans.
In the New Scan area, click Create Scan to create a new
scan.
The Previous Scans area displays the most recent scans (up to
five), as well as an All Scans report link. Clicking one of the
previous scans takes you to the Analysis Browser tab with the
results of that scan.
Create Scan Tab
1. To select targets for the sweep, click Create Scan on the
Sweep Enterprise main tab.
2. The Create Scan subtab of the Sweep Enterprise tab
displays.
3. In the target list, select the nodes you want to sweep. To
select or clear all nodes in the list, click Selected.
4. Click Run Scan. The Module Settings dialog opens, displaying
available modules in the left pane and information about the
currently selected module in the right pane.
The System Info Parser and Snapshot modules are selected by
default.
A snapshot of each target is generated for all collection jobs;
therefore, you cannot clear the checkbox for the Snapshot
module.
The File Processor module is not selected by default because it
has a significantly higher run time than the other modules.
The System Info Parser module is not enabled for Linux
systems.
The System Info Parser module Advanced tab options for
collecting custom registry keys are not available.
Selecting Check In directs Sweep to wait indefinitely for all the
targets to check in before it runs the selected modules on the
target. If you leave this checkbox blank, the SAFE initiates
communication. If a servlet does not respond after a certain amount
of time, the SAFE ends the communication and EnCase informs you
that the servlet cannot be reached.
Selecting Deploy Servlet causes the SAFE to initiate
communication with the target and automatically install a servlet
if one is not already installed. This option is only available if
the user's role is configured with the Deploy Servlet permission.
The Deploy Servlet and the Check In options cannot be used
simultaneously. See Automatically Deploying Servlets.
5. When you finish selecting modules and their associated
options, click Next. A Confirmation Page displays, showing the
target node list and module selections.
6. Click Finish.
Importing Targets
You can add a list of targets to the Create Scan tab.
1. Click Import Targets.
2. The Add Targets dialog displays.
3. Enter, or copy and paste, a list of machine names, IP
addresses, or IP ranges, then click OK.
4. A Temporary Targets folder containing the imported items is
added to the Create Scan tab. You can select them like any other
target.
Note: Temporary targets are only available for the current
sweep.
Status Tab
When you click Finish on the confirmation page, the Status tab
displays.
The tab contains two buttons and a checkbox:
Cancel Scan: Cancels a scan in progress.
Analysis Browser: Opens the Analysis Browser.
Refresh Automatically (checked by default): Dynamically updates
the status of a scan in progress.
A green bar indicates the progress of the scan for a given node
and module (for example, Mounting Drives, Waiting, Scanning,
Snapshot Taken).
The Collection Status column also indicates if connection to a
specific node failed.
Analysis Browser Tab
The Analysis Browser tab now behaves exactly like the Case
Analyzer reports page. It displays all reports from the latest
scan.
Reports are contained within folders in the tree.
The available Sweep Enterprise reports are listed below in
bold.
Accounts and Users folder:
  o Users - Comprehensive
  o Users - Registry
  o Users - Snapshot
File Processor folder:
  o Collected Files - All
  o Collected Files - Hash
  o Collected Files - Keywords
  o Collected Files - Metadata
  o Deleted Files
Hardware folder:
  o Hardware Devices
  o Hardware Miscellaneous
Network folder:
  o ARP
  o DNS
  o Hidden Ports
  o IP Gateway Pairs
  o IP MAC Pairs
  o Network Interfaces - Registry
  o Network Interfaces - Snapshot
  o Open Ports By DLL
  o Open Ports No Process
  o Open Ports
  o Routes
Operating System folder:
  DLLs subfolder:
    o DLLs
    o DLLs by Process Details
    o Injected DLLs
  OS Services Processes subfolder:
    o Processes - All
    o Processes - Apps
    o Processes - Drivers
    o Processes - Hidden
    o Processes - Services
  System Info
  Time Zone
Removable Media folder:
  o Drives Overview
  o USB Devices
  o USB Drives Overview
Shared and Mapped Devices folder:
  o Drives Overview
  o Mapped Shares
  o UNC Folders Visited
Snapshot
Software folder:
  o Installed Apps
  o Installed MS Apps
  o Uninstalled Apps
Target Info folder:
  o Job Target Files Collected
  o Target Volumes
  o Targets Collected
  o Targets Failed
User Activity folder:
  o Open Files
  o Processes Launched by User
Analysis Browser Improved Target and Job Filtering
You can filter results in the Analysis Browser tab to display
only those items that are of interest to you by selecting specific
scans and targets or entering targets manually.
1. Click Target Constraint.
2. The Scans/Targets dialog displays. It contains a list of
scans and targets from which you can choose to limit the displayed
results in the Analysis Browser tab.
3. Select one scan and one or more targets to limit the
displayed results. Alternatively, you can enter targets manually in
the Manual Entry area.
Note: No selection means there is no limitation.
4. Click OK. The displayed results in the Analysis Browser tab
change to reflect your constraint. In this example, the results
were narrowed down from 66 items to 18.
Analysis Browser Pagination
Controls at the bottom of the report pane allow you to view data
across several pages.
The controls include:
Buttons for going to the first and last page of the report.
Forward and back buttons for going to the next page or previous
page of the report.
Checkboxes for each individual page of the report. The number of
checkboxes varies, depending on the report's size.
A Go to Page button.
A Change Page Size button.
A Show All checkbox.
First Page Button
Click First to go to the first page from anywhere in the report.
When you select this button, the Page 1 checkbox is checked.
Last Page Button
Click Last to go to the last page from anywhere in the report.
When you select this button, the checkbox for the last page is
checked.
Forward and Back Buttons
Click the forward button to go to the next page from anywhere in
the report. Click the back button to go to the previous page.
Numbered Checkboxes for Individual Pages
Click a numbered checkbox to go to that page in the report. The
first 11 checkboxes are displayed by default. If the report
contains more than 11 pages, click the Last button to see more
checkboxes.
Go to Page
1. Click Go to Page. The Pages from 1 to XX (the last page of
the report) dialog displays.
2. Use the up or down buttons to specify a page number or enter
a page number manually, then click OK.
3. The report displays the page number you specified, and that
page number's checkbox is checked.
Change Page Size
1. Click Change Page Size. The Page Size dialog displays.
2. Use the up or down buttons to specify the number of items
that display on one page or enter a number manually (the default is
200), then click OK.
3. The report displays the number of items you specified for
each page.
Show All
1. Click the Show All checkbox.
2. All items in the report (in this example, 4541) display on
one page which you can scroll through, and a checkbox displays for
one page.
Clear the Show All checkbox to revert to the previous page
size.
Analysis Browser Sorting
To sort a column, double click the column heading. A red
triangle pointing upward displays in the column heading, indicating
that the column is now sorted in ascending order.
Double click the column header again to sort in descending
order.
To initiate a subsort, hold down the Shift key and double click
the column heading. You can sort columns up to six layers deep.
System Info Parser Live Registry Analysis
The System Info Parser now includes an option to focus on live
registry in memory.
This option enables you to perform a quick sweep against
registry entries only resident in memory (versus disk), reducing
time taken to analyze live machines.
Note: In the Sweep Enterprise System Info Parser dialog, the
Live Registry Only checkbox is checked by default. In
the Evidence Processor System Info Parser dialog, the Live
Registry Only checkbox is cleared by default.
Windows 8 and Windows Server 2012 Support
You can now run EnCase Examiner, SAFE, and Processor Node on
Windows 8 or Windows Server 2012.
This includes Virtual File System and Physical Disk
Emulator.
WinMagic SecureDoc 5.x and 6.x Encryption Support
EnCase now supports decryption of WinMagic SecureDoc 5.x and 6.x
encrypted devices.
This requires the WinMagic .dbk file, password, and the
emergency recovery disk.
Government Issued ID Pattern Matching
EnCase now provides the ability to standardize searches for any
type of government ID (not just Social Security numbers) through
the use of GREP expressions. This reduces the time spent
customizing analysis after processing evidence. This feature is
especially useful in areas where government issued IDs have
different formats.
The hits are indexed and searchable using the Government ID
pattern query.
To create GREP expressions for specific government IDs:
1. In the EnCase Processor Options dialog, expand Index text and
metadata, then click Personal Information.
2. The Personal Information dialog displays. Click the
Government ID tab.
3. Social Security Number displays as the default. To add
another type of ID, click New. The Government ID dialog
displays.
Note: You cannot view or edit the default Social Security
Number.
4. Enter a name in the Government ID box and a GREP expression
in the Search Expression (GREP) box.
This example shows the GREP expression for a Colombian Cedula
Number:
5. Click OK. The ID type just created displays in the Government
ID tab.
To edit an existing Government ID type:
1. In the Government ID tab, select the Search Name you want,
then click Edit.
2. The Government ID dialog displays. Enter your changes, then
click OK.
SAFE User Management Role
A keymaster can grant non-keymaster SAFE users permission to
administer user accounts. This is useful in sizable
organizations where it can be burdensome for only one keymaster to
administer large numbers of accounts.
Note: Any user who has this Administer Users permission cannot
have any roles. That is, this account can be used to
administer users only, not to acquire data from servlet
nodes.
To grant a user permission to administer user accounts:
1. Log on to the SAFE as keymaster.
2. Click Enterprise > Users.
3. The Users tab displays.
4. Right click a username, then click Edit in the dropdown
menu.
5. The edit dialog displays. Click the Permission/Role tab.
6. Right click in the tab, then click New in the dropdown menu.
The New Permission/Role dialog displays.
7. In the Permission Type tab, click the checkbox for Administer
Users.
8. Click OK. Administer Users is added to the list of
permissions for the designated user.
9. Click OK to close the Edit dialog.
Password Protected iTunes Backup Acquisition
EnCase provides the ability to acquire an Apple iTunes backup
protected by a password.
To acquire a password protected iTunes backup:
1. Open a case and click Add Evidence > Acquire
Smartphone.
2. The Acquire Smartphone dialog displays. Under Backup Files,
click Apple iTunes.
3. Specify an input file and output path:
a. For the input file, browse to the Manifest.plist file from
the iTunes device backup folder.
b. Specify an output path for the evidence file.
4. Click Finish. The Enter iTunes Backup Password dialog
displays.
5. Enter the password, then click OK.
6. EnCase parses the data, and you can view the records in the
Evidence tab or Smartphone report.
Improved .NET API Binary Data Buffer Handling
EnCase now provides the ability to pass binary data from a
FileClass object to a .NET library and back.
Accessing an EnScript FileClass in .NET
Here is an example of the code EnScript authors can use in order
to provide a readable or writable object to .NET from EnScript:

    // EnScript
    LocalFileClass file();
    file.Open("myfile.txt");
    DotNetStreamClass dnStream(file);   // wrap the FileClass as a .NET stream
    MyAssembly::MyClass dnObj();
    dnObj.DoSomething(dnStream);

    // .NET C#
    using System.Diagnostics;
    using System.IO;

    namespace MyAssembly {
      public class MyClass {
        public void DoSomething(System.IO.Stream stream) {
          // Text interpretation is layered on the binary stream by the reader.
          using (StreamReader reader = new StreamReader(stream)) {
            while (!reader.EndOfStream) {
              Debug.WriteLine(reader.ReadLine());
            }
          }
        }
      }
    }

EnScript FileClass objects are not thread safe. Therefore, .NET
code must take care when using wrapped objects. If the object is
only used by .NET, access should be synchronized using .NET
synchronization constructs. If the object is shared between EnScript
and .NET, it should only be accessed on the calling thread
(EnScript thread), or an appropriate synchronization object should
be used that can then synchronize access between EnScript and .NET.
Even then, it is possible internal EnCase code could conflict with
.NET code accessing the same FileClass object.
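
One way to handle the .NET-only case described above, as an added example that is not Guidance Software code: every Seek and Read pair runs under a single lock, so concurrent .NET threads cannot interleave position changes on the wrapped stream. LockedStreamReader and Demo are hypothetical names, and a MemoryStream with constructed data stands in for the stream that EnScript would pass in through DotNetStreamClass.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;

namespace MyAssembly
{
    // Hypothetical helper (not part of the EnCase API). Serializes compound
    // Seek+Read operations on a stream that is used only by .NET code.
    public sealed class LockedStreamReader
    {
        private readonly Stream _stream;
        private readonly object _gate = new object();

        public LockedStreamReader(Stream stream)
        {
            if (stream == null) throw new ArgumentNullException(nameof(stream));
            if (!stream.CanRead || !stream.CanSeek)
                throw new ArgumentException("Stream must be readable and seekable.", nameof(stream));
            _stream = stream;
        }

        // Reads up to count bytes starting at offset and returns the number read.
        // Locking each call separately is not enough: another thread could move
        // the position between Seek and Read, so both happen under one lock.
        public int ReadAt(long offset, byte[] buffer, int count)
        {
            if (buffer == null) throw new ArgumentNullException(nameof(buffer));
            if (count < 0 || count > buffer.Length)
                throw new ArgumentOutOfRangeException(nameof(count));

            lock (_gate)
            {
                _stream.Seek(offset, SeekOrigin.Begin);
                int total = 0;
                while (total < count)
                {
                    int n = _stream.Read(buffer, total, count - total);
                    if (n == 0) break;          // end of stream
                    total += n;
                }
                return total;
            }
        }
    }

    public static class Demo
    {
        public static void Main()
        {
            // Constructed sample data: four 1024-byte blocks, each filled with its block index.
            byte[] data = new byte[4 * 1024];
            for (int i = 0; i < data.Length; i++) data[i] = (byte)(i / 1024);

            using (var stream = new MemoryStream(data, writable: false))
            {
                var reader = new LockedStreamReader(stream);

                // Four workers read their own block repeatedly through the shared stream.
                Parallel.For(0, 4, block =>
                {
                    var buf = new byte[1024];
                    for (int round = 0; round < 1000; round++)
                    {
                        int n = reader.ReadAt(block * 1024L, buf, buf.Length);
                        if (n != buf.Length || Array.Exists(buf, b => b != (byte)block))
                            throw new InvalidDataException("Interleaved read detected.");
                    }
                });

                Console.WriteLine("All reads consistent.");
            }
        }
    }
}
```

The lock protects only .NET callers that go through the helper. An object that EnScript also touches still has to be accessed on the EnScript calling thread, as the release notes state.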
.NET treats all streams as binary (not text), then adds text
interpretation with Reader and Writer objects. EnScript authors
must use care to open FileClass objects with appropriate
options.
Accessing a .NET Stream in EnScript
Here is an example of the code EnScript authors can use in order
to access a readable or writable .NET object from EnScript:

    // .NET C#
    using System.IO;

    namespace MyAssembly {
      public class MyClass {
        private System.IO.Stream _MyStream = File.OpenRead("myfile.txt");
        public System.IO.Stream MyStream { get { return _MyStream; } }
      }
    }

    // EnScript
    MyAssembly::MyClass dnObj();
    FileClass file = new DotNetFileClass(dnObj.MyStream());  // wrap the .NET stream
    while (file.More()) {
      Console.WriteLine(file.ReadChar());
    }

Items Fixed
Acquisition/Add Device/Preview/File System
68163: Version 7h of the servlet now lists devices available for
acquisition at /dev/cciss.
67770: When acquiring devices as .E01 in LinEn, segmentation
faults no longer occur.
67609: EnCase crashed when adding an ext3 formatted USB device.
This is fixed.
67422: When acquiring images of GPT disks, EnCase now includes
the last sector of every partition.
67258: The Acquisition Info tab now correctly displays the date
and start/stop sector count for manually interrupted acquisitions
for both legacy .E01 and for .Ex01 files.
65159: After an exFAT device is used and formatted, acquiring a
logical volume on a flash drive with the WinAcq command line
acquisition tool (with verbose logging) now results in EnCase
reporting a matching sector count and logical size.
Bookmarks
68186: In the Bookmarks tab's table pane, when No Report is
checked, selected files are not displayed in the Report view, as
expected.
67667: If the View pane was undocked, the Bookmark > Raw Text
option was disabled in the Text and Hex tabs. The Raw Text option
is now available in those tabs when the View pane is undocked.
67559: Logical Size was showing as zero for email bookmarked via
Show Conversation. EnCase now displays the correct logical
size.
Case Analyzer
66255: Case Analyzer reports allowed specifying constraints
using only 19 characters. This is now expanded to 1024
characters.
63867: In Case Analyzer, OS X dates are now displayed
consistently across devices and logs.
50883: Data in the Event Type column displayed as numbers
instead of actual event type values (for example, Unknown, Error,
etc.). The correct values display now.
50710: Case Analyzer displayed EnCase Portable as a device after
the Portable dongle was removed. This is fixed.
Email
68438: Evidence Processor no longer sticks during Mount Task of
a Folders.dbx file.
65043: Show Conversation and Show Related Messages options are
now available, as expected, when multiple .pst files are opened.
These options remain unavailable when you mix email with other
types of records (internet data, etc.).
Encrypted Devices
66624: A problem with ReFS volumes encrypted by BitLocker on
Server 2012 caused the volumes to fail and not properly decrypt.
After providing correct BitLocker credentials, the file system was
not parsed. This is fixed.
EnScript
67539: The System Info Parser displayed the OS last shutdown
time in the Records tab as Wednesday, 22nd April, 2009 19:24:48
GMT, regardless of the current evidence. This is fixed.
67113: EntryClass methods and properties of the EnScript API now
have the necessary permissions to run on mounted devices in direct
nodes.
66556: EnCase now provides a complete path for entries retrieved
from ItemCacheClass using the stored monikers.
Entry Metadata
68019: In Evidence view, the name of a deleted folder in the
Recycle Bin displayed twice in the Original Path column. The
deleted folder name now displays only once.
67555: After mounting a network share, you were required to view
the files on the host system to see the VFS Name column populated
in EnCase. This is fixed.
EnView
67668: You can now view document files in the Recycle Bin in the
Doc tab.
Evidence Files/Logical Evidence Files/Case Files/Single
Files/Structured Files
65069: Files of type .ppt and .xlsx are now parsed properly. You
can now run index searches on these files.
Evidence Processor
68496: The Evidence Processor no longer terminates
unexpectedly.
65068: When running Evidence Processor multiple times,
processing did not complete and an "Error Prepping LEF" message
displayed. This is fixed.
Gallery View/Pictures
67438: In Gallery view, EnCase allowed you to select only the
first image in the last row. Now you can select all images in the
last row.
General
68374: When using the Copy Folders command, EnCase copies the
folders, as expected, without a system failure.
68103: When you run Keyword Searching before you run Recover
Folders, the keyword search no longer becomes unusable when you
later run Recover Folders.
68075: When applying a filter, EnCase now stores and retrieves
the preference for Table or Tree-Table.
67564: When your case automatically updates a node's servlet to
Version 7g, it no longer adds the description "EnCase Enterprise
Agent" to the node's Processes tab in Task Manager.
66607: EnCase became unstable when scrolling in Table Evidence
view. This is fixed.
63944: Line wrap settings are now applied by EnCase as set by
the user.
Hashing/Hash Sets
67902: Sorting on the Hash Sets column was slow because EnCase
processed this data whenever an entry was redisplayed.
This is fixed.
67633: EnCase no longer crashes when importing Hashkeeper from
the NSRL hash set.
Index/Query Index
67611: When a wild card was used with an index search, the Next
Hit button was disabled. This is fixed.
Internet
67665: Opera Internet history was parsed using the Western
European Windows codepage only, and text did not display correctly.
EnCase now uses the UTF-8 codepage and this is fixed.
Reporting
67990: When you export a Review Package in the Evidence view,
EnCase no longer generates a JavaScript error.
67243: An error message no longer displays for reports containing
files or strings greater than 64k.
Smartphone
66807: SGH-1337 Samsung Galaxy S4 with Android v4.2 is now
detected.
Sweep Enterprise
68080: In previous versions of EnCase, Sweep Enterprise's System
Info Parser options incorrectly displayed Auto Runs. Auto Runs is
no longer displayed in the System Info Parser options.
68015: When Sweep Enterprise reports are imported into a
separate instance of EnCase and analyzed with Case Analyzer, Case
Analyzer now displays the reports as expected. They match the
reports from the Sweep Enterprise instance.
67345: The Sweep Enterprise Status page and the Analysis Browser
page now appear as tabs in EnCase and, as expected, contain
data.
61704: When a SAFE has no available connections, it now displays
an error pertaining to connection unavailability rather than an
error pertaining to unsuccessful SAFE validation.
53025: Non-deleted files no longer appear in the Deleted Files
view of the Analysis Browser.
52864: In the Analysis Browser, highlighting blue checked views
no longer removes the blue check.
47766: In previous versions of EnCase, the Sweep Enterprise
window became stuck open when canceled. In Version 7.09, the Sweep
Enterprise window is embedded in EnCase, so this is no longer an
issue.
47539: In the DNS view, the Type column now displays the
expected values rather than numeric codes.
47527: In the Snapshot settings, deselecting the Hidden
Processes option now results in the expected exclusion of hidden
processes in the Analysis Browser's Hidden Processes View.
46718: In the Analysis Browser, row numbers in the table now
match row numbers at the bottom of the page in the page
controller.
46624: When viewing Snapshot job results in the Analysis
Browser, the Dixon box reflecting the number of selected rows now
includes all rows in all pages rather than only the rows in the
first page.
UI/Controls
68463: After creating bookmarks in the Transcript tab, a system
failure no longer occurs in the Bookmarks tab when switching
between its View pane's Fields and Report tabs.
68411: As expected, when you choose the Print to PDF option in
the Evidence tab, a PDF file is created and EnCase does not
freeze.
68202: The Results tab no longer displays data in Trable or Tree
modes. Sorts in the Results tab are only available in Table or Tree
Table modes.
67635: In Search view, EnCase did not display correct
information in the Name column. The correct name now displays.
67558: Records view now correctly updates and corresponds with
Evidence view for manually mounted files.
67297: In the index search Results tab, the SocialSecurity
option has been changed to GovernmentID.
64518: In Sweep Enterprise, the servlet deployment option is now
enabled or disabled according to role permissions.
52776: The true path column in Search view displayed an
incorrect path for some items. This is fixed.
Known Limitations
65853: Files contained within a compound file go undetected when
running a condition or filter. Filters now search recursively for
items that satisfy the logic of the filter, starting from the
current device; so if the user has drilled into a .zip file, the
first folder to be searched is the .zip file, not the device it
belongs to.
68536: When attempting to connect to a Linux target using the
Sweep Check-in option, the servlet may crash. This is a known
limitation on Linux. The servlet may crash on some Linux
distributions when it tries to resolve the SAFE's name to the IP
address. In order to avoid this issue, use the IP address instead
of the host name for the SAFE address during SAFE installation.
62045: View File Structure does not display entry slack in
Logical Evidence Files.
Found in 7.08.02
67680: When running enlinuxpc64, the auto update keeps the
servlet at the latest version, but does not switch automatically
from 32- to 64-bit. In order to switch to 64-bit servlets on 64-bit
Linux kernels, the first time you must update manually.
Found In 7.08.01
67028: EnCase becomes unstable when you drag and drop evidence
into a case while a sort operation is running.
Found in Version 7.08
67028: EnCase becomes unstable when you drag and drop evidence
into a case while a sort operation is running.
66773: When there is a large amount of evidence, such as more
than 250 LEFs, Case Analyzer does not show any reports.
66624: ReFS and exFAT volumes encrypted by BitLocker are not
properly decrypted. After providing the correct BitLocker
credentials, the file system is not parsed.
66607: In the Evidence view, when you use the scroll bar to
scroll to the bottom of the table, and then scroll up with the
mouse wheel, EnCase crashes sometimes.
66161: Some compound index queries with NOT terms do not yield
correct results.
65853: Running a filter against Current Device Only does not
return results that are contained within mounted files.
65820: Outside In Version 8.4.0 does not display text in the
Transcript tab correctly for .msg files.
65150: After opening a new case, loading a Lotus Notes NSF
file, and using the View File Structure option in the Evidence view
to mount a compound file, folders such as Appointments, Contacts,
Notices, Trash, and Junk Mail are missing.
52565: After upgrading the CodeMeter Runtime from 4.20 to 4.40
or 4.50, the dongle doesn't display in the CodeMeter Control
Center. EnCase launches in acquisition mode.
Found in Version 7.07
64225: When running the PII module repeatedly, with different
settings, search does not consistently return hits from subsequent
runs.
Found in Version 7.06
62196: EnCase returns empty records when the Sweep Enterprise
Snapshot module takes more than ten minutes to run on a machine.
This causes EnCase to time out and fail to return any snapshot
data for that machine. When this happens, you can reboot the machine
that returns these empty records and rerun Sweep Enterprise with
the Snapshot module on.
Note: The Sweep interface does not tell you which targets return
no data. To get that information, you must query the Sweep.sqlite
database using a query of this form: (Select B.Target From Snapshot
as A, _TargetRuns as B Where A._TargetRuns_Key = B.ID and A.Name =
).
The Sweep database is stored in the Case folder, under
EnScript/Sweep Enterprise.
Found in Version 7.05
52275: Microsoft Visio files are being mounted as compound files
by the Evidence Processor.
Found in Version 7.04
43707: When acquiring email data from Acer tablets, only some
Gmail messages from the inbox are able to be parsed. Gmail messages
in drafts and other folders are not captured in the .L01 file. This
is due to a change in how Gmail caches information. In addition,
the default Acer email application does not provide read access to
its data, so no email messages from the default email application
can be acquired.
Found in Version 7.03
46686: Email messages for Blackberry phones are shown in a
Smartphone Report only if they are in Plain Text. Issue 46995 has
been entered to fix this defect.
45813: Index hits with large numbers of characters that wrap
over line breaks do not display in the Review tab.
Guidance Software Product Compatibility Tables
The Support Portal contains a list of version-to-version
compatibility tables for all Guidance Software products at
https://support.guidancesoftware.com/matrix.
Encryption Support
EnCase now supports the following encryption products.
Vendor | Product | Supported Versions | 64-bit Support
Check Point | Check Point Full Disk Encryption (formerly Pointsec PC) | 6.3.1 up to 7.4, 8.0 (for Windows and Macintosh computers) | Yes
Credant | Mobile Guardian | 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8, 7.3 | No
GuardianEdge | Encryption Plus/Anywhere | 7 and 8 | No
GuardianEdge | Hard Disk Encryption | 9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1 | Yes
McAfee | EndPoint Encryption (formerly SafeBoot) | 4, 5, 6, 7 (for Windows and Macintosh computers) | Yes (for Versions 4 and 5)
Microsoft | BitLocker and BitLocker To Go | Windows Vista, 7, and 8, Server 2008 | Yes
Sophos | SafeGuard Easy and Enterprise (formerly Utimaco) | 4.5, 5.5, 5.6, 6.0 | Yes (only for SafeGuard Easy, not for Enterprise)
Symantec | PGP Whole Disk Encryption | 9.8, 9.9, 10, 10.1, 10.2 | Yes
Symantec | Endpoint Encryption | 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0, 8.2 | Yes
WinMagic | SecureDoc Full Disk Encryption | 4.5, 4.6, 5.x, 6.x | No
USGCB Compliance
EnCase has been validated as USGCB compliant using the following
version of NIST VHD images:
10/14/11 (for Windows 7 only)
EnCase was tested using Retina Network Security Scanner, which
is an NIST validated USGCB scanner
(http://usgcb.nist.gov/usgcb/microsoft_content.html).
Support
Technical assistance is available online at
http://www.guidancesoftware.com/technical-support.htm. From this
page you can register for and access the Guidance Software Support
Portal, an invaluable resource providing product-specific technical
forums, an extensive knowledge base, a bug tracking database, and
an Online Submission Form for your questions.
Technical Support
Guidance Software offers several technical support options,
including:
Live Chat
Support Request Form
Email
Telephone
Customer Service
Please direct service questions to the Guidance Software
Customer Service Department:
Monday–Friday 7 AM–5 PM Pacific time
Phone: (626) 229-9191, press 5
Fax: (626) 229-9199
Email: [email protected]
1055 E. Colorado Blvd. Pasadena, CA 91106-2375
You can access our Customer Service Request Form online at
http://www.guidancesoftware.com/CustomerServiceRequest.aspx.