
EnCase Version 7.09
Release Notes
November 21, 2013


Thank you for using Guidance Software products.
The Release Notes for this version of EnCase contain important information regarding your
EnCase application. Before you install, we recommend that you read the Release Notes to better
understand the changes we have made.

2013 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

SAFE Version
The SAFE version for this release is 7j.
This version includes the ability for a keymaster to grant permission to non-keymaster SAFE users
for them to administer user accounts. This is useful in sizable organizations where it can be
burdensome for only one keymaster to administer large numbers of accounts.

New Features
Result Set Processing
Previously, it was necessary to run Evidence Processor for an entire device, even if you wanted to
review only a specific type of file, a specific location, or a subset within the device. Now you can
process a result set from the case for the specific information you want to review.


Processing a Result Set


1. Open the Processor Options dialog. Depending on the context, there are several ways to
   do this. For example, in the Evidence tab, click Process Evidence > Process.

2. Click Result Set. The Process Result Set dialog displays.

3. Select the result set you want to process, then click OK. The EnCase Processor Options
   dialog displays a table with information about the result set to be queued: Name,
   Evidence Size, Item Logical Size, and Item Count.

   This information helps you identify the size and scale of the evidence to be processed. A
   result set may contain items from multiple evidence files, all of which will be processed.

4. Click OK. EnCase begins processing the evidence.

Note: Processing modules (System Info Parser, File Carver, Windows Artifact Parser, etc.), along with Recover
Folders, do not respect result sets and therefore run against the entire device as they normally do.
Note: Because result sets can include items from multiple devices in various processing states, locks do not display in
processing options when selecting result set processing. However, items that would normally be locked because they
were previously run on a device will still run, even if they do not have the lock item present. In other words, once a
lockable Evidence Processor option is run on a device, all processing jobs that follow on that device will run the
option, even if it is not selected. The screenshot in Step 3 above explains that these previously processed items are
marked with asterisks, and those items will be reprocessed.


Also, since locks do not display, some modules that are not supported in certain instances will not run, even if they are
selected. For example, indexing will not run on items that come from a remote node, and Snapshot will not run on an
evidence file or a local drive.

Launching Processor Options from the Results Tab


You can open the EnCase Processor Options dialog from the Results tab. This saves time by
giving you the option to process only the evidence you want to examine.

1. In the Results tab, select the result set you want to process.

2. Right click, then click Process in the dropdown menu.

3. The EnCase Processor Options dialog displays.

Creating Result Sets in Entries and Records Views


You can create a result set similar to the way you create a Logical Evidence File. The menu is
accessed from Entries or Records view, as described below.


Creating a Result Set in Entries View


1. In the Tree and/or Table pane, blue check the items you want to include in the result set.

2. Right click, and in the dropdown menu click Entries > Create Results.

3. The Create Results dialog displays, showing the number of items selected that are under
   the highlighted folder.

   In the example above, note that in Step 2, 11 entries were blue checked, but the Create
   Results dialog shows that only 7 entries are being included in the result set in Step 3. This
   is because a folder was highlighted in the entry tree in Step 2 when Create Results was
   selected. Only blue checked items below the folder that is currently highlighted are
   included in the result set. Blue checked items in adjacent or higher branches in the folder
   tree are excluded. This behavior is similar to the way EnCase includes selected items
   when creating a LEF.

   To include all blue checked items in a device, highlight the device root first before
   selecting the Create Results option.

4. Enter a name for the result set, then click OK.

5. EnCase creates the result set, and it displays in the Results tab.

Creating a Result Set in Records View


In Records view, you can create result sets from mounted items that are not metadata only.
Some examples of data types that allow creation of result sets include:

Email archives

Compound files (for example, .zip files)

Internet artifacts


Examples of data types that do not allow creation of results (because they are metadata only)
include:

Snapshot data

System Info Parser results

Windows Artifact Parser results

Windows Event Log Parser results

1. In the Tree and/or Table pane, blue check the items you want to include in the result set.

2. Right click, and in the dropdown menu click Records (or Entries, depending on the
   context) > Create Results.

3. The Create Results dialog displays, showing the number of items selected.

4. Enter a name for the result set, then click OK.

5. EnCase creates the result set, which displays in the Results tab.

Overwriting the Evidence Cache


The Overwrite Evidence Cache option enables you to delete previous processing results for the
selected item and restart processing.
Note: Use this option with caution, as it will remove all processing results for the devices selected.


1. Click the Overwrite Evidence Cache checkbox. An information message displays in the
   right pane.

   Note: This option is enabled only when you select Current Item and the evidence is already
   processed.

2. Click OK. A warning message displays, asking if you want to continue and delete
   previously processed output.

3. To continue, click Yes. EnCase will delete all caches related to the specified evidence file.

Note: When you use the Overwrite Evidence Cache option, items in the result sets and bookmarks belonging to
the device will no longer resolve to the original item GUIDs and will become invalid. You can delete the existing result
sets and bookmarks or maintain them as a reference for manual recreation.

Sweep Enterprise Enhancements


Tab-Based User Interface
Sweep Enterprise now uses a tabbed framework, comprising four tabs.

Sweep Enterprise

Create Scan

Status

Analysis Browser

Changes to Sweep Enterprise screens and workflow are described below.

Sweep Enterprise Tab


The Sweep Enterprise tab contains two sections, New Scan and Previous Scans.

In the new scan area, click Create Scan to create a new scan.


The Previous Scans area displays most recent scans (up to five), as well as an All Scans report
link. Clicking one of the previous scans takes you to the Analysis Browser tab with the results of
that scan.

Create Scan Tab


1. To select targets for the sweep, click Create Scan on the Sweep Enterprise main tab.

2. The Create Scan subtab of the Sweep Enterprise tab displays.

3. In the target list, select the nodes you want to sweep. To select or clear all nodes in the
   list, click Selected.

4. Click Run Scan. The Module Settings dialog opens, displaying available modules in the
   left pane and information about the currently selected module in the right pane.

   The System Info Parser and Snapshot modules are selected by default.

   A snapshot of each target is generated for all collection jobs; therefore, you cannot
   clear the checkbox for the Snapshot module.

   The File Processor module is not selected by default because it has a significantly
   higher run time than the other modules.

   The System Info Parser module is not enabled for Linux systems.

   The System Info Parser module Advanced tab options for collecting custom registry
   keys are not available.

   Selecting Check In directs Sweep to wait indefinitely for all the targets to check in before
   it runs the selected modules on the target. If you leave this checkbox blank, the SAFE
   initiates communication. If a servlet does not respond after a certain amount of time,
   the SAFE ends the communication and EnCase informs you that the servlet cannot be
   reached.

   Selecting Deploy Servlet causes the SAFE to initiate communication with the target
   and automatically install a servlet if one is not already installed. This option is only
   available if the user's role is configured with the Deploy Servlet permission. The
   Deploy Servlet and the Check In options cannot be used simultaneously. See
   Automatically Deploying Servlets.

5. When you finish selecting modules and their associated options, click Next. A
   Confirmation Page displays, showing the target node list and module selections.

6. Click Finish.

Importing Targets
You can add a list of targets to the Create Scan tab.

1. Click Import Targets.

2. The Add Targets dialog displays.

3. Enter, or copy and paste, a list of machine names, IP addresses, or IP ranges, then click
   OK.

4. A Temporary Targets folder containing the imported items is added to the Create Scan
   tab. You can select them like any other target.

Note: Temporary targets are only available for the current sweep.


Status Tab
When you click Finish on the confirmation page, the Status tab displays.

The tab contains two buttons and a checkbox:

Cancel Scan: Cancels a scan in progress.

Analysis Browser: Opens the Analysis Browser.

Refresh Automatically (checked by default): Dynamically updates the status of a scan in progress.

A green bar indicates the progress of the scan for a given node and module (for example,
Mounting Drives, Waiting, Scanning, Snapshot Taken).
The Collection Status column also indicates if connection to a specific node failed.


Analysis Browser Tab


The Analysis Browser tab now behaves exactly like the Case Analyzer reports page. It displays
all reports from the latest scan.
Reports are contained within folders in the tree.


The available Sweep Enterprise reports are listed below in bold.


Accounts and Users folder:
o Users - Comprehensive
o Users - Registry
o Users - Snapshot
File Processor folder:
o Collected Files - All
o Collected Files - Hash
o Collected Files - Keywords
o Collected Files - Metadata
o Deleted Files
Hardware folder:
o Hardware Devices
o Hardware Miscellaneous
Network folder:
o ARP
o DNS
o Hidden Ports
o IP Gateway Pairs
o IP MAC Pairs
o Network Interfaces - Registry
o Network Interfaces - Snapshot
o Open Ports By DLL
o Open Ports No Process
o Open Ports
o Routes
Operating System folder:
DLLs subfolder:
o DLLs
o DLLs by Process Details
o Injected DLLs
OS Services
Processes subfolder:
o Processes - All
o Processes - Apps
o Processes - Drivers
o Processes - Hidden
o Processes - Services
System Info
Time Zone
Removable Media folder:
o Drives Overview
o USB Devices
o USB Drives Overview
Shared and Mapped Devices folder:


o Drives Overview
o Mapped Shares
o UNC Folders Visited

Snapshot
Software folder:
o Installed Apps
o Installed MS Apps
o Uninstalled Apps
Target Info folder:
o Job Target Files Collected
o Target Volumes
o Targets Collected
o Targets Failed
User Activity folder:
o Open Files
o Processes Launched by User

Analysis Browser Improved Target and Job Filtering


You can filter results in the Analysis Browser tab to display only those items that are of interest to
you by selecting specific scans and targets or entering targets manually.

1. Click Target Constraint.

2. The Scans/Targets dialog displays. It contains a list of scans and targets from which you
   can choose to limit the displayed results in the Analysis Browser tab.

3. Select one scan and one or more targets to limit the displayed results. Alternately, you can
   enter targets manually in the Manual Entry area.

   Note: No selection means there is no limitation.

4. Click OK. The displayed results in the Analysis Browser tab change to reflect your
   constraint. In this example, the results were narrowed down from 66 items to 18.


Analysis Browser Pagination


Controls at the bottom of the report pane allow you to view data across several pages.

The controls include:

Buttons for going to the first and last page of the report.

Forward and back buttons for going to the next page or previous page of the report.

Checkboxes for each individual page of the report. The number of checkboxes varies,
depending on the report's size.

A Go to Page button.

A Change Page Size button.

A Show All checkbox.

First Page Button


Click First to go to the first page from anywhere in the report. When you select this button, the
Page 1 checkbox is checked.

Last Page Button


Click Last to go to the last page from anywhere in the report. When you select this button, the
checkbox for the last page is checked.

Forward and Back Buttons


Click the forward button to go to the next page from anywhere in the report. Click the back button
to go to the previous page.

Numbered Checkboxes for Individual Pages


Click a numbered checkbox to go to that page in the report. The first 11 checkboxes are displayed
by default. If the report contains more than 11 pages, click the Last button to see more
checkboxes.

Go to Page

1. Click Go to Page. The Pages from 1 to XX (the last page of the report) dialog displays.

2. Use the up or down buttons to specify a page number or enter a page number manually,
   then click OK.

3. The report displays the page number you specified, and that page number's checkbox is
   checked.

Change Page Size


1. Click Change Page Size. The Page Size dialog displays.

2. Use the up or down buttons to specify the number of items that display on one page or
   enter a number manually (the default is 200), then click OK.

3. The report displays the number of items you specified for each page.


Show All

1. Click the Show All checkbox.

2. All items in the report (in this example, 4541) display on one page which you can scroll
   through, and a checkbox displays for one page.

Clear the Show All checkbox to revert to the previous page size.

Analysis Browser Sorting


To sort a column, double click the column heading. A red triangle pointing upward displays in the
column heading, indicating that the column is now sorted in ascending order.


Double click the column header again to sort in descending order.

To initiate a subsort, hold down the Shift key and double click the column heading. You can sort
columns up to six layers deep.


System Info Parser Live Registry Analysis


The System Info Parser now includes an option to focus on live registry in memory.

This option enables you to perform a quick sweep against registry entries only resident in memory
(versus disk), reducing time taken to analyze live machines.
Note: In the Sweep Enterprise System Info Parser dialog, the Live Registry Only checkbox is checked by default. In
the Evidence Processor System Info Parser dialog, the Live Registry Only checkbox is cleared by default.

Windows 8 and Windows Server 2012 Support

You can now run EnCase Examiner, SAFE, and Processor Node on Windows 8 or Windows
Server 2012.
This includes Virtual File System and Physical Disk Emulator.


WinMagic SecureDoc 5.x and 6.x Encryption Support

EnCase now supports decryption of WinMagic SecureDoc 5.x and 6.x encrypted devices.
This requires the WinMagic .dbk file, password, and the emergency recovery disk.

Government Issued ID Pattern Matching


EnCase now provides the ability to standardize searches for any type of government ID (not just
Social Security numbers) through the use of GREP expressions. This reduces the time spent
customizing analysis after processing evidence. This feature is especially useful in areas where
government issued IDs have different formats.
The hits are indexed and searchable using the Government ID pattern query.


To create GREP expressions for specific government IDs:


1. In the EnCase Processor Options dialog, expand Index text and metadata, then click
   Personal Information.

2. The Personal Information dialog displays. Click the Government ID tab.

3. Social Security Number displays as the default. To add another type of ID, click New. The
   Government ID dialog displays.

   Note: You cannot view or edit the default Social Security Number.

4. Enter a name in the Government ID box and a GREP expression in the Search
   Expression (GREP) box.

   This example shows the GREP expression for a Colombian Cedula Number:

5. Click OK. The ID type just created displays in the Government ID tab.


To edit an existing Government ID type:


1. In the Government ID tab, select the Search Name you want, then click Edit.

2. The Government ID dialog displays. Enter your changes, then click OK.


SAFE User Management Role


A keymaster can grant permission to non-keymaster SAFE users for them to administer user
accounts. This is useful in sizable organizations where it can be burdensome for only one
keymaster to administer large numbers of accounts.
Note: Any user who has this Administer Users permission cannot have any roles. That is, this account can be used to
administer users only, not to acquire data from servlet nodes.

To grant a user permission to administer user accounts:


1. Log on to the SAFE as keymaster.

2. Click Enterprise > Users.

3. The Users tab displays.

4. Right click a username, then click Edit in the dropdown menu.

5. The edit dialog displays. Click the Permission/Role tab.

6. Right click in the tab, then click New in the dropdown menu. The New Permission/Role
   dialog displays.

7. In the Permission Type tab, click the checkbox for Administer Users.

8. Click OK. Administer Users is added to the list of permissions for the designated user.

9. Click OK to close the Edit dialog.


Password Protected iTunes Backup Acquisition

EnCase provides the ability to acquire an Apple iTunes backup protected by a password.
To acquire a password protected iTunes backup:

1. Open a case and click Add Evidence > Acquire Smartphone.

2. The Acquire Smartphone dialog displays. Under Backup Files, click Apple iTunes.

3. Specify an input file and output path:

   a. For the input file, browse to the Manifest.plist file from the iTunes device backup
      folder.
   b. Specify an output path for the evidence file.

4. Click Finish. The Enter iTunes Backup Password dialog displays.

5. Enter the password, then click OK.

6. EnCase parses the data, and you can view the records in the Evidence tab or
   Smartphone report.


Improved .NET API Binary Data Buffer Handling

EnCase now provides the ability to pass binary data from a FileClass object to a .NET library and
back.

Accessing an EnScript FileClass in .NET


Here is an example of the code EnScript authors can use in order to provide a readable or writable
object to .NET from EnScript:

// EnScript
LocalFileClass file();
file.Open("myfile.txt");
DotNetStreamClass dnStream(file);   // wrap the FileClass object as a .NET stream
MyAssembly::MyClass dnObj();
dnObj.DoSomething(dnStream);

// .NET C#
using System.Diagnostics;
using System.IO;

namespace MyAssembly {
    public class MyClass {
        public void DoSomething(System.IO.Stream stream) {
            // StreamReader adds text interpretation on top of the binary stream
            using (StreamReader reader = new StreamReader(stream)) {
                while (!reader.EndOfStream) {
                    Debug.WriteLine(reader.ReadLine());
                }
            }
        }
    }
}

EnScript FileClass objects are not thread safe. Therefore, .NET code must take care when using
wrapped objects. If the object is only used by .NET, access should be synchronized using .NET
serialization constructs. If the object is shared between EnScript and .NET, it should only be
accessed on the calling thread (EnScript thread), or an appropriate synchronization object should
be used that can then synchronize access between EnScript and .NET. Even then, it is possible
internal EnCase code could conflict with .NET code accessing the same FileClass object.
.NET treats all streams as binary (not text), then adds text interpretation with Reader and Writer
objects. EnScript authors must use care to open FileClass objects with appropriate options.
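
The .NET-only case described above, as an added example (not Guidance Software code): a hypothetical GuardedStreamReader class puts every seek-and-read on a stream handed over from EnScript behind one lock and reads raw bytes rather than text. A MemoryStream with constructed bytes stands in for the wrapped FileClass stream; the lock does not protect against EnScript or internal EnCase code touching the same object.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;

namespace MyAssembly
{
    // Hypothetical helper (not part of the EnCase API): serializes all access
    // to a single stream that is used only from .NET code.
    public sealed class GuardedStreamReader
    {
        private readonly Stream _stream;
        private readonly object _gate = new object();

        public GuardedStreamReader(Stream stream)
        {
            if (stream == null) throw new ArgumentNullException(nameof(stream));
            if (!stream.CanRead || !stream.CanSeek)
                throw new ArgumentException("Stream must be readable and seekable.", nameof(stream));
            _stream = stream;
        }

        // Reads up to 'count' raw bytes starting at 'offset'. Seek and Read
        // happen under one lock, so another thread cannot move the position
        // between the two calls.
        public byte[] ReadAt(long offset, int count)
        {
            if (offset < 0) throw new ArgumentOutOfRangeException(nameof(offset));
            if (count < 0) throw new ArgumentOutOfRangeException(nameof(count));

            var buffer = new byte[count];
            int total = 0;
            lock (_gate)
            {
                _stream.Seek(offset, SeekOrigin.Begin);
                while (total < count)
                {
                    // Read may return fewer bytes than requested; loop until
                    // the buffer is full or the end of the stream is reached.
                    int n = _stream.Read(buffer, total, count - total);
                    if (n == 0) break;
                    total += n;
                }
            }
            if (total < count) Array.Resize(ref buffer, total);
            return buffer;
        }
    }

    public static class Demo
    {
        public static void Main()
        {
            // Constructed sample data; in EnCase the stream would be the
            // DotNetStreamClass object passed in from EnScript.
            byte[] sample = new byte[4096];
            for (int i = 0; i < sample.Length; i++) sample[i] = (byte)(i % 251);

            using (var stream = new MemoryStream(sample, writable: false))
            {
                var reader = new GuardedStreamReader(stream);

                // Four workers read disjoint 1 KiB chunks concurrently.
                var chunks = new byte[4][];
                Parallel.For(0, 4, i => chunks[i] = reader.ReadAt(i * 1024L, 1024));

                // Each chunk must equal the matching slice of the source.
                bool ok = true;
                for (int i = 0; i < 4 && ok; i++)
                {
                    if (chunks[i].Length != 1024) { ok = false; break; }
                    for (int j = 0; j < 1024; j++)
                    {
                        if (chunks[i][j] != sample[i * 1024 + j]) { ok = false; break; }
                    }
                }
                Console.WriteLine(ok ? "all chunks match" : "mismatch");
            }
        }
    }
}
```

Without the lock, two workers can interleave their Seek and Read calls and return bytes from the wrong offset, which would silently corrupt any hash or signature check built on the returned data.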


Accessing a .NET Stream in EnScript


Here is an example of the code EnScript authors can use in order to access a readable or writable
.NET stream object from EnScript:

// .NET C#
using System.IO;

namespace MyAssembly {
    public class MyClass {
        // Stream opened by .NET and exposed to EnScript through a read-only property
        private System.IO.Stream _MyStream = File.OpenRead("myfile.txt");
        public System.IO.Stream MyStream {
            get { return _MyStream; }
        }
    }
}

// EnScript
MyAssembly::MyClass dnObj();
// Wrap the .NET stream so it can be used as a FileClass object
FileClass file = new DotNetFileClass(dnObj.MyStream());
while (file.More()) {
    Console.WriteLine(file.ReadChar());
}

Items Fixed
Acquisition/Add Device/Preview/File System
68163: Version 7h of the servlet now lists devices available for acquisition at /dev/cciss.
67770: When acquiring devices as .E01 in LinEn, segmentation faults no longer occur.
67609: EnCase crashed when adding an ext3 formatted USB device. This is fixed.
67422: When acquiring images of GPT disks, EnCase now includes the last sector of every
partition.
67258: The Acquisition Info tab now correctly displays the date and start/stop sector count for
manually interrupted acquisitions for both legacy .E01 and for .Ex01 files.
65159: After using and formatting an exFAT device, with the WinAcq command line acquisition
tool, with verbose logging, to acquire a logical volume on a flash drive, EnCase now reports a
matching sector count and logical size.


Bookmarks
68186: In the Bookmarks tab's table pane, when No Report is checked, selected files are not
displayed in the Report view, as expected.
67667: If the View pane was undocked, the Bookmark > Raw Text option was disabled in the
Text and Hex tabs. The Raw Text option is now available in those tabs when the View pane is
undocked.
67559: Logical Size was showing as zero for email bookmarked via Show Conversation. EnCase
now displays the correct logical size.

Case Analyzer
66255: Case Analyzer reports allowed specifying constraints using only 19 characters. This is now
expanded to 1024 characters.
63867: In Case Analyzer, OS X dates are now displayed consistently across devices and logs.
50883: Data in the Event Type column displayed as numbers instead of actual event type values
(for example, Unknown, Error, etc.). The correct values display now.
50710: Case Analyzer displayed EnCase Portable as a device after the Portable dongle was
removed. This is fixed.

Email
68438: Evidence Processor no longer sticks during Mount Task of a Folders.dbx file.
65043: Show Conversation and Show Related Messages options are now available, as expected,
when multiple .pst files are opened. These options remain unavailable when you mix email with
other types of records (internet data, etc.).

Encrypted Devices
66624: A problem with ReFS volumes encrypted by BitLocker on Server 2012 caused the volumes
to fail and not properly decrypt. After providing correct BitLocker credentials, the file system was
not parsed. This is fixed.


EnScript
67539: The System Info Parser displayed the OS last shutdown time in the Records tab as
Wednesday, 22nd April, 2009 19:24:48 GMT, regardless of the current evidence. This is fixed.
67113: EntryClass methods and properties of the EnScript API now have the necessary
permissions to run on mounted devices in direct nodes.
66556: EnCase now provides a complete path for entries retrieved from ItemCacheClass using the
stored monikers.

Entry Metadata
68019: In Evidence view, the name of a deleted folder in the Recycle Bin displayed twice in the
Original Path column. The deleted folder name now displays only once.
67555: After mounting a network share, you were required to view the files on the host system to
see the VFS Name column populated in EnCase. This is fixed.

EnView
67668: You can now view document files in the Recycle Bin in the Doc tab.

Evidence Files/Logical Evidence Files/Case Files/Single Files/Structured Files
65069: Files of type .ppt and .xlsx are now parsed properly. You can now run index searches on
these files.

Evidence Processor
68496: The Evidence Processor no longer terminates unexpectedly.
65068: When running Evidence Processor multiple times, processing did not complete and an
"Error Prepping LEF" message displayed. This is fixed.

Gallery View/Pictures
67438: In Gallery view, EnCase allowed you to select only the first image in the last row. Now you
can select all images in the last row.

General
68374: When using the Copy Folders command, EnCase copies the folders, as expected, without
a system failure.
68103: When you run Keyword Searching before you run Recover Folders, the keyword search no
longer becomes unusable when you later run Recover Folders.
68075: When applying a filter, EnCase now stores and retrieves the preference for Table or TreeTable.
67564: When your case automatically updates a node's servlet to Version 7g, it no longer adds the
description "EnCase Enterprise Agent" to the node's Processes tab in Task Manager.
66607: EnCase became unstable when scrolling in Table Evidence view. This is fixed.
63944: Line wrap settings are now applied by EnCase as set by the user.

Hashing/Hash Sets
67902: Sorting on the Hash Sets column was slow because EnCase processed this data
whenever an entry was redisplayed. This is fixed.
67633: EnCase no longer crashes when importing Hashkeeper from the NSRL hash set.

Index/Query Index
67611: When a wild card was used with an index search, the Next Hit button was disabled. This is
fixed.

Internet
67665: Opera Internet history was parsed using the Western European Windows codepage only,
and text did not display correctly. EnCase now uses the UTF-8 codepage and this is fixed.

Reporting
67990: When you export a Review Package in the Evidence view, EnCase no longer generates a
JavaScript error.
67243: An error message no longer displays for reports containing files or strings greater than 64k.

Smartphone
66807: SGH-1337 Samsung Galaxy S4 with Android v4.2 is now detected.

Sweep Enterprise
68080: In previous versions of EnCase, Sweep Enterprise's System Info Parser options incorrectly
displayed Auto Runs. Auto Runs is no longer displayed in the System Info Parser options.
68015: When Sweep Enterprise reports are imported into a separate instance of EnCase and
analyzed with Case Analyzer, Case Analyzer now displays the reports as expected. They match
the reports from the Sweep Enterprise instance.
67345: The Sweep Enterprise Status page and the Analysis Browser page now appear as tabs in
EnCase and, as expected, contain data.
61704: When a SAFE has no available connections, it now displays an error pertaining to
connection unavailability rather than an error pertaining to unsuccessful SAFE validation.
53025: Non-deleted files no longer appear in the Deleted Files view of the Analysis Browser.
52864: In the Analysis Browser, highlighting blue checked views no longer removes the blue
check.
47766: In previous versions of EnCase, the Sweep Enterprise window became stuck open when
canceled. In Version 7.09, the Sweep Enterprise window is embedded in EnCase, so this is no
longer an issue.
47539: In the DNS view, the Type column now displays the expected values rather than numeric
codes.
47527: In the Snapshot settings, deselecting the Hidden Processes option now results in the
expected exclusion of hidden processes in the Analysis Browser's Hidden Processes View.
46718: In the Analysis Browser, row numbers in the table now match row numbers at the bottom
of the page in the page controller.
46624: When viewing Snapshot job results in the Analysis Browser, the Dixon box reflecting the
number of selected rows now includes all rows in all pages rather than only the rows in the first
page.

UI/Controls
68463: After creating bookmarks in the Transcript tab, a system failure no longer occurs in the
Bookmarks tab when switching between its View pane's Fields and Report tabs.
68411: As expected, when you choose the Print to PDF option in the Evidence tab, a PDF file is
created and EnCase does not freeze.
68202: The Results tab no longer displays data in Traeble or Tree modes. Sorts in the Results tab
are only available in Table or Tree Table modes.
67635: In Search view, EnCase did not display correct information in the Name column. The
correct name now displays.
67558: Records view now correctly updates and corresponds with Evidence view for manually
mounted files.
67297: In the index search Results tab, the SocialSecurity option has been changed to
GovernmentID.
64518: In Sweep Enterprise, the servlet deployment option is now enabled or disabled according
to role permissions.
52776: The true path column in Search view displayed an incorrect path for some items. This is
fixed.

Known Limitations
65853: Files contained within a compound file go undetected when running a condition or filter.
Filters now search recursively for items that satisfy the logic of the filter, starting from the current
device; so if the user has drilled into a .zip file, the first folder to be searched is the .zip file, not the
device it belongs to.
68536: When attempting to connect to a Linux target using the Sweep Check-in option, the servlet
may crash. This is a known limitation on Linux. The servlet may crash on some Linux distributions
when it tries to resolve the SAFE's name to the IP address. In order to avoid this issue, use the IP
address instead of the host name for the SAFE address during SAFE installation.
62045: View File Structure does not display entry slack in Logical Evidence Files.

Found in 7.08.02
67680: When running enlinuxpc64, the auto update keeps the servlet at the latest version, but
does not switch automatically from 32- to 64-bit. In order to switch to 64-bit servlets on 64-bit Linux
kernels, the first time you must update manually.

Found in 7.08.01
67028: EnCase becomes unstable when you drag and drop evidence into a case while a sort
operation is running.

Found in Version 7.08


67028: EnCase becomes unstable when you drag and drop evidence into a case while a sort
operation is running.
66773: When there is a large amount of evidence, such as more than 250 LEFs, Case Analyzer
does not show any reports.
66624: ReFS and exFAT volumes encrypted by BitLocker are not properly decrypted. After
providing the correct BitLocker credentials, the file system is not parsed.
66607: In the Evidence view, when you use the scroll bar to scroll to the bottom of the table, and
then scroll up with the mouse wheel, EnCase sometimes crashes.
66161: Some compound index queries with NOT terms do not yield correct results.
65853: Running a filter against Current Device Only does not return results that are contained
within mounted files.
65820: Outside In Version 8.4.0 does not display text in the Transcript tab correctly for .msg files.
65150: After opening a new case, loading a Lotus Notes NSF file, and using the Evidence view's
View File Structure option to mount the compound file, folders such as Appointments, Contacts,
Notices, Trash, and Junk Mail are missing.
52565: After upgrading the CodeMeter Runtime from 4.20 to 4.40 or 4.50, the dongle doesn't
display in the CodeMeter Control Center. EnCase launches in acquisition mode.

Found in Version 7.07


64225: When running the PII module repeatedly, with different settings, search does not
consistently return hits from subsequent runs.

Found in Version 7.06


62196: EnCase returns empty records when the Sweep Enterprise Snapshot module takes more
than ten minutes to run on a machine. EnCase times out and fails to return any snapshot data
for that machine. When this happens, you can reboot the machine that returns these
empty records and rerun Sweep Enterprise with the Snapshot module on.
Note: The Sweep interface does not tell you which targets return no data. To get that information,
you must query the Sweep.sqlite database using a query of this form: (Select B.Target From
Snapshot as A, _TargetRuns as B Where A._TargetRuns_Key = B.ID and A.Name = ).
The Sweep database is stored in the Case folder, under EnScript/Sweep Enterprise.

Found in Version 7.05


52275: Microsoft Visio files are being mounted as compound files by the Evidence Processor.

Found in Version 7.04


43707: When acquiring email data from Acer tablets, only some Gmail messages from the inbox
are able to be parsed. Gmail messages in drafts and other folders are not captured in the .L01 file.
This is due to a change in how Gmail caches information. In addition, the default Acer email
application does not provide read access to its data, so no email messages from the default email
application can be acquired.

Found in Version 7.03


46686: Email messages for BlackBerry phones are shown in a Smartphone Report only if they are
in Plain Text. Issue 46995 has been entered to fix this defect.
45813: Index hits with large numbers of characters that wrap over line breaks do not display in the
Review tab.

Guidance Software Product Compatibility Tables
The Support Portal contains a list of version-to-version compatibility tables for all Guidance
Software products at https://support.guidancesoftware.com/matrix.

Encryption Support
EnCase now supports the following encryption products.
| Vendor | Product | Supported Versions | 64-bit Support |
|---|---|---|---|
| Check Point | Check Point Full Disk Encryption (formerly Pointsec PC) | 6.3.1 up to 7.4, 8.0 (for Windows and Macintosh computers) | Yes |
| Credant | Mobile Guardian | 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8, 7.3 | No |
| GuardianEdge | Encryption Plus/Anywhere | 7 and 8 | No |
| GuardianEdge | Hard Disk Encryption | 9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1 | Yes |
| McAfee | EndPoint Encryption (formerly SafeBoot) | 4, 5, 6, 7 (for Windows and Macintosh computers) | Yes (for Versions 4 and 5) |
| Microsoft | BitLocker and BitLocker To Go | Windows Vista, 7, and 8, Server 2008 | Yes |
| Sophos | SafeGuard Easy and Enterprise (formerly Utimaco) | 4.5, 5.5, 5.6, 6.0 | Yes (only for SafeGuard Easy, not for Enterprise) |
| Symantec | PGP Whole Disk Encryption | 9.8, 9.9, 10, 10.1, 10.2 | Yes |
| Symantec | Endpoint Encryption | 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0, 8.2 | Yes |
| WinMagic | SecureDoc Full Disk Encryption | 4.5, 4.6, 5.x, 6.x | No |

USGCB Compliance
EnCase has been validated as USGCB compliant using the following version of NIST VHD
images:
10/14/11 (for Windows 7 only)
EnCase was tested using Retina Network Security Scanner, which is a NIST-validated USGCB
scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).

Support
Technical assistance is available online at http://www.guidancesoftware.com/technicalsupport.htm. From this page you can register for and access the Guidance Software Support
Portal, an invaluable resource providing product-specific technical forums, an extensive
knowledge base, a bug tracking database, and an Online Submission Form for your questions.

Technical Support
Guidance Software offers several technical support options, including:

Live Chat

Support Request Form

Email

Telephone

Customer Service
Please direct service questions to the Guidance Software Customer Service Department:
Monday–Friday 7 AM–5 PM Pacific time
Phone: (626) 229-9191, press 5
Fax: (626) 229-9199
Email: customerservice@guidancesoftware.com
1055 E. Colorado Blvd.
Pasadena, CA 91106-2375
You can access our Customer Service Request Form online at
http://www.guidancesoftware.com/CustomerServiceRequest.aspx.
