encase version 7.05 release notes - emtemt.com.tr/encaseexaminerv705releasenotes.pdf · encase ®...

© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice and is provided for informational purposes only.

EnCase® Version 7.05

Release Notes October 1, 2012

EnCase Version 7.05

Thank you for using Guidance Software products.

The Release Notes for this version of EnCase contain important information regarding your EnCase application. Before you install, we recommend that you read the Release Notes to better understand the changes we have made.

© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice and is provided for informational purposes only. 2

New Features

Filters and Conditions in Original Table or Tree-Table View

EnCase now optionally displays filtered data in the original Table or Tree-Table view, in addition to displaying the data in a result set.

Filters in Table View

1. Click Run from the Filter dropdown menu on the toolbar. The Open File dialog displays.

2. Select the filter you want from either Records or Entries, then click Open. The Run Filter dialog displays.

Current View filters only the data in the current Tree/Table view and displays it in that view.

Current Device filters only the data in the currently selected device and displays it in the Results view.


All Evidence Files filters all the evidence in the case and displays it in the Results view.

3. When you execute a filter in Current View, a button displays just above the table to the right of the Selected checkbox. Click the red X on the button to turn the filter off.

4. To turn the filter back on, click the filter icon on the button.


Filters in Tree-Table View

To switch to Tree-Table View:

1. From the Split Mode dropdown menu, click Tree-Table.

2. The view displays the folder tree as well as the Table tab.

Note: EnCase remembers the last selected filter view (Table or Tree-Table) and defaults to that setting the next time you enter filter mode.


Enhanced Evidence Processor Performance

New architecture in Version 7.05 significantly improves indexing of large data sets.

Evidence Processor Prioritization

The Evidence Processor now includes a Processing Prioritization column with hyperlinks to a prioritization dialog. This enables you to process a subset of the evidence and begin examining it while the Evidence Processor continues to process the remaining evidence.


1. Click the hyperlink in the column where you want to specify items to be prioritized during processing. The Processing Prioritization dialog displays.

2. Click the Enable processing prioritization checkbox to enable the next three checkboxes in the dialog.

3. Click the checkboxes (Documents, Pictures, or Items within these dates) for the items you want to have priority in processing. You can select more than one checkbox. Checking Items within these dates enables the Minimum Date and Maximum Date fields. You can enter dates and times manually or use the calendar (for dates) and the up and down arrows (for times).

4. If you want to process only the types of items you selected, instead of all evidence in the evidence image, click the Process only prioritized items checkbox.

Note: If you select Process only prioritized items, you cannot run Evidence Processor

modules.


5. When are finished, click OK. The Processing Prioritization column reflects the selections you made.

Case Analyzer Enhancements

EnCase 7.05 includes enhancements to Case Analyzer, as described below.

Case Analysis

Analysis provides higher level reports of metadata than you see in the Records tab of EnCase. The Records tables generally show lists of parsed artifacts, emails, files, etc. The goal of analysis reports, on the other hand, is to show what happened on a system. These reports often consist of multiple artifacts joined together or specific prefiltered data indicating that something happened on a system.

You can run Case Analyzer after the Evidence Processor modules run, or after data is collected by EnCase Portable or Sweep Enterprise. Analysis reports are pulled from a SQLite database, which contains metadata only. Analysis does not involve file content.


Case Analyzer

To create analysis reports:

1. Open the case you want to analyze.

2. On the case Home page Browse area, click Case Analyzer.

3. The Case Analyzer page displays. In the View Reports area, you can select the metadata to analyze:

Case: Runs Case Analyzer on evidence files previously run on the Evidence Processor.

Portable Device: Creates an analysis on specific targets collected to any portable device attached to the system.

Sweep Enterprise (Case Data): Creates analysis reports for data from all collections performed by Sweep Enterprise.


Sweep Enterprise (Jobs Data): Creates analysis reports from a specific Sweep Enterprise collection.

The navigation in the left pane is built dynamically and shows only reports which return data from the metadata database. Depending on the modules you chose to run and what they found, you get varying numbers of reports. Think of the navigation as a narrative of what was found on the computer.


To hide the navigation and expand the view of the data, click the Expand Data View button.

Click the Unavailable Views button on the toolbar to show reports that do not return data.


Many reports offer higher level conclusions and automate the manual steps of correlating multiple artifacts to determine what happened on a system. For example, the Files Seen on USB Device report joins together linked files to the USB history and mapped drives in the Windows registry.

Each report includes enough information for examiners to find the original evidence and investigate the data further. Most reports include an item path column to the file which was originally parsed.

Click the About button on any report to see more information. This example shows the registry keys used in the Files Seen on Known USB Devices report:


To filter reports, click the Constraint button. This is similar to a condition, but in this instance, you are filtering data in a database.

Analyzing EnCase Portable Data

To analyze data collected by EnCase Portable:

1. In the View Reports area of the Case Analyzer page, click Portable Device.


2. The Analysis Target Selector dialog displays. EnCase Portable analysis is performed separately for each target. Click the target you want to analyze, then click OK.

3. The Data Browser dialog displays. It functions in the same way as the Analysis Browser tab.


Analyzing Sweep Enterprise Case Data

1. To analyze all data collected by Sweep Enterprise, click Sweep Enterprise (Case Data), then click OK.



Analyzing Sweep Enterprise Jobs Data

1. To analyze data from a specific collection job, click Sweep Enterprise (Jobs Data).

2. The jobs available for analysis display.

3. Select the job you want to analyze, then click OK.


Viewing Multiple Records Simultaneously

Viewing multiple records simultaneously is similar to the previously existing ability to view multiple evidence files simultaneously.

1. In the Records tab, select the records you want to expand and view as a group, then click Open.


2. The selected items display in the Records tab.

The Records tab lists all mounted volumes and results from the Evidence Processor or other activities. Therefore, Records view can display three types of items:

Entries (mounted archives)

Records (module results)

Email (mounted email archives)


EnCase supports viewing only one item type at a time. If more than one type is found in the selected records, the Open Item dialog displays, enabling you to choose the item type you want to view. The default is Entries.

Note: In the Open Item dialog, only the radio buttons for the found item types are enabled.

Enhanced Functionality in Search and Results Tabs

These functions are now available in the Search and Results tabs:

Copy Files

Copy Folders

Add Results to Hash Library

Save Results


Refreshing Search Results during a Keyword Search

When running a raw keyword search, you can view the search hits while the search is ongoing, instead of waiting for the entire search to complete.

To see search results while the search is ongoing, click the Refresh Raw Search Hits icon on the Search tab.

If new search hits are available, the icon displays in green. If no new search hits are available, the icon is disabled.

The icon is dynamic: after clicking, it is disabled until more search hits are available. When more search hits are available, the icon is enabled and displays again in green.


Activating an Electronic License

You can now activate your EnCase license electronically:

1. On the EnCase Home page, click the down arrow in the upper right corner, then click Activate Electronic License in the dropdown menu.

2. The Activate Electronic License dialog displays.

3. Enter the license key number you obtained via email from Guidance Software and your email address in the boxes provided.


4. Click Next. A second Activate Electronic License dialog displays.

5. Return to your MyAccount email and click the Submit your file link.

6. In the Web page that displays, browse to the location of the License Request file, then click Submit.

7. Wait to receive an email response from MyAccount. In the License Activation portion of the email, click the link to save your License Activation file, then copy this file into the same folder as the License Request file.

8. Click Next. A third Activate Electronic License dialog displays.

9. Click Finish to complete the activation process.

Creating a New Request File

If you want to create a new request file--for example, if you previously entered an incorrect license key number or an incorrect email address--follow these instructions:

1. On the EnCase Home page, click the down arrow in the upper right corner, then click Activate Electronic License in the dropdown menu. The Activate Electronic License dialog displays.

2. Click Back. In the dialog that displays, make the corrections to the license key number or the email address, then click Next.

3. Follow the steps in "Activating an Electronic License", above.


Reactivating an Electronic License

If you already have an active license installed, and you click Activate Electronic License, this message displays:

Click OK to remove the active license or Cancel to retain the current active license.

If You Already Have a Physical Dongle

If you already have a physical dongle, and you purchase another copy of EnCase with an electronic license, the electronic license is fixed to the machine where it is installed, and it cannot be moved to another computer. The physical dongle can be moved from one machine to another, as before.

EnCase Enterprise Active Directory Authentication

Previous versions of EnCase Enterprise offered SAFE administrators the option to protect an account with the Additional Password feature, which prompts users to provide separate passwords in addition to the password for their private keys.

EnCase Enterprise Version 7.05 adds Active Directory integration. This option secures SAFE user accounts by allowing SAFE administrators to associate a SAFE account with a Windows domain account (user or group) from Active Directory. If a Windows user running EnCase is associated with a SAFE account, or is a member of a Windows domain group associated with a SAFE account, access to a SAFE is granted. Otherwise, access is denied.

This option implements the following Windows built-in account management features:

Password strength and expiration policies are enforced at the Windows domain level.

Windows user accounts can be disabled upon employment termination.

Users can be included or excluded from Windows groups using standard Windows management tools.

Guidance Software recommends Active Directory integration in favor of the Additional Password function; however, the latter is still supported by SAFE for backward compatibility.


SAFE Account Types

The SAFE maintains two types of user accounts:

Regular user accounts that perform collection work, selecting data to be collected and machines from which to acquire evidence.

The Keymaster account is controls permissions for regular users, but is unable to perform collections.

Guidance Software recommends that Keymaster and regular users have different associations with Active Directory accounts.

Configuring Active Directory Groups

This section provides a sample configuration of Active Directory that can be used with SAFE accounts. Here, two Windows Domain groups are created:

SAFE Users: Includes Windows users who run EnCase for performing evidence acquisition.

SAFE Administrators: Includes all Windows users who are allowed to log on to a SAFE as Keymaster users and configure SAFE network, roles, and permissions. This group can include users as well as other groups, such as built-in administrators and domain administrators.

The following screenshot identifies these two groups:

Securing a Keymaster Account

A Keymaster account is a built-in account created during SAFE installation. It cannot be modified using EnCase. Therefore, to use Active Directory Integration for a Keymaster, you must configure it during SAFE installation.


Use the following SAFE installer page to associate a Keymaster account with a SAFE administrators Windows group. This ensures that only members of that group can log on to the SAFE as Keymaster:

Note: To either disassociate the Keymaster account from the Windows account, or associate the Keymaster with

another Windows account, you must run SAFE Installer again.

Securing Regular User SAFE Accounts

Use the EnCase user interface to create regular user accounts. To provide a way of associating a SAFE user with an Active Directory user or group (in Windows terminology, a trustee), the New/Modify User dialog includes an option to add a Windows trustee. This input control invokes a standard Windows dialog to choose either a user or a group.


The following screenshot demonstrates how to associate a SAFE user account with a previously created SAFE Users Windows group:

Enhanced Macintosh Support

EnCase now supports Macintosh OS 10.6 (Snow Leopard) and OS 10.7 (X Lion) via the servlet for Enterprise.

Enhanced Windows Event Log Parser Support

The Windows Event Log Parser now parses corrupt or partial .evt and .evtx files.

Enhanced exFAT File System Support

For exFAT, two new internal entries have been added:

$FAT Alignment, an internal file that ensures that $Primary FAT is properly aligned.

$Primary FAT Padding that ensures the following file (usually $Bitmap) is properly aligned.

Enhanced PGP Support

EnCase now supports PGP Whole Disk Encryption 10.1 and 10.2


Added AIX Support for Deploying and Running Servlets

EnCase 7.05 adds support for deploying and running servlets on AIX versions 6.1 and 7.1.

Previously, it was necessary to install different physical files based on the version and bitness of AIX.

Now you only need to install one file, based on bitness (32 or 64).

Creating Hyperlinks to an Exported Item from Report Templates

You can embed hyperlinks and link to exported files. The ways to do this are described below.

Using Bookmarks to Link to an External File

To specify bookmarks in a report:

1. In Report Templates view, check the part of the report where you want the bookmarks to display, then click the Body Text tab in the lower pane.


2. In the Add Table dropdown menu, click Bookmark Folder.

3. The Bookmark dialog displays.

4. In the Destination Folder tab, select the folder where you want the table to be saved and enter a folder name.


5. In the Columns tab, click the checkboxes for the columns you want to display in the table.

6. In the View Options tab, click the checkboxes for the options you want. Be sure to click the Hyperlink to files checkbox.

7. Click OK. The bookmarks display as hyperlinks in the table in the report.


Exporting a Report to Display Hyperlinks

To export a report to display hyperlinks:

1. Right click, then click Save As from the dropdown menu. The Save As dialog displays.

2. For the Output Format, select RTF, HTML, or PDF, then click the Export items checkbox.

Note: The Export items checkbox is disabled for the other formats.

3. Accept the default path or enter another path. If you want to see the exported report after saving, click the Open file checkbox.

4. Click OK. The hyperlinks display in the exported report.

Exporting a Metadata Report to Display Hyperlinks

To display hyperlinks in a metadata report:

1. In the Evidence tab, select the item you want to display as a hyperlink in the report.


2. In the lower pane, click the Report tab to display metadata.

3. Right click and select Save As from the dropdown menu. The Save As dialog displays.

4. Select the Output Format you want. The supported formats are RTF, HTML, and PDF.

5. Click the Export items checkbox. If you want to view the report after saving, click the Open file checkbox.

6. Accept the default path, or enter a path of your own, then click OK.

7. The hyperlink displays in the metadata report.


Adding a Hyperlink to a URL

To add a hyperlink to a URL:

1. Go to Report Templates view. Select the part of the report where you want to add a hyperlink, then click the Body Text tab in the lower pane to display the text.

2. Place the cursor where you want to insert the hyperlink, then click Hyperlink in the Document dropdown menu.


3. A line of hyperlink code displays.

4. Replace http://www.link.com with the URL for your hyperlink. Replace Hyperlink with the text you want to display for the hyperlink.

5. Save your work. The hyperlink displays in blue in the report.

Enhanced Date/Time Format for Exporting to Spreadsheets

Now when you export date and time, it displays correctly in Excel and other spreadsheets in the

format hh:mm:ss tt.

Note: This applies to clean installations. Otherwise, reset the date and time on the Date tab of Tools > Options.


Device Cache Optimization

The device cache file format is now optimized to provide faster device loading times and smaller file sizes, making cache speed twice as fast and reducing the size of the file by half.

Backward and Forward Compatibility

The following applies when writing and reading device cache files from a version with optimized device caches (Version 7.05) and a version without optimized device caches (Version 7.04):

Version 7.04 always writes out legacy device caches (as before).

Version 7.05 writes out optimized device caches by default.

Version 7.05 can read legacy device caches and leave them unchanged.

When updating an existing device cache, Version 7.05 saves the device cache in the legacy format.

If the original format was legacy, Version 7.05 updates and saves the format as legacy.

If the original format was optimized, Version 7.05 updates and saves the format as optimized.


EnScript Application UI

There are now links on the Home and Case pages for EnScripts. There is also a new package details page.

Home Page

On the Home page, there is an EnScripts link in the View section.


Click the link to go to the EnScripts page. This page displays the most recently used scripts.

Case Page

On the Case page, there is an EnScripts link in the Browse section.

Click the link to go to the EnScripts page.


Package Details Page

To view the package details page:

1. On the Session tab, click the down arrow in the upper right corner of the tab. From the dropdown menu, click Package Properties.

2. In the Package Properties dialog, select the EnPack file you want, then click Open.


3. The package details page displays, with options to run the EnPack or go to the location of the file, as well as information about the package.

EnScript Report Generation Enhancements

New EnScript options provide more control when creating a table in EnScript report. You can now change the report paper size, and there is a better algorithm to calculate column width without compromising a column's content.

You can now access the PaperClass object of the ReportWindowClass by calling the GetPaper

function: PaperClass ReportWindowClass::GetPaper()

You can change the paper size and orientation by calling the Create function of the PaperClass.

There are two new options for ExportClass::AddTable() function. To access the options, enter bool ExportClass::AddTable(TableClass table, ContextClass context, uint

options)

For no skewing (that is, all columns fit their content without any wrapping): ExportClass::TableClass::SHOWMAXSPAN

For all columns with string content to skew proportionally in relation to the page width: ExportClass::TableClass::SHOWMINSPAN

Whenever a table is wider than the page width, EnCase automatically splits the table and the remaining columns go onto the next page.


Items Fixed

Acquisition/Add Device/Preview/File System

47786: When attempting to open an image, you are unable to parse a Fedora 16 ext4 partition.

47952: When acquiring a UNIX device, the default file name contains a high dot character outside of the ASCII range and results in an error.

47953: When acquiring a UNIX device, EnCase prompts for unneeded credentials.

49075: Adding raw images with a matching GUID fails. Disk images contain different data.

49545: EnCase incorrectly matches object headers and their chunks when multiple chunkid and sequence collisions occur.

49569: EnCase does not read the exFAT file system correctly.

50133: After acquiring a renamed drive, the reacquire dialog displays the default drive name instead of the custom name.

50330: An acquired IPD file does not contain all information in the original IPD file.

Bookmarks

43365: In the Bookmark dropdown menu, the same shortcut (Ctrl-B) is listed for Single item and Data structure.

52215: After undocking the viewer pane, the Bookmarks option is not available in the dropdown menu.

52408: Bookmarked swept text data highlights text that was not swept.

Case Analyzer

50874: Most IM Parser related data does not display, or it displays incorrectly.

51080: Records are missing from one of the registries in Installed MS Apps and Uninstalled Apps views.


Compressed Files/Archived Files

47956: The path for Entries > Records in compound files is relative to the cached LEF and not the original evidence.

48632: Using View File Structure on an MSI file type displays data in Chinese.

Date Handling

50361: SMS dates are incorrect in a LEF when acquiring from an iPad/iPhone using iOS 5.1.

Doc/Transcript

07328: Not all custom properties data for MS Office files display on the Transcript tab.

Email

38933: For undeliverable email messages, the To: field and body do not render correctly.

47449: EnCase handles encoded MIME messages incorrectly.

48897: The Show Conversation/Show Related option does not display the Tag column.

49343: EnCase crashes when running a search on a local drive.

49418: Running a processing job on a PST file causes EnCase to crash.

50297: ASCII characters in an mbox compound file attachment do not decode correctly.

51717: EnCase crashes when viewing file structure on a .PST archive.

EnCase Modules

41283: The option Dismount Emulated Disk is still listed in the Share menu, even though the process was cancelled.

46063: You cannot mount evidence files over 160GB in size with PDE or VFS.

Encrypted Devices

50583: A BitLocker encrypted search hit is not decrypted in the Text tab in Results view.


EnScript

43536: While generating transcripts for email records, EnCase terminates the EnScript with an internal error and may crash.

44991: Adding multiple ResultClass objects to a ResultSetClass causes EnCase to crash.

47326: After adding an invalid evidence file using EvidenceClass::AddToCase(), no error

message displays after the script completes.

47795: BookmarkDecodeClass bookmarks do not display as pictures in the Gallery view of the

Bookmarks tab when the type is set to BookmarkDecodeClass::PICTURE.

49530: The example DatabaseClass EnScript creates a HandlerClass and NodeClass with

null values.

50295: If there are mounted RAID or LVM devices in a case, trying to iterate through devices or entries using EnScript fails, and no error is reported.

50926: SearchClass::Find returns different results in EnCase Version 6 and Version 7 when

using a search length greater than the file size.

EnView

40828: EnView fails to display transcript information of an Excel file.

52185: Processing takes an excessively long time due to an issue with Passware.

Evidence Files/Logical Evidence Files/Case Files/Single Files

43842: A shared folder does not display case templates.

44366: In the Find dialog, the Results in Output Window option is enabled, but it does not function.

48155: When highlighting dates in an MFT record, information in the Text and Hex tabs does not match.

48431: When creating a LEF from an .E01 file, the file identifier is not preserved.

51149: Some volumes display with folder icons.


Evidence Processor

40513: The default path for saving Evidence Processor options is the path from which the evidence was loaded.

41331: There is no response after clicking the Edit button in Evidence Processor, even if the Process checkbox is selected.

49476: The Evidence Processor dialog does not display until you move the mouse.

50462: Using the Evidence Processor Find Internet artifacts option for an unallocated search creates duplicates of deleted files.

51168: The File Carver incorrectly carves data on an Advanced Format (4096-byte structure) disk.

52388: When performing View File Structure on a specific file, EnCase crashes.

52478: When parsing an mbox file, EnCase crashes.

52913: Evidence processor appears in the bottom right corner, then stops when when Process Evidence is selected.

Export Files/Folders

50088: The Add Link to File option does not link files.

Filters/Conditions/Queries

45002: Conditions are slow to respond in EnCase Version 7 compared with Version 6.

47383: In conditions, more than one folder can have the identical name.

48972: Find Files Based on Category or Extension filters by category and not by the selected file extension.

51043: Conditions take significantly longer to execute than in Version 7.03.

Gallery View/Pictures

49409: EnCase crashes when changing from one filter to another in Gallery view.


Hashing/Searching/File Signatures/Signature Analysis

47346: EnCase does not properly handle a scenario where files with no hash value are added to a hash set.

48055: In Text view, words that wrap to a second line do not display.

49488: Adding custom HashKeeper files causes EnCase to crash.

50219: The import hash process stops when it encounters a duplicated hash item.

50260: Go to file option from a search result goes to the Windows artifact link parser home screen instead of to the actual file.

50515, 50704, 51146: Selecting Raw Search All for multiple evidence files returns results from only the last evidence file.

51634: The Import EnCase Legacy Hash Sets function imports corrupted hash set files.

51768: Hash generation causes intermediate files to be dumped into the root case folder.

Index/Query Index

49294: After indexing, EnCase cannot find keywords in an .XLSX file.

49424: Indexing does not exclude noise words.

50865: Selecting multiple items from an index search, then tagging them all, causes EnCase to crash.

51835: Tab names in Excel files do not display in the Transcript tab, and they are not searchable when performing an indexed search.

52144: "[Item Type]IT_EMAIL" does not return entries in the Search Index tab.

52622: Indexing never finishes for an .L01 file.

Internet

47450: The profile name in non-ASCII does not display in Internet history.

48745: Some gzip formatted artifacts do not display properly.

49489: Sort does not work correctly on the URL Host column of the Records tab.


Localization

45755: EnPacks do not display in EnCase on initial launch.

Records

50759: Customized column order does not persist after using the Go to File option.

Registry

49450: Incorrect or no data displays when viewing a registry value that contains large data records in the HIVE file format.

51303: Two entries inside a mounted registry file have the same unique offset.

Report

43109: The SMS Type column is empty in an HTC Touch Diamond smartphone report.

46856: The report template truncates pasted text.

47814: When running a report on bookmarks, the Name column is blank.

50621: In the Report Template, you cannot add the case name to the title page.

50676: The File Report EnScript generates a blank report after blue checking items from a software RAID built through LVM.

50705: Bookmark table view does not display all metadata.

51986: Tagged items are not in a smartphone report.

SAFE

36966: The Add device dialog takes several minutes from selecting a machine to listing devices.

38417: EnCase cannot connect to a node via an IPv6 address.

48187: A SAFE name containing a hyphen is truncated in the SAFE log.

48337: The SAFE diagnostic shows a v7 cert is not properly installed, when it actually is.


48718: The SAFE logging on status bar still displays after attempting to connect to the wrong SAFE.

49542: A SAFE network import procedure populates the screen but does not push imported nodes to the SAFE.

Servlet

52531: Installing the servlet increases the start time of Windows.

Smartphone

52267: An iMessage date is not correctly reported on an iOS 5.1.1 device.

52268: Dates and times are misread from an iOS 5.1.1 property list.

Sweep Enterprise

51735: In Case Analyzer, the Linux Devices view contains duplicate records.

52523: In Case Analyzer, not all cron jobs are parsed from a Linux LEF.

Tagging

50373: Tags are not retained between tabs if the source evidence is an EnCase Portable LEF.

Timeline

42817: Evidence Timeline printing results in multiple copies of output.

UI/Controls/Configuration

39257: The Options screen is oversized when using non-default dpi settings.

42833: In Virtual File System, the Mount as Network Share option is available when EnCase is in acquisition mode.

44549: The Mount as Network Share Client option is missing from the Tools menu.

44716: After undocking the View pane, the Tag pane disappears.

46985: Sort column icons in the Add Network Preview > Network Devices dialog are non-functional.


48414: Highlighting a folder entry and pressing Enter does not move the folder contents.

48529: After parsing with System Info Parser, column headers for Ubuntu user account information are incorrect.

48896: The Show Conversation/Show Related dropdown menu does not contain the Export to *.msg option.

48907: Show Conversation/Show Related parent items have no checkboxes available.

49410: In the Results Tab, tags bleed into the next column instead of wrapping.

50350: Custom tags remain after deleting in the Manage tags dialog.

52527: Incorrect results display when running a condition more than once.

52605: Clicking in Disk view crashes EnCase.

Users/Roles/Permissions

00792: A keymaster can create two logon roles with the same name.

26785: Duplicate permissions can be added to any role or user.

Known Limitations

47786: When attempting to open an image, EnCase is unable to parse a Fedora 16 ext4 partition.

48667: Rescanning a machine and running Find Internet Artifacts causes duplicate Internet Artifacts to display in the Records tab.

51167: The SafeBoot encryption .dll causes EnCase to crash when the encryption algorithm for the server does not match the one implemented in SbAlg.dll.

51723: 32-bit x86 Evidence Processor generates an error and does not complete successfully. Workaround: We strongly recommend that you install 64-bit EnCase.

51795: In EnScript development, calling GetRoot() on a node returns a reference to the root node that is not ref counted. This can cause a crash if a developer expects for the root node ref to be counted and debugs the script.

51875: Evidence and its related cache that is processed or reprocessed in EnCase Version 7.05 and later cannot be opened in EnCase Version 7.04 and earlier.

52237: Running Evidence Processor without indexing, then running Evidence Processor with indexing selected, produces different search hits.


52263: Passware fails to initialize on the x64 bit version when Comodo Internet Security (which includes antivirus and firewall) is installed on the same system as EnCase. You need to uninstall Comodo for Passware to work properly.

52391: The content of a mountable device is transcripted and indexed if mounted and non-indexed evidence is reprocessed.

52565: After upgrading CodeMeter drivers from Version 4.20 to a newer version, EnCase does not detect a CodeMeter dongle.

52667: A result set does not display until the case is closed and reopened.

52944: Running Evidence Processor on evidence files which contain a large number (100,000) of small archives will cause Windows to become slow or non-responsive.

53024: Attempting to preview a SAFE machine as a target returns an “Error loading evidence file” message.

53025: Files which are not deleted display in the Deleted Files view of the Sweep Enterprise Analysis Browser.

Guidance Software Product Compatibility Tables

The Support Portal contains a list of version-to-version compatibility tables for all Guidance Software products at https://support.guidancesoftware.com/matrix.


Encryption Support

EnCase now supports the following encryption products.

Vendor Product Supported Versions 64-bit Support

Check Point Check Point Full Disk Encryption

(formerly Pointsec PC)

6.3.1 up to 7.4 Yes

CREDANT Mobile Guardian 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1

through 6.8

No

GuardianEdge Encryption Plus/Anywhere 7 and 8 No

GuardianEdge Hard Disk Encryption 9.2.2 , 9.3.0, 9.4.0, 9.5.0,

9.5.1

Yes

McAfee EndPoint Encryption (formerly

SafeBoot)

4.5, 6 (for Windows and

Macintosh computers)

No

Microsoft BitLocker and BitLocker To Go Vista, 7 Yes

Sophos SafeGuard Easy and Enterprise

(formerly Utimaco)

4.5, 5.5, 5.6 Yes

Symantec PGP Whole Disk Encryption 9.8, 9.9, 10 Yes

Symantec Endpoint Encryption 7.0.2, 7.0.3, 7.0.4, 7.0.5,

7.0.6, 7.0.7, 7.0.8, 8.0

Yes

WinMagic SecureDoc Full Disk Encryption 4.5, 4.6 No

USGCB Compliance

EnCase has been validated as USGCB compliant using the following version of NIST VHD images:

10/14/11 (for Windows 7 only)

EnCase was tested using Retina Network Security Scanner, which is an NIST validated USGCB scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).


Support

Technical assistance is available online at http://www.guidancesoftware.com/technical-support.htm. From this page you can register for and access the Guidance Software Support Portal, an invaluable resource providing product-specific technical forums, an extensive knowledge base, a bug tracking database, and an Online Submission Form for your questions.

Technical Support

Guidance Software offers several technical support options, including:

Live Chat

Support Request Form

Email

Telephone

Customer Service

Please direct service questions to the Guidance Software Customer Service Department:

Monday–Friday 7 AM–5 PM Pacific time Phone: (626) 229-9191, press 5 Fax: (626) 229-9199 Email: [email protected] 215 North Marengo Avenue, Suite 250 Pasadena, CA 91101

You can access our Customer Service Request Form online at http://www.guidancesoftware.com/CustomerServiceRequest.aspx.