EnCase® Version 7.09.02 Release Notes

January 17, 2014
EnCase Version 7.09.02
Thank you for using Guidance Software products.
The Release Notes for this version of EnCase contain important information regarding your
EnCase application. Before you install, we recommend that you read the Release Notes to better
understand the changes we have made.
SAFE Version
The SAFE version for EnCase 7.09.02 is 7j1.
This fixes an issue where the .nas file was missing after SAFE installation.
© 2014 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice and
is provided for informational purposes only.
New Features
Updated Outside In Viewer Support
EnCase uses Outside In viewer version 8.4.1.
Enhanced OS X Servlet Support
The OS X servlet is now compatible with OS X 10.9 Mavericks. This includes the following
capabilities:
• Devices
• Files
• Hashing
• Path-based commands
• Process: Kill
• Process: Run
• Remote acquisition
• Resolve paths
• Resolve variables
• Search: Keyword
• Snapshot
• Wipe
Apple iOS 7 Support
EnCase now supports Apple iOS 7 for mobile devices.
FileVault 1 Decryption Support
EnCase now supports FileVault 1 AES-256 decryption for:
• DMG
• Sparse image
• Sparse bundle
Tableau Device Information Stored and Displayed in EnCase
The .Ex01 format now supports storing and displaying specific information extracted from
Tableau TD2/TD3 logs.
The Tableau device information stored in .Ex01 file format and displayed in the EnCase User
Interface is the following:
• Imager serial number
• Drive firmware revision
• Drive interface type
• USB serial number
• FireWire GUID
• Protocol module model number
• Protocol module serial number
• Protocol module firmware version number
This information is displayed within EnCase in the Fields tab of Evidence view:
Items Fixed
Doc/Transcript
68170, 68320: Outside In no longer causes EnCase to crash when viewing a particular file.
EnScript
68653: The System Info Parser Live Registry feature no longer processes the registry of the
examiner's machine unless it was specifically added as evidence.
68666: When no footer is present and export is enabled, file carver results are based on the
default file length and not the export size.
Evidence Processor
68567, 68588: The link parser no longer causes EnCase to crash when processing corrupted
evidence.
68881: Now when a DBX file is too large for the EnCase parser, View File Structure reports an
error.
68977: Typed URLs now display for a user whose registry hive is mounted.
68993: When creating a new case and pointing the evidence cache to the root directory of a
volume, the cache status is now Ready (Primary) instead of Unknown.
Export Files/Folders
68948: When performing multiple searches during the Copy Folders process, EnCase does not
crash.
General
68794: Now when you run the Snapshot option while previewing a 64-bit Linux kernel machine,
the full path for the processes displays correctly in the Processes tab of Records view.
Index/Query Index
68560: Scan LVM now parses the logical volume successfully.
68777: When saving an index search as a results set, search hits now highlight correctly in the
Results tab.
68957: If a document has a string in the form $ Word, the string is now correctly indexed as two
separate words.
Installation
68237: EnCase now installs with the latest CodeMeter driver, version 5.10.
Processor
68960: Now 25 processor instances can be launched on a single node while using only a single
processor NAS license.
Servlet
68528: When the servlet started as a process or service, it attempted to load SDDisk.dll via
LoadLibraryEx. Now the file is loaded only from the system32 directory.
68647: The Deploy Servlet feature now correctly executes WSF scripts to deploy the servlet
when the examiner and target are on different subnets.
68861: Deploying the enlinuxpc servlet from SAFE version 7h or higher is now successful.
UI/Controls
68539: Adjusting column width in the Table pane now persists and no longer reverts to the size
of a previously highlighted item.
68654: Opening the Tag pane when viewing a results set no longer clears any blue-checked items
in that view.
Known Limitations
68604: Linux implements special characters (such as German umlauts) using Unicode UTF-8
encodings, but EnCase by default does not decode these 2-byte UTF-8 encodings when it displays
the file and folder names. Workaround: Change the Code Page to UTF-8 to see characters with
codes above 127. When an evidence or dd image acquired from *NIX is added to EnCase and the
locale is unknown, setting the Code Page in EnCase to UTF-8 is better than using the default.
68793: Find Internet Artifacts does not collect user downloaded files for Mozilla Firefox.
68889: Outside In: EnCase hangs while viewing some .mif files.
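For limitation 68604 above, the following added example (not part of the release notes and not EnCase code) shows how UTF-8 file names render under a single-byte code page and why UTF-8 is a safe first choice when the locale is unknown: strict UTF-8 decoding rejects names written under a legacy locale instead of silently misrendering them. The sample names, the function names and the use of cp1252 as the "default" code page are assumptions made for illustration.

```python
# Constructed sample: raw directory-entry name bytes from a *NIX image.
UTF8_NAMES = [b"M\xc3\xbcller.txt", b"Gr\xc3\xb6\xc3\x9fe.odt", b"notes.txt"]
LATIN1_NAMES = [b"M\xfcller.txt", b"notes.txt"]  # written under an ISO-8859-1 locale

DEFAULT_CODE_PAGE = "cp1252"  # assumption: a Western single-byte default


def render(raw, code_page):
    """Decode name bytes the way a viewer set to code_page would show them."""
    return raw.decode(code_page, errors="replace")


def suggest_code_page(raw_names):
    """Classify names: 'ascii' (any code page works), 'utf-8', or 'single-byte'."""
    high = [n for n in raw_names if any(b > 127 for b in n)]
    if not high:
        return "ascii"
    for name in high:
        try:
            name.decode("utf-8")  # strict: rejects malformed sequences
        except UnicodeDecodeError:
            return "single-byte"  # not UTF-8; a legacy locale wrote these names
    return "utf-8"


def compare(raw_names):
    """Return (default rendering, UTF-8 rendering) for each name."""
    return [(render(n, DEFAULT_CODE_PAGE), render(n, "utf-8")) for n in raw_names]


if __name__ == "__main__":
    for shown_default, shown_utf8 in compare(UTF8_NAMES):
        print(f"{DEFAULT_CODE_PAGE}: {shown_default!r}   utf-8: {shown_utf8!r}")
    print("UTF-8 sample    ->", suggest_code_page(UTF8_NAMES))
    print("Latin-1 sample  ->", suggest_code_page(LATIN1_NAMES))
```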
Found in Version 7.08.01
67028: EnCase becomes unstable when you drag and drop evidence into a case while a sort
operation is running.
Found in Version 7.08
65144: The sparse size of an Ubuntu ext3 file is improperly reported.
66161: Some compound index queries with NOT terms do not yield correct results.
Found in Version 7.06
62196: EnCase returns empty records when the Sweep Enterprise Snapshot module takes more
than ten minutes to run on a machine. This causes EnCase to time out and fail to return any
snapshot data for that machine. When this happens you can reboot the machine that returns
these empty records and rerun Sweep Enterprise with the Snapshot module on.
Note: The Sweep interface does not tell you which targets return no data. To get that
information, you must query the Sweep.sqlite database using a query of this form:
    Select B.Target From Snapshot as A, _TargetRuns as B Where A._TargetRuns_Key = B.ID and A.Name = ''
The Sweep database is stored in the Case folder, under EnScript/Sweep Enterprise.
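The query described in the note above can be run from a script. This is an added example, not part of the release notes or of EnCase: the table and column names come from the query on this page, while the column types, the sample rows, the function names and the reading of the comparison value as an empty string are assumptions. It opens the database read-only so the case data is not modified, and adds DISTINCT and ORDER BY to the documented query for readable output.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Query form from the release notes, with DISTINCT/ORDER BY added here.
EMPTY_SNAPSHOT_QUERY = """
    SELECT DISTINCT B.Target
    FROM Snapshot AS A, _TargetRuns AS B
    WHERE A._TargetRuns_Key = B.ID AND A.Name = ?
    ORDER BY B.Target
"""


def targets_with_empty_snapshot(db_path):
    """Return the targets whose Snapshot records came back empty."""
    # mode=ro: query the case database without writing to it.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        return [row[0] for row in conn.execute(EMPTY_SNAPSHOT_QUERY, ("",))]
    finally:
        conn.close()


def build_sample_db(db_path):
    """Constructed stand-in for Sweep.sqlite with only the columns the query uses."""
    conn = sqlite3.connect(db_path)
    conn.executescript("""
        CREATE TABLE _TargetRuns (ID INTEGER PRIMARY KEY, Target TEXT);
        CREATE TABLE Snapshot (_TargetRuns_Key INTEGER, Name TEXT);
        INSERT INTO _TargetRuns VALUES (1, '10.0.0.11'), (2, '10.0.0.12'), (3, '10.0.0.13');
        INSERT INTO Snapshot VALUES (1, 'explorer.exe'), (1, 'svchost.exe'),
                                    (2, ''), (2, ''), (3, 'sshd');
    """)
    conn.commit()
    conn.close()


def demo():
    """Build the constructed database in a temp folder and query it."""
    with tempfile.TemporaryDirectory() as case_dir:
        db_path = os.path.join(case_dir, "Sweep.sqlite")
        build_sample_db(db_path)
        return targets_with_empty_snapshot(db_path)


if __name__ == "__main__":
    print(demo())
```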
Found in Version 7.05
52275: Microsoft Visio files are being mounted as compound files by the Evidence Processor.
Found in Version 7.04
43707: When acquiring email data from Acer tablets, only some Gmail messages from the inbox
are able to be parsed. Gmail messages in drafts and other folders are not captured in the logical
evidence file. This is due to a change in how Gmail caches information. In addition, the default
Acer email application does not provide read access to its data, so no email messages from the
default email application can be acquired.
Found in Version 7.03
45813: Index hits with large numbers of characters that wrap over line breaks do not display in
the Review tab.
46686: Email messages for Blackberry phones are shown in a Smartphone Report only if they are
in Plain Text. Issue 46995 has been entered to fix this defect.
Guidance Software Product Compatibility Tables
The Support Portal contains a list of version-to-version compatibility tables for all Guidance
Software products at https://support.guidancesoftware.com/matrix.
Encryption Support
EnCase now supports the following encryption products.
| Vendor | Product | Supported Versions | 64-bit Support |
|---|---|---|---|
| Check Point | Check Point Full Disk Encryption (formerly Pointsec PC) | 6.3.1 up to 7.4, 8.0 (for Windows and Macintosh computers) | Yes |
| Credant | Mobile Guardian | 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8, 7.3 | Yes |
| GuardianEdge | Encryption Plus/Anywhere | 7 and 8 | No |
| GuardianEdge | Hard Disk Encryption | 9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1 | Yes |
| McAfee | EndPoint Encryption (formerly SafeBoot) | 4, 5, 6, 7 (for Windows and Macintosh computers) | Yes (for Versions 4 and 5) |
| Microsoft | BitLocker and BitLocker To Go | Windows Vista, 7, and 8, Server 2008 | Yes |
| Sophos | SafeGuard Easy and Enterprise (formerly Utimaco) | 4.5, 5.5, 5.6, 6.0 | Yes (only for SafeGuard Easy, not for Enterprise) |
| Symantec | PGP Whole Disk Encryption | 9.8, 9.9, 10, 10.1, 10.2 | Yes |
| Symantec | Endpoint Encryption | 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0, 8.2 | Yes |
| WinMagic | SecureDoc Full Disk Encryption | 4.5, 4.6, 5.x, 6.x | Yes |
USGCB Compliance
EnCase has been validated as USGCB compliant using the following version of NIST VHD images:
10/14/11 (for Windows 7 only)
EnCase was tested using Retina Network Security Scanner, which is an NIST validated USGCB
scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).
Support
Technical assistance is available online at
http://www.guidancesoftware.com/technical-support.htm. From this page you can register for
and access the Guidance Software Support Portal, an invaluable resource providing
product-specific technical forums, an extensive knowledge base, a bug tracking database, and an
Online Submission Form for your questions.
Technical Support
Guidance Software offers several technical support options, including:
• Live Chat
• Support Request Form
• Email
• Telephone
Customer Service
Please direct service questions to the Guidance Software Customer Service Department:
Monday–Friday 7 AM–5 PM Pacific time
Phone: (626) 229-9191, press 5
Fax: (626) 229-9199
Email: customerservice@guidancesoftware.com
1055 E. Colorado Blvd.
Pasadena, CA 91106-2375
You can access our Customer Service Request Form online at
http://www.guidancesoftware.com/CustomerServiceRequest.aspx.