EnCase® Version 7.05
Release Notes
October 1, 2012
EnCase Version 7.05
Thank you for using Guidance Software products.
The Release Notes for this version of EnCase contain important information regarding your
EnCase application. Before you install, we recommend that you read the Release Notes to better
understand the changes we have made.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
New Features
Filters and Conditions in Original Table or Tree-Table View
EnCase now optionally displays filtered data in the original Table or Tree-Table view, in addition to
displaying the data in a result set.
Filters in Table View
1.
Click Run from the Filter dropdown menu on the toolbar. The Open File dialog displays.
2.
Select the filter you want from either Records or Entries, then click Open. The Run Filter
dialog displays.


Current View filters only the data in the current Tree/Table view and displays it in that
view.
Current Device filters only the data in the currently selected device and displays it in
the Results view.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
2

3.
4.
All Evidence Files filters all the evidence in the case and displays it in the Results
view.
When you execute a filter in Current View, a button displays just above the table to the
right of the Selected checkbox. Click the red X on the button to turn the filter off.
To turn the filter back on, click the filter icon on the button.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
3
Filters in Tree-Table View
To switch to Tree-Table View:
1.
From the Split Mode dropdown menu, click Tree-Table.
2.
The view displays the folder tree as well as the Table tab.
Note: EnCase remembers the last selected filter view (Table or Tree-Table) and defaults to that
setting the next time you enter filter mode.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
4
Enhanced Evidence Processor Performance
New architecture in Version 7.05 significantly improves indexing of large data sets.
Evidence Processor Prioritization
The Evidence Processor now includes a Processing Prioritization column with hyperlinks to a
prioritization dialog. This enables you to process a subset of the evidence and begin examining it
while the Evidence Processor continues to process the remaining evidence.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
5
1.
Click the hyperlink in the column where you want to specify items to be prioritized during
processing. The Processing Prioritization dialog displays.
2.
Click the Enable processing prioritization checkbox to enable the next three
checkboxes in the dialog.
3.
Click the checkboxes (Documents, Pictures, or Items within these dates) for the items
you want to have priority in processing. You can select more than one checkbox.
Checking Items within these dates enables the Minimum Date and Maximum Date
fields. You can enter dates and times manually or use the calendar (for dates) and the up
and down arrows (for times).
4.
If you want to process only the types of items you selected, instead of all evidence in the
evidence image, click the Process only prioritized items checkbox.
Note: If you select Process only prioritized items, you cannot run Evidence Processor
modules.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
6
5.
When are finished, click OK. The Processing Prioritization column reflects the selections
you made.
Case Analyzer Enhancements
EnCase 7.05 includes enhancements to Case Analyzer, as described below.
Case Analysis
Analysis provides higher level reports of metadata than you see in the Records tab of EnCase.
The Records tables generally show lists of parsed artifacts, emails, files, etc. The goal of analysis
reports, on the other hand, is to show what happened on a system. These reports often consist of
multiple artifacts joined together or specific prefiltered data indicating that something happened on
a system.
You can run Case Analyzer after the Evidence Processor modules run, or after data is collected by
EnCase Portable or Sweep Enterprise. Analysis reports are pulled from a SQLite database, which
contains metadata only. Analysis does not involve file content.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
7
Case Analyzer
To create analysis reports:
1.
Open the case you want to analyze.
2.
On the case Home page Browse area, click Case Analyzer.
3.
The Case Analyzer page displays. In the View Reports area, you can select the metadata
to analyze:



Case: Runs Case Analyzer on evidence files previously run on the Evidence
Processor.
Portable Device: Creates an analysis on specific targets collected to any portable
device attached to the system.
Sweep Enterprise (Case Data): Creates analysis reports for data from all collections
performed by Sweep Enterprise.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
8

Sweep Enterprise (Jobs Data): Creates analysis reports from a specific Sweep
Enterprise collection.
The navigation in the left pane is built dynamically and shows only reports which return data from
the metadata database. Depending on the modules you chose to run and what they found, you get
varying numbers of reports. Think of the navigation as a narrative of what was found on the
computer.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
9
To hide the navigation and expand the view of the data, click the Expand Data View button.
Click the Unavailable Views button on the toolbar to show reports that do not return data.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
10
Many reports offer higher level conclusions and automate the manual steps of correlating multiple
artifacts to determine what happened on a system. For example, the Files Seen on USB Device
report joins together linked files to the USB history and mapped drives in the Windows registry.
Each report includes enough information for examiners to find the original evidence and
investigate the data further. Most reports include an item path column to the file which was
originally parsed.
Click the About button on any report to see more information. This example shows the registry
keys used in the Files Seen on Known USB Devices report:
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
11
To filter reports, click the Constraint button. This is similar to a condition, but in this instance, you
are filtering data in a database.
Analyzing EnCase Portable Data
To analyze data collected by EnCase Portable:
1.
In the View Reports area of the Case Analyzer page, click Portable Device.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
12
2.
The Analysis Target Selector dialog displays. EnCase Portable analysis is performed
separately for each target. Click the target you want to analyze, then click OK.
3.
The Data Browser dialog displays. It functions in the same way as the Analysis Browser
tab.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
13
Analyzing Sweep Enterprise Case Data
1.
To analyze all data collected by Sweep Enterprise, click Sweep Enterprise (Case Data),
then click OK.
2.
The Data Browser dialog displays. It functions in the same way as the Analysis Browser
tab.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
14
Analyzing Sweep Enterprise Jobs Data
1.
To analyze data from a specific collection job, click Sweep Enterprise (Jobs Data).
2.
The jobs available for analysis display.
3.
Select the job you want to analyze, then click OK.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
15
4.
The Data Browser dialog displays. It functions in the same way as the Analysis Browser
tab.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
16
Viewing Multiple Records Simultaneously
Viewing multiple records simultaneously is similar to the previously existing ability to view multiple
evidence files simultaneously.
1.
In the Records tab, select the records you want to expand and view as a group, then click
Open.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
17
2.
The selected items display in the Records tab.
The Records tab lists all mounted volumes and results from the Evidence Processor or other
activities. Therefore, Records view can display three types of items:

Entries (mounted archives)

Records (module results)

Email (mounted email archives)
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
18
EnCase supports viewing only one item type at a time. If more than one type is found in the
selected records, the Open Item dialog displays, enabling you to choose the item type you want to
view. The default is Entries.
Note: In the Open Item dialog, only the radio buttons for the found item types are enabled.
Enhanced Functionality in Search and Results Tabs
These functions are now available in the Search and Results tabs:

Copy Files

Copy Folders

Add Results to Hash Library

Save Results
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
19
Refreshing Search Results during a Keyword Search
When running a raw keyword search, you can view the search hits while the search is ongoing,
instead of waiting for the entire search to complete.
To see search results while the search is ongoing, click the Refresh Raw Search Hits icon on the
Search tab.
If new search hits are available, the icon displays in green. If no new search hits are available, the
icon is disabled.
The icon is dynamic: after clicking, it is disabled until more search hits are available. When more
search hits are available, the icon is enabled and displays again in green.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
20
Activating an Electronic License
You can now activate your EnCase license electronically:
1.
On the EnCase Home page, click the down arrow in the upper right corner, then click
Activate Electronic License in the dropdown menu.
2.
The Activate Electronic License dialog displays.
3.
Enter the license key number you obtained via email from Guidance Software and your
email address in the boxes provided.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
21
4.
Click Next. A second Activate Electronic License dialog displays.
5.
Return to your MyAccount email and click the Submit your file link.
6.
In the Web page that displays, browse to the location of the License Request file, then
click Submit.
7.
Wait to receive an email response from MyAccount. In the License Activation portion of
the email, click the link to save your License Activation file, then copy this file into the
same folder as the License Request file.
8.
Click Next. A third Activate Electronic License dialog displays.
9.
Click Finish to complete the activation process.
Creating a New Request File
If you want to create a new request file--for example, if you previously entered an incorrect license
key number or an incorrect email address--follow these instructions:
1.
On the EnCase Home page, click the down arrow in the upper right corner, then click
Activate Electronic License in the dropdown menu. The Activate Electronic License
dialog displays.
2.
Click Back. In the dialog that displays, make the corrections to the license key number or
the email address, then click Next.
3.
Follow the steps in "Activating an Electronic License", above.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
22
Reactivating an Electronic License
If you already have an active license installed, and you click Activate Electronic License, this
message displays:
Click OK to remove the active license or Cancel to retain the current active license.
If You Already Have a Physical Dongle
If you already have a physical dongle, and you purchase another copy of EnCase with an
electronic license, the electronic license is fixed to the machine where it is installed, and it cannot
be moved to another computer. The physical dongle can be moved from one machine to another,
as before.
EnCase Enterprise Active Directory Authentication
Previous versions of EnCase Enterprise offered SAFE administrators the option to protect an
account with the Additional Password feature, which prompts users to provide separate passwords
in addition to the password for their private keys.
EnCase Enterprise Version 7.05 adds Active Directory integration. This option secures SAFE user
accounts by allowing SAFE administrators to associate a SAFE account with a Windows domain
account (user or group) from Active Directory. If a Windows user running EnCase is associated
with a SAFE account, or is a member of a Windows domain group associated with a SAFE
account, access to a SAFE is granted. Otherwise, access is denied.
This option implements the following Windows built-in account management features:

Password strength and expiration policies are enforced at the Windows domain level.

Windows user accounts can be disabled upon employment termination.

Users can be included or excluded from Windows groups using standard Windows
management tools.
Guidance Software recommends Active Directory integration in favor of the Additional Password
function; however, the latter is still supported by SAFE for backward compatibility.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
23
SAFE Account Types
The SAFE maintains two types of user accounts:

Regular user accounts that perform collection work, selecting data to be collected and
machines from which to acquire evidence.

The Keymaster account is controls permissions for regular users, but is unable to perform
collections.
Guidance Software recommends that Keymaster and regular users have different associations
with Active Directory accounts.
Configuring Active Directory Groups
This section provides a sample configuration of Active Directory that can be used with SAFE
accounts. Here, two Windows Domain groups are created:

SAFE Users: Includes Windows users who run EnCase for performing evidence
acquisition.

SAFE Administrators: Includes all Windows users who are allowed to log on to a SAFE as
Keymaster users and configure SAFE network, roles, and permissions. This group can
include users as well as other groups, such as built-in administrators and domain
administrators.
The following screenshot identifies these two groups:
Securing a Keymaster Account
A Keymaster account is a built-in account created during SAFE installation. It cannot be modified
using EnCase. Therefore, to use Active Directory Integration for a Keymaster, you must configure
it during SAFE installation.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
24
Use the following SAFE installer page to associate a Keymaster account with a SAFE
administrators Windows group. This ensures that only members of that group can log on to the
SAFE as Keymaster:
Note: To either disassociate the Keymaster account from the Windows account, or associate the Keymaster with
another Windows account, you must run SAFE Installer again.
Securing Regular User SAFE Accounts
Use the EnCase user interface to create regular user accounts. To provide a way of associating a
SAFE user with an Active Directory user or group (in Windows terminology, a trustee), the
New/Modify User dialog includes an option to add a Windows trustee. This input control invokes a
standard Windows dialog to choose either a user or a group.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
25
The following screenshot demonstrates how to associate a SAFE user account with a previously
created SAFE Users Windows group:
Enhanced Macintosh Support
EnCase now supports Macintosh OS 10.6 (Snow Leopard) and OS 10.7 (X Lion) via the servlet for
Enterprise.
Enhanced Windows Event Log Parser Support
The Windows Event Log Parser now parses corrupt or partial .evt and .evtx files.
Enhanced exFAT File System Support
For exFAT, two new internal entries have been added:

$FAT Alignment, an internal file that ensures that $Primary FAT is properly aligned.

$Primary FAT Padding that ensures the following file (usually $Bitmap) is properly aligned.
Enhanced PGP Support
EnCase now supports PGP Whole Disk Encryption 10.1 and 10.2
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
26
Added AIX Support for Deploying and Running Servlets
EnCase 7.05 adds support for deploying and running servlets on AIX versions 6.1 and 7.1.
Previously, it was necessary to install different physical files based on the version and bitness of
AIX.
Now you only need to install one file, based on bitness (32 or 64).
Creating Hyperlinks to an Exported Item from Report Templates
You can embed hyperlinks and link to exported files. The ways to do this are described below.
Using Bookmarks to Link to an External File
To specify bookmarks in a report:
1.
In Report Templates view, check the part of the report where you want the bookmarks to
display, then click the Body Text tab in the lower pane.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
27
2.
In the Add Table dropdown menu, click Bookmark Folder.
3.
The Bookmark dialog displays.
4.
In the Destination Folder tab, select the folder where you want the table to be saved and
enter a folder name.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
28
5.
In the Columns tab, click the checkboxes for the columns you want to display in the table.
6.
In the View Options tab, click the checkboxes for the options you want. Be sure to click
the Hyperlink to files checkbox.
7.
Click OK. The bookmarks display as hyperlinks in the table in the report.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
29
Exporting a Report to Display Hyperlinks
To export a report to display hyperlinks:
1.
Right click, then click Save As from the dropdown menu. The Save As dialog displays.
2.
For the Output Format, select RTF, HTML, or PDF, then click the Export items checkbox.
Note: The Export items checkbox is disabled for the other formats.
3.
Accept the default path or enter another path. If you want to see the exported report after
saving, click the Open file checkbox.
4.
Click OK. The hyperlinks display in the exported report.
Exporting a Metadata Report to Display Hyperlinks
To display hyperlinks in a metadata report:
1.
In the Evidence tab, select the item you want to display as a hyperlink in the report.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
30
2.
In the lower pane, click the Report tab to display metadata.
3.
Right click and select Save As from the dropdown menu. The Save As dialog displays.
4.
Select the Output Format you want. The supported formats are RTF, HTML, and PDF.
5.
Click the Export items checkbox. If you want to view the report after saving, click the
Open file checkbox.
6.
Accept the default path, or enter a path of your own, then click OK.
7.
The hyperlink displays in the metadata report.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
31
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
32
Adding a Hyperlink to a URL
To add a hyperlink to a URL:
1.
Go to Report Templates view. Select the part of the report where you want to add a
hyperlink, then click the Body Text tab in the lower pane to display the text.
2.
Place the cursor where you want to insert the hyperlink, then click Hyperlink in the
Document dropdown menu.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
33
3.
A line of hyperlink code displays.
4.
Replace http://www.link.com with the URL for your hyperlink. Replace Hyperlink
with the text you want to display for the hyperlink.
5.
Save your work. The hyperlink displays in blue in the report.
Enhanced Date/Time Format for Exporting to Spreadsheets
Now when you export date and time, it displays correctly in Excel and other spreadsheets in the
format hh:mm:ss tt.
Note: This applies to clean installations. Otherwise, reset the date and time on the Date tab of Tools > Options.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
34
Device Cache Optimization
The device cache file format is now optimized to provide faster device loading times and smaller
file sizes, making cache speed twice as fast and reducing the size of the file by half.
Backward and Forward Compatibility
The following applies when writing and reading device cache files from a version with optimized
device caches (Version 7.05) and a version without optimized device caches (Version 7.04):

Version 7.04 always writes out legacy device caches (as before).

Version 7.05 writes out optimized device caches by default.

Version 7.05 can read legacy device caches and leave them unchanged.

When updating an existing device cache, Version 7.05 saves the device cache in the
legacy format.

If the original format was legacy, Version 7.05 updates and saves the format as legacy.

If the original format was optimized, Version 7.05 updates and saves the format as
optimized.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
35
EnScript Application UI
There are now links on the Home and Case pages for EnScripts. There is also a new package
details page.
Home Page
On the Home page, there is an EnScripts link in the View section.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
36
Click the link to go to the EnScripts page. This page displays the most recently used scripts.
Case Page
On the Case page, there is an EnScripts link in the Browse section.
Click the link to go to the EnScripts page.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
37
Package Details Page
To view the package details page:
1.
On the Session tab, click the down arrow in the upper right corner of the tab. From the
dropdown menu, click Package Properties.
2.
In the Package Properties dialog, select the EnPack file you want, then click Open.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
38
3.
The package details page displays, with options to run the EnPack or go to the location of
the file, as well as information about the package.
EnScript Report Generation Enhancements
New EnScript options provide more control when creating a table in EnScript report. You can now
change the report paper size, and there is a better algorithm to calculate column width without
compromising a column's content.
You can now access the PaperClass object of the ReportWindowClass by calling the GetPaper
function: PaperClass ReportWindowClass::GetPaper()
You can change the paper size and orientation by calling the Create function of the PaperClass.
There are two new options for ExportClass::AddTable() function. To access the options, enter
bool ExportClass::AddTable(TableClass table, ContextClass context, uint
options)

For no skewing (that is, all columns fit their content without any wrapping):
ExportClass::TableClass::SHOWMAXSPAN

For all columns with string content to skew proportionally in relation to the page width:
ExportClass::TableClass::SHOWMINSPAN
Whenever a table is wider than the page width, EnCase automatically splits the table and the
remaining columns go onto the next page.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
39
Items Fixed
Acquisition/Add Device/Preview/File System
47786: When attempting to open an image, you are unable to parse a Fedora 16 ext4 partition.
47952: When acquiring a UNIX device, the default file name contains a high dot character outside
of the ASCII range and results in an error.
47953: When acquiring a UNIX device, EnCase prompts for unneeded credentials.
49075: Adding raw images with a matching GUID fails. Disk images contain different data.
49545: EnCase incorrectly matches object headers and their chunks when multiple chunkid and
sequence collisions occur.
49569: EnCase does not read the exFAT file system correctly.
50133: After acquiring a renamed drive, the reacquire dialog displays the default drive name
instead of the custom name.
50330: An acquired IPD file does not contain all information in the original IPD file.
Bookmarks
43365: In the Bookmark dropdown menu, the same shortcut (Ctrl-B) is listed for Single item and
Data structure.
52215: After undocking the viewer pane, the Bookmarks option is not available in the dropdown
menu.
52408: Bookmarked swept text data highlights text that was not swept.
Case Analyzer
50874: Most IM Parser related data does not display, or it displays incorrectly.
51080: Records are missing from one of the registries in Installed MS Apps and Uninstalled Apps
views.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
40
Compressed Files/Archived Files
47956: The path for Entries > Records in compound files is relative to the cached LEF and not the
original evidence.
48632: Using View File Structure on an MSI file type displays data in Chinese.
Date Handling
50361: SMS dates are incorrect in a LEF when acquiring from an iPad/iPhone using iOS 5.1.
Doc/Transcript
07328: Not all custom properties data for MS Office files display on the Transcript tab.
Email
38933: For undeliverable email messages, the To: field and body do not render correctly.
47449: EnCase handles encoded MIME messages incorrectly.
48897: The Show Conversation/Show Related option does not display the Tag column.
49343: EnCase crashes when running a search on a local drive.
49418: Running a processing job on a PST file causes EnCase to crash.
50297: ASCII characters in an mbox compound file attachment do not decode correctly.
51717: EnCase crashes when viewing file structure on a .PST archive.
EnCase Modules
41283: The option Dismount Emulated Disk is still listed in the Share menu, even though the
process was cancelled.
46063: You cannot mount evidence files over 160GB in size with PDE or VFS.
Encrypted Devices
50583: A BitLocker encrypted search hit is not decrypted in the Text tab in Results view.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
41
EnScript
43536: While generating transcripts for email records, EnCase terminates the EnScript with an
internal error and may crash.
44991: Adding multiple ResultClass objects to a ResultSetClass causes EnCase to crash.
47326: After adding an invalid evidence file using EvidenceClass::AddToCase(), no error
message displays after the script completes.
47795: BookmarkDecodeClass bookmarks do not display as pictures in the Gallery view of the
Bookmarks tab when the type is set to BookmarkDecodeClass::PICTURE.
49530: The example DatabaseClass EnScript creates a HandlerClass and NodeClass with
null values.
50295: If there are mounted RAID or LVM devices in a case, trying to iterate through devices or
entries using EnScript fails, and no error is reported.
50926: SearchClass::Find returns different results in EnCase Version 6 and Version 7 when
using a search length greater than the file size.
EnView
40828: EnView fails to display transcript information of an Excel file.
52185: Processing takes an excessively long time due to an issue with Passware.
Evidence Files/Logical Evidence Files/Case Files/Single Files
43842: A shared folder does not display case templates.
44366: In the Find dialog, the Results in Output Window option is enabled, but it does not
function.
48155: When highlighting dates in an MFT record, information in the Text and Hex tabs does not
match.
48431: When creating a LEF from an .E01 file, the file identifier is not preserved.
51149: Some volumes display with folder icons.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
42
Evidence Processor
40513: The default path for saving Evidence Processor options is the path from which the
evidence was loaded.
41331: There is no response after clicking the Edit button in Evidence Processor, even if the
Process checkbox is selected.
49476: The Evidence Processor dialog does not display until you move the mouse.
50462: Using the Evidence Processor Find Internet artifacts option for an unallocated search
creates duplicates of deleted files.
51168: The File Carver incorrectly carves data on an Advanced Format (4096-byte structure) disk.
52388: When performing View File Structure on a specific file, EnCase crashes.
52478: When parsing an mbox file, EnCase crashes.
52913: Evidence processor appears in the bottom right corner, then stops when when Process
Evidence is selected.
Export Files/Folders
50088: The Add Link to File option does not link files.
Filters/Conditions/Queries
45002: Conditions are slow to respond in EnCase Version 7 compared with Version 6.
47383: In conditions, more than one folder can have the identical name.
48972: Find Files Based on Category or Extension filters by category and not by the selected
file extension.
51043: Conditions take significantly longer to execute than in Version 7.03.
Gallery View/Pictures
49409: EnCase crashes when changing from one filter to another in Gallery view.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
43
Hashing/Searching/File Signatures/Signature Analysis
47346: EnCase does not properly handle a scenario where files with no hash value are added to a
hash set.
48055: In Text view, words that wrap to a second line do not display.
49488: Adding custom HashKeeper files causes EnCase to crash.
50219: The import hash process stops when it encounters a duplicated hash item.
50260: Go to file option from a search result goes to the Windows artifact link parser home screen
instead of to the actual file.
50515, 50704, 51146: Selecting Raw Search All for multiple evidence files returns results from
only the last evidence file.
51634: The Import EnCase Legacy Hash Sets function imports corrupted hash set files.
51768: Hash generation causes intermediate files to be dumped into the root case folder.
Index/Query Index
49294: After indexing, EnCase cannot find keywords in an .XLSX file.
49424: Indexing does not exclude noise words.
50865: Selecting multiple items from an index search, then tagging them all, causes EnCase to
crash.
51835: Tab names in Excel files do not display in the Transcript tab, and they are not searchable
when performing an indexed search.
52144: "[Item Type]IT_EMAIL" does not return entries in the Search Index tab.
52622: Indexing never finishes for an .L01 file.
Internet
47450: The profile name in non-ASCII does not display in Internet history.
48745: Some gzip formatted artifacts do not display properly.
49489: Sort does not work correctly on the URL Host column of the Records tab.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
44
Localization
45755: EnPacks do not display in EnCase on initial launch.
Records
50759: Customized column order does not persist after using the Go to File option.
Registry
49450: Incorrect or no data displays when viewing a registry value that contains large data records
in the HIVE file format.
51303: Two entries inside a mounted registry file have the same unique offset.
Report
43109: The SMS Type column is empty in an HTC Touch Diamond smartphone report.
46856: The report template truncates pasted text.
47814: When running a report on bookmarks, the Name column is blank.
50621: In the Report Template, you cannot add the case name to the title page.
50676: The File Report EnScript generates a blank report after blue checking items from a
software RAID built through LVM.
50705: Bookmark table view does not display all metadata.
51986: Tagged items are not in a smartphone report.
SAFE
36966: The Add device dialog takes several minutes from selecting a machine to listing devices.
38417: EnCase cannot connect to a node via an IPv6 address.
48187: A SAFE name containing a hyphen is truncated in the SAFE log.
48337: The SAFE diagnostic shows a v7 cert is not properly installed, when it actually is.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
45
48718: The SAFE logging on status bar still displays after attempting to connect to the wrong
SAFE.
49542: A SAFE network import procedure populates the screen but does not push imported nodes
to the SAFE.
Servlet
52531: Installing the servlet increases the start time of Windows.
Smartphone
52267: An iMessage date is not correctly reported on an iOS 5.1.1 device.
52268: Dates and times are misread from an iOS 5.1.1 property list.
Sweep Enterprise
51735: In Case Analyzer, the Linux Devices view contains duplicate records.
52523: In Case Analyzer, not all cron jobs are parsed from a Linux LEF.
Tagging
50373: Tags are not retained between tabs if the source evidence is an EnCase Portable LEF.
Timeline
42817: Evidence Timeline printing results in multiple copies of output.
UI/Controls/Configuration
39257: The Options screen is oversized when using non-default dpi settings.
42833: In Virtual File System, the Mount as Network Share option is available when EnCase is in
acquisition mode.
44549: The Mount as Network Share Client option is missing from the Tools menu.
44716: After undocking the View pane, the Tag pane disappears.
46985: Sort column icons in the Add Network Preview > Network Devices dialog are nonfunctional.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
46
48414: Highlighting a folder entry and pressing Enter does not move the folder contents.
48529: After parsing with System Info Parser, column headers for Ubuntu user account
information are incorrect.
48896: The Show Conversation/Show Related dropdown menu does not contain the Export to
*.msg option.
48907: Show Conversation/Show Related parent items have no checkboxes available.
49410: In the Results Tab, tags bleed into the next column instead of wrapping.
50350: Custom tags remain after deleting in the Manage tags dialog.
52527: Incorrect results display when running a condition more than once.
52605: Clicking in Disk view crashes EnCase.
Users/Roles/Permissions
00792: A keymaster can create two logon roles with the same name.
26785: Duplicate permissions can be added to any role or user.
Known Limitations
47786: When attempting to open an image, EnCase is unable to parse a Fedora 16 ext4 partition.
48667: Rescanning a machine and running Find Internet Artifacts causes duplicate Internet
Artifacts to display in the Records tab.
51167: The SafeBoot encryption .dll causes EnCase to crash when the encryption algorithm for
the server does not match the one implemented in SbAlg.dll.
51723: 32-bit x86 Evidence Processor generates an error and does not complete successfully.
Workaround: We strongly recommend that you install 64-bit EnCase.
51795: In EnScript development, calling GetRoot() on a node returns a reference to the root node
that is not ref counted. This can cause a crash if a developer expects for the root node ref to be
counted and debugs the script.
51875: Evidence and its related cache that is processed or reprocessed in EnCase Version 7.05
and later cannot be opened in EnCase Version 7.04 and earlier.
52237: Running Evidence Processor without indexing, then running Evidence Processor with
indexing selected, produces different search hits.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
47
52263: Passware fails to initialize on the x64 bit version when Comodo Internet Security (which
includes antivirus and firewall) is installed on the same system as EnCase. You need to uninstall
Comodo for Passware to work properly.
52391: The content of a mountable device is transcripted and indexed if mounted and non-indexed
evidence is reprocessed.
52565: After upgrading CodeMeter drivers from Version 4.20 to a newer version, EnCase does not
detect a CodeMeter dongle.
52667: A result set does not display until the case is closed and reopened.
52944: Running Evidence Processor on evidence files which contain a large number (100,000) of
small archives will cause Windows to become slow or non-responsive.
53024: Attempting to preview a SAFE machine as a target returns an “Error loading evidence file”
message.
53025: Files which are not deleted display in the Deleted Files view of the Sweep Enterprise
Analysis Browser.
Guidance Software Product Compatibility
Tables
The Support Portal contains a list of version-to-version compatibility tables for all Guidance
Software products at https://support.guidancesoftware.com/matrix.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
48
Encryption Support
EnCase now supports the following encryption products.
Vendor
Product
Supported Versions
64-bit Support
Check Point
Check Point Full Disk Encryption
(formerly Pointsec PC)
6.3.1 up to 7.4
Yes
CREDANT
Mobile Guardian
5.2.1, 5.3, 5.4.1, 5.4.2, 6.1
through 6.8
No
GuardianEdge
Encryption Plus/Anywhere
7 and 8
No
GuardianEdge
Hard Disk Encryption
9.2.2 , 9.3.0, 9.4.0, 9.5.0,
9.5.1
Yes
McAfee
EndPoint Encryption (formerly
SafeBoot)
4.5, 6 (for Windows and
Macintosh computers)
No
Microsoft
BitLocker and BitLocker To Go
Vista, 7
Yes
Sophos
SafeGuard Easy and Enterprise
(formerly Utimaco)
4.5, 5.5, 5.6
Yes
Symantec
PGP Whole Disk Encryption
9.8, 9.9, 10
Yes
Symantec
Endpoint Encryption
7.0.2, 7.0.3, 7.0.4, 7.0.5,
7.0.6, 7.0.7, 7.0.8, 8.0
Yes
WinMagic
SecureDoc Full Disk Encryption
4.5, 4.6
No
USGCB Compliance
EnCase has been validated as USGCB compliant using the following version of NIST VHD
images:
10/14/11 (for Windows 7 only)
EnCase was tested using Retina Network Security Scanner, which is an NIST validated USGCB
scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
49
Support
Technical assistance is available online at http://www.guidancesoftware.com/technicalsupport.htm. From this page you can register for and access the Guidance Software Support
Portal, an invaluable resource providing product-specific technical forums, an extensive
knowledge base, a bug tracking database, and an Online Submission Form for your questions.
Technical Support
Guidance Software offers several technical support options, including:

Live Chat

Support Request Form

Email

Telephone
Customer Service
Please direct service questions to the Guidance Software Customer Service Department:
Monday–Friday 7 AM–5 PM Pacific time
Phone: (626) 229-9191, press 5
Fax: (626) 229-9199
Email: customerservice@guidancesoftware.com
215 North Marengo Avenue, Suite 250
Pasadena, CA 91101
You can access our Customer Service Request Form online at
http://www.guidancesoftware.com/CustomerServiceRequest.aspx.
© 2012 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
50