© 2013 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice and is provided for informational purposes only.

EnCase® Version 7.09
Release Notes
November 21, 2013

EnCase Version 7.09

Thank you for using Guidance Software products.

The Release Notes for this version of EnCase contain important information regarding your EnCase application. Before you install, we recommend that you read the Release Notes to better understand the changes we have made.

Encase Examiner v709 Release Notes

    SAFE Version

    The SAFE version for this release is 7j.

    This version includes the ability for a keymaster to grant non-keymaster SAFE users permission to administer user accounts. This is useful in sizable organizations where it can be burdensome for only one keymaster to administer large numbers of accounts.

    New Features

    Result Set Processing

    Previously, it was necessary to run Evidence Processor for an entire device, even if you wanted to review only a specific type of file, a specific location, or a subset within the device. Now you can process a result set from the case for the specific information you want to review.

    Processing a Result Set

    1. Open the Processor Options dialog. Depending on the context, there are several ways to do this. For example, in the Evidence tab, click Process Evidence > Process.

    2. Click Result Set. The Process Result Set dialog displays.

    3. Select the result set you want to process, then click OK. The EnCase Processor Options dialog displays a table with information about the result set to be queued:

    Name

    Evidence Size

    Item Logical Size

    Item Count

    This information helps you identify the size and scale of the evidence to be processed. A result set may contain items from multiple evidence files, all of which will be processed.

    4. Click OK. EnCase begins processing the evidence.

    Note: Processing modules (System Info Parser, File Carver, Windows Artifact Parser, etc.), along with Recover Folders, do not respect result sets and therefore run against the entire device as they normally do.

    Note: Because result sets can include items from multiple devices in various processing states, locks do not display in processing options when selecting result set processing. However, items that would normally be locked because they were previously run on a device will still run, even if they do not have the lock item present. In other words, once a lockable Evidence Processor option is run on a device, all processing jobs that follow on that device will run the option, even if it is not selected. The screenshot in Step 3 above explains that these previously processed items are marked with asterisks, and those items will be reprocessed.

    Also, since locks do not display, some modules that are not supported in certain instances will not run, even if they are selected. For example, indexing will not run on items that come from a remote node, and Snapshot will not run on an evidence file or a local drive.

    Launching Processor Options from the Results Tab

    You can open the EnCase Processor Options dialog from the Results tab. This saves time by giving you the option to process only the evidence you want to examine.

    1. In the Results tab, select the result set you want to process.

    2. Right click, then click Process in the dropdown menu.

    3. The EnCase Processor Options dialog displays.

    Creating Result Sets in Entries and Records Views

    You can create a result set similar to the way you create a Logical Evidence File. The menu is accessed from Entries or Records view, as described below.

    Creating a Result Set in Entries View

    1. In the Tree and/or Table pane, blue check the items you want to include in the result set.

    2. Right click, and in the dropdown menu click Entries > Create Results.

    3. The Create Results dialog displays, showing the number of items selected that are under the highlighted folder.

    In the example above, note that in Step 2, 11 entries were blue checked, but the Create Results dialog shows that only 7 entries are being included in the result set in Step 3. This is because a folder was highlighted in the entry tree in Step 2 when Create Results was selected. Only blue checked items below the folder that is currently highlighted are included in the result set. Blue checked items in adjacent or higher branches in the folder tree are excluded. This behavior is similar to the way EnCase includes selected items when creating a LEF.

    To include all blue checked items in a device, highlight the device root first before selecting the Create Results option.

    4. Enter a name for the result set, then click OK.

    5. EnCase creates the result set, and it displays in the Results tab.

    Creating a Result Set in Records View

    In Records view, you can create result sets from mounted items that are not metadata only.

    Some examples of data types that allow creation of result sets include:

    Email archives

    Compound files (for example, .zip files)

    Internet artifacts

    Examples of data types that do not allow creation of results (because they are metadata only) include:

    Snapshot data

    System Info Parser results

    Windows Artifact Parser results

    Windows Event Log Parser results

    1. In the Tree and/or Table pane, blue check the items you want to include in the result set.

    2. Right click, and in the dropdown menu click Records (or Entries, depending on the context) > Create Results.

    3. The Create Results dialog displays, showing the number of items selected.

    4. Enter a name for the result set, then click OK.

    5. EnCase creates the result set, which displays in the Results tab.

    Overwriting the Evidence Cache

    The Overwrite Evidence Cache option enables you to delete previous processing results for the selected item and restart processing.

    Note: Use this option with caution, as it will remove all processing results for the devices selected.

    1. Click the Overwrite Evidence Cache checkbox. An information message displays in the right pane.

    Note: This option is enabled only when you select Current Item and the evidence is already processed.

    2. Click OK. A warning message displays, asking if you want to continue and delete previously processed output.

    3. To continue, click Yes. EnCase will delete all caches related to the specified evidence file.

    Note: When you use the Overwrite Evidence Cache option, items in the result sets and bookmarks belonging to the device will no longer resolve to the original item GUIDs and will become invalid. You can delete the existing result sets and bookmarks or maintain them as a reference for manual recreation.

    Sweep Enterprise Enhancements

    Tab-Based User Interface

    Sweep Enterprise now uses a tabbed framework, comprising four tabs.

    Sweep Enterprise

    Create Scan

    Status

    Analysis Browser

    Changes to Sweep Enterprise screens and workflow are described below.

    Sweep Enterprise Tab

    The Sweep Enterprise tab contains two sections, New Scan and Previous Scans.

    In the New Scan area, click Create Scan to create a new scan.

    The Previous Scans area displays the most recent scans (up to five), as well as an All Scans report link. Clicking one of the previous scans takes you to the Analysis Browser tab with the results of that scan.

    Create Scan Tab

    1. To select targets for the sweep, click Create Scan on the Sweep Enterprise main tab.

    2. The Create Scan subtab of the Sweep Enterprise tab displays.

    3. In the target list, select the nodes you want to sweep. To select or clear all nodes in the list, click Selected.

    4. Click Run Scan. The Module Settings dialog opens, displaying available modules in the left pane and information about the currently selected module in the right pane.

    The System Info Parser and Snapshot modules are selected by default.

    A snapshot of each target is generated for all collection jobs; therefore, you cannot clear the checkbox for the Snapshot module.

    The File Processor module is not selected by default because it has a significantly higher run time than the other modules.

    The System Info Parser module is not enabled for Linux systems.

    The System Info Parser module Advanced tab options for collecting custom registry keys are not available.

    Selecting Check In directs Sweep to wait indefinitely for all the targets to check in before it runs the selected modules on the target. If you leave this checkbox blank, the SAFE initiates communication. If a servlet does not respond after a certain amount of time, the SAFE ends the communication and EnCase informs you that the servlet cannot be reached.

    Selecting Deploy Servlet causes the SAFE to initiate communication with the target and automatically install a servlet if one is not already installed. This option is only available if the user's role is configured with the Deploy Servlet permission. The Deploy Servlet and the Check In options cannot be used simultaneously. See Automatically Deploying Servlets.

    5. When you finish selecting modules and their associated options, click Next. A Confirmation Page displays, showing the target node list and module selections.

    6. Click Finish.

    Importing Targets

    You can add a list of targets to the Create Scan tab.

    1. Click Import Targets.

    2. The Add Targets dialog displays.

    3. Enter, or copy and paste, a list of machine names, IP addresses, or IP ranges, then click OK.

    4. A Temporary Targets folder containing the imported items is added to the Create Scan tab. You can select them like any other target.

    Note: Temporary targets are only available for the current sweep.

    Status Tab

    When you click Finish on the confirmation page, the Status tab displays.

    The tab contains two buttons and a checkbox:

    Cancel Scan: Cancels a scan in progress.

    Analysis Browser: Opens the Analysis Browser.

    Refresh Automatically (checked by default): Dynamically updates the status of a scan in progress.

    A green bar indicates the progress of the scan for a given node and module (for example, Mounting Drives, Waiting, Scanning, Snapshot Taken).

    The Collection Status column also indicates if connection to a specific node failed.

    Analysis Browser Tab

    The Analysis Browser tab now behaves exactly like the Case Analyzer reports page. It displays all reports from the latest scan.

    Reports are contained within folders in the tree.

    The available Sweep Enterprise reports are listed below in bold.

    Accounts and Users folder:
      o Users - Comprehensive
      o Users - Registry
      o Users - Snapshot

    File Processor folder:
      o Collected Files - All
      o Collected Files - Hash
      o Collected Files - Keywords
      o Collected Files - Metadata
      o Deleted Files

    Hardware folder:
      o Hardware Devices
      o Hardware Miscellaneous

    Network folder:
      o ARP
      o DNS
      o Hidden Ports
      o IP Gateway Pairs
      o IP MAC Pairs
      o Network Interfaces - Registry
      o Network Interfaces - Snapshot
      o Open Ports By DLL
      o Open Ports No Process
      o Open Ports
      o Routes

    Operating System folder:
      DLLs subfolder:
        o DLLs
        o DLLs by Process Details
        o Injected DLLs
      OS Services Processes subfolder:
        o Processes - All
        o Processes - Apps
        o Processes - Drivers
        o Processes - Hidden
        o Processes - Services
      System Info
      Time Zone

    Removable Media folder:
      o Drives Overview
      o USB Devices
      o USB Drives Overview

    Shared and Mapped Devices folder:
      o Drives Overview
      o Mapped Shares
      o UNC Folders Visited

    Snapshot

    Software folder:
      o Installed Apps
      o Installed MS Apps
      o Uninstalled Apps

    Target Info folder:
      o Job Target Files Collected
      o Target Volumes
      o Targets Collected
      o Targets Failed

    User Activity folder:
      o Open Files
      o Processes Launched by User

    Analysis Browser Improved Target and Job Filtering

    You can filter results in the Analysis Browser tab to display only those items that are of interest to you by selecting specific scans and targets or entering targets manually.

    1. Click Target Constraint.

    2. The Scans/Targets dialog displays. It contains a list of scans and targets from which you can choose to limit the displayed results in the Analysis Browser tab.

    3. Select one scan and one or more targets to limit the displayed results. Alternatively, you can enter targets manually in the Manual Entry area.

    Note: No selection means there is no limitation.

    4. Click OK. The displayed results in the Analysis Browser tab change to reflect your constraint. In this example, the results were narrowed down from 66 items to 18.

    Analysis Browser Pagination

    Controls at the bottom of the report pane allow you to view data across several pages.

    The controls include:

    Buttons for going to the first and last page of the report.

    Forward and back buttons for going to the next page or previous page of the report.

    Checkboxes for each individual page of the report. The number of checkboxes varies, depending on the report's size.

    A Go to Page button.

    A Change Page Size button.

    A Show All checkbox.

    First Page Button

    Click First to go to the first page from anywhere in the report. When you select this button, the Page 1 checkbox is checked.

    Last Page Button

    Click Last to go to the last page from anywhere in the report. When you select this button, the checkbox for the last page is checked.

    Forward and Back Buttons

    Click the forward button to go to the next page from anywhere in the report. Click the back button to go to the previous page.

    Numbered Checkboxes for Individual Pages

    Click a numbered checkbox to go to that page in the report. The first 11 checkboxes are displayed by default. If the report contains more than 11 pages, click the Last button to see more checkboxes.

    Go to Page

    1. Click Go to Page. The Pages from 1 to XX (the last page of the report) dialog displays.

    2. Use the up or down buttons to specify a page number or enter a page number manually, then click OK.

    3. The report displays the page number you specified, and that page number's checkbox is checked.

    Change Page Size

    1. Click Change Page Size. The Page Size dialog displays.

    2. Use the up or down buttons to specify the number of items that display on one page or enter a number manually (the default is 200), then click OK.

    3. The report displays the number of items you specified for each page.

    Show All

    1. Click the Show All checkbox.

    2. All items in the report (in this example, 4541) display on one page which you can scroll through, and a checkbox displays for one page.

    Clear the Show All checkbox to revert to the previous page size.

    Analysis Browser Sorting

    To sort a column, double click the column heading. A red triangle pointing upward displays in the column heading, indicating that the column is now sorted in ascending order.

    Double click the column header again to sort in descending order.

    To initiate a subsort, hold down the Shift key and double click the column heading. You can sort columns up to six layers deep.

    System Info Parser Live Registry Analysis

    The System Info Parser now includes an option to focus on live registry in memory.

    This option enables you to perform a quick sweep against registry entries only resident in memory (versus disk), reducing time taken to analyze live machines.

    Note: In the Sweep Enterprise System Info Parser dialog, the Live Registry Only checkbox is checked by default. In the Evidence Processor System Info Parser dialog, the Live Registry Only checkbox is cleared by default.

    Windows 8 and Windows Server 2012 Support

    You can now run EnCase Examiner, SAFE, and Processor Node on Windows 8 or Windows Server 2012.

    This includes Virtual File System and Physical Disk Emulator.

    WinMagic SecureDoc 5.x and 6.x Encryption Support

    EnCase now supports decryption of WinMagic SecureDoc 5.x and 6.x encrypted devices.

    This requires the WinMagic .dbk file, password, and the emergency recovery disk.

    Government Issued ID Pattern Matching

    EnCase now provides the ability to standardize searches for any type of government ID (not just Social Security numbers) through the use of GREP expressions. This reduces the time spent customizing analysis after processing evidence. This feature is especially useful in areas where government issued IDs have different formats.

    The hits are indexed and searchable using the Government ID pattern query.

    To create GREP expressions for specific government IDs:

    1. In the EnCase Processor Options dialog, expand Index text and metadata, then click Personal Information.

    2. The Personal Information dialog displays. Click the Government ID tab.

    3. Social Security Number displays as the default. To add another type of ID, click New. The Government ID dialog displays.

    Note: You cannot view or edit the default Social Security Number.

    4. Enter a name in the Government ID box and a GREP expression in the Search Expression (GREP) box.

    This example shows the GREP expression for a Colombian Cedula Number:

    5. Click OK. The ID type just created displays in the Government ID tab.

    To edit an existing Government ID type:

    1. In the Government ID tab, select the Search Name you want, then click Edit.

    2. The Government ID dialog displays. Enter your changes, then click OK.

    SAFE User Management Role

    A keymaster can grant non-keymaster SAFE users permission to administer user accounts. This is useful in sizable organizations where it can be burdensome for only one keymaster to administer large numbers of accounts.

    Note: Any user who has this Administer Users permission cannot have any roles. That is, this account can be used to administer users only, not to acquire data from servlet nodes.

    To grant a user permission to administer user accounts:

    1. Log on to the SAFE as keymaster.

    2. Click Enterprise > Users.

    3. The Users tab displays.

    4. Right click a username, then click Edit in the dropdown menu.

    5. The edit dialog displays. Click the Permission/Role tab.

    6. Right click in the tab, then click New in the dropdown menu. The New Permission/Role dialog displays.

    7. In the Permission Type tab, click the checkbox for Administer Users.

    8. Click OK. Administer Users is added to the list of permissions for the designated user.

    9. Click OK to close the Edit dialog.

    Password Protected iTunes Backup Acquisition

    EnCase provides the ability to acquire an Apple iTunes backup protected by a password.

    To acquire a password protected iTunes backup:

    1. Open a case and click Add Evidence > Acquire Smartphone.

    2. The Acquire Smartphone dialog displays. Under Backup Files, click Apple iTunes.

    3. Specify an input file and output path:

    a. For the input file, browse to the Manifest.plist file from the iTunes device backup folder.

    b. Specify an output path for the evidence file.

    4. Click Finish. The Enter iTunes Backup Password dialog displays.

    5. Enter the password, then click OK.

    6. EnCase parses the data, and you can view the records in the Evidence tab or Smartphone report.

    Improved .NET API Binary Data Buffer Handling

    EnCase now provides the ability to pass binary data from a FileClass object to a .NET library and back.

    Accessing an EnScript FileClass in .NET

    Here is an example of the code EnScript authors can use in order to provide a readable or writable object to .NET from EnScript:

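    // EnScript
    LocalFileClass file();
    file.Open("myfile.txt");
    DotNetStreamClass dnStream(file);   // wrap the FileClass so .NET sees a System.IO.Stream
    MyAssembly::MyClass dnObj();
    dnObj.DoSomething(dnStream);

    // .NET C#
    using System.Diagnostics;
    using System.IO;

    namespace MyAssembly
    {
        public class MyClass
        {
            public void DoSomething(System.IO.Stream stream)
            {
                // The reader adds text interpretation on top of the binary stream
                using (StreamReader reader = new StreamReader(stream))
                {
                    // Read line by line until the end of the stream
                    while (!reader.EndOfStream)
                    {
                        Debug.WriteLine(reader.ReadLine());
                    }
                }
            }
        }
    }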

    EnScript FileClass objects are not thread safe. Therefore, .NET code must take care when using wrapped objects. If the object is only used by .NET, access should be synchronized using .NET serialization constructs. If the object is shared between EnScript and .NET, it should only be accessed on the calling thread (EnScript thread), or an appropriate synchronization object should be used that can then synchronize access between EnScript and .NET. Even then, it is possible internal EnCase code could conflict with .NET code accessing the same FileClass object.

    .NET treats all streams as binary (not text), then adds text interpretation with Reader and Writer objects. EnScript authors must use care to open FileClass objects with appropriate options.
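The thread-safety caveat above, as an added C# example (written for this page, not Guidance Software's code): it covers only the case where the wrapped object is used by .NET alone, and it keeps each seek-and-read pair under one lock. `LockedStreamReader`, `Demo` and `HashChunks` are hypothetical names, and a `MemoryStream` with constructed data stands in for the stream that wraps a FileClass.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;

namespace MyAssembly
{
    // Serializes every access to a stream that is not thread safe, such as one
    // that wraps an EnScript FileClass. Hypothetical helper, not an EnCase API.
    public sealed class LockedStreamReader
    {
        private readonly Stream _stream;
        private readonly object _gate = new object();

        public LockedStreamReader(Stream stream)
        {
            if (stream == null) throw new ArgumentNullException(nameof(stream));
            if (!stream.CanRead || !stream.CanSeek)
                throw new ArgumentException("Stream must be readable and seekable.", nameof(stream));
            _stream = stream;
        }

        public long Length
        {
            get { lock (_gate) { return _stream.Length; } }
        }

        // Seek and Read run under one lock so that no other thread can move the
        // position between the two calls. Stream.Synchronized locks each call on
        // its own, which still allows a Seek and its Read to be interleaved.
        public int ReadAt(long offset, byte[] buffer, int index, int count)
        {
            lock (_gate)
            {
                _stream.Seek(offset, SeekOrigin.Begin);
                int total = 0;
                while (total < count)
                {
                    int n = _stream.Read(buffer, index + total, count - total);
                    if (n == 0) break; // end of stream
                    total += n;
                }
                return total;
            }
        }
    }

    public static class Demo
    {
        // Hashes fixed-size chunks on worker threads and returns one SHA-256
        // hex digest per chunk. The data is handled as bytes, never as text.
        public static string[] HashChunks(Stream stream, int chunkSize)
        {
            if (chunkSize <= 0) throw new ArgumentOutOfRangeException(nameof(chunkSize));

            var reader = new LockedStreamReader(stream);
            long length = reader.Length;
            int chunks = (int)((length + chunkSize - 1) / chunkSize);
            var digests = new string[chunks];

            Parallel.For(0, chunks, i =>
            {
                var buffer = new byte[chunkSize];
                int read = reader.ReadAt((long)i * chunkSize, buffer, 0, chunkSize);
                using (var sha = SHA256.Create())
                {
                    byte[] hash = sha.ComputeHash(buffer, 0, read);
                    digests[i] = BitConverter.ToString(hash).Replace("-", "");
                }
            });
            return digests;
        }

        public static void Main()
        {
            // Constructed sample input: 10,000 pseudo-random bytes.
            var data = new byte[10000];
            new Random(1).NextBytes(data);

            using (var ms = new MemoryStream(data))
            {
                foreach (string digest in HashChunks(ms, 4096))
                {
                    Console.WriteLine(digest);
                }
            }
        }
    }
}
```

When the object is also used from EnScript, the lock does not help; keep all access on the calling thread as described above.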

    Accessing a .NET Stream in EnScript

    Here is an example of the code EnScript authors can use in order to provide a readable or writable object to .NET from EnScript:

    // .NET C#
    using System.IO;

    namespace MyAssembly
    {
        public class MyClass
        {
            // Stream opened by .NET and exposed to EnScript through the property below
            private System.IO.Stream _MyStream = File.OpenRead("myfile.txt");

            public System.IO.Stream MyStream
            {
                get { return _MyStream; }
            }
        }
    }

    // EnScript
    MyAssembly::MyClass dnObj();
    FileClass file = new DotNetFileClass(dnObj.MyStream());   // wrap the .NET stream as a FileClass
    while (file.More())
    {
        Console.WriteLine(file.ReadChar());
    }

    Items Fixed

    Acquisition/Add Device/Preview/File System

    68163: Version 7h of the servlet now lists devices available for acquisition at /dev/cciss.

    67770: When acquiring devices as .E01 in LinEn, segmentation faults no longer occur.

    67609: EnCase crashed when adding an ext3 formatted USB device. This is fixed.

    67422: When acquiring images of GPT disks, EnCase now includes the last sector of every partition.

    67258: The Acquisition Info tab now correctly displays the date and start/stop sector count for manually interrupted acquisitions for both legacy .E01 and for .Ex01 files.

    65159: When you format an exFAT device and then use the WinAcq command line acquisition tool, with verbose logging, to acquire a logical volume on a flash drive, EnCase now reports a matching sector count and logical size.

    Bookmarks

    68186: In the Bookmarks tab's table pane, when No Report is checked, selected files are not displayed in the Report view, as expected.

    67667: If the View pane was undocked, the Bookmark > Raw Text option was disabled in the Text and Hex tabs. The Raw Text option is now available in those tabs when the View pane is undocked.

    67559: Logical Size was showing as zero for email bookmarked via Show Conversation. EnCase now displays the correct logical size.

    Case Analyzer

    66255: Case Analyzer reports allowed specifying constraints using only 19 characters. This is now expanded to 1024 characters.

    63867: In Case Analyzer, OS X dates are now displayed consistently across devices and logs.

    50883: Data in the Event Type column displayed as numbers instead of actual event type values (for example, Unknown, Error, etc.). The correct values display now.

    50710: Case Analyzer displayed EnCase Portable as a device after the Portable dongle was removed. This is fixed.

    Email

    68438: Evidence Processor no longer sticks during Mount Task of a Folders.dbx file.

    65043: Show Conversation and Show Related Messages options are now available, as expected, when multiple .pst files are opened. These options remain unavailable when you mix email with other types of records (internet data, etc.).

    Encrypted Devices

    66624: A problem with ReFS volumes encrypted by BitLocker on Server 2012 caused the volumes to fail and not properly decrypt. After providing correct BitLocker credentials, the file system was not parsed. This is fixed.


    EnScript

    67539: The System Info Parser displayed the OS last shutdown time in the Records tab as Wednesday, 22nd April, 2009 19:24:48 GMT, regardless of the current evidence. This is fixed.

    67113: EntryClass methods and properties of the EnScript API now have the necessary permissions to run on mounted devices in direct nodes.

    66556: EnCase now provides a complete path for entries retrieved from ItemCacheClass using the stored monikers.

    Entry Metadata

    68019: In Evidence view, the name of a deleted folder in the Recycle Bin displayed twice in the Original Path column. The deleted folder name now displays only once.

    67555: After mounting a network share, you were required to view the files on the host system to see the VFS Name column populated in EnCase. This is fixed.

    EnView

    67668: You can now view document files in the Recycle Bin in the Doc tab.

    Evidence Files/Logical Evidence Files/Case Files/Single Files/Structured Files

    65069: Files of type .ppt and .xlsx are now parsed properly. You can now run index searches on these files.

    Evidence Processor

    68496: The Evidence Processor no longer terminates unexpectedly.

    65068: When running Evidence Processor multiple times, processing did not complete and an "Error Prepping LEF" message displayed. This is fixed.

    Gallery View/Pictures

    67438: In Gallery view, EnCase allowed you to select only the first image in the last row. Now you can select all images in the last row.


    General

    68374: When using the Copy Folders command, EnCase copies the folders, as expected, without a system failure.

    68103: When you run Keyword Searching before you run Recover Folders, the keyword search no longer becomes unusable when you later run Recover Folders.

    68075: When applying a filter, EnCase now stores and retrieves the preference for Table or Tree-Table.

    67564: When your case automatically updates a node's servlet to Version 7g, it no longer adds the description "EnCase Enterprise Agent" to the node's Processes tab in Task Manager.

    66607: EnCase became unstable when scrolling in Table Evidence view. This is fixed.

    63944: Line wrap settings are now applied by EnCase as set by the user.

    Hashing/Hash Sets

    67902: Sorting on the Hash Sets column was slow because EnCase processed this data whenever an entry was redisplayed. This is fixed.

    67633: EnCase no longer crashes when importing Hashkeeper from the NSRL hash set.

    Index/Query Index

    67611: When a wild card was used with an index search, the Next Hit button was disabled. This is fixed.

    Internet

    67665: Opera Internet history was parsed using the Western European Windows codepage only, and text did not display correctly. EnCase now uses the UTF-8 codepage and this is fixed.

    Reporting

    67990: When you export a Review Package in the Evidence view, EnCase no longer generates a JavaScript error.

    67243: An error message no longer displays for reports containing files or strings greater than 64k.


    Smartphone

    66807: SGH-1337 Samsung Galaxy S4 with Android v4.2 is now detected.

    Sweep Enterprise

    68080: In previous versions of EnCase, Sweep Enterprise's System Info Parser options incorrectly displayed Auto Runs. Auto Runs is no longer displayed in the System Info Parser options.

    68015: When Sweep Enterprise reports are imported into a separate instance of EnCase and analyzed with Case Analyzer, Case Analyzer now displays the reports as expected. They match the reports from the Sweep Enterprise instance.

    67345: The Sweep Enterprise Status page and the Analysis Browser page now appear as tabs in EnCase and, as expected, contain data.

    61704: When a SAFE has no available connections, it now displays an error pertaining to connection unavailability rather than an error pertaining to unsuccessful SAFE validation.

    53025: Non-deleted files no longer appear in the Deleted Files view of the Analysis Browser.

    52864: In the Analysis Browser, highlighting blue checked views no longer removes the blue check.

    47766: In previous versions of EnCase, the Sweep Enterprise window became stuck open when canceled. In Version 7.09, the Sweep Enterprise window is embedded in EnCase, so this is no longer an issue.

    47539: In the DNS view, the Type column now displays the expected values rather than numeric codes.

    47527: In the Snapshot settings, deselecting the Hidden Processes option now results in the expected exclusion of hidden processes in the Analysis Browser's Hidden Processes View.

    46718: In the Analysis Browser, row numbers in the table now match row numbers at the bottom of the page in the page controller.

    46624: When viewing Snapshot job results in the Analysis Browser, the Dixon box reflecting the number of selected rows now includes all rows in all pages rather than only the rows in the first page.


    UI/Controls

    68463: After creating bookmarks in the Transcript tab, a system failure no longer occurs in the Bookmarks tab when switching between its View pane's Fields and Report tabs.

    68411: As expected, when you choose the Print to PDF option in the Evidence tab, a PDF file is created and EnCase does not freeze.

    68202: The Results tab no longer displays data in Trable or Tree modes. Sorts in the Results tab are only available in Table or Tree Table modes.

    67635: In Search view, EnCase did not display correct information in the Name column. The correct name now displays.

    67558: Records view now correctly updates and corresponds with Evidence view for manually mounted files.

    67297: In the index search Results tab, the SocialSecurity option has been changed to GovernmentID.

    64518: In Sweep Enterprise, the servlet deployment option is now enabled or disabled according to role permissions.

    52776: The true path column in Search view displayed an incorrect path for some items. This is fixed.

    Known Limitations

    65853: Files contained within a compound file go undetected when running a condition or filter. Filters now search recursively for items that satisfy the logic of the filter, starting from the current device; so if the user has drilled into a .zip file, the first folder to be searched is the .zip file, not the device it belongs to.

    68536: When attempting to connect to a Linux target using the Sweep Check-in option, the servlet may crash. This is a known limitation on Linux. The servlet may crash on some Linux distributions when it tries to resolve the SAFE's name to the IP address. In order to avoid this issue, use the IP address instead of the host name for the SAFE address during SAFE installation.

    62045: View File Structure does not display entry slack in Logical Evidence Files.

    Found in 7.08.02

    67680: When running enlinuxpc64, the auto update keeps the servlet at the latest version, but does not switch automatically from 32- to 64-bit. In order to switch to 64-bit servlets on 64-bit Linux kernels, the first time you must update manually.


    Found in 7.08.01

    67028: EnCase becomes unstable when you drag and drop evidence into a case while a sort operation is running.

    Found in Version 7.08

    67028: EnCase becomes unstable when you drag and drop evidence into a case while a sort operation is running.

    66773: When there is a large amount of evidence, such as more than 250 LEFs, Case Analyzer does not show any reports.

    66624: ReFS and exFAT volumes encrypted by BitLocker are not properly decrypted. After providing the correct BitLocker credentials, the file system is not parsed.

    66607: In the Evidence view, when you use the scroll bar to scroll to the bottom of the table, and then scroll up with the mouse wheel, EnCase sometimes crashes.

    66161: Some compound index queries with NOT terms do not yield correct results.

    65853: Running a filter against Current Device Only does not return results that are contained within mounted files.

    65820: Outside In Version 8.4.0 does not display text in the Transcript tab correctly for .msg files.

    65150: After you open a new case, load a Lotus Notes NSF file, and use the View File Structure option in the Evidence view to mount the compound file, folders such as Appointments, Contacts, Notices, Trash, and Junk Mail are missing.

    52565: After upgrading the CodeMeter Runtime from 4.20 to 4.40 or 4.50, the dongle doesn't display in the CodeMeter Control Center. EnCase launches in acquisition mode.

    Found in Version 7.07

    64225: When running the PII module repeatedly, with different settings, search does not consistently return hits from subsequent runs.


    Found in Version 7.06

    62196: EnCase returns empty records when the Sweep Enterprise Snapshot module takes more than ten minutes to run on a machine. The long run causes EnCase to time out and fail to return any snapshot data for that machine. When this happens, you can reboot the machine that returns these empty records and rerun Sweep Enterprise with the Snapshot module on.

    Note: The Sweep interface does not tell you which targets return no data. To get that information, you must query the Sweep.sqlite database using a query of this form: (Select B.Target From Snapshot as A, _TargetRuns as B Where A._TargetRuns_Key = B.ID and A.Name = ).

    The Sweep database is stored in the Case folder, under EnScript/Sweep Enterprise.
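The query from the note above, run through Python's sqlite3 module, as an added example that is not Guidance Software's code. The value compared with A.Name is missing from the page, so it is passed as a parameter; the table contents, the empty-string sample value, and the second check for targets with no Snapshot rows at all are assumptions constructed for illustration.

```python
import sqlite3
from pathlib import Path

# Query shape from the release note. The value A.Name is compared against is
# missing from the page, so it is a bound parameter, not a guessed literal.
NOTE_QUERY = """
    SELECT DISTINCT B.Target
    FROM Snapshot AS A, _TargetRuns AS B
    WHERE A._TargetRuns_Key = B.ID AND A.Name = ?
    ORDER BY B.Target
"""

# Extra check (not in the release note): target runs with no Snapshot rows.
NO_ROWS_QUERY = """
    SELECT B.Target
    FROM _TargetRuns AS B
    LEFT JOIN Snapshot AS A ON A._TargetRuns_Key = B.ID
    WHERE A._TargetRuns_Key IS NULL
    ORDER BY B.Target
"""

def open_read_only(db_path):
    """Open Sweep.sqlite read-only so the query cannot alter case data."""
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)

def targets_matching(conn, name_value):
    """Targets that have a Snapshot row whose Name equals name_value."""
    return [row[0] for row in conn.execute(NOTE_QUERY, (name_value,))]

def targets_without_rows(conn):
    """Targets whose run has no Snapshot rows at all."""
    return [row[0] for row in conn.execute(NO_ROWS_QUERY)]

def build_constructed_db():
    """Constructed stand-in holding only the columns the note's query names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE _TargetRuns (ID INTEGER PRIMARY KEY, Target TEXT);
        CREATE TABLE Snapshot (_TargetRuns_Key INTEGER, Name TEXT);
        INSERT INTO _TargetRuns VALUES
            (1, '192.0.2.10'), (2, '192.0.2.11'), (3, '192.0.2.12');
        INSERT INTO Snapshot VALUES
            (1, 'explorer.exe'), (1, 'svchost.exe'), (2, '');
    """)
    return conn

if __name__ == "__main__":
    conn = build_constructed_db()
    # '' is only the constructed sample value; use the value your query needs.
    print("matching:", targets_matching(conn, ""))
    print("no rows: ", targets_without_rows(conn))
```

For a real case, pass the path of Sweep.sqlite to `open_read_only` and use the returned connection in place of the constructed one.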

    Found in Version 7.05

    52275: Microsoft Visio files are being mounted as compound files by the Evidence Processor.

    Found in Version 7.04

    43707: When acquiring email data from Acer tablets, only some Gmail messages from the inbox can be parsed. Gmail messages in drafts and other folders are not captured in the .L01 file. This is due to a change in how Gmail caches information. In addition, the default Acer email application does not provide read access to its data, so no email messages from the default email application can be acquired.

    Found in Version 7.03

    46686: Email messages for Blackberry phones are shown in a Smartphone Report only if they are in Plain Text. Issue 46995 has been entered to fix this defect.

    45813: Index hits with large numbers of characters that wrap over line breaks do not display in the Review tab.

    Guidance Software Product Compatibility Tables

    The Support Portal contains a list of version-to-version compatibility tables for all Guidance Software products at https://support.guidancesoftware.com/matrix.


    Encryption Support

    EnCase now supports the following encryption products.

    | Vendor | Product | Supported Versions | 64-bit Support |
    |---|---|---|---|
    | Check Point | Check Point Full Disk Encryption (formerly Pointsec PC) | 6.3.1 up to 7.4, 8.0 (for Windows and Macintosh computers) | Yes |
    | Credant | Mobile Guardian | 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8, 7.3 | No |
    | GuardianEdge | Encryption Plus/Anywhere | 7 and 8 | No |
    | GuardianEdge | Hard Disk Encryption | 9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1 | Yes |
    | McAfee | EndPoint Encryption (formerly SafeBoot) | 4, 5, 6, 7 (for Windows and Macintosh computers) | Yes (for Versions 4 and 5) |
    | Microsoft | BitLocker and BitLocker To Go | Windows Vista, 7, and 8, Server 2008 | Yes |
    | Sophos | SafeGuard Easy and Enterprise (formerly Utimaco) | 4.5, 5.5, 5.6, 6.0 | Yes (only for SafeGuard Easy, not for Enterprise) |
    | Symantec | PGP Whole Disk Encryption | 9.8, 9.9, 10, 10.1, 10.2 | Yes |
    | Symantec | Endpoint Encryption | 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0, 8.2 | Yes |
    | WinMagic | SecureDoc Full Disk Encryption | 4.5, 4.6, 5.x, 6.x | No |

    USGCB Compliance

    EnCase has been validated as USGCB compliant using the following version of NIST VHD images:

    10/14/11 (for Windows 7 only)

    EnCase was tested using Retina Network Security Scanner, which is an NIST validated USGCB scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).


    Support

    Technical assistance is available online at http://www.guidancesoftware.com/technical-support.htm. From this page you can register for and access the Guidance Software Support Portal, an invaluable resource providing product-specific technical forums, an extensive knowledge base, a bug tracking database, and an Online Submission Form for your questions.

    Technical Support

    Guidance Software offers several technical support options, including:

    Live Chat

    Support Request Form

    Email

    Telephone

    Customer Service

    Please direct service questions to the Guidance Software Customer Service Department:

    Monday-Friday 7 AM-5 PM Pacific time
    Phone: (626) 229-9191, press 5
    Fax: (626) 229-9199
    Email: [email protected]
    1055 E. Colorado Blvd.
    Pasadena, CA 91106-2375

    You can access our Customer Service Request Form online at http://www.guidancesoftware.com/CustomerServiceRequest.aspx.
