Release Notes
July 30, 2014
SAFE Version
The SAFE version for this release is 7j6.
2014 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.
New Features
Enhancements to Reporting
Connecting Bookmark Folders and Report Sections
You can access reports directly and add folders to a report by using the Report Template Wizard.
To use the wizard:
1. On the Bookmarks tab, click Reports, then click Add folder to report from the dropdown
menu.
3. Select an existing section, or create a new custom section. To create a new section, enter
a section name in the <New Section Name> area and click Add. The new section is
created as a child of the currently selected section or report. In the example below, a
section called Conclusions is added to the body of the report.
4. Click Next. The second Add folder to report dialog displays. It enables you to apply
commonly used formatting to the report. When you click a Report section formatting
checkbox, the wizard generates Report Object Code automatically.
6. To add metadata, click Customize metadata. The Customize metadata dialog displays.
a. In the Metadata fields pane on the left, click the field you want to work with (Item
fields, Entry fields, Common email fields, Record fields).
b. In the Name pane in the middle, click the name of a metadata type you want to add
to the report, then click the double right arrow button (>>) to add it to the Display
order list.
Note that as you add metadata items to the Display order list, the preview pane
updates dynamically to reflect your choices.
To change the order, click the item in the Display order list you want to change,
then click the Up or Down button. Repeat as necessary to get the order you want.
To remove an item from the Display order list, click it, then click the double left
arrow button (<<).
7. When you finish customizing metadata, click OK.
8. Back in the Add folder to report dialog, click Finish.
You can see the Report Object Code that the Report Template Wizard added to the template.
2. The report displays. In the example below, there is an empty section called Pictures of
Interest.
3. Click the Hide empty sections checkbox. Any empty sections no longer display in the
report.
Folder
Bookmark Folder
Note
Notable Files
Entry
Text File
Highlighted Text
Data Bookmark
Table
Decode
Decoded Data
Image
Record
Tree
Folder
EnCase Examiner
EnCase SAFE and servlet
Artifacts parsed from Windows 8.1 devices through Evidence Processor modules, in
particular the Windows Artifact parser
BitLocker encryption
EnCase requirements and configuration recommendations have been revised; however, for best
performance, Windows 7 (64-bit) remains recommended.
The database is often left in a "dirty" state, even when Internet Explorer is shut down
gracefully.
The database is likely to be dirty if Internet Explorer is running during acquisition.
The database typically commits transactions when Internet Explorer is closed.
EnCase parses dirty databases, but it does not commit dirty transactions. Transactions can be
inserts; they can also be deletes, so they may be destructive (for example, clearing the cache or
deleting bookmarks). If destructive transactions are committed, data is lost, so EnCase does not
parse them.
You can export the file and use the utility included in Windows called ESENTUTL to repair the ESE
database files and process transactions. You can then bring the file back into EnCase to analyze
using the Internet Artifacts parser.
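As an added illustration (not code from the release notes or from EnCase), the following script reads the file header of an exported ESE database such as WebCacheV01.dat and reports whether it was shut down cleanly, which is the check to make before deciding to run ESENTUTL on a working copy. The header offsets and state codes are an assumption taken from the public ESE format documentation (libesedb project), and the sample header is constructed.

```python
import struct

# Layout of the ESE database file header (little-endian), per the public
# format documentation of the libesedb project. These offsets are an
# assumption from that documentation, not something the release notes state.
ESE_SIGNATURE = 0x89ABCDEF
FILE_TYPES = {0: "database", 1: "streaming file"}
STATES = {
    1: "JustCreated",
    2: "DirtyShutdown",
    3: "CleanShutdown",
    4: "BeingConverted",
    5: "ForceDetach",
}


def parse_ese_header(data: bytes) -> dict:
    """Decode the fields an examiner needs from the first 56 bytes of an
    ESE file (for example WebCacheV01.dat exported from an evidence item)."""
    if len(data) < 56:
        raise ValueError("header truncated: need at least 56 bytes")
    checksum, signature, version, file_type = struct.unpack_from("<IIII", data, 0)
    if signature != ESE_SIGNATURE:
        raise ValueError(f"not an ESE file: signature 0x{signature:08x}")
    (state,) = struct.unpack_from("<I", data, 52)
    return {
        "checksum": checksum,
        "format_version": version,
        "file_type": FILE_TYPES.get(file_type, f"unknown({file_type})"),
        "state": STATES.get(state, f"unknown({state})"),
        "state_code": state,
    }


def needs_recovery(data: bytes) -> bool:
    """True when the database was not cleanly shut down: EnCase still parses
    it, but transactions left in the .log files are not applied."""
    return parse_ese_header(data)["state_code"] != 3


def build_sample_header(state: int, file_type: int = 0) -> bytes:
    """Constructed sample header (not a real capture): only the fields this
    script reads are filled in, everything else is zero."""
    header = bytearray(56)
    struct.pack_into("<IIII", header, 0, 0, ESE_SIGNATURE, 0x620, file_type)
    struct.pack_into("<I", header, 52, state)
    return bytes(header)


def check_file(path: str) -> dict:
    """Read the header from an exported copy of the database on disk."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(56))


if __name__ == "__main__":
    for code in (2, 3):
        sample = build_sample_header(code)
        info = parse_ese_header(sample)
        print(f"state={info['state']}: recovery needed = {needs_recovery(sample)}")
```

On Windows, esentutl /mh <file> reports the same state field; because esentutl /r (recovery, replaying the matching .log files) and esentutl /p (repair) both rewrite the file, run them on a working copy and keep the original export untouched.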
System Modules
The System Info Parser module collects system artifacts related to user activity, network
configurations, installed software, hardware components, startup routines,
users/accounts, and shared/mapped drives. This information is pulled from the Windows
Registry or the system files appropriate to a given Linux distribution.
The Windows Artifact Parser module collects link files, the MFT $LogFile transaction log,
and Recycle Bin items.
The Encryption module produces a single page report listing the encryption type of each
drive and volume on the target system.
Search Modules
The IM Parser module identifies and parses information from artifacts left by instant
messaging clients such as AOL, MSN, and Yahoo.
The Personal Information module collects items that contain personal information.
This module searches all document, database, and internet files and identifies Visa,
MasterCard, American Express, and Discover card numbers, as well as Social Security
numbers, phone numbers, and email addresses. Jobs created with this module enable
you to triage information as it is being collected.
The Internet Artifacts module collects a history of visited Web sites, user cache,
bookmarks, cookies, and downloaded files.
The File Processor module provides a way to review and collect specific types of files.
From within the File Processor module, you can elect to find data using metadata,
keywords, or hash sets, or find picture data. You can also configure your own collection
sets using an entry conditions dialog. Jobs created with this module enable you to triage
information as it is being collected. You can then decide what files, if any, to collect.
The Windows Event Log Parser module collects information pertaining to Windows
events logged into system logs, including application, system, and security logs.
The Unix Login module parses the WTMP and UTMP files of Unix systems, which record all
login activity.
The Linux Syslog Parser module collects and parses Linux system log files and their
system messages.
Collection Modules
Requirements
One or two removable devices are required to execute Portable jobs:
The Portable device contains and executes preconfigured jobs that collect evidence from
target machines.
Evidence can be stored on the Portable device if desired. However, a separate Portable
storage device can be used to collect large amounts of evidence if necessary.
Once the evidence is collected directly on the Portable device or the Portable storage device, it
can be analyzed in the field or imported back into EnCase to review the results. You can then
build and generate reports that capture all or selected parts of the collected information.
OS X Artifacts
Double Files
Double files are artifacts created by OS X.
The HFS+ file system supports extended attributes, such as Finder attributes and the position of a
file within its Finder window (X and Y coordinates). EnCase shows them in the Attributes tab.
When OS X writes to a file system that does not support extended attributes (for example, FAT or
exFAT), a double file is created in the same location as the actual file to store the extended
attributes that HFS+ needs. If the file is ever copied back to an HFS+ formatted drive, the
attributes are restored along with the file itself.
Double files have the prefix ._
EnCase automatically populates the contents of double files in the Attributes tab.
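As an added illustration of what a ._ double file carries (example code, not part of the release notes or of EnCase), the parser below walks the AppleDouble entry table and decodes the classic Finder info, including the Finder X and Y position mentioned above. The layout is an assumption taken from Apple's published AppleSingle/AppleDouble format; the extended-attribute block that OS X appends after the Finder info is not decoded, and the sample file is constructed.

```python
import struct

# AppleDouble header layout (big-endian), assumed from Apple's published
# AppleSingle/AppleDouble format description, not from the release notes.
APPLEDOUBLE_MAGIC = 0x00051607
ENTRY_NAMES = {2: "resource fork", 3: "real name", 8: "file dates", 9: "Finder info"}
FINDER_INFO_ID = 9


def parse_appledouble(data: bytes) -> dict:
    """Decode the entry table of a ._ file and, when present, the classic
    Finder info (type, creator, flags, window position)."""
    if len(data) < 26:
        raise ValueError("header truncated")
    magic, version, _filler, count = struct.unpack_from(">II16sH", data, 0)
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError(f"not an AppleDouble file: magic 0x{magic:08x}")
    entries = {}
    pos = 26
    for _ in range(count):
        entry_id, offset, length = struct.unpack_from(">III", data, pos)
        pos += 12
        if offset + length > len(data):
            raise ValueError(f"entry {entry_id} runs past end of file")
        entries[entry_id] = data[offset:offset + length]
    result = {
        "version": version,
        "entries": {ENTRY_NAMES.get(i, f"id {i}"): len(v) for i, v in entries.items()},
    }
    finder = entries.get(FINDER_INFO_ID)
    if finder is not None and len(finder) >= 16:
        # FInfo: fdType, fdCreator, fdFlags, fdLocation (vertical, horizontal), fdFldr
        ftype, creator, flags, loc_v, loc_h = struct.unpack_from(">4s4sHhh", finder, 0)
        result["finder_info"] = {
            "type": ftype.decode("mac_roman"),
            "creator": creator.decode("mac_roman"),
            "flags": flags,
            "finder_x": loc_h,  # horizontal position in the Finder window
            "finder_y": loc_v,  # vertical position in the Finder window
        }
    return result


def build_sample_double() -> bytes:
    """Constructed ._ file (not a real capture): 32 bytes of Finder info plus
    a tiny resource fork, laid out as OS X writes them to FAT/exFAT."""
    finder_info = struct.pack(">4s4sHhhH", b"JPEG", b"prvw", 0, 120, 64, 0) + bytes(16)
    resource_fork = b"\x00" * 8
    header_len = 26 + 2 * 12
    header = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, 0x00020000, bytes(16), 2)
    header += struct.pack(">III", FINDER_INFO_ID, header_len, len(finder_info))
    header += struct.pack(">III", 2, header_len + len(finder_info), len(resource_fork))
    return header + finder_info + resource_fork


if __name__ == "__main__":
    print(parse_appledouble(build_sample_double()))
```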
X:DateAdded
X:DateAdded indicates the time a file was added to its parent folder. For example, the X:DateAdded
value of a file in the Trash folder represents the time the file was deleted.
Keychain Parsing
OS X keychains provide a secure way to store passwords, certificates, and notes. Whenever OS X
asks if you want to remember a password, it is stored in a keychain.
The user keychain is typically located in \Users\<user>\Library\Keychains.
3. The View File Structure dialog displays. Enter a password and click OK (4 in the example
below).
Note: If you do not know the password, there are tools (such as Passware Forensic) that can
perform keychain attacks.
Once the keychain is parsed, you can view the contents as records:
If a keychain's password is known, secrets in the keychain are parsed and stored in Secure
Storage in EnCase.
For details on keychain parsing, refer to these posts in the Guidance Software blog Digital
Forensics Today:
http://encase-forensic-blog.guidancesoftware.com/2014/04/encase-70904-extractingpasswords-from.html
http://encase-forensic-blog.guidancesoftware.com/2013/07/examining-mac-os-x-usersystem-keychains.html
2. The View File Structure dialog displays. Click OK. You do not need to enter a password.
For details on Quick Look thumbnails, refer to this post in the Guidance Software blog Digital
Forensics Today:
http://encase-forensic-blog.guidancesoftware.com/2014/05/examination-of-mac-os-xquick-look.html
3. Open the device and enter your SecureDoc credentials when prompted.
4. Click OK. EnCase parses the file system, and the SED is unlocked and presented to EnCase
(but it is still invisible to the OS).
All instructions and relevant information are provided in-line for each step, eliminating the need
to consult the user's guide. If you need to interrupt installation, you can resume later at the step
where you paused, or you can restart installation.
A progress indicator advances as you complete each step and shows where you are in the
installation process.
You can access the installer wizard via a link in your MyAccount email. It is a separate
self-extracting executable.
Note: You can still use the previous manual method of installing EnCase Examiner and the SAFE. The new installer
wizard streamlines the process and makes it possible to begin working in EnCase expeditiously.
Items Fixed
Add Device/Preview/File System
CORE-964/69775: Building software RAIDs using Scan Disk Configuration was not working. This is
fixed.
65144: The sparse size of an Ubuntu ext3 file was not properly reported. This is fixed.
Bookmarks
CORE-1035/69861: After bookmarking email messages with attachments, going to the Reports
tab and clicking Save As > HTML and clicking the Export Files checkbox, the HTML report created
thumbnails for the image but not links to the exported file. This is fixed.
CORE-951/69808: Bookmarking a file from Evidence view, then bookmarking the same file from
Go to File view displayed two different true paths. They should be identical. This is fixed.
Case Analyzer
CORE-990/69836: When running a snapshot against a network target, the State column did not
display and it was not possible to see the status of the servlet. This is fixed.
Doc/Transcript
CORE-391/69670: Images in a rebuilt Web page were not rendering correctly. This is fixed.
Documentation
CORE-831-69766: EnScript Help contained examples that did not work or were not best practice.
This is fixed.
EnScript IDE
FOR-1415/69645: When running WELP for EVT files, the Event ID column displayed meaningless
numbers (for example, 1,073,742,824 instead of 1,000). This is fixed.
Evidence Processor
CORE-28/60578: After running the Evidence Processor more than once, the Transcript tab
contained no text. This is now fixed.
Export Files/Folders
CORE-157/69390: When exporting duplicate files from two different locations of the same drive,
the duplicate file name had no bracket. For example, an original file name is Mov_3092 and the
duplicate file name is Mov_30921, instead of Mov_3092[1]. This is now fixed.
Filters/Conditions/Queries
CORE-385/69658: After sorting a column, then running a condition or filter and returning to the
original view, sorting did not persist. This is fixed.
CORE-37/63110: After selecting Category in Properties for a condition, and then running the
condition, the error message "Cannot read integer" displayed. This is fixed. Proper dialog controls
are now in effect.
Index/Query Index
GSI-17410/70021: During multiple passes of Evidence Processor, indexing became unavailable.
This is fixed.
CORE-44/66161: Applying the NOT operator to an index query yielded incorrect results. This is
fixed.
66161: Some compound index queries with NOT terms did not yield correct results. This is fixed.
Keyword Searching
CORE-113/69660: When performing a second raw search on a single file, the keyword did not
populate in the search view, even though the search was in progress, and the Refresh button was
inactive. This is now fixed.
CORE-48/69058: When viewing keywords in larger files using the Review tab, EnCase became
very slow or froze. This is fixed.
Logging
CORE-56/69358: After wiping a disk, the console should show the amount of total sectors, as well
as read/write and verify errors. These fields were not populating in the console. This is fixed.
Records
CORE-55/69202: When viewing EMLX files in Records view, it was possible to use the Show
Columns option to deselect the default metadata columns and then select columns that are
invalid for EMLX files. This caused the UI options (for example, Go to Parent, Sort, Show Columns,
etc.) to disappear. This is now fixed.
Report
CORE-475/69741: Exporting a report as a PDF caused a blank page at the end of the PDF. This is
fixed.
CORE-416/69703: Adding the SHOWTABLE option to report formatting caused most of the
attribute list values to disappear. This is fixed.
CORE-43/65744: User defined formatting was not persistent for tables in a report. This is fixed.
CORE 41-64210: After clicking Rescan on the Evidence tab multiple times, elements were missing
from the report. This is fixed.
SAFE/Network
CORE-337/69581: After running Sweep Enterprise, EnCase held up connections and did not allow
subsequent sweeps unless EnCase was closed and relaunched. This is fixed.
UI/Controls
CORE-19/52132: The File Type Tag column was not sorting correctly for either ascending or
descending order. This is fixed.
UI/Embedded
CORE-386/69587: After performing a search and selecting Go to File in the Search tab, the
physical device name was missing from the Item Path and True Path columns. This is fixed.
Known Limitations
CORE-1322: When exporting items in Search Results, if Add to existing evidence file is selected,
EnCase will crash.
CORE-895/69792: The index uses all caps by default; so, for example, DOBBS is the only possible
hit for a search on <c>DOBBS. <c>dobbs, <c>Dobbs, and all other case variations are in a different
set.
Encryption Support
EnCase now supports the following encryption products.
Vendor        Product                   Supported Versions                                64-bit Support
Check Point                                                                               Yes
Credant       Mobile Guardian                                                             Yes
Dell          Data Protection           8.3                                               Yes
GuardianEdge  Encryption Plus/Anywhere  7 and 8                                           No
GuardianEdge                                                                              Yes
McAfee                                  4, 5, 6, 7 (for Windows and Macintosh computers)  Yes
Microsoft                                                                                 Yes
Sophos
Symantec                                                                                  Yes
Symantec      Endpoint Encryption                                                         Yes
WinMagic                                                                                  Yes
USGCB Compliance
EnCase has been validated as USGCB compliant using the following version of NIST VHD images:
10/14/11 (for Windows 7 only)
EnCase was tested using Retina Network Security Scanner, which is a NIST-validated USGCB
scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).
Support
Technical assistance is available online at http://www.guidancesoftware.com/technicalsupport.htm.
From this page you can register for and access the Guidance Software Support Portal, an
invaluable resource providing product-specific technical forums, an extensive knowledge base, a
bug tracking database, and an Online Submission Form for your questions.
Technical Support
Guidance Software offers several technical support options, including:
Live Chat
Support Request Form
Email
Telephone
Customer Service
Please direct service questions to the Guidance Software Customer Service Department:
Monday to Friday, 7 AM to 5 PM Pacific time
Phone: (626) 229-9191, press 5
Fax: (626) 229-9199
Email: customerservice@guidancesoftware.com
1055 E. Colorado Blvd.
Pasadena, CA 91106-2375
You can access our Customer Service Request Form online at
http://www.guidancesoftware.com/CustomerServiceRequest.aspx.