
EnCase Version 7.10 Release Notes
July 30, 2014


Thank you for using Guidance Software products.
The Release Notes for this version of EnCase contain important information regarding your EnCase application. Before you install, we recommend that you read the Release Notes to better understand the changes we have made.

SAFE Version
The SAFE version for this release is 7j6.

2014 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

New Features
Enhancements to Reporting
Connecting Bookmark Folders and Report Sections
You can access reports directly and add folders to a report by using the Report Template Wizard.
To use the wizard:
1. On the Bookmarks tab, click Reports, then click Add folder to report from the dropdown menu.


2. The Add folder to report dialog displays.

3. Select an existing section, or create a new custom section. To create a new section, enter a section name in the <New Section Name> area and click Add. The new section is created as a child of the currently selected section or report. In the example below, a section called Conclusions is added to the body of the report.


4. Click Next. The second Add folder to report dialog displays. It enables you to apply commonly used formatting to the report. When you click a Report section formatting checkbox, the wizard generates Report Object Code automatically.

Restart numbering restarts numbering at 1 in a new section, instead of continuing numbering from a previous section.
Hyperlink to exported items configures the report section to add a hyperlink to exported data.

5. Click Preview to see how the formatting will display in the report.


6. To add metadata, click Customize metadata. The Customize metadata dialog displays.

a. In the Metadata fields pane on the left, click the field you want to work with (Item fields, Entry fields, Common email fields, Record fields).
b. In the Name pane in the middle, click the name of a metadata type you want to add to the report, then click the double right arrow button (>>) to add it to the Display order list.


Note that as you add metadata items to the Display order list, the preview pane updates dynamically to reflect your choices.

To change the order, click the item in the Display order list you want to change, then click the Up or Down button. Repeat as necessary to get the order you want.
To remove an item from the Display order list, click it, then click the double left arrow button (<<).

7. When you finish customizing metadata, click OK.
8. Back in the Add folder to report dialog, click Finish.


You can see the Report Object Code that the Report Template Wizard added to the template.

In this example, bookmarks folders were added to "Examination Report":

In this example, formats were updated with specified metadata:


Hiding Empty Report Sections

You can hide sections that do not contain any bookmarks.
1. On the Bookmarks tab, click Reports > View Report, then click the report you want to view.

2. The report displays. In the example below, there is an empty section called Pictures of Interest.

3. Click the Hide empty sections checkbox. Any empty sections no longer display in the report.

Bookmark Format Names

Bookmark formats are now named the same as the type of bookmark.

Previous Format Name    Updated Format Name
Folder                  Bookmark Folder
Note                    Note (no change)
Notable Files           Entry
Text File               Highlighted Text
Data Bookmark           Table
Decode                  Decoded Data
Image                   Image (no change)
Record                  Record (no change)
Email                   Email (no change)
Tree                    Folder


Improved Tooltips in Report Object Code

Tooltips in Report Object Code are now updated with improved descriptions. They also refer to topics in EnCase Help.
The example below shows the tooltip for cell.

Windows 8.1 and Server 2012 R2 Support

EnCase Version 7.10 certifies Windows 8.1 and Server 2012 R2 support for:

EnCase Examiner
EnCase SAFE and servlet
Artifacts parsed from Windows 8.1 devices through Evidence Processor modules, in particular the Windows Artifact parser
BitLocker encryption

EnCase requirements and configuration recommendations have been revised; however, for best performance, Windows 7 (64-bit) remains recommended.


Internet Explorer 10 and 11 Artifacts Support

With Internet Explorer 10 and later, Microsoft changed the format used to store Internet history. The index.dat file is replaced with WebCacheV[01].dat, which EnCase now supports.

Extensible Storage Engine (ESE) Database

Internet Explorer 10 and 11 use an ESE database to commit transactions. Note that:

The database is often left in a "dirty" state, even when Internet Explorer is shut down gracefully.
The database is likely to be dirty if Internet Explorer is running during acquisition.
The database typically commits transactions when Internet Explorer is closed.

EnCase parses dirty databases, but it does not commit dirty transactions. Transactions can be inserts, but they can also be deletes, so committing them may be destructive (for example, clearing the cache or deleting bookmarks). If destructive transactions were committed, data would be lost, so EnCase does not parse them.
You can export the file and use the ESENTUTL utility included in Windows to repair the ESE database files and process the transactions. You can then bring the repaired file back into EnCase and analyze it using the Internet Artifacts parser.
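The dirty/clean distinction above is recorded in the database's own header, so an examiner can check the state of an exported WebCacheV01.dat before deciding whether to run ESENTUTL on a working copy. The following Python script is an added example, not EnCase code or a Guidance Software tool; it reads the public ESE header fields (signature, state, page size) and reports whether the file was cleanly shut down. The sample header it builds is constructed for the demonstration and is not taken from a real system.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF  # magic at offset 4 of every ESE database header

# Database state values stored at header offset 52
DB_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}


def parse_ese_header(data):
    """Decode the fields of an ESE database header that matter for triage.

    Little-endian layout used here:
      0   checksum (4)          12  file type (4): 0 = database, 1 = streaming
      4   signature (4)         52  database state (4)
      8   format version (4)    232 format revision (4)    236 page size (4)
    """
    if len(data) < 240:
        raise ValueError("header too short for an ESE database")
    signature = struct.unpack_from("<I", data, 4)[0]
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database (signature 0x%08x)" % signature)
    state = struct.unpack_from("<I", data, 52)[0]
    return {
        "format_version": struct.unpack_from("<I", data, 8)[0],
        "file_type": struct.unpack_from("<I", data, 12)[0],
        "state_code": state,
        "state": DB_STATES.get(state, "unknown (%d)" % state),
        "format_revision": struct.unpack_from("<I", data, 232)[0],
        "page_size": struct.unpack_from("<I", data, 236)[0],
    }


def is_dirty(data):
    """True when the database was not cleanly detached, i.e. the log files
    still hold transactions that were never written into the .dat file."""
    return parse_ese_header(data)["state_code"] == 2


def check_file(path, head=4096):
    """Read the header page of an exported database (for example a copy of
    WebCacheV01.dat) and return the decoded fields."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(head))


def build_sample_header(state, page_size=32768):
    """Constructed test header: a zeroed page with only the fields above set.
    Not captured from a real system."""
    buf = bytearray(page_size)
    struct.pack_into("<I", buf, 4, ESE_SIGNATURE)
    struct.pack_into("<I", buf, 8, 0x620)      # format version (constructed)
    struct.pack_into("<I", buf, 12, 0)         # database, not a streaming file
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 232, 0x14)     # format revision (constructed)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    for code in (2, 3):
        sample = build_sample_header(code)
        info = parse_ese_header(sample)
        print("state=%-15s dirty=%-5s page_size=%d"
              % (info["state"], is_dirty(sample), info["page_size"]))
```

Run it against a real exported file with check_file(path). If the state reads dirty shutdown, the V01 log and checkpoint files that sit beside the database in the WebCache folder must be exported with it, because ESENTUTL needs them to replay the pending transactions; esentutl /mh <file> prints the same header fields for comparison, and esentutl /p <file> is the repair step the text refers to. Run the repair on a working copy so the original exported file stays unchanged for comparison.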

EnCase Portable Functionality

EnCase Portable functionality, previously only available as a separate product, is now fully included in EnCase. EnCase Portable automates the collection of evidence from computers in the lab and in the field. It is a self-contained application that runs on a removable USB device inserted into a running machine.

EnCase Portable Jobs

EnCase Portable uses jobs to collect information. These jobs contain groups of settings configured to collect the specific data you require.
Jobs are typically created in EnCase and exported to the Portable device. You can also create and edit jobs directly from the Portable device. Once a job is created, you can modify or copy it to create other jobs. Some jobs can be configured to triage the information as it comes in, so you can choose exactly what information to collect.
Jobs use modules, which are configurable sets of instructions for how to look for certain kinds of data, such as information found in running memory, certain types of files, etc. Modules also define a specific set of data to be collected. You can configure the information collected by a module by selecting a specific set of options for each module.


System Modules

The System Info Parser module collects system artifacts related to user activity, network configurations, installed software, hardware components, startup routines, users/accounts, and shared/mapped drives. This information is pulled from the Windows Registry or the system files appropriate to a given Linux distribution.
The Windows Artifact Parser module collects link files, the MFT $LogFile transaction log, and Recycle Bin items.
The Encryption module produces a single page report listing the encryption type of each drive and volume on the target system.

Search Modules

The IM Parser module identifies and parses information from artifacts left by instant messaging clients such as AOL, MSN, and Yahoo.
The Personal Information module collects information containing personal information. This module searches all document, database, and internet files and identifies Visa, MasterCard, American Express, and Discover card numbers, as well as Social Security numbers, phone numbers, and email addresses. Jobs created with this module enable you to triage information as it is being collected.
The Internet Artifacts module collects a history of visited Web sites, user cache, bookmarks, cookies, and downloaded files.
The File Processor module provides a way to review and collect specific types of files. From within the File Processor module, you can elect to find data using metadata, keywords, or hash sets, or find picture data. You can also configure your own collection sets using an entry conditions dialog. Jobs created with this module enable you to triage information as it is being collected. You can then decide what files, if any, to collect.
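To make concrete what the Personal Information module's triage does at the pattern level, here is an added Python example; it is not EnCase's implementation, whose matching rules are not published in these notes. It scans text for the four card brands the module lists, validates each candidate number with the Luhn checksum so that random digit runs are not reported, and also flags SSN-shaped strings, email addresses, and North American phone numbers. The brand prefix rules and the sample text are this example's own assumptions, constructed for the demonstration, and every hit is returned masked so that a triage report does not itself become a copy of the sensitive data.

```python
import re

# Public issuer prefixes and lengths for the brands the module names (assumption:
# simplified rules, enough for triage; not EnCase's own matching logic).
CARD_BRANDS = {
    "Visa": re.compile(r"^4\d{12}(?:\d{3})?$"),
    "MasterCard": re.compile(r"^(?:5[1-5]\d{14}|2(?:2[2-9]\d|[3-6]\d\d|7[01]\d|720)\d{12})$"),
    "American Express": re.compile(r"^3[47]\d{13}$"),
    "Discover": re.compile(r"^6(?:011|5\d\d)\d{12}$"),
}
# 13-16 digits, optionally separated by single spaces or dashes
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?[2-9]\d{2}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_card(digits):
    """Return the brand whose prefix/length rule matches, or None."""
    for brand, pattern in CARD_BRANDS.items():
        if pattern.match(digits):
            return brand
    return None


def mask(value):
    """Keep the last four characters; replace every other digit with '*'."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def find_pii(text):
    """Return (kind, masked value) hits in the order cards, SSNs, emails, phones."""
    hits = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = classify_card(digits)
        if brand and luhn_valid(digits):      # a matching prefix alone is not enough
            hits.append(("card:" + brand, mask(digits)))
    hits += [("ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    hits += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    hits += [("phone", m.group()) for m in PHONE_RE.finditer(text)]
    return hits


# Constructed sample document; the card numbers are the public test numbers
# that issuers publish for integration testing, not real accounts.
SAMPLE_TEXT = (
    "Order 4417 paid with 4111 1111 1111 1111 exp 12/15; "
    "retry with 4111-1111-1111-1112 failed (bad check digit).\n"
    "Contact jane.doe@example.com, tel (555) 010-2030, SSN 123-45-6789.\n"
    "Corporate AmEx 378282246310005 on file."
)

if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE_TEXT):
        print("%-22s %s" % (kind, value))
```

The second Visa-shaped number in the sample passes the prefix rule but fails Luhn, so it is dropped; that is the difference between a pattern hit and a triage-worthy hit, and it is why the checksum belongs in the collection filter rather than in a later review step.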

Log Parser Modules

The Windows Event Log Parser module collects information pertaining to Windows events logged into system logs, including application, system, and security logs.
The Unix Login module parses the Unix systems' WTMP and UTMP files, which record all login activities.
The Linux Syslog Parser module collects and parses Linux system log files and their system messages.

Collection Modules

The Snapshot module collects a snapshot of pertinent machine information. Captured information includes running processes, open ports, logged on users, device drives, Windows services, network interfaces, and job information.
The Acquisition module acquires drives and memory from target machines.
The Screen Capture module preserves images of each open window on a running machine.


Requirements
One or two removable devices are required to execute Portable jobs:

The Portable device contains and executes preconfigured jobs that collect evidence from target machines.
Evidence can be stored on the Portable device if desired. However, a separate Portable storage device can be used to collect large amounts of evidence if necessary.

Once the evidence is collected directly on the Portable device or the Portable storage device, it can be analyzed in the field or imported back into EnCase to review the results. You can then build and generate reports that capture all or selected parts of the collected information.

OS X Artifacts
Double Files
Double files are artifacts created by OS X.
The HFS+ file system supports extended attributes, such as Finder attributes and the location of a file within the Finder (coordinates X and Y). They are shown in the Attributes tab in EnCase.
When OS X writes to a file system that does not support extended attributes (for example, FAT or exFAT), a double file is created in the same location as the actual file to store the extended attributes that HFS+ needs. If the file is ever copied back to an HFS+ formatted drive, the attributes are included along with the file itself.
Double files have the prefix ._


Extended attributes in HFS+ are stored in double files.

This example shows a Red tag, which is a Finder attribute (an OS X way of categorizing a file).

EnCase automatically populates the contents of double files in the Attributes tab.
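The layout of a ._ double file is the documented AppleDouble container: a fixed header followed by an entry table, with the Finder attributes (type, creator, flags including the colour label, and the X/Y location mentioned above) in the Finder Info entry. The following Python parser is an added example, not EnCase's own double-file code; it decodes that header and reports the label, so a Red tag like the one in the screenshot can be read without the Finder. The sample file it builds is constructed for the demonstration; the entry IDs and label colour values are the public AppleDouble and Finder definitions.

```python
import struct

APPLEDOUBLE_MAGIC = 0x00051607   # ._ files; AppleSingle uses 0x00051600
APPLESINGLE_MAGIC = 0x00051600
ENTRY_NAMES = {
    1: "Data Fork", 2: "Resource Fork", 3: "Real Name", 4: "Comment",
    8: "File Dates Info", 9: "Finder Info", 10: "Macintosh File Info",
}
# The Finder colour label lives in bits 1-3 of the Finder flags (mask 0x000E)
FINDER_LABELS = {0: None, 1: "Gray", 2: "Green", 3: "Purple",
                 4: "Blue", 5: "Yellow", 6: "Red", 7: "Orange"}


def parse_finder_info(blob):
    """Decode the leading FInfo fields of a Finder Info entry."""
    if len(blob) < 16:
        raise ValueError("Finder Info entry shorter than FInfo (16 bytes)")
    ftype, creator, flags, loc_v, loc_h = struct.unpack_from(">4s4sHhh", blob, 0)
    return {
        "type": ftype.decode("latin-1"),
        "creator": creator.decode("latin-1"),
        "flags": flags,
        "label": FINDER_LABELS[(flags & 0x000E) >> 1],
        # the Finder stores its Point as vertical (Y) then horizontal (X)
        "location": {"x": loc_h, "y": loc_v},
        "entry_length": len(blob),
    }


def parse_appledouble(data):
    """Walk the AppleDouble header and entry table of a ._ file."""
    if len(data) < 26:
        raise ValueError("file shorter than the AppleDouble header")
    magic, version = struct.unpack_from(">II", data, 0)
    if magic not in (APPLEDOUBLE_MAGIC, APPLESINGLE_MAGIC):
        raise ValueError("not an AppleDouble/AppleSingle file (magic 0x%08x)" % magic)
    home_fs = data[8:24].rstrip(b"\x00 ").decode("ascii", "replace")  # filler field
    (count,) = struct.unpack_from(">H", data, 24)
    entries = {}
    for i in range(count):
        entry_id, offset, length = struct.unpack_from(">III", data, 26 + 12 * i)
        if offset + length > len(data):
            raise ValueError("entry %d runs past end of file" % entry_id)
        entries[entry_id] = data[offset:offset + length]
    result = {
        "magic": magic,
        "version": version,
        "home_fs": home_fs,
        "entries": {ENTRY_NAMES.get(k, "id %d" % k): len(v) for k, v in entries.items()},
    }
    if 9 in entries:
        result["finder_info"] = parse_finder_info(entries[9])
    return result


def build_sample(label_code=6, x=120, y=45):
    """Constructed ._ file: header, one Finder Info entry, 32-byte FInfo+FXInfo.
    Not captured from a real volume."""
    finder = struct.pack(">4s4sHhhH", b"\x00" * 4, b"\x00" * 4,
                         label_code << 1, y, x, 0) + b"\x00" * 16
    header = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, 0x00020000, b"Mac OS X", 1)
    entry = struct.pack(">III", 9, 26 + 12, len(finder))
    return header + entry + finder


if __name__ == "__main__":
    info = parse_appledouble(build_sample())
    print("written by:", info["home_fs"])
    print("entries:", info["entries"])
    print("Finder label:", info["finder_info"]["label"], "at", info["finder_info"]["location"])
```

On double files written by OS X, the Finder Info entry is usually longer than 32 bytes because any further extended attributes are packed after the Finder fields; this parser reports the entry length and decodes only the leading FInfo block, which is where the tag lives.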


X:DateAdded
X:DateAdded indicates the time a file was added to the parent folder. For example, X:DateAdded on a file in the Trash folder represents the time the file was deleted:

Keychain Parsing
OS X keychains provide a secure way to store passwords, certificates, and notes. Whenever OS X asks if you want to remember a password, it is stored in a keychain.
The user keychain is typically located in \Users\<user>\Library\Keychains.


When you are investigating a Mac:

1. Locate the keychain (1 in the example below).
2. Click Entries > View File Structure (2 and 3 in the example below).

3. The View File Structure dialog displays. Enter a password and click OK (4 in the example below).

Note: If you do not know the password, there are tools (such as Passware Forensic) that can perform keychain attacks.


Once the keychain is parsed, you can view the contents as records:

If a keychain's password is known, secrets in the keychain are parsed and stored in Secure Storage in EnCase.

For details on keychain parsing, refer to these posts in the Guidance Software blog Digital Forensics Today:

http://encase-forensic-blog.guidancesoftware.com/2014/04/encase-70904-extractingpasswords-from.html
http://encase-forensic-blog.guidancesoftware.com/2013/07/examining-mac-os-x-usersystem-keychains.html


Streamlined DMG Decryption

If credentials are parsed and stored in Secure Storage, EnCase automatically decrypts and mounts the .dmg file.
1. View File Structure on a .dmg file.

2. The View File Structure dialog displays. Click OK. You do not need to enter a password.


3. The .dmg file mounts and its contents are decrypted.


OS X Quick Look Thumbnail Cache Support

Thumbnails of pictures, documents, and PDFs are created when you browse the Apple OS X Finder and view the files with Cover Flow.

EnCase parses the Quick Look thumbnail cache in two ways:

Manually, via View File Structure.
Automatically, using the Create Thumbnails module in the Evidence Processor.

Quick Look thumbnails in Records tab Gallery view:


For details on Quick Look thumbnails, refer to this post in the Guidance Software blog Digital Forensics Today:

http://encase-forensic-blog.guidancesoftware.com/2014/05/examination-of-mac-os-xquick-look.html

Select Tagged Items

Tags persist across views, but selected items (that is, blue checks) do not persist across all views in EnCase 7. Some operations, like performing an acquisition of a logical evidence file, operate only on selected items, so in these cases it is useful to select items based on tag assignments.
1. Click Tags > Select tagged items.


2. The Select Tagged Items dialog displays.

3. Select the tags you want, then click OK.

Note: There are still some operations (for example, Create Logical Evidence File) that act on selected items only.

Dell Data Protection 8.3 Support

EnCase now supports Dell Data Protection 8.3.
The technology and procedure are the same as for Dell Data Protection 8.3's predecessor, Credant Mobile Guardian. For more information, see the "Credant Encryption Support (File-Based Encryption)" topic in the EnCase Decryption Suite chapter of the EnCase Examiner Version 7.10 User's Guide.


WinMagic SecureDoc Self Encrypting Drive (SED) Support

You can now unlock and decrypt SED drives in EnCase using WinMagic.
1. Connect a WinMagic SecureDoc managed SED to the forensic workstation. Only the 128 MB Master Boot Record shadow file system is available to the OS.

2. Add the physical device to your case in EnCase.


3. Open the device and enter your SecureDoc credentials when prompted.

4. Click OK. EnCase parses the file system, and the SED is unlocked and presented to EnCase (but it is still invisible to the OS).


EnCase Starter Installer

A new wizard streamlines installation of the EnCase Examiner and SAFE into a single workflow. The Starter Installer reduces the time and effort between download and first investigation.
The wizard:

Installs the Examiner and SAFE on a single machine
Simplifies basic configuration:
    Generates electronic license and SAFE activation files in a single step.
    Automatically configures the SAFE NAS for the installed examiner.
    Creates a network tree with a default role and permissions, and allows machine creation.
    Creates keymaster and investigator user encryption keys.

All instructions and relevant information are provided in-line for each step, eliminating the need to consult the user's guide. If you need to interrupt installation, you can resume later at the step where you paused, or you can restart installation.
A progress indicator advances as you complete each step and shows where you are in the installation process.
You can access the installer wizard via a link in your MyAccount email. It is a separate self-extracting executable.
Note: You can still use the previous manual method of installing EnCase Examiner and the SAFE. The new installer wizard streamlines the process and makes it possible to begin working in EnCase expeditiously.

Items Fixed
Add Device/Preview/File System
CORE-964/69775: Building software RAIDs using Scan Disk Configuration was not working. This is fixed.
65144: The sparse size of an Ubuntu ext3 file was not properly reported. This is fixed.

Bookmarks
CORE-1035/69861: After bookmarking email messages with attachments, going to the Reports tab, clicking Save As > HTML, and clicking the Export Files checkbox, the HTML report created thumbnails for the image but not links to the exported file. This is fixed.
CORE-951/69808: Bookmarking a file from Evidence view, then bookmarking the same file from Go to File view, displayed two different true paths. They should be identical. This is fixed.


Case Analyzer
CORE-990/69836: When running a snapshot against a network target, the State column did not display and it was not possible to see the status of the servlet. This is fixed.

Doc/Transcript
CORE-391/69670: Images in a rebuilt Web page were not rendering correctly. This is fixed.

Documentation
CORE-831/69766: EnScript Help contained examples that did not work or were not best practice. This is fixed.

EnScript IDE
FOR-1415/69645: When running WELP for EVT files, the Event ID column displayed meaningless numbers (for example, 1,073,742,824 instead of 1,000). This is fixed.

Evidence Processor
CORE-28/60578: After running the Evidence Processor more than once, the Transcript tab contained no text. This is now fixed.

Export Files/Folders
CORE-157/69390: When exporting duplicate files from two different locations on the same drive, the duplicate file name had no bracket. For example, for an original file named Mov_3092, the duplicate was named Mov_30921 instead of Mov_3092[1]. This is now fixed.

Filters/Conditions/Queries
CORE-385/69658: After sorting a column, then running a condition or filter and returning to the original view, sorting did not persist. This is fixed.
CORE-37/63110: After selecting Category in Properties for a condition, and then running the condition, the error message "Cannot read integer" displayed. This is fixed. Proper dialog controls are now in effect.


Index/Query Index
GSI-17410/70021: During multiple passes of Evidence Processor, indexing became unavailable. This is fixed.
CORE-44/66161: Applying the NOT operator to an index query yielded incorrect results. This is fixed.
66161: Some compound index queries with NOT terms did not yield correct results. This is fixed.

Keyword Searching
CORE-113/69660: When performing a second raw search on a single file, the keyword did not populate in the search view, even though the search was in progress, and the Refresh button was inactive. This is now fixed.
CORE-48/69058: When viewing keywords in larger files using the Review tab, EnCase became very slow or froze. This is fixed.

Logging
CORE-56/69358: After wiping a disk, the console should show the total number of sectors, as well as read/write and verify errors. These fields were not populating in the console. This is fixed.

Records
CORE-55/69202: When viewing EMLX files in Records view, it was possible to use the Show Columns option to deselect the default metadata columns and then select columns that are invalid for EMLX files. This caused the UI options (for example, Go to Parent, Sort, Show Columns, etc.) to disappear. This is now fixed.

Report
CORE-475/69741: Exporting a report as a PDF caused a blank page at the end of the PDF. This is fixed.
CORE-416/69703: Adding the SHOWTABLE option to report formatting caused most of the attribute list values to disappear. This is fixed.
CORE-43/65744: User defined formatting was not persistent for tables in a report. This is fixed.
CORE-41/64210: After clicking Rescan on the Evidence tab multiple times, elements were missing from the report. This is fixed.


SAFE/Network
CORE-337/69581: After running Sweep Enterprise, EnCase held up connections and did not allow subsequent sweeps unless EnCase was closed and relaunched. This is fixed.

UI/Controls
CORE-19/52132: The File Type Tag column was not sorting correctly in either ascending or descending order. This is fixed.

UI/Embedded
CORE-386/69587: After performing a search and selecting Go to File in the Search tab, the physical device name was missing from the Item Path and True Path columns. This is fixed.

Known Limitations
CORE-1322: When exporting items in Search Results, if Add to existing evidence file is selected, EnCase will crash.
CORE-895/69792: The index uses all caps by default; so, for example, DOBBS is the only possible hit for a search on <c>DOBBS. <c>dobbs, <c>Dobbs, and all other case variations are in a different set.

Found in Version 7.09.04
69649: After several iterations of running Case Analyzer and bookmarking, when clicking on a bookmark created with Case Analyzer, EnCase may crash.

Found in Version 7.09.02
68889: Outside In: EnCase hangs while viewing some .mif files.

Found in Version 7.08.01
67028: EnCase becomes unstable when you drag and drop evidence into a case while a sort operation is running.


Guidance Software Product Compatibility Tables

The Support Portal contains a list of version-to-version compatibility tables for all Guidance Software products at https://support.guidancesoftware.com/matrix.

Target Machine Operating Systems

Servlets are deployed on target machines and can be used to search the following operating systems:

AIX 4.3, 5.1, 5.2, 5.3, 6.1, 7.1
HPUX 11.0, 11.1x, 11.2x
Linux Kernels 2.6.9 (32 and 64-bit) or 2.6.4 (32-bit) or higher with Process File System (procfs)
NetWare 5.1 SP8, 6.0 SP4, 6.5
Mac OS X 10.2 through 10.9.2 (32 and 64-bit, Intel, and PPC)
Solaris 8, 9, 10 (32 and 64-bit, SPARC only)
Windows XP (32 and 64-bit)
Windows Vista (32 and 64-bit)
Windows 7 (32 and 64-bit)
Windows 8 (32 and 64-bit)
Windows 8.1 (32 and 64-bit)
Windows NT/2000
Windows Server 2003 (32 and 64-bit)
Windows Server 2008 (32 and 64-bit)
Windows Server 2008 R2 (32 and 64-bit)
Windows Server 2012 R2 (64-bit)


Encryption Support
EnCase now supports the following encryption products.

Vendor       | Product                                                  | Supported Versions                                             | 64-bit Support
-------------|----------------------------------------------------------|----------------------------------------------------------------|------------------------------------------------
Check Point  | Check Point Full Disk Encryption (formerly Pointsec PC)  | 6.3.1 up to 7.4, 8.0 (for Windows and Macintosh computers)     | Yes
Credant      | Mobile Guardian                                          | 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8, 7.3                 | Yes
Dell         | Data Protection                                          | 8.3                                                            | Yes
GuardianEdge | Encryption Plus/Anywhere                                 | 7 and 8                                                        | No
GuardianEdge | Hard Disk Encryption                                     | 9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1                       | Yes
McAfee       | EndPoint Encryption (formerly SafeBoot)                  | 4, 5, 6, 7 (for Windows and Macintosh computers)               | Yes
Microsoft    | BitLocker and BitLocker To Go                            | Windows Vista, 7, and 8, Server 2008                           | Yes
Sophos       | SafeGuard Easy and Enterprise (formerly Utimaco)         | 4.5, 5.5, 5.6, 6.0                                             | Yes (only for SafeGuard Easy, not for Enterprise)
Symantec     | PGP Whole Disk Encryption                                | 9.8, 9.9, 10, 10.1, 10.2                                       | Yes
Symantec     | Endpoint Encryption                                      | 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0, 8.2      | Yes
WinMagic     | SecureDoc Full Disk Encryption and Self-Encrypting Drives | 4.5, 4.6, 5.x, 6.x                                            | Yes


USGCB Compliance
EnCase has been validated as USGCB compliant using the following version of the NIST VHD images: 10/14/11 (for Windows 7 only).
EnCase was tested using Retina Network Security Scanner, which is a NIST validated USGCB scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).

Support
Technical assistance is available online at http://www.guidancesoftware.com/technicalsupport.htm. From this page you can register for and access the Guidance Software Support Portal, an invaluable resource providing product-specific technical forums, an extensive knowledge base, a bug tracking database, and an Online Submission Form for your questions.

Technical Support
Guidance Software offers several technical support options, including:

Live Chat
Support Request Form
Email
Telephone

Customer Service
Please direct service questions to the Guidance Software Customer Service Department:
Monday to Friday, 7 AM to 5 PM Pacific time
Phone: (626) 229-9191, press 5
Fax: (626) 229-9199
Email: customerservice@guidancesoftware.com
1055 E. Colorado Blvd.
Pasadena, CA 91106-2375
You can access our Customer Service Request Form online at http://www.guidancesoftware.com/CustomerServiceRequest.aspx.
