Encase Forensic v8 01 Release Notes

EnCase Forensic
Version 8.01
Release Notes
June 30, 2016
EnCase Version 8.01

Thank you for using Guidance Software products.
The Release Notes for this version of EnCase Forensic contain important information regarding your
EnCase application. Before you install, we recommend that you read the Release Notes to better
understand the changes we have made.
SAFE Version
This product is compatible with EnCase SAFEversion 7m.
Refer to the SAFEAdministration Guide for installation, licensing, and upgrade information.
2016 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice and is provided for
informational purposes only.
New Features
Integration with Project VIC
Project VIC (www.projectVIC.org) was created to develop an ecosystem of information and data
sharing between law enforcement agencies all working on crimes facilitated against children. Project
VIC's mission is to aid law enforcement officers in victim identification by leveraging the use of
extremely large and high quality hash sets to identify and eliminate images. There are two ways EnCase
Forensic interacts with Project VIC data. You can:
l Check case information against the Project VIC hash library by:
o Downloading the hash library
o Importing the hash library into EnCase
o Applying the hash library to your case
o Performing hash analysis
l Export images and a .JSONfile compatible with Project VIC
EnCase currently supports version 1.2 of the Project VIC data model.
OBTAIN THE PROJECT VIC HASH SET .JSON FILE

You must be registered with the Internet Crimes Against Children Child Online Protective Services
(ICACCOPS) to access the Project VIChash library. The Project VIC hash library can be downloaded
through the Hubstream (www.hubstream.net) Intelligence Agent. The data is saved as a Javascript
Object Notation (.JSON) file on your machine.
IMPORT THE PROJECT VIC HASH LIBRARY INTO ENCASE

1. Click Tools > Manage Hash Library. The Manage Hash Library dialog displays.
2. Click New and create a new folder in which to store the Project VIChash library.
3. Click OK, then click Import >Project VIC. The Project VIC dialog displays.
4. Browse to the .JSON file and click Open.
5. Click Finish. The Project VIC hash sets display in the Manage Hash Set dialog.
6. Click Close.
APPLY THE PROJECT VIC HASH LIBRARY TO YOUR CASE
1. Open the case where you want to apply the Project VIC hash library.
2. Click [Case Name] > Hash Libraries.
3. The Hash Libraries dialog displays.
2
4. Double click Primary or Secondary. In the Browse for Folder dialog, navigate to the Project VIC
hash library folder you created and click OK. The Existing hash sets area of the Hash Libraries dia-
log populates with the Project VIC hash sets. Click OK.
5. A prompt displays, informing you that you will need to manually run a hash analysis to update
the cache. Click OK to proceed.
6. Click Yes.
7. Click OK to close the Hash Libraries dialog.
8. Perform a hash analysis (CRTL-SHIFT-H).
9. When processing is finished, the Refresh button in the upper right corner is enabled.
10. Click the Refresh button. The Tree view updates with the Project VIC hash library applied to the
relevant files. Matches display in the Hash Set Names column.
3
EXPORT IMAGES AND A .JSONFILE COMPATIBLE WITH PROJECT VIC
If you find files you believe would be good candidates for inclusion in the Project VIC hash library, you
can export them.
1. Blue check the item(s) you want to export.

2. Click Entries > Export Project VIC Files.
3. Enter or browse to an export path, then click OK to generate a .JSON file.
4. You can download this file to Griffeye (www.griffeye.com) where you can further categorize the
data or upload it directly to Project VIC using the Hubstream Intelligence Agent. Your file will be
reviewed and, if accepted, added to the Project VIC hash library.
Using Pathways to Streamline Workflows

Pathways provide step by step guidelines to walk you through specific workflow scenarios. Each
Pathway contains links that take you to individual steps in the workflow process.
Pathways are based on the curriculum taught by the award-winning Guidance training department,
and are designed to help examiners of any level efficiently navigate an investigation. Pathways are not
mandatory. You can exit a Pathway at any stage of your investigation.
You can access Pathways from two locations in the interface:
l Home page
l Toolbar menu
If you exit the Pathway, or your workflow navigates you away from the Pathway, you can always
return to the Pathway from one of these two access points.
Using Pathways you can:
l Create a full investigation

l Preview and triage your evidence
Full Investigation Pathway
GETTING STARTED
To get started with a full investigation, the Pathway suggests five steps:
l Create a case
l Add evidence
l Audit your drive space
l Determine the time zone of your evidence
l Apply a hash library to your case
4
1. On the home page in the Pathways group, click Full Investigation.
2. The Full Investigation page displays. You can follow the steps for the case you have open, or you
can start a new case by clicking Create a New Case. In the User Guide, see Using a Case Template
to Create a Case.
3. Once you have a case created, the next step is to add evidence to it. Back on the Full Invest-
igation page, click Add Evidence to Your Case. The Add Evidence dialog displays.
4. Click the appropriate link and follow the instructions to perform any of the available add evid-
ence actions. This must be done before any processing is done on the evidence. In the User
Guide, see Adding Evidence to a Case.
5. After evidence is added, the next step is to audit the space of all devices in the case. This must be
done before any processing is performed on the evidence. This process builds a summary table
in the bookmarks tab showing the usage of all devices in the case. Additional tables are built in
the bookmarks tab for each device to account for all space on each drive. In the User Guide, see
the Audit Drive Space topic.
6. Now that your drive space is audited, the Pathway leads you towards setting a time zone for
your evidence. This step parses the SystemRegistry Hive to determine the current control set
and then parses the current control set to retrieve the time zone information for each of the
selected evidence files. To preserve the forensic accuracy of the data, this must be done before
any processing is done on the evidence. In the Full Investigation dialog, click Determine the Time
Zone of the Evidence. In the User Guide, see Determining the Time Zone of Your Evidence.
7. On the Full Investigation page, click Apply Hash Library to Your Case. In the User Guide, see
Adding Hash Libraries to a Case.
PROCESSING EVIDENCE
Once you have set up your case and added evidence, you can process it in a variety of ways. Once you
have processed your evidence with one of the processing profiles listed below, you will be unable to
reprocess it with another Pathway Profile. Any further processing should be done using the Custom
profile Pathways option or from the Process Evidence menu in the toolbar.
Once a processing profile is selected, you can view its progress by double clicking the progress bar on
the bottom right of the screen.
l Process evidence without indexing (fastest)

o File signature analysis
o Hash analysis (MD5 and SHA-1)
o Expand compound files
o Find email (except lost or deleted items)
o Find allocated Internet artifacts
o System Information Parser without live registry
o Allocated Windows artifacts
l Process evidence with indexing

5
oExpand compound files
oFind email (except lost or deleted items)
o Index allocated text and metadata (with East Asian script support)
o Skipping files in hash library and skipping slack
l Process Internet artifacts

l Process email
l Comprehensive processing without unallocated (for deep investigation of allocated files)

o Recover folders and NTFS 3.0 reconstruction
o Protected file analysis
o System InformationParser without live registry, all advanced folders
o Protected file analysis
o Thumbnail creation
l Comprehensive processing (for deep investigation of an entire drive)

o Recover folders and NTFS 3.0 reconstruction
o Hash analysis (MD5, SHA-1 and entropy)
o Find all Internet artifacts, including unallocated
o System InformationParser without live registry, all advanced folders
o All Windows artifacts, including unallocated
l Custom: Use this to build your own processing routine
6
WHAT ARE YOU LOOKING FOR?
Once you process your evidence files, you can now find information in a variety of ways.
l Select the filter options to find information by type or specific attributes:

o All pictures finds all files with image extensions
o All documents finds all files with document extensions
o All files over specified size enables you to specify a logical size value and find all files exceed-
ing that value

o All files by extension enables you to define specific extensions to search for
l Select the view options to see different aspects of your evidence. These options only work if email
messages and/or internet artifacts were selected during processing. Selecting either one of these
options takes you to the Artifacts tab.
o View email messages
o View Internet artifacts
l Select the search options to perform:

o Index searches (Indexing must have been included in the selected processing option.)
o Keyword searches (Selecting this option opens the Search view; select the Keyword tab to
view the live results.)
GENERATING REPORTS
After you have found the information you need, you can generate reports in a variety of ways.
l Generate a standard full examination report

l Report templates enable you to create a customized report. In the User Guide, see Using Report
Templates.
l Generate a Triage report to easily share your findings in HTML format. In the User Guide, see
Triage Report.
Preview and Triage Pathway

The Preview/Triage pathway helps you to easily preview and triage your evidence.
GETTING STARTED
To get started with a triage case, the pathway suggests three steps:
o Create a case
o Add evidence
o Apply a hash library to your case
1. On the home page in the Pathways group, click Preview/Triage.

2. The Full Investigation page displays. You can follow the steps for the case you have open, or you
can start a new case by clicking Create a New Case. In the User Guide, see Using a Case Template
to Create a Case.
7
3. Once you create a case, the next step is to add evidence to it. Back on the Preview/Triage page,
click Add Evidence to Your Case. The Add Evidence dialog displays.
4. Click the appropriate link and follow the instructions to perform any of the available add evid-
ence actions. In the User Guide, see Adding Evidence to a Case.
5. On the Preview/Triage page, click Apply Hash Library to Your Case. In the User Guide, see
Adding Hash Libraries to a Case.
6. The Apply Hash Library to Case dialog displays.
QUICK ANALYSIS
Once you have set up your case and added evidence, you can process it in a variety of ways:
l Perform hash analysis

l Perform signature analysis

l Perform hash and signature analysis

l Locate Internet artifacts

l Locate email messages

l Locate Internet artifacts and email messages

l Find email (except lost or deleted items)
l Find allocated Internet artifacts
WHAT ARE YOU LOOKING FOR?

Once you process your evidence files, you can now find information in a variety of ways.
l Select the filter options to find information by type or specific attributes:

o All pictures finds all files with image extensions
o All documents finds all files with document extensions
o All files over specified size enables you to specify a logical size value and find all files exceed-
ing that value

o All files by extension enables you to define specific extensions to search for
l Select the view options to see different aspects of your evidence:

o View email messages
o View Internet artifacts
GENERATING REPORTS
After you have found the information you need, you can:
l Generate a Triage report to easily share your findings in HTML format. See Triage Report.
8
Triage Report
The Triage report enables you to customize and quickly generate an investigation report.
This report creates a fully linked HTML report from bookmark folders you create. Each bookmark
folder is a separate report section linked together by a table of contents. Each report section can have
an associated custom format or be formatted automatically. Each bookmarked item by default
includes a separate item report including comprehensive data for that item.
You can customize this report with your own logo, and add external links within the report.All
customization can be done using an HTML editor.
When done, this report can easily be distributed on a CD or USB drive and is compatible with most
browsers. This enables evidence to be easily shared across teams so that the most relevant
information can be discovered and acted upon quickly.
To share your report, navigate to its export location and copy theTriage Report folder, index.html,
and Triage.Report.html files to a USB drive or CD.
This reporting option can be accessed on the case home page under the Report header. It is also
available in both the Full Investigation and Preview/Triage Pathways.
9
Main screen
EXPORT LOCATION
Using the browse button, select the folder that the completed HTML report will be placed into. This
folder must exist on the system.
OPEN EXPORT PATH

When selected, automatically opens Windows Explorer to the export location when the report is
written.
OPEN REPORT
When selected, automatically loads the report in the default browser.
10
ADDITIONAL LINKS
This section enables the examiner to include additional links in the left pane of the completed report.
By default, it includes:
l The Case Information link which draws the data from case information items tab in EnCase.
l The logo item which is used to hold the location for a custom logo.
Unselected items will not show up in the report.
The Name column shows the text that will be placed on the left pane for the link.
The Link column is used to designate the file path of the file to be linked.
If AutoCopy is selected, the linked file will be copied automatically into the export path for the Triage
report. This can only be used if the linked file is a single file (i.e. PDF or Word doc, Excel spreadsheet). If
the AutoCopy is not selected, you must copy the file or files into the export location before setting the
Link field. For example, if you are trying to link in a HTML report which consists of multiple files, the files
will have to be manually copied into the export location.
BOOKMARK FOLDERS
The Bookmark Folders table shows all bookmark folders contained in the current case. Selected folders
are included in the Triage report when the report is created.
The Name field shows the bookmark folder.
The Format field designates what information is included in that section of the report. The format can
be changed by clicking Auto and selecting a different format form the popup box. In the popup:
l The Auto format selection attempts to use the most appropriate data for each of the book-
marked items.
l Selecting External Link allows you to set the link on the left side of the screen to an alternate file.
If External Link is selected, that report section will not be created. You must manually copy the
linked file(s) to the export location before the link is created.
The NoExport checkbox stops the exporting of the bookmarked files for that section of the report.
Individual files and bookmarks can also be prevented from being exported or included in the report by
using the No Export and No Report options from the Bookmarks tab.
The No TOC (Notable of contents)checkbox removes that section of the report from the table of
contents, but the section is still created and a link is created in the parent report section.
11
The Include in Parent checkbox includes the selected report section within the parent report section.
This can be used to create a single report section based on different formats. If you select Include in
Parent on all bookmark folders, the report will be displayed in a flat form. The HTML links on the left
side of the final report will jump the viewer to the respective sections.
Click Make Single Bookmark Report on the menu bar to recreate only the current report section. This
was designed so you would not have to recreate the entire report when only one section has been
changed. This will not recreate the table of contents.
Options
The options button provides you with ways to change the behavior of the Triage report.
TEMPLATE LIST
The Template List displays the list of default formats and custom formats available. The Auto format
automatically selects the default format depending on the bookmarked item type. Default formats can
be changed but if they are deleted they will be recreated the next time the Triage report is run.
12
FIELD DEFINITIONS
Field definitions designate what information is included in the report section for each item.
REPORT TITLE
Enables you to modify the report title shown in the browser when the report is displayed.
TOP LEVEL AS HEADERS

When selected, includes the top level sections in the table of contents even if not selected.
AUTO SORT CHILD FOLDERS

When selected, places the child report sections at the top of the report instead of in the bookmarked
order.
ALTERNATE ROW COLORS

When selected, alternates the colors of the rows within the report for better clarity.
13
HIDE PREVIEW
When selected, hide the preview pane in the main window.
REPORT FILENAME
Enter the filename for the main HTML page. An identical INDEX.HTML is also created.
MAX FILE EXPORT SIZE

Specify the maximum file size that can be exported by the triage report. This feature prevents the
unintended export of extremely large files (i.e. pagefile.sys, hiberfil.sys, Unallocated Space).
OPTIONAL STYLE SHEET

Enables you to substitute an alternate style sheet instead of the default.
INCLUDE PRINT OPTION

When selected, includes a print icon at the top of each report section. This option is on, by default.
ITEM REPORT TYPE

Designates if the individual report for each bookmark item (not section) is in HTML format or PDF.
14
EXPORTED FILENAME FORMATS
Select which type of filename is used for each export file.
Note: The Original setting can cause filename conflicts.
Report Formatting
CUSTOM REPORT FORMATS

l Each line represents a cell of data for the field.
l Separate tags below with a "," comma
l Use a single "-" to make a new line in the table.
l * = default
TAGS
l FIELD= property name. (the word FIELD is not needed) Multiple fields can be place in a single cell,
separate with a "|"

l LINK= Defines a hyperlink for the cell. *Auto is a hyperlink to the exported file for the Name prop-
erty.
l LINK=*AUTO, NONE, FILE,PDF,REPORT,REPORT_HTML,REPORT_PDF, FOLDER
l ALIGN= *1 = left, 0 = center, -1 = right
l HEADER= Alternate cell title, replaces field name.
l ICON= Draws an enscript icon in the cell
l REPORT,PRINT, etc...
l COLOR= color value in hex or enscript color const - #000066, BLUE
l SIZE= [THUMBNAIL pixels = ], [PREVIEW length=100] (not complete)!
l SHOW= BOTH, REPORTONLY (not complete)!
Extensive Interface and Menu Changes

EnCase Forensic has been extensively redesigned for greater ease of use.
The design work has included changes to the interface, as well as changes to the menu layouts and
icons.
Use this table as a reference to help you get oriented with Version 8.01:
15
Version 7.x Version 8.01
l Gear icon on the right of the top toolbar

l Contains advanced features that affect entire win-
Triangle menu (down arrow on the right of dow
the top toolbar) l Duplicated items have been removed.
l Create an Electronic License can now be found in
the question mark Help menu
l Hamburger menu at the top right of the grid

l Includes new table spacing feature to modify
Triangle menu (down arrow on the right of information density
a table) l Contains instructions that affect the table, or per-
form table related actions
l Duplicated items have been removed
Filter and conditions menus (on top tool-

On top of new fourth pane on bottom right of screen
bar)
Split mode menu item Same location; signified with an icon only
Open with Accessible through right click menu
Evidence view toolbar Icons and menu items rearranged for greater usability
Viewing menu View menu
Related To menu Accessible through right click menu
l Removed
Zoom in/ Zoom out buttons l Achieve same functionality with the percentage
dropdown or CTRL-scrollwheel
Now contain the same menu options as the toolbar, at

Right click menu options
minimum
Records tab shows email, internet, and Artifacts tab shows email, internet, and other similar
other similar items items
Persistent Blue Checks

Two improvements have been made to blue checking behavior.
Blue checks now persist within a case. Blue checks are case specific and remain persistent in the same
tab where they were created.
Blue checks persist when:
16
l Navigating from Evidence view to Entry view or from Entry view to Evidence view.
l Navigating from Entry view to Record view (for example, viewing file structure on an entry).
l Navigating from Entry view to Results view.
l Navigating from Results to Entry (within the same tab).
In addition, you now have the option to have your blue checks persist if you end your session in
EnCase.
A new option was added to the Tools > Options menu giving you the choice to allow blue checks to
persist after closing a case or exiting EnCase. This option is off by default.
Blue checks do not persist on evidence removed from a case.
Refreshing the Entry View Table

A new button allows you to refresh the Entry view table after performing an action. It is no longer
necessary to exit from Entry view and go back into the evidence in order to see the effect of actions
such as hash analysis. The ability to refresh the Entry view works:
l After processing is completed

l After running a Hash/Sig analysis
Bookmarked Column in Entry View

A new column entry in Entry view indicates if an item is already bookmarked or not. If an item is
bookmarked anywhere in the current case, the default option for TRUEdisplays in the column.
Updated File Types

Three new file types have been added to improve the accuracy and coverage of file signature analysis.
New file types include:
l SQLite 3.x database

l KeePass Password Safe database
17
l Torrent files
Multi Colored Sweeping Bookmarks

It is now easier to separate and identify bookmarked evidence using different colors of sweeping
bookmarks.
When working with raw text, transcript text, and decoding, you can now highlight a string, create a
bookmark, and then highlight a separate string with a different color and create it as a separate
bookmark.
Fourth Pane Added

A fourth pane has been added to the lower right of the screen. This pane provides a place to organize
and run filters and conditions, run EnScripts, and manage tags.
l Using new drag and drop functionality, you can organize your items into folders.
l You can add a new item using the new toolbar item or with a right click.
l You can import a folder of items.
l Double click on an item to run it.
l Editing can be done using the edit button or with a right click.
The fourth pane can be quickly minimized by double clicking the small triangle to the left of the pane.
Once minimized, double clicking the triangle expands the window.
Previewing Remote Network Device Improvements

A new triage option has been introduced when viewing local or remote network devices.
After a device is added, you can select it in the Evidence view and click the Triage icon. When in Triage
mode, all data is stored in RAM and nothing is written to disk. To greatly streamline reviewing and
retrieval time, you can choose when to cache the GUIDs by clicking the Cache Device(s) icon in the
toolbar.
18
Support for Firefox v32
Mozilla FireFox v32 is now supported.
Additionally:
l The processing module now supports both the old version of the Firefox cache, as well as the new
Version 2 of the cache.
l Processing of cache entries is supported even if an index file does not exist.
Default Conditions Location

Conditions that come pre-packaged with the product are stored, by default, in the location where
Encase Forensic is installed (by default, c:\program files\Encase8\Condition). Conditions that
you create are stored in the folder where your case files are stored (by default, Libraries ->
Encase -> Condition).
The two paths are different and conditions in both places can be supported. However, the program
install path will get updated when a new version of Encase is released, and all conditions in that folder
will be erased. Customized conditions should therefore not be stored in that folder in an effort to
reduce conflicts.
Note: If you currently store your custom conditions in c:\program

files\Encase8\Condition, they will be erased upon installation of EnCase 8.
Ability to Parse Windows 10 $I Files

EnCase can now parse original filename logical size and time deleted information from Recycle Bin $I
Windows 10 index files.
Custom Logo in Case Page

The case page now displays the case information on the right side of the screen.
You can add a custom logo to the case page by clicking the hamburger menu on the upper right hand
of the screen. This logo will not appear in any reports.
19
Streamlined Hash Analysis Behavior
Processing of hash analysis was streamlined n EnCase Version 7.12 by running a hash analysis
whenever a hash set is added, removed or changed. This improved performance by not running the
hash set analysis until absolutely needed.
A popup warning now displays whenever you access a menu that allows you to modify the hash
libraries. This popup just lets you know that any changes will cause the hash analysis to be run again. If
you choose not to run the hash analysis again, you will not see the results of your changes until the
library is refreshed.
To update your hash library cache, select OK when you see this popup warning. Select the appropriate
evidence, then click Hash/Sig Analysis >Hash Analysis Option. This updates everything and the new
hash libraries are applied to the case.
Note: A new shortcut (CTRL-SHFT-H) has been added that automatically displays the
Hash/Sig Analyis menu.
Disk View Accessible from Evidence View

For greater efficiency, Disk view is now accessible directly from the Evidence pane.
Adjusting Spacing in a Table

You can now adjust how tightly together rows are spaced within a table.
Click the hamburger menu at the far right of the table, then select Change Table Spacing. From the
dialog, select the Vertical grid cell padding you prefer. The lower the value, the more closely the rows
are displayed together. The setting is global, and affects the display of all tables in the product.
20
Items Fixed
DOC-1536: EnCase no longer crashes when you add a folder to the report template, name the folder,
and click Next before clicking Add.
DOC-1569: EnCase no longer crashes when attempting to select certain tagged items in the Search
view.
DOC-1570: EnCase occasionally crashed when drilling into certain compound or evidence files. This
issue has been fixed.
Known Limitations
Found in Version 8.01
DOC-1654: The Isbookmarked column does not show True when bookmarking a thumbnail artifact.
The bookmark is created and can be seen in the Bookmarks tab, but does not update in the Artifacts
tab.
DOC-1650: The Isbookmarked column does not show True for items that are bookmarked in the Table
view.
21
DOC-1647: If you reprocess an Ex01 evidence file with Overwrite Evidence Cache selected, clicking the
green refresh button does not refresh the page. To refresh the page, you must exit Entry view and
return.
DOC-1644: When working with default conditions, an error appears if Enter is pressed instead of
double clicking.
DOC-1643: When clicking on bookmarked items in View >Report templates, the font color is
inconsistent.
DOC-1609: The screenshots in the EnCase Forensic User Guide do not reflect the current extensive
changes to the interface. Unless otherwise noted in these release notes, the functionality is the same,
but the design and format may be different from what is displayed on your screen.
DOC-1533: EnScript cannot currently call the Isbookmarked function; therefore, the new bookmarked
column in Entry view does not display correctly for custom EnScript programs.
FOR-3189: You cannot move a folder between the User and Shared folders while in the fourth pane.

DOC-1217: After selecting a specific process memory entry from the network preview pane and drilling
into the corresponding item in EnCase, the only entry shown is the unused disk area. The memory
event representing the memory of the process is not shown. This issue is specific to Windows 10.
DOC-1215: Running System Info Parser with the checkbox Live Registry cleared returns a folder in the
Records tab with the label "xxxxxx (Live Registry)." This is misleading, because the live registry option is
disabled.

CORE-1527: The 32 and 64-bit EnCase servlet requires the Windows Management Interface (WMI)
service for installation and operation on Windows 10, Windows 8, Windows 8.1, Windows Server 2012,
and Windows 2012 R2.
TS-141: File Carver may display a status of 100 percent complete, but continue to process or crash
EnCase.This situation is caused by File Carver searching for numerous file types, including headers
leading with "..." Guidance Software recommends that you perform file carving for file types with "..."
leading headers separately.
CORE-1322: When exporting items in Search Results, if Add to existing evidence file is selected,
EnCase crashes.
22
CORE-895/69792: The index uses all caps by default; so, for example, DOBBS is the only hit for a search
on <c>DOBBS. <c>dobbs, <c>Dobbs, and all other case variations are in a different set.
Found in Version 7.09.04

69649: After several iterations of running Case Analyzer and bookmarking, when clicking on a
bookmark created with Case Analyzer, EnCase may crash.
Found in Version 7.09.02

68889: Outside In: EnCase hangs while viewing some .mif files.
Target Machine Operating Systems

Agents are deployed on target machines and can be used to search the following operating systems:
l AIX 4.3, 5.1, 5.2, 5.3, 6.1, 7.1

l HPUX 11.0, 11.1x, 11.2x
l Linux Kernels 2.6.9 (32 and 64-bit) or 2.6.4 (32-bit) or higher with Process File System (procfs)
l NetWare 5.1 SP8, 6.0 SP4, 6.5
l Mac OS X 10.5 (32-bit, Intel) and 10.6 - 10.11 (64-bit, Intel)
l Solaris 8, 9, 10 (32 and 64-bit, SPARC only)
l Windows XP (32 and 64-bit)
l Windows Vista (32 and 64-bit)
l Windows 7 (32 and 64-bit)
l Windows 8.1 (32 and 64-bit)
l Windows NT/2000
l Windows Server 2003 (32 and 64-bit)
l Windows Server 2008 R2 (32 and 64-bit)
l Windows Server 2012 R2 (64-bit)
McAfee ePolicy Orchestrator (ePO) Integration

McAfee ePolicy Orchestrator administrators can use ePO to deploy EnCase agents to ePO-managed
nodes. Versions 4.5, 4.6, 5.1, and 5.3 are supported.
Third Party Systems

Vendor Version
Project VIC data model 1.2
23
Encryption Support
EnCase supports the following encryption products.
Vendor Product Supported Versions 64-bit Support
Check Point Full Disk 6.3.1 up to 7.4, 8.0 (for

Check Point Encryption (formerly Windows and Macintosh Yes
Pointsec PC) computers)
5.2.1, 5.3, 5.4.1, 5.4.2, 6.1

Credant Mobile Guardian Yes
through 6.8, 7.3
Dell Data Protection 8.3 Yes
GuardianEdge Encryption Plus/Anywhere 7 and 8 No
9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0,

GuardianEdge Hard Disk Encryption Yes
9.5.1
EndPoint Encryption 4, 5, 6, 7 (for Windows and

McAfee Yes
(formerly SafeBoot) Macintosh computers)
BitLocker and BitLocker To Windows Vista, 7, 8, and 10,

Microsoft Yes
Go Server 2008
SafeGuard Easy and Yes (only for SafeGuard

Sophos Enterprise (formerly 4.5, 5.5, 5.6, 6.0 Easy, not for
Utimaco) Enterprise)
Symantec PGP Whole Disk Encryption 9.8, 9.9, 10, 10.1, 10.2 Yes
7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6,

Symantec Endpoint Encryption Yes
7.0.7, 7.0.8, 8.0, 8.2
SecureDoc Full Disk

WinMagic Encryption and Self- 4.5, 4.6, 5.x, 6.x Yes
Encrypting Drives
USGCB Compliance
EnCase has been validated as USGCB compliant using the following version of NIST VHD images:
10/14/11 (for Windows 7 only)
24
EnCase was tested using Retina Network Security Scanner, which is an NIST validated USGCB scanner
(http://usgcb.nist.gov/usgcb/microsoft_content.html).
Support
Guidance Software is committed to providing our customers with the best user experience possible.
There are a variety of ways for you to get the help you need, when you need it.
Guidance Software provides a wide array of resources to help you find answers to your questions
online.
To access online support, navigate to www.guidancesoftware.com and click Support.
Contact Technical Support

Guidance Software provides telephone technical support 24 hours a day, excluding weekends and
holidays, through the regional support numbers listed below. All technical support inquiries are
automatically routed to either our US or UK office, depending on the time of day.
UNITED STATES:
MondayThursday 5 AM10 PM Pacific time, Friday 5 AM7 PM Pacific time
Phone: +1 (866) 973-6577 or (626) 463-7977
Fax:+1 (626) 229-9199
1055 E. Colorado Blvd.
Pasadena, CA 91106
UNITED KINGDOM:
MondayFriday 6 AM4 PM UTC/BST
Phone: +44 (0) 1753-552252, Option 4
Fax:+44 (0) 1753-552232
Thames Central, 5th Floor
Hatfield Road
Slough, Berkshire UK SL1 1QE
EMEA AND APAC:

+800-4843-2623
For customers in the following countries, use your country's local exit code and call:
+800-GUIDANCE (4843-2623). Do not dial US country code 1.
l Australia
l Belgium
l China-North
25
l China-South
l Denmark
l Finland
l France
l Germany
l Hong Kong
l Italy
l Japan
l Malaysia
l Netherlands
l New Zealand
l Norway
l Poland
l Singapore
l South Korea
l Spain
l Sweden
If you do not know your exit code, refer to http://www.howtocallabroad.com/codes.html. Dial your
country's exit code, then dial 800-4843-2623.
Contact Customer Service
BY TELEPHONE:
626-463-7964 (Monday through Friday, 7 am to 5 pm, Pacific Time)
866-229-9199
BY ONLINE REQUEST:
Navigate to www.guidancesoftware.com and click Support >Customer Service >Contact.
26

Encase Forensic v8 01 Release Notes

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Encase Forensic v8 01 Release Notes

Uploaded by

Copyright:

Available Formats

EnCase Forensic

June 30, 2016

EnCase Version 8.01

l Export images and a .JSONfile compatible with Project VIC

OBTAIN THE PROJECT VIC HASH SET .JSON FILE

IMPORT THE PROJECT VIC HASH LIBRARY INTO ENCASE

4. Browse to the .JSON file and click Open.

APPLY THE PROJECT VIC HASH LIBRARY TO YOUR CASE

3. The Hash Libraries dialog displays.

1. Blue check the item(s) you want to export.

Using Pathways to Streamline Workflows

You can access Pathways from two locations in the interface:

Using Pathways you can:

l Create a full investigation

Full Investigation Pathway

l Process evidence without indexing (fastest)

l Process evidence with indexing

l Process Internet artifacts

l Comprehensive processing without unallocated (for deep investigation of allocated files)

l Comprehensive processing (for deep investigation of an entire drive)

l Custom: Use this to build your own processing routine

l Select the filter options to find information by type or specific attributes:

ing that value

l Select the search options to perform:

view the live results.)

l Generate a standard full examination report

Preview and Triage Pathway

1. On the home page in the Pathways group, click Preview/Triage.

l Perform hash analysis

l Perform signature analysis

l Perform hash and signature analysis

l Locate Internet artifacts

l Locate email messages

l Locate Internet artifacts and email messages

l Find allocated Internet artifacts

WHAT ARE YOU LOOKING FOR?

l Select the filter options to find information by type or specific attributes:

ing that value

l Select the view options to see different aspects of your evidence:

OPEN EXPORT PATH

Unselected items will not show up in the report.

The Name field shows the bookmark folder.

TOP LEVEL AS HEADERS

AUTO SORT CHILD FOLDERS

ALTERNATE ROW COLORS

MAX FILE EXPORT SIZE

OPTIONAL STYLE SHEET

INCLUDE PRINT OPTION

ITEM REPORT TYPE

Note: The Original setting can cause filename conflicts.

CUSTOM REPORT FORMATS

l Separate tags below with a "," comma

l Use a single "-" to make a new line in the table.

separate with a "|"

l ALIGN= *1 = left, 0 = center, -1 = right

l HEADER= Alternate cell title, replaces field name.

l ICON= Draws an enscript icon in the cell

l COLOR= color value in hex or enscript color const - #000066, BLUE

l SIZE= [THUMBNAIL pixels = ], [PREVIEW length=100] (not complete)!

l SHOW= BOTH, REPORTONLY (not complete)!

Extensive Interface and Menu Changes

l Gear icon on the right of the top toolbar

l Hamburger menu at the top right of the grid

Filter and conditions menus (on top tool-