EnCase v6.15 Release Notes

Published on July 2016 | Categories: Types, Creative Writing | Downloads: 80 | Comments: 0 | Views: 451
of 18
Download PDF   Embed   Report

manual do encase

Comments

Content

EnCase® Version 6.15
Release Notes
October 29, 2009

EnCase Version 6.15
Thank you for using Guidance Software products.
The Release Notes for this version of EnCase contain new feature highlights, the most current
compatibility details, platform and browser support, known issues, and items fixed. Before you
install the upgrade, we recommend that you read these Release Notes to better understand the
changes we have made.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

New Features
Windows Server 2008 Support
EnCase supports running on Windows Server 2008 32-bit and 64-bit. This includes:


Examiner 32-bit and 64-bit



ProSuite (EnCase Decryption Suite, Virtual File System, Physical Disk Emulator, and
FastBloc SE) 32-bit and 64-bit



32-bit and 64-bit servlets

Windows 7 Support
EnCase now supports running on Windows 7 32-bit and 64-bit. This includes:


Examiner 32-bit and 64-bit



ProSuite (EnCase Decryption Suite, Virtual File System, Physical Disk Emulator, and
FastBloc SE) 32-bit and 64-bit



32-bit and 64-bit servlets

on these versions of Windows 7:


Professional



Ultimate



OEM



Enterprise

Note: EnCase does not support analysis of Windows 7 artifacts via EnScript. Also, EnCase does not support Windows
7 BitLocker in terms of encryption support.

GuardianEdge 9.2 Support
EnCase supports decryption of encrypted disks using GuardianEdge Hard Disk Encryption version
9.2.

WinMagic SecureDoc 4.6 Support
EnCase supports decryption of encrypted disks using WinMagic SecureDoc Full Disk Encryption
version 4.6.

CREDANT Mobile Guardian 5.4.2 Support
EnCase supports decryption of encrypted files using CREDANT Mobile Guardian 5.4.2.
© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

2

Fast File Transfer
EnCase provides improved performance when the servlet transfers files to EnCase. Before,
EnCase sent requests to obtain one chunk of data (32 kb) at a time, and transferring a large file
involved sending many read commands from the examiner. Although extremely robust, combined
with network latency, this protocol could cause significant delays on certain networks.
In the new approach, the examiner sends just one read command, and error handling is done by
the TCP/IP layer.
This functionality is built into the EnCase UI, and you can also access this function from EnScript,
where a new option, CopyFile, has been added to the file class. It contains two parameters:


Output file



Size (optional)

If size is not specified, the data from the current position to the end of the file is transferred.
Note: This is EnScript-specific and is not the default file transfer method for EnCase.

Enhanced FAT Parsing
Not all implementations of the FAT file system can be automatically detected. For example, some
FAT 16 volumes in certain removable mediamay be detected as FAT 12.
To address this issue, EnCase provides an option to specify the FAT type (FAT 12, FAT 16, or
FAT 32) to parse. This option is included in the Add Raw Image and Add Partition dialogs.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

3

Add Raw Image Dialog
1.

Click File > Add Raw Image. The Add Raw Image dialog opens.

2.

Click the Volume option button, then select the Partition Type for the FAT volume you are
parsing.

3.

Click OK.

Add Partition Dialog
1.

Select the Disk tab in Table view, then right click for a dropdown menu.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

4

2.

In the dropdown menu, click Add Partition. The Add Partition dialog opens.

3.

Select the Partition Type for the FAT volume you are parsing.

4.

Click OK.

Refresh Bookmarks in EnScript
EnCase now includes the ability to save bookmarks in the background while an EnScript is still
running. This feature is especially useful with EnScripts such Sweep Enterprise when used in
conjunction with the Check-in servlet feature. While the EnScript is still running, the user can
“refresh” the bookmark view and data collected up to that point is populated and available for
review.

Outside In 8.3 Support
EnCase now supports Oracle Outside In version 8.3 technology for viewing various file formats.

Enhanced McAfee ePolicy Orchestrator (ePO) Integration
There is a new way to deploy EnCase Enterprise servlets using McAfee's ePolicy Orchestrator.
The installation has been simplified. The certsetup.exe is not used any more. Copy setup.exe from
the SAFE install folder to the shared folder. A small program copies setup.exe from the shared
folder, installs the ePO dlls, then installs the servlets. There is no longer a need to reinstall ePO
every time the servlets are updated.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

5

There are two new command line options:


-o <setup options>



-v <servlet version>

The -o option is a passthrough. Any options in the -o option go to the servlet. For example, -o
"-p c:\Windows" installs the servlet in the Windows folder. Any normal servlet install options
can be used in the -o option. Be sure to use quotes when using the -o option.
The -v option is compared against already installed servlets to verify if an update is needed. If the
information in -v does not match the installed servlets, an update is pushed.
For more details, see the Deploying and Running Servlets chapter of the SAFE Administration
User's Guide.
Note: EnCase now integrates with ePolicy Orchestrator 4.5 Server and McAfee Agent.

HASP SRM 5.75 Security Key Driver
EnCase supports the use of the HASP SRM 5.75 security key driver. This allows the HASP
security key to be used with Windows 7.
Note: Under Windows 7, install the security key driver using the HASP SRM 5.75 run-time command-line installation.

Source Processor
Managing EnCase Portable from within Source Processor
Access to EnCase Portable has been consolidated within Source Processor. To manage EnCase
Portable from Source Processor, open either the Collection Jobs or Collected Data tab, then
click Manage Portable Devices. All EnCase Portable functions can be accessed from there.

Preview
You can quickly preview all the data on your EnCase Portable USB storage device without
importing it first.
1.

From Source Processor, open the Collected Data tab.

2.

Click Manage Portable Devices. The Manage Portable Devices dialog displays.

3.

Click Preview. Source Processor performs a full analysis of all collected evidence files on
the selected devices and creates a report showing the combined results. No information is
copied or imported during this process.

If you want to import the previewed information, click Import Evidence.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

6

Improved Targeting of Cases
Source Processor can now identify and target any item that can be added to a case. This includes:


An evidence file



A previewed drive (either the local machine or a remote node)



One or more single files



RAM

When a case is specified as a target in a job, a window displays a list of items in the case, divided
into two categories: devices and machines.


Devices are items that do not have a live connection (such as single files, evidence files, or
RAM).



Machines are all the devices that have a live connection (such as a local machine or
remote node).

Clear any items that you do not want used for the collection job. When the collection is complete, a
LEF is created for each selected item, which can then be analyzed separately.

Log Parsers
Linux Syslog Parser Module
The Linux Syslog Parser module collects and parses Linux system log files and their system
messages. It then is able to provide information about the machine, log file summaries, and log
messages.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

7

Windows Event Log Parser Module
The Windows Event Log Parser module collects information pertaining to Windows events logged
into system logs, including application, system, and security logs.

WTMP/UMP Log Parser Module
The WTMP/UTMP Log Parser module parses the Unix systems' WTMP and UTMP files, which
record all login activities. In the module analysis reports, the WTMP-UTMP Log Parser provides
information about machine, login type, and login message.

Enhanced Internet Artifacts Module
The Internet Artifacts module has been enhanced to capture a variety of Internet usage information
including caches information, cookies, bookmarks, and downloaded data.

Device Decryption
When encrypted physical or logical devices are encountered during the running of a job, an
Encryption Information dialog displays to provide you with decryption options.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

8

If credentials to decrypt the drive are not known, a hyperlink prompt appears in the Valid Credential
column. Clicking on this hyperlink opens up a credential dialog specific for the encryption protocol
detected. For example, for a device using PGP encryption, the following dialog displays for you to
enter decryption credentials, if known.

If credentials are not known, or if the device is encrypted with a protocol not currently supported by
EnCase Portable, the device is not mounted; however, if you are running the Acquisition Module,
the device is acquired in its encrypted state.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

9

Items Fixed
Add Device/Preview/File System
723: Free BSD only shows when Read File System is disabled.
24720: A raw image that cannot be verified claims the file is verified with zero errors.
25766: When adding a FAT16 formatted device smaller than 16 MB, EnCase detects the device as
FAT12.
25920: Selecting FAT volume in the Add Raw Image dialog does not add an image file.
26005: While adding a Tableau write blocked device, if you add a USB device during the power
down phase and then turn the Tableau device back on, the USB device displays as the new
source drive. The Tableau device displays as one drive letter and one disk number below the USB
device.
27215: EnCase cannot dismount the volume of a thumb drive in Disk view.
27217: When adding a thumb drive to EnCase, if you clear the Read File System column, EnCase
still reads the file system.
29726: Files being previewed on an AIX 5.3 volume with the JFS2 file system incorrectly show as
deleted or overwritten in EnCase.
29735: $volume name is parsed incorrectly from a Vista machine.
29846: File Acquired Time in an evidence file is different for FAT32 and NTFS volumes when the
times should be the same.
30510: When adding partitions manually, EnCase creates two partitions instead of one.
30954: EnCase may crash when mounting corrupt Microsoft Office documents with View File
Structure.

Bookmarks
4077: When the Bookmarks root entry is selected in the Tree pane, the Summary Bookmark option
is missing from the Edit menu.
5417: After selecting Excluded for a bookmark entry, the bookmark remains in the list.
28054: Japanese language Firefox bookmarks are garbled.
29604: EnCase does not bookmark hex on the root volume of an array.
© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

10

29847: After selecting Set Include, the report fails to display device information bookmarks for
logical volumes.
30485: Partition table information does not display in bookmark data.
30588: Sweeping a 4-byte date in the registry, then bookmarking the date, produces no results.
30659: When sweeping bookmarks, some data types do not function as expected.
30693: When sweeping a bookmark and selecting an integer data type, no data displays.
31161: When using a sweeping bookmark on an HTML unicode file, the bookmark data box
displays more information than was actually bookmarked.

Compressed/Archived Files
7205: Selecting attachments for .edb files defaults to the "PR_ATTACH_SIZE" entry.
23823: After adding and removing a partition, then selecting View File Structure, an error message
displays: "A file at this offset has already been parsed."
28732: Certain DBX email does not display the message body in Report view.
28049: Unable to mount .dbx files using View File Structure.
29344: EnCase does not display the full data stream from a Word document.
30885: Some NTFS compressed files display incorrectly in EnCase, resulting in inaccurate hash
values. This is also the case when some NTSF compressed files are exported via copy/unerase.

Doc/Transcript
2592: The embedded bar diagram image created in Word 2007 document does not display in the
Doc tab.
8066: EnCase does not parse an image of a PowerPoint file in the Doc tab.
13341: Doc View does not display documents correctly after bookmarking data.
14827: Print file path header is truncated if it is longer than one line.
20812: Outside In does not render a cab.exe single file.
20924: File content is truncated in Transcript tab using Outside In 8.2.
20939: EnCase does no view .rar content in Transcript tab using Ouside In 8.2 with Encase x64bit installer.
24268: Outside In 8.2.2 cannot render mwkd file types, yet text can be read in Text view.
© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

11

EnCase Modules
2160: An unpartitoned SCSI drive causes FastBloc SE dialog to hang indefinitely.
10298: Uninstalling drivers for SIIG Ultra ATA 133 manually, then attempting to write block the IDE
channel, generates an error.
29627: MS Office Category metadata is missing when a file is mounted using View File Structure.
29805: Decrypting a BitLocker drive does not allow for subsequent decryption.
30595: Running Analyze EFS may cause EnCase to crash.

EnScript
2187: When searching mounted files of large size, EnCase generates the message "Memory
Allocation Error 8. Not enough storage is available to process this command."
26441: After running Case Creator (V3) script, the new case file name is not populated in the
metadata of the new evidence file.
27407: RegistryClass does no open specific hives passed to it.
27719: LocalFileClass::SetTimeStamps(EntryClass) does not consistently set date fields on some
files.
28277, 29986: In EnScript.chm file, description of MemoryFileClass::Open(uint,uint) is incorrect.
28498: UTF-8 parsing of AOL email does not display the character set correctly under Entries.
28999: Circular references or multi-threaded EnScripts may crash EnCase.
29031: Scan Local Machine may crash during a collection when the mount option is set to Mount Detect Extension.
29076: Calling EvidenceFileClass::SetStopSector has no effect on acquisitions using this
EntryFileClass object.
29077: EvidenceFileClass::SetCompression does not affect acquisitions.
29149: The Machine Survey Servlet Deploy script does not deploy servlets to a range of IP
addresses.
29280: Record::ExportMessage() does not remove an invalid file name.
29312: When using the Compromise Assessment Module via the Scan Local Machine EnScript,
the bookmark folders created always indicate a registry value was present, regardless of the actual
contents of the registry.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

12

29458: After performing an Internet History search using EnScript with an unknown parameter in
the Add Bookmark function, then saving and reopening the case, EnCase crashes.
29542: Link File Parser does not create a bookmark folder for Vista.
29582: In Bookmark Data and Link File Parser, Windows time shows a one hour difference when
Account for Seasonal DST is selected by default.
29776: Error in EnScript Help: array = {“asd”, ”cds”, ”vfd’, “fdg”}; should be array
{“asd”, “cds”, “vfd”, “fdg”};.
29845: The tab delimited output for Link File Parser does not report all hits.
29905: Running Machine Survey Servlet Deploy exits with an internal error when attempting to
deploy a servlet or verify that a servlet is installed.
29915: EnScript documentation for EntryFileClass::Open(EntryClass, uint, CredentialClass) is
incorrect.
30117: Running the Find Protected Files EnScript in Case Processor with the option Determine
file type using signature analysis checked results in an internal error.
30200: If you have a remediation enabled SAFE, the Sweep Enterprise Scan Registry module
does not write a value to a registry key.
30663: Windows Initialize Case EnScript reports incorrect logon dates and times.
30688: You cannot install a servlet on Vista or 2008 machines with WMI on, FW off, and UAC off
using the Machine Survey Servlet Deploy EnScript.
30894: The constructor for EntropyClass is missing, so you cannot create EntropyClass objects.
31099: Sweep Enterprise Connection Details screen does not reference all swept nodes.

Evidence Files/Logical Evidence Files/Single Files
3555: The File Integrity column displays "verifying" even though the verification is cancelled.
9969: After selecting New from the Single Files context menu in the Table pane, you cannot
navigate to a file using the New Entry dialog.
30519: Adding an evidence file to a case may cause a division by zero error.

Export Files/Folders
26970: Copy/Unerase does not use times or dates of a file attribute when exporting a file stream.
30484, 30800, 31044: Column headings are missing in Table view when an item is exported to
text, RTF, or HTML.
© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

13

Filters/Conditions/Queries
24729: When creating a new filter, clicking OK in the New Filter dialog does not open the new filter
code tab.
26443: After deleting a filter, EnCase does not close the source code tab for that filter.
30331: Some files with the same hashes are not excluded after running the Remove Duplicate by
hash filter.

Hashing/Searching/Signature Analysis
27320: !Bad signature displays at folder level instead of file level.
27772: The Hash Items tab menu mistakenly contains an Import option.
29375: The search hit from a keyword does not display at first.
29589: There are invalid search hits in $UsnJrnl·$J. In the Search Hits tab, the hits are blank in
the Preview column and zeroes in Hex view.

Internet
4555: EnCase displays an empty Last Accessed column after Internet History search on an
evidence file containing Opera browser history.

Report
2373: When exporting a report from the Cases > Home tab in .html format, EnCase includes
tables containing items from other tabs (such as Entries, Bookmarks, Search Hits, etc.).
26118: Print tags for header and footer do not show expected data for CasePath or FullPath.
27743: An image file does not display in a report after saving the case file.
30078: Bookmarked volume information disappears in Report view when you select Set Include
for a folder.

SAFE
30013: The servlet is not calling back to the secondary SAFE when the primary SAFE is offline.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

14

UI/Controls
29524: When EnCase is in Acquisition or Enterprise mode, the menu option View > Encryption
Keys is missing.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

15

Known Limitations
10239 and 29960: Unable to preview CD media on a Solaris node in EnCase. Solution: on the
Solaris machine, you must disable the service enabling automount. The administrator needs to
enter the command svcadm disable volfs.
10535: EnCase can acquire memory processes, but shows that the process is the physical size of
the RAM, instead of what the operating system actually sees.
29579: Solaris 9 64-bit servlet will not run until additional library files are added to the operating
system.
26383: File association does not work with evidence files in Windows (using the Windows
Explorer/Tools/Folder options) due to a Windows configuration dialog limitation. Note, however,
that file association works properly when editing the path using the advanced menu in EnCase.
29628: Empty Excel file metadata is not mounted properly using View File Structure. The modified
data is in the file but at the very top instead of in the summary section of the binary format. The
problem is resolved when you save the file for the first time.
29755: For certain .htm files, Outside In 8.3 Transcript viewer replaces line feed character (0A)
with carriage return character (0D).
29787: For certain xlsx files, Outside In 8.3 Transcript viewer removes some quote (hex 22)
characters.
29788: In preview SecureDoc 4.6 and higher with EnCase 6.15, if you attempt to preview a remote
node that is running a servlet from a SAFE older than version 6.15, the remote node goes to blue
screen. You must upgrade the SAFE to version 6.15.
30009: Unable to decrypt Guardian Edge encrypted device using a Vista examiner machine. If you
use EnCase on a Vista operating system to decrypt a GuardianEdge encrypted device, you must
download the msvcp71.dll from Microsoft at http://msdn.microsoft.com/enus/library/k9a8ehy3(VS.71).aspx http://msdn.microsoft.com/en-us/library/k9a8ehy3(VS.71).aspx
and place it in the Encase6\lib\PC Guardian-Guardian Edge\EAHD directory in addition to the two
GuardianEdge dll files.
30013: For Sweep Enterprise to connect to remote machines, you must include the port number in
the SAFE name in the servlet check-in list.
30093: Installing the SAFE from a Backup1.sbk file on a Vista 64-bit machine causes Error
creating service. This only happens when a dongle is not plugged in. If the dongle is in place, this
error does not occur.
30363: EnCase takes significant processing time during "Parsing Alternate Data" when attempting
to mount a *.dbx file when it is part of a *E01 file. This occurs when there is a large number of
deleted email messages in the *.dbx file.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

16

30447: The Windows Event Log Parser supports Microsoft® Windows XP, 2008 and Vista.
Windows 7 is not currently supported.
30810: Entries are unexpectedly blue checked. A device offset is the byte offset from the beginning
of an evidence file. Blue checks are stored as device offsets because they are globally unique
across evidence. The area of evidence that makes up an entry is not unique, however, since two
entries can represent the same location on disk. When the blue check resolution occurs, EnCase
checks all Entries that cover the device offset associated with the blue check. Since more than one
entry can cover a location in evidence (for example, deleted files), more than one entry can be blue
checked.
30970: Acquired volume may show a different hash value than the preview of the whole disk. This
is because when previewing the whole disk, if the drive size is smaller than the size reported by
the partition table, the drive has a volume slack of 1. In acquiring a volume through Sweep
Enterprise, EnCase uses the size offered by the operating system (without volume slack). Manually
decreasing the stop sector by 1 results in the same hash value.
31254: Bookmarks in cases created in older versions of EnCase must be recreated in version 6.15
for EnCase to parse the bookmarks correctly.
31334: The HASP HL driver installs successfully, but Device Manager shows it as an unknown
device on Windows Server 2008 (32 and 64-bit) and Windows 7 (32 and 64-bit). This may happen
if you use a Security Key Dongle that has older firmware.
31375: Printing from the Doc tab produces several pages instead of a single document. This
occurs if you specify both the %f and %p switches. Use only one of the options to avoid possible
printer problems.

31399: In the Source Processor Case Target Options dialog, if you select Machines, but no
Devices, no data is reported after running an analysis. This is because the Machines option is
limited to access and registry only.
31530: The Promise Technology Ultra 66 Controller Card does not include drivers for Windows 7
(32 and 64-bit) or Windows 2008 Server (32 and 64-bit).
© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

17

EnCase Version 6 Guidance Product Version
Matrix
The Guidance Product Version Matrix (GPVM) displays a version-to-version compatibility table for
all of our products. For information about EnCase compatibility with our other products, see the
GPVM at: https://support.guidancesoftware.com/node/1108.

Support
Technical Support
You can find product-specific technical assistance online at http://www.guidancesoftware.com,
or please contact the Guidance Software Technical Services Department.
Support is available between our US and UK offices 24 hours a day, Monday through Friday,
excluding public holidays. Calls are automatically routed to the open office.
United States (626) 229-9191, ext. 565 Monday - Thursday, 5 AM - 10 PM; Friday 5 AM 7PM Pacific time
United Kingdom +44 (0) 175-355-2252, option 4 Monday - Friday, 6 AM - 4 PM UK time

Customer Service
Please direct service questions and concerns to the Guidance Software Customer Service
Department:
215 North Marengo Avenue
Second Floor
Pasadena, CA 91101
Phone: (626) 229-9191, press 5 Monday - Friday, 7:00 AM - 5:00 PM Pacific time
Fax: (626) 229-9199
Email: [email protected]
You can access our Customer Service Request Form online at
http://www.guidancesoftware.com/support/cs_requestform.aspx.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice
and is provided for informational purposes only.

18

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close