EnCase Version 7.10 Release Notes

Author: Stanley Norris
EnCase® Version 7.10 Release Notes July 30, 2014

EnCase Version 7.10

Thank you for using Guidance Software products. The Release Notes for this version of EnCase contain important information regarding your EnCase application. Before you install, we recommend that you read the Release Notes to better understand the changes we have made.

SAFE Version

The SAFE version for this release is 7j6.

© 2014 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice and is provided for informational purposes only.

New Features

Enhancements to Reporting

Connecting Bookmark Folders and Report Sections

You can access reports directly and add folders to a report by using the Report Template Wizard. To use the wizard:

1. On the Bookmarks tab, click Reports, then click Add folder to report from the dropdown menu.


2. The Add folder to report dialog displays.

3. Select an existing section, or create a new custom section. To create a new section, enter a section name in the area and click Add. The new section is created as a child of the currently selected section or report. In the example below, a section called Conclusions is added to the body of the report.


4. Click Next. The second Add folder to report dialog displays. It enables you to apply commonly used formatting to the report. When you click a Report section formatting checkbox, the wizard generates Report Object Code automatically.



- Restart numbering restarts numbering at 1 in a new section, instead of continuing numbering from a previous section.
- Hyperlink to exported items configures the report section to add a hyperlink to exported data.

5. Click Preview to see how the formatting will display in the report.


6. To add metadata, click Customize metadata. The Customize metadata dialog displays.

a. In the Metadata fields pane on the left, click the field you want to work with (Item fields, Entry fields, Common email fields, Record fields).
b. In the Name pane in the middle, click the name of a metadata type you want to add to the report, then click the double right arrow button (>>) to add it to the Display order list.




Note that as you add metadata items to the Display order list, the preview pane updates dynamically to reflect your choices.



- To change the order, click the item in the Display order list you want to change, then click the Up or Down button. Repeat as necessary to get the order you want.
- To remove an item from the Display order list, click it, then click the double left arrow button ( Select tagged items.


2. The Select Tagged Items dialog displays.

3. Select the tags you want, then click OK.

Note: There are still some operations (for example, Create Logical Evidence File) that act on selected items only.

Dell Data Protection 8.3 Support

EnCase now supports Dell Data Protection 8.3. The technology and procedure are the same as with Dell Data Protection 8.3's predecessor, Credant Mobile Guardian. For more information, see the "Credant Encryption Support (File-Based Encryption)" topic in the EnCase Decryption Suite chapter of the EnCase Examiner Version 7.10 User's Guide.


WinMagic SecureDoc Self Encrypting Drive (SED) Support

You can now unlock and decrypt SED drives in EnCase using WinMagic.

1. Connect a WinMagic SecureDoc managed SED to the forensic workstation. Only the 128 MB Master Boot Record shadow file system is available to the OS.

2. Add the physical device to your case in EnCase.


3. Open the device and enter your SecureDoc credentials when prompted.

4. Click OK. EnCase parses the file system, and the SED is unlocked and presented to EnCase (but it is still invisible to the OS).


EnCase Starter Installer

A new wizard streamlines installation of the EnCase Examiner and SAFE into a single workflow. The Starter Installer reduces the time and effort between download and first investigation. The wizard:

- Installs the Examiner and SAFE on a single machine
- Simplifies basic configuration:
  - Generates electronic license and SAFE activation files in a single step.
  - Automatically configures the SAFE NAS for the installed examiner.
  - Creates a network tree with a default role and permissions, and allows machine creation.
  - Creates keymaster and investigator user encryption keys.

All instructions and relevant information are provided in-line for each step, eliminating the need to consult the user's guide. If you need to interrupt installation, you can resume later at the step where you paused, or you can restart installation. A progress indicator advances as you complete each step and shows where you are in the installation process.

You can access the installer wizard via a link in your MyAccount email. It is a separate self-extracting executable.

Note: You can still use the previous manual method of installing EnCase Examiner and the SAFE. The new installer wizard streamlines the process and makes it possible to begin working in EnCase expeditiously.

Items Fixed

Add Device/Preview/File System

CORE-964/69775: Building software RAIDs using Scan Disk Configuration was not working. This is fixed.
65144: The sparse size of an Ubuntu ext3 file was not properly reported. This is fixed.

Bookmarks

CORE-1035/69861: After bookmarking email messages with attachments, going to the Reports tab and clicking Save As > HTML and clicking the Export Files checkbox, the HTML report created thumbnails for the image but not links to the exported file. This is fixed.
CORE-951/69808: Bookmarking a file from Evidence view, then bookmarking the same file from Go to File view displayed two different true paths. They should be identical. This is fixed.


Case Analyzer

CORE-990/69836: When running a snapshot against a network target, the State column did not display and it was not possible to see the status of the servlet. This is fixed.

Doc/Transcript

CORE-391/69670: Images in a rebuilt Web page were not rendering correctly. This is fixed.

Documentation

CORE-831-69766: EnScript Help contained examples that did not work or were not best practice. This is fixed.

EnScript IDE

FOR-1415/69645: When running WELP for EVT files, the Event ID column displayed meaningless numbers (for example, 1,073,742,824 instead of 1,000). This is fixed.

Evidence Processor

CORE-28/60578: After running the Evidence Processor more than once, the Transcript tab contained no text. This is now fixed.

Export Files/Folders

CORE-157/69390: When exporting duplicate files from two different locations of the same drive, the duplicate file name had no bracket. For example, an original file name is Mov_3092 and the duplicate file name is Mov_30921, instead of Mov_3092[1]. This is now fixed.

Filters/Conditions/Queries

CORE-385/69658: After sorting a column, then running a condition or filter and returning to the original view, sorting did not persist. This is fixed.
CORE-37/63110: After selecting Category in Properties for a condition, and then running the condition, an error message "Cannot read integer" displays. This is fixed. Proper dialog controls are now in effect.


Index/Query Index

GSI-17410/70021: During multiple passes of Evidence Processor, indexing became unavailable. This is fixed.
CORE-44/66161: Applying the NOT operator to an index query yielded incorrect results. This is fixed.
66161: Some compound index queries with NOT terms did not yield correct results. This is fixed.

Keyword Searching

CORE-113/69660: When performing a second raw search on a single file, the keyword does not populate in the search view, even though the search is in progress, and the Refresh button is inactive. This is now fixed.
CORE-48/69058: When viewing keywords in larger files using the Review tab, EnCase became very slow or froze. This is fixed.

Logging

CORE-56/69358: After wiping a disk, the console should show the amount of total sectors, as well as read/write and verify errors. These fields were not populating in the console. This is fixed.

Records

CORE-55/69202: When viewing EMLX files in Records view, it was possible to use the Show Columns option to deselect the default metadata columns and then select columns that are invalid for EMLX files. This caused the UI options (for example, Go to Parent, Sort, Show Columns, etc.) to disappear. This is now fixed.

Report

CORE-475/69741: Exporting a report as a PDF caused a blank page at the end of the PDF. This is fixed.
CORE-416/69703: Adding the SHOWTABLE option to report formatting caused most of the attribute list values to disappear. This is fixed.
CORE-43/65744: User defined formatting was not persistent for tables in a report. This is fixed.
CORE 41-64210: After clicking Rescan on the Evidence tab multiple times, elements are missing from the report. This is fixed.


SAFE/Network

CORE-337/69581: After running Sweep Enterprise, EnCase held up connections and did not allow subsequent sweeps unless EnCase was closed and relaunched. This is fixed.

UI/Controls

CORE-19/52132: The File Type Tag column was not sorting correctly for either ascending or descending order. This is fixed.

UI/Embedded

CORE-386/69587: After performing a search and selecting Go to File in the Search tab, the physical device name was missing from the Item Path and True Path columns. This is fixed.

Known Limitations

CORE-1322: When exporting items in Search Results, if Add to existing evidence file is selected, EnCase will crash.
CORE-895/69792: The index uses all caps by default; so, for example, DOBBS is the only possible hit for a search on DOBBS. dobbs, Dobbs, and all other case variations are in a different set.

Found in Version 7.09.04

69649: After several iterations of running Case Analyzer and bookmarking, when clicking on a bookmark created with Case Analyzer, EnCase may crash.

Found in Version 7.09.02

68889: Outside In: EnCase hangs while viewing some .mif files.

Found in Version 7.08.01

67028: EnCase becomes unstable when you drag and drop evidence into a case while a sort operation is running.


Guidance Software Product Compatibility Tables

The Support Portal contains a list of version-to-version compatibility tables for all Guidance Software products at https://support.guidancesoftware.com/matrix.

Target Machine Operating Systems

Servlets are deployed on target machines and can be used to search the following operating systems:

- AIX 4.3, 5.1, 5.2, 5.3, 6.1, 7.1
- HPUX 11.0, 11.1x, 11.2x
- Linux Kernels 2.6.9 (32 and 64-bit) or 2.6.4 (32-bit) or higher with Process File System (procfs)
- NetWare 5.1 SP8, 6.0 SP4, 6.5
- Mac OS X 10.2 through 10.9.2 (32 and 64-bit, Intel, and PPC)
- Solaris 8, 9, 10 (32 and 64-bit, SPARC only)
- Windows XP (32 and 64-bit)
- Windows Vista (32 and 64-bit)
- Windows 7 (32 and 64-bit)
- Windows 8 (32 and 64-bit)
- Windows 8.1 (32 and 64-bit)
- Windows NT/2000
- Windows Server 2003 (32 and 64-bit)
- Windows Server 2008 (32 and 64-bit)
- Windows Server 2008 R2 (32 and 64-bit)
- Windows Server 2012 R2 (64-bit)


Encryption Support

EnCase now supports the following encryption products.

| Vendor | Product | Supported Versions | 64-bit Support |
|---|---|---|---|
| Check Point | Check Point Full Disk Encryption (formerly Pointsec PC) | 6.3.1 up to 7.4, 8.0 (for Windows and Macintosh computers) | Yes |
| Credant | Mobile Guardian | 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8, 7.3 | Yes |
| Dell | Data Protection | 8.3 | Yes |
| GuardianEdge | Encryption Plus/Anywhere | 7 and 8 | No |
| GuardianEdge | Hard Disk Encryption | 9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1 | Yes |
| McAfee | EndPoint Encryption (formerly SafeBoot) | 4, 5, 6, 7 (for Windows and Macintosh computers) | Yes |
| Microsoft | BitLocker and BitLocker To Go | Windows Vista, 7, and 8, Server 2008 | Yes |
| Sophos | SafeGuard Easy and Enterprise (formerly Utimaco) | 4.5, 5.5, 5.6, 6.0 | Yes (only for SafeGuard Easy, not for Enterprise) |
| Symantec | PGP Whole Disk Encryption | 9.8, 9.9, 10, 10.1, 10.2 | Yes |
| Symantec | Endpoint Encryption | 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0, 8.2 | Yes |
| WinMagic | SecureDoc Full Disk Encryption and Self-Encrypting Drives | 4.5, 4.6, 5.x, 6.x | Yes |


USGCB Compliance

EnCase has been validated as USGCB compliant using the following version of NIST VHD images:

- 10/14/11 (for Windows 7 only)

EnCase was tested using Retina Network Security Scanner, which is an NIST validated USGCB scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).

Support

Technical assistance is available online at http://www.guidancesoftware.com/technicalsupport.htm. From this page you can register for and access the Guidance Software Support Portal, an invaluable resource providing product-specific technical forums, an extensive knowledge base, a bug tracking database, and an Online Submission Form for your questions.

Technical Support

Guidance Software offers several technical support options, including:

- Live Chat
- Support Request Form
- Email
- Telephone

Customer Service

Please direct service questions to the Guidance Software Customer Service Department:

Monday–Friday 7 AM–5 PM Pacific time
Phone: (626) 229-9191, press 5
Fax: (626) 229-9199
Email: [email protected]
1055 E. Colorado Blvd.
Pasadena, CA 91106-2375

You can access our Customer Service Request Form online at http://www.guidancesoftware.com/CustomerServiceRequest.aspx.
