EnCase® Version 6.15 Release Notes
October 29, 2009

EnCase Version 6.15

Thank you for using Guidance Software products. The Release Notes for this version of EnCase contain new feature highlights, the most current compatibility details, platform and browser support, known issues, and items fixed. Before you install the upgrade, we recommend that you read these Release Notes to better understand the changes we have made.

© 2009 Guidance Software, Inc. All rights reserved. Information in these release notes is subject to change without notice and is provided for informational purposes only.

New Features

Windows Server 2008 Support

EnCase supports running on Windows Server 2008 32-bit and 64-bit. This includes:
- Examiner 32-bit and 64-bit
- ProSuite (EnCase Decryption Suite, Virtual File System, Physical Disk Emulator, and FastBloc SE) 32-bit and 64-bit
- 32-bit and 64-bit servlets

Windows 7 Support

EnCase now supports running on Windows 7 32-bit and 64-bit. This includes:
- Examiner 32-bit and 64-bit
- ProSuite (EnCase Decryption Suite, Virtual File System, Physical Disk Emulator, and FastBloc SE) 32-bit and 64-bit
- 32-bit and 64-bit servlets

on these versions of Windows 7:
- Professional
- Ultimate
- OEM
- Enterprise

Note: EnCase does not support analysis of Windows 7 artifacts via EnScript. EnCase also does not support decryption of Windows 7 BitLocker volumes.

GuardianEdge 9.2 Support

EnCase supports decryption of encrypted disks using GuardianEdge Hard Disk Encryption version 9.2.

WinMagic SecureDoc 4.6 Support

EnCase supports decryption of encrypted disks using WinMagic SecureDoc Full Disk Encryption version 4.6.

CREDANT Mobile Guardian 5.4.2 Support

EnCase supports decryption of encrypted files using CREDANT Mobile Guardian 5.4.2.
Fast File Transfer

EnCase provides improved performance when the servlet transfers files to EnCase. Previously, EnCase requested one chunk of data (32 KB) at a time, so transferring a large file required the examiner to send many read commands. Although extremely robust, this protocol, combined with network latency, could cause significant delays on some networks. In the new approach, the examiner sends a single read command, and error handling is left to the TCP/IP layer.

This functionality is built into the EnCase UI, and it is also available from EnScript, where a new method, CopyFile, has been added to the file class. It takes two parameters:
- Output file
- Size (optional)

If size is not specified, the data from the current position to the end of the file is transferred.

Note: This is EnScript-specific and is not the default file transfer method for EnCase.

Enhanced FAT Parsing

Not all implementations of the FAT file system can be detected automatically. For example, some FAT16 volumes on certain removable media may be detected as FAT12. To address this, EnCase provides an option to specify the FAT type (FAT12, FAT16, or FAT32) to parse. This option is included in the Add Raw Image and Add Partition dialogs.

Add Raw Image Dialog

1. Click File > Add Raw Image. The Add Raw Image dialog opens.
2. Click the Volume option button, then select the Partition Type for the FAT volume you are parsing.
3. Click OK.

Add Partition Dialog

1. Select the Disk tab in Table view, then right-click to open the dropdown menu.
2. In the dropdown menu, click Add Partition. The Add Partition dialog opens.
3. Select the Partition Type for the FAT volume you are parsing.
4. Click OK.

Refresh Bookmarks in EnScript

EnCase now includes the ability to save bookmarks in the background while an EnScript is still running. This feature is especially useful with EnScripts such as Sweep Enterprise when used in conjunction with the Check-in servlet feature. While the EnScript is still running, the user can refresh the bookmark view, and the data collected up to that point is populated and available for review.

Outside In 8.3 Support

EnCase now supports Oracle Outside In version 8.3 technology for viewing various file formats.

Enhanced McAfee ePolicy Orchestrator (ePO) Integration

There is a new way to deploy EnCase Enterprise servlets using McAfee's ePolicy Orchestrator. The installation has been simplified: certsetup.exe is no longer used. Copy setup.exe from the SAFE install folder to the shared folder. A small program copies setup.exe from the shared folder, installs the ePO DLLs, then installs the servlets. There is no longer a need to reinstall ePO every time the servlets are updated.

There are two new command line options:
- -o
- -v

The -o option is a passthrough: any options given inside -o are passed to the servlet. For example, -o "-p c:\Windows" installs the servlet in the Windows folder. Any normal servlet install option can be used inside -o. Be sure to quote the value of the -o option.

The -v option is compared against the already installed servlets to determine whether an update is needed. If the information in -v does not match the installed servlets, an update is pushed.

For more details, see the Deploying and Running Servlets chapter of the SAFE Administration User's Guide.

Note: EnCase now integrates with ePolicy Orchestrator 4.5 Server and McAfee Agent.
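The misdetection described under Enhanced FAT Parsing above (and fix 25766 under Items Fixed) comes from the two different ways a FAT type can be inferred: the cluster-count thresholds in Microsoft's FAT specification, and the BS_FilSysType label that the formatting tool wrote into the boot sector. The following Python is an added example and is not code from Guidance Software or from EnCase; the 8 MB boot sector and the FAT table it parses are constructed inline for illustration. It classifies the volume both ways, shows that they disagree for a small volume formatted as FAT16 with 4 KB clusters, and walks one cluster chain with each FAT width to show why reading a FAT16 table as FAT12 yields a broken chain, which is the situation the Partition Type override in the Add Raw Image and Add Partition dialogs is meant for.

```python
"""Why a small FAT16 volume can be mis-detected as FAT12 (added example)."""
import struct

# Cluster-count thresholds from Microsoft's FAT specification. The spec defines
# the FAT type by the number of data clusters, not by the label in the BPB.
FAT12_MAX_CLUSTERS = 4085
FAT16_MAX_CLUSTERS = 65525

# Smallest end-of-chain marker for each FAT width.
EOC_MIN = {"FAT12": 0xFF8, "FAT16": 0xFFF8, "FAT32": 0x0FFFFFF8}


def parse_bpb(boot_sector):
    """Extract the BIOS Parameter Block fields needed to size the data area."""
    (bytes_per_sec, sec_per_clus, rsvd_sec_cnt, num_fats,
     root_ent_cnt, tot_sec16) = struct.unpack_from("<HBHBHH", boot_sector, 11)
    fat_sz16 = struct.unpack_from("<H", boot_sector, 22)[0]
    tot_sec32 = struct.unpack_from("<I", boot_sector, 32)[0]
    fat_sz32 = struct.unpack_from("<I", boot_sector, 36)[0]  # FAT32 layout only
    return {
        "bytes_per_sec": bytes_per_sec, "sec_per_clus": sec_per_clus,
        "rsvd_sec_cnt": rsvd_sec_cnt, "num_fats": num_fats,
        "root_ent_cnt": root_ent_cnt,
        "tot_sec": tot_sec16 or tot_sec32,
        "fat_sz": fat_sz16 or fat_sz32,
    }


def count_clusters(bpb):
    """CountofClusters exactly as the specification computes it."""
    bps = bpb["bytes_per_sec"]
    root_dir_sectors = (bpb["root_ent_cnt"] * 32 + bps - 1) // bps
    overhead = bpb["rsvd_sec_cnt"] + bpb["num_fats"] * bpb["fat_sz"] + root_dir_sectors
    return (bpb["tot_sec"] - overhead) // bpb["sec_per_clus"]


def fat_type_by_cluster_count(boot_sector):
    """Specification rule: the normative way to determine the FAT type."""
    n = count_clusters(parse_bpb(boot_sector))
    if n < FAT12_MAX_CLUSTERS:
        return "FAT12"
    if n < FAT16_MAX_CLUSTERS:
        return "FAT16"
    return "FAT32"


def fat_type_label(boot_sector):
    """The BS_FilSysType string the formatter wrote (offset 54 on FAT12/16, 82 on FAT32)."""
    fat_sz16 = struct.unpack_from("<H", boot_sector, 22)[0]
    off = 54 if fat_sz16 else 82
    return boot_sector[off:off + 8].decode("ascii", "replace").strip()


def fat_entry(fat, n, fat_type):
    """Read FAT entry n using the given entry width."""
    if fat_type == "FAT12":
        # 12-bit entries are packed 1.5 bytes each; odd entries use the high nibbles.
        val = struct.unpack_from("<H", fat, n + n // 2)[0]
        return (val >> 4) if n & 1 else (val & 0x0FFF)
    if fat_type == "FAT16":
        return struct.unpack_from("<H", fat, n * 2)[0]
    return struct.unpack_from("<I", fat, n * 4)[0] & 0x0FFFFFFF


def follow_chain(fat, first, fat_type, limit=64):
    """Walk a cluster chain; returns (clusters, terminated_cleanly)."""
    chain, cur = [first], first
    while len(chain) < limit:
        nxt = fat_entry(fat, cur, fat_type)
        if nxt >= EOC_MIN[fat_type]:
            return chain, True          # proper end-of-chain marker
        if nxt < 2:
            return chain, False         # free/reserved cluster: chain is broken
        chain.append(nxt)
        cur = nxt
    return chain, False


def build_small_fat16_boot_sector():
    """Constructed 8 MB volume: 16384 x 512-byte sectors, 4 KB clusters, two
    8-sector FATs, 512 root entries, labelled FAT16 by its formatter."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBH", bs, 11, 512, 8, 1, 2, 512, 16384, 0xF8, 8)
    bs[54:62] = b"FAT16   "
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def build_fat16_table():
    """Constructed 8-sector FAT16: media/reserved entries, then chain 2 -> 3 -> 4 -> EOC."""
    fat = bytearray(8 * 512)
    struct.pack_into("<HHHHH", fat, 0, 0xFFF8, 0xFFFF, 0x0003, 0x0004, 0xFFFF)
    return bytes(fat)


def demonstrate():
    bs, fat = build_small_fat16_boot_sector(), build_fat16_table()
    return {
        "clusters": count_clusters(parse_bpb(bs)),
        "type_by_cluster_count": fat_type_by_cluster_count(bs),
        "type_by_label": fat_type_label(bs),
        "chain_as_fat16": follow_chain(fat, 2, "FAT16"),
        "chain_as_fat12": follow_chain(fat, 2, "FAT12"),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

On a real device, read the first 512 bytes of the volume for the boot sector and find the first FAT at reserved-sector count times bytes-per-sector. When the two classifications disagree, the width the formatter actually wrote into the FAT is what matters, and that is the type to select in the Partition Type dropdown; the label is a hint, not proof. A practical check before committing to a type is to walk a few chains from the root directory with each width and keep the width whose chains end on end-of-chain markers rather than on free or out-of-range entries.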
HASP SRM 5.75 Security Key Driver

EnCase supports the HASP SRM 5.75 security key driver, which allows the HASP security key to be used with Windows 7.

Note: Under Windows 7, install the security key driver using the HASP SRM 5.75 run-time command-line installation.

Source Processor

Managing EnCase Portable from within Source Processor

Access to EnCase Portable has been consolidated within Source Processor. To manage EnCase Portable from Source Processor, open either the Collection Jobs or Collected Data tab, then click Manage Portable Devices. All EnCase Portable functions can be accessed from there.

Preview

You can quickly preview all the data on your EnCase Portable USB storage device without importing it first.

1. From Source Processor, open the Collected Data tab.
2. Click Manage Portable Devices. The Manage Portable Devices dialog displays.
3. Click Preview.

Source Processor performs a full analysis of all collected evidence files on the selected devices and creates a report showing the combined results. No information is copied or imported during this process. If you want to import the previewed information, click Import Evidence.

Improved Targeting of Cases

Source Processor can now identify and target any item that can be added to a case. This includes:
- An evidence file
- A previewed drive (either the local machine or a remote node)
- One or more single files
- RAM

When a case is specified as a target in a job, a window displays a list of items in the case, divided into two categories: devices and machines.
- Devices are items that do not have a live connection (such as single files, evidence files, or RAM).
- Machines are all the devices that have a live connection (such as a local machine or remote node).

Clear any items that you do not want used for the collection job.
When the collection is complete, a LEF (logical evidence file) is created for each selected item, which can then be analyzed separately.

Log Parsers

Linux Syslog Parser Module

The Linux Syslog Parser module collects and parses Linux system log files and their system messages. It then provides information about the machine, log file summaries, and log messages.

Windows Event Log Parser Module

The Windows Event Log Parser module collects information pertaining to Windows events logged into system logs, including the Application, System, and Security logs.

WTMP/UTMP Log Parser Module

The WTMP/UTMP Log Parser module parses the Unix WTMP and UTMP files, which record login activity. In the module analysis reports, the WTMP/UTMP Log Parser provides information about the machine, login type, and login message.

Enhanced Internet Artifacts Module

The Internet Artifacts module has been enhanced to capture a variety of Internet usage information, including cache information, cookies, bookmarks, and downloaded data.

Device Decryption

When encrypted physical or logical devices are encountered while a job is running, an Encryption Information dialog displays to provide you with decryption options.

If the credentials to decrypt the drive are not known, a hyperlink prompt appears in the Valid Credential column. Clicking this hyperlink opens a credential dialog specific to the encryption protocol detected. For example, for a device using PGP encryption, a dialog displays for you to enter decryption credentials, if known.
If the credentials are not known, or if the device is encrypted with a protocol not currently supported by EnCase Portable, the device is not mounted; however, if you are running the Acquisition Module, the device is acquired in its encrypted state.

Items Fixed

Add Device/Preview/File System

723: FreeBSD only shows when Read File System is disabled.
24720: A raw image that cannot be verified claims the file is verified with zero errors.
25766: When adding a FAT16 formatted device smaller than 16 MB, EnCase detects the device as FAT12.
25920: Selecting FAT volume in the Add Raw Image dialog does not add an image file.
26005: While adding a Tableau write-blocked device, if you add a USB device during the power-down phase and then turn the Tableau device back on, the USB device displays as the new source drive. The Tableau device displays as one drive letter and one disk number below the USB device.
27215: EnCase cannot dismount the volume of a thumb drive in Disk view.
27217: When adding a thumb drive to EnCase, if you clear the Read File System column, EnCase still reads the file system.
29726: Files being previewed on an AIX 5.3 volume with the JFS2 file system incorrectly show as deleted or overwritten in EnCase.
29735: The $Volume name is parsed incorrectly from a Vista machine.
29846: File Acquired Time in an evidence file is different for FAT32 and NTFS volumes when the times should be the same.
30510: When adding partitions manually, EnCase creates two partitions instead of one.
30954: EnCase may crash when mounting corrupt Microsoft Office documents with View File Structure.

Bookmarks

4077: When the Bookmarks root entry is selected in the Tree pane, the Summary Bookmark option is missing from the Edit menu.
5417: After selecting Excluded for a bookmark entry, the bookmark remains in the list.
28054: Japanese language Firefox bookmarks are garbled.
29604: EnCase does not bookmark hex on the root volume of an array.
29847: After selecting Set Include, the report fails to display device information bookmarks for logical volumes.
30485: Partition table information does not display in bookmark data.
30588: Sweeping a 4-byte date in the registry, then bookmarking the date, produces no results.
30659: When sweeping bookmarks, some data types do not function as expected.
30693: When sweeping a bookmark and selecting an integer data type, no data displays.
31161: When using a sweeping bookmark on an HTML Unicode file, the bookmark data box displays more information than was actually bookmarked.

Compressed/Archived Files

7205: Selecting attachments for .edb files defaults to the "PR_ATTACH_SIZE" entry.
23823: After adding and removing a partition, then selecting View File Structure, an error message displays: "A file at this offset has already been parsed."
28732: Certain DBX email does not display the message body in Report view.
28049: Unable to mount .dbx files using View File Structure.
29344: EnCase does not display the full data stream from a Word document.
30885: Some NTFS compressed files display incorrectly in EnCase, resulting in inaccurate hash values. This is also the case when some NTFS compressed files are exported via Copy/Unerase.

Doc/Transcript

2592: An embedded bar diagram image created in a Word 2007 document does not display in the Doc tab.
8066: EnCase does not parse an image of a PowerPoint file in the Doc tab.
13341: Doc view does not display documents correctly after bookmarking data.
14827: The print file path header is truncated if it is longer than one line.
20812: Outside In does not render a cab.exe single file.
20924: File content is truncated in the Transcript tab using Outside In 8.2.
20939: EnCase does not view .rar content in the Transcript tab using Outside In 8.2 with the EnCase x64 installer.
24268: Outside In 8.2.2 cannot render mwkd file types, yet the text can be read in Text view.

EnCase Modules

2160: An unpartitioned SCSI drive causes the FastBloc SE dialog to hang indefinitely.
10298: Uninstalling drivers for SIIG Ultra ATA 133 manually, then attempting to write block the IDE channel, generates an error.
29627: MS Office Category metadata is missing when a file is mounted using View File Structure.
29805: Decrypting a BitLocker drive does not allow for subsequent decryption.
30595: Running Analyze EFS may cause EnCase to crash.

EnScript

2187: When searching mounted files of large size, EnCase generates the message "Memory Allocation Error 8. Not enough storage is available to process this command."
26441: After running the Case Creator (V3) script, the new case file name is not populated in the metadata of the new evidence file.
27407: RegistryClass does not open specific hives passed to it.
27719: LocalFileClass::SetTimeStamps(EntryClass) does not consistently set date fields on some files.
28277, 29986: In the EnScript.chm file, the description of MemoryFileClass::Open(uint,uint) is incorrect.
28498: UTF-8 parsing of AOL email does not display the character set correctly under Entries.
28999: Circular references or multi-threaded EnScripts may crash EnCase.
29031: Scan Local Machine may crash during a collection when the mount option is set to Mount Detect Extension.
29076: Calling EvidenceFileClass::SetStopSector has no effect on acquisitions using this EntryFileClass object.
29077: EvidenceFileClass::SetCompression does not affect acquisitions.
29149: The Machine Survey Servlet Deploy script does not deploy servlets to a range of IP addresses.
29280: Record::ExportMessage() does not remove an invalid file name.
29312: When using the Compromise Assessment Module via the Scan Local Machine EnScript, the bookmark folders created always indicate a registry value was present, regardless of the actual contents of the registry.
29458: After performing an Internet History search using EnScript with an unknown parameter in the Add Bookmark function, then saving and reopening the case, EnCase crashes.
29542: Link File Parser does not create a bookmark folder for Vista.
29582: In Bookmark Data and Link File Parser, Windows time shows a one-hour difference when Account for Seasonal DST is selected by default.
29776: Error in EnScript Help: array = {“asd”, ”cds”, ”vfd’, “fdg”}; should be array {“asd”, “cds”, “vfd”, “fdg”};.
29845: The tab-delimited output for Link File Parser does not report all hits.
29905: Running Machine Survey Servlet Deploy exits with an internal error when attempting to deploy a servlet or verify that a servlet is installed.
29915: EnScript documentation for EntryFileClass::Open(EntryClass, uint, CredentialClass) is incorrect.
30117: Running the Find Protected Files EnScript in Case Processor with the option Determine file type using signature analysis checked results in an internal error.
30200: If you have a remediation-enabled SAFE, the Sweep Enterprise Scan Registry module does not write a value to a registry key.
30663: Windows Initialize Case EnScript reports incorrect logon dates and times.
30688: You cannot install a servlet on Vista or 2008 machines with WMI on, FW off, and UAC off using the Machine Survey Servlet Deploy EnScript.
30894: The constructor for EntropyClass is missing, so you cannot create EntropyClass objects.
31099: The Sweep Enterprise Connection Details screen does not reference all swept nodes.

Evidence Files/Logical Evidence Files/Single Files

3555: The File Integrity column displays "verifying" even though the verification is cancelled.
9969: After selecting New from the Single Files context menu in the Table pane, you cannot navigate to a file using the New Entry dialog.
30519: Adding an evidence file to a case may cause a division by zero error.

Export Files/Folders

26970: Copy/Unerase does not use the times or dates of a file attribute when exporting a file stream.
30484, 30800, 31044: Column headings are missing in Table view when an item is exported to text, RTF, or HTML.

Filters/Conditions/Queries

24729: When creating a new filter, clicking OK in the New Filter dialog does not open the new filter code tab.
26443: After deleting a filter, EnCase does not close the source code tab for that filter.
30331: Some files with the same hashes are not excluded after running the Remove Duplicate by hash filter.

Hashing/Searching/Signature Analysis

27320: !Bad signature displays at folder level instead of file level.
27772: The Hash Items tab menu mistakenly contains an Import option.
29375: The search hit from a keyword does not display at first.
29589: There are invalid search hits in $UsnJrnl·$J. In the Search Hits tab, the hits are blank in the Preview column and zeroes in Hex view.

Internet

4555: EnCase displays an empty Last Accessed column after an Internet History search on an evidence file containing Opera browser history.

Report

2373: When exporting a report from the Cases > Home tab in .html format, EnCase includes tables containing items from other tabs (such as Entries, Bookmarks, Search Hits, etc.).
26118: Print tags for header and footer do not show the expected data for CasePath or FullPath.
27743: An image file does not display in a report after saving the case file.
30078: Bookmarked volume information disappears in Report view when you select Set Include for a folder.

SAFE

30013: The servlet does not call back to the secondary SAFE when the primary SAFE is offline.

UI/Controls

29524: When EnCase is in Acquisition or Enterprise mode, the menu option View > Encryption Keys is missing.

Known Limitations

10239 and 29960: Unable to preview CD media on a Solaris node in EnCase. Solution: on the Solaris machine, you must disable the service that enables automount. The administrator needs to enter the command svcadm disable volfs.
10535: EnCase can acquire memory processes, but shows the process as the physical size of the RAM, instead of what the operating system actually sees.
29579: The Solaris 9 64-bit servlet will not run until additional library files are added to the operating system.
26383: File association does not work with evidence files in Windows (using the Windows Explorer Tools > Folder Options dialog) due to a Windows configuration dialog limitation. Note, however, that file association works properly when editing the path using the advanced menu in EnCase.
29628: Empty Excel file metadata is not mounted properly using View File Structure. The modified data is in the file but at the very top instead of in the summary section of the binary format. The problem is resolved when you save the file for the first time.
29755: For certain .htm files, the Outside In 8.3 Transcript viewer replaces the line feed character (0A) with a carriage return character (0D).
29787: For certain .xlsx files, the Outside In 8.3 Transcript viewer removes some quote (hex 22) characters.
29788: When previewing SecureDoc 4.6 and higher with EnCase 6.15, if you attempt to preview a remote node that is running a servlet from a SAFE older than version 6.15, the remote node blue screens. You must upgrade the SAFE to version 6.15.
30009: Unable to decrypt a GuardianEdge encrypted device using a Vista examiner machine. If you use EnCase on a Vista operating system to decrypt a GuardianEdge encrypted device, you must download msvcp71.dll from Microsoft at http://msdn.microsoft.com/en-us/library/k9a8ehy3(VS.71).aspx and place it in the Encase6\lib\PC Guardian-Guardian Edge\EAHD directory in addition to the two GuardianEdge DLL files.
30013: For Sweep Enterprise to connect to remote machines, you must include the port number in the SAFE name in the servlet check-in list.
30093: Installing the SAFE from a Backup1.sbk file on a Vista 64-bit machine causes "Error creating service". This only happens when a dongle is not plugged in. If the dongle is in place, this error does not occur.
30363: EnCase takes significant processing time during "Parsing Alternate Data" when attempting to mount a *.dbx file that is part of a *.E01 file. This occurs when there is a large number of deleted email messages in the *.dbx file.
30447: The Windows Event Log Parser supports Microsoft® Windows XP, 2008, and Vista. Windows 7 is not currently supported.
30810: Entries are unexpectedly blue checked. A device offset is the byte offset from the beginning of an evidence file. Blue checks are stored as device offsets because they are globally unique across evidence. The area of evidence that makes up an entry is not unique, however, since two entries can represent the same location on disk. When blue check resolution occurs, EnCase checks all entries that cover the device offset associated with the blue check. Since more than one entry can cover a location in evidence (for example, deleted files), more than one entry can be blue checked.
30970: An acquired volume may show a different hash value than the preview of the whole disk. When previewing the whole disk, if the drive size is smaller than the size reported by the partition table, the drive has a volume slack of 1 sector. When acquiring a volume through Sweep Enterprise, EnCase uses the size reported by the operating system (without volume slack). Manually decreasing the stop sector by 1 results in the same hash value.
31254: Bookmarks in cases created in older versions of EnCase must be recreated in version 6.15 for EnCase to parse the bookmarks correctly.
31334: The HASP HL driver installs successfully, but Device Manager shows it as an unknown device on Windows Server 2008 (32- and 64-bit) and Windows 7 (32- and 64-bit). This may happen if you use a Security Key dongle that has older firmware.
31375: Printing from the Doc tab produces several pages instead of a single document. This occurs if you specify both the %f and %p switches. Use only one of the options to avoid possible printer problems.
31399: In the Source Processor Case Target Options dialog, if you select Machines but no Devices, no data is reported after running an analysis. This is because the Machines option is limited to access and registry only.
31530: The Promise Technology Ultra 66 Controller Card does not include drivers for Windows 7 (32- and 64-bit) or Windows Server 2008 (32- and 64-bit).

EnCase Version 6

Guidance Product Version Matrix

The Guidance Product Version Matrix (GPVM) displays a version-to-version compatibility table for all of our products. For information about EnCase compatibility with our other products, see the GPVM at: https://support.guidancesoftware.com/node/1108.

Support

Technical Support

You can find product-specific technical assistance online at http://www.guidancesoftware.com, or contact the Guidance Software Technical Services Department. Support is available between our US and UK offices 24 hours a day, Monday through Friday, excluding public holidays. Calls are automatically routed to the open office.

United States: (626) 229-9191, ext. 565
Monday - Thursday, 5 AM - 10 PM; Friday, 5 AM - 7 PM Pacific time

United Kingdom: +44 (0) 175-355-2252, option 4
Monday - Friday, 6 AM - 4 PM UK time

Customer Service

Please direct service questions and concerns to the Guidance Software Customer Service Department:

215 North Marengo Avenue
Second Floor
Pasadena, CA 91101
Phone: (626) 229-9191, press 5
Monday - Friday, 7:00 AM - 5:00 PM Pacific time
Fax: (626) 229-9199
Email: [email protected]

You can access our Customer Service Request Form online at http://www.guidancesoftware.com/support/cs_requestform.aspx.