OpenText™ EnCase Updates

OpenText™ EnCase™ Forensic Version 8.09

The current release of EnCase (as used in our classes) is EnCase® version 8.08. OpenText is pleased to announce the release of OpenText™ EnCase™ Forensic Version 8.09. This version is packed with new features and enhancements, making EnCase more efficient and useful, with visibility into the various stages of evidence processing.

New features in OpenText™ EnCase™ Forensic Version 8.09 include:

Check Point Full Disk Encryption Support. EnCase Forensic now supports decryption of Check Point Full Disk Encryption versions 80.64 ‐ 80.88 for images of Windows 7, 8.1, and 10.

Evidence Processor Logging Options. EnCase Forensic now provides detailed information about processing jobs using trace logs, which can be saved and used for troubleshooting. Processing trace logs are considered a debugging feature and should not be interpreted without taking the following into consideration:

  • EnCase Forensic takes a best-effort approach to processing evidence, so output logs may often record anomalies that are common to evidence processing.
  • The evidence processing task duration may not match the task completion time because this value is not known until the entire evidence file is processed.

Expanded Product Activation and Installation Documentation. The product activation and installation documentation has been updated to reflect new licensing and product activation workflows. We can now use the OpenText My Support Product Activation Page to generate license activation files, certificate files, and License Manager .SetUp files.

Firefox Internet Search Artifacts Support. EnCase Forensic now parses keyword search terms entered by the user to perform an Internet search using a search engine. Results are displayed under the Keyword Search folder in the Artifacts tab of an Internet history search. Internet keyword searches using the following search engines are parsed:

  • Google
  • Bing
  • Yahoo
  • DuckDuckGo
  • Twitter
  • Amazon
  • eBay
  • Walmart

Outlook Search Folders Support. EnCase Forensic now parses Outlook search folders that are present in Personal Storage Table (PST) files.

Mobile Acquisition Enhancements. The following enhancements and fixes have been made for EnCase Mobile Acquisition:

  • A User Activity Timeline feature for logical acquisition of Android devices has been added. Now you can view what actions were performed on the device at a certain moment in time.
  • The Android logical plug‐in has been improved:
    • Logical acquisition is performed much faster as unnecessary attempts of device rooting can be skipped.
    • File System and Android Backup can be acquired separately during the Custom acquisition.
    • The File System feature contains data stored in the Media Card and External Memory feature; this data can be received without gaining root access.
  • Android Physical plug‐in has been improved:
    • The ability to select the features for acquisition has been added for manual plug‐in selection.
    • The Full Flash feature (SD Card included) has been replaced with two new features: Flash Partitions and File System. Now, more data is acquired and parsed during physical acquisition (including the encrypted data partition).
    • More data is parsed and displayed in a user-friendly format, such as Installed Applications, Authentication Data, Recovered Contacts, Recovered Call History, Recovered Calendar, Recovered SMS History, and Recovered MMS History.
  • More MTK chipsets are now supported; we are now able to perform physical acquisition of even more MediaTek devices.
  • iOS 12 devices are now supported for logical acquisition.
  • Logical and data acquisitions of iOS devices are now faster.

OpenText™ EnCase™ Mobile Investigator Version 1.05

OpenText™ EnCase™ Mobile Investigator Version 1.05 is now available and comes with new features and improvements to stability, navigation, and usability.

New features in OpenText™ EnCase™ Mobile Investigator Version 1.05 include:

New System Requirements. System requirements for EnCase Mobile Investigator have been changed:

  • Java SE Development Kit 11 (for x64) is now required.
  • Windows Server 2016, 2012, and 2008 R2 64-bit operating systems are now supported.

Additionally, it is now required to have Microsoft Excel version 2010 or higher to run the Mobile Excel Spreadsheet Report.

Viewing Parsed Recovered Data. The process and details for parsing recovered data have been updated in the documentation to read as follows:

EnCase Mobile Investigator allows you to view the parsed recovered Contacts, Call History, Calendar, SMS and MMS from mobile data cases in the grid. Additionally, you can view the records from the grid in Text and Hex view.

Viewing User Activity Timeline. EnCase Mobile Investigator now allows you to view what actions were performed on a device with Android OS 5.0 and higher at a certain moment in time.

In OpenText™ EnCase™ Mobile Investigator Version 1.05, the following fixes have been made:

  • Potential issue with opening the Mobile Data Review Report in Edge browser has been fixed.
  • Potential issue with navigation in the Mobile Evidence Timeline Report when viewing it in the Internet Explorer and Edge browsers has been fixed.
  • Potential issues with adding thumbnails of images to the report and text representation for search have been fixed for the Mobile Evidence PDF Report.
  • Potential issues with the correct parsing of the embedded data and displaying the links have been fixed for the HTML Investigative Report.
  • Potential issue with incorrect displaying of the CSV Search Results Report in Excel has been fixed.
  • Potential issue with date filters in the Reports Wizard has been fixed.
  • Potential issue with oversized images and photos in the Mobile Evidence PDF Report has been fixed. The large size of images, especially photos, is preserved, but now they perfectly match the report grid.
  • Potential issue with viewing the correct size of MMS attachment images on Android devices has been fixed.
  • Potential issue with navigation between pages in the Categorized Files viewer has been fixed.

DF210 – Building an Investigation with EnCase® Forensic

There are a few content changes evident in the curriculum for each class, notably in DF210 Building an Investigation with EnCase Forensic, with the use of the Case Analyzer. This useful feature was previously scarcely mentioned in classes at this level, but it now features in DF210.

Also notable is that in the revised manuals, OpenText's training team suggests that after each and every instance of processing (using the Evidence Processor), users should save their case and close and reopen EnCase before examining the processed results. Our lead trainer, Frank Butler, has spoken to a few training staff at OpenText. They say that they have received reports of unexplained crashes post-processing; this measure is intended to alleviate that risk. Our trainers have implemented it in both classes, and we did not have any crashes. In fairness, we had not experienced crashes before in any case.

Windows 10 upgrades a lot. Most times very little actually seems to alter. A recent update changed the appearance of the Windows calculator. During DF210, one of the lessons requires users to copy the result of a calculation, paste it in the EnCase® lower view pane, and use a GoTo function. If users copy using a right click and the Copy function, an error occurs saying that the pasted number is out of range. Initially it was supposed that this was because the copy function also copied the commas from larger numbers. However, even on manually removing the commas, it gave an error. Nevertheless, if you use Ctrl+C and Ctrl+V, it works.

Upcoming EnCase® Trainings at Bounga Informatics

DF120 – Foundations in Digital Forensics with EnCase® Forensics
26th to 29th August – few seats left | 17th to 20th September – some seats left

DF210 – Building an Investigation with EnCase®
1st to 4th July – very few seats left | 3rd to 6th September – some seats left | 23rd to 26th September – some seats left

DFIR350 – Internet-based Investigation with EnCase®
8th to 11th July – some seats left

DF320 – Advanced Analysis of Windows Artifacts with EnCase®
22nd to 25th July – some seats left


If you are interested in any of the EnCase® products and/or services, please do not hesitate to contact us.