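  • [DFNews] Guidance Releases EnCase v7.06 and EnCase Imager 7.06

    Guidance Software Inc, a vendor of digital forensics software, recently updated its well-known computer forensics product EnCase v7 to v7.06. This update brings substantial changes, including some features previously found in the SAFE edition.

    It has also released a free evidence acquisition tool, EnCase Forensic Imager (modeled on FTK Imager?).

    The EnCase v7.06 release notes follow: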


    New Features


    Support for Macintosh Logical Volumes
    EnCase Enterprise now supports logical volumes for Macintosh systems. This feature functions in
    the same way as EnCase handles Windows logical volumes. When connecting to systems via
    servlets, the servlet interacts with the operating system to address the volume. Macintosh logical
    volumes can include single disks, RAIDs, and encrypted volumes.

    Enhanced Macintosh Artifacts Support
    Enhanced Macintosh artifacts support in EnCase Version 7.06 includes:
    • Displaying all HFS+ file system compressed files as uncompressed
    • Support for directories' hard links
    • Support for Finder information and extended file attributes
    • Displaying security Access Control Lists (ACLs)

    Enhanced Support for Macintosh OS X and Installer
    EnCase now supports Mac OS X 10.8. This update includes an enhanced Mac installer that
    supports launchd, a unified, open-source service management framework for starting, stopping
    and managing daemons, applications, processes, and scripts.

    Enhanced Support for Macintosh Servlets
    EnCase now code-signs Macintosh servlets. To use this feature, you must reinstall both the
    servlet and the driver. This requires uninstalling the old driver and servlet and installing the new
    Installer.pkg, which includes the new servlet and drivers.
    Formerly, when using Macintosh servlets, OS X would display a confirmation dialog. With code-
    signed servlets, this message does not appear.

    Support for Macintosh Trash Items
    EnCase now supports Trash items for Mac OS X, including support for multiple types of trash and
    tracking multiple items with the same filename.

    Enhanced Windows Support
    EnCase now provides support for:
    • Parsing Windows 7 AutomaticDestinations, CustomDestinations (jump lists) and their link
      files.
    • Parsing Windows 7 thumbs.db.
    • Parsing .lnk file for IDList structures.
    • Parsing support for Windows 8 artifacts:
        • Registry parsing
        • System information parsing
        • Thumbs.db parsing
    • Servlet for Windows 8 and Windows Server 2012.
    • Windows 8 BitLocker encryption.

    Updated Documentation for McAfee ePolicy Orchestrator Integration
    Documentation for McAfee ePolicy Orchestrator (ePO) is updated with instructions and
    screenshots for Version 4.6.

    Credant Cached Authorization Credentials
    EnCase now caches Credant authorization credentials for forensic administrators. Once a forensic
    administrator enters credentials, EnCase caches the credentials, and there is no prompt to enter
    them again within a given EnCase session.

    Direct Network Preview
    Now for the first time EnCase Forensic and Enterprise users can securely preview a live computer
    over a network. Direct Network Preview provides the ability to create servlets and installers that
    you can run and connect to without using a SAFE.
    This functionality is split into two parts:
    • Creating Servlets. The steps for this process are accessed by selecting Create Direct
      Servlet from the Tools menu.
    • Adding Direct Network Preview Devices. The steps for this process are accessed by
      selecting Add Network Preview > Add Direct Network Preview from the Add Evidence
      menu.

    Automatic Windows Firewall Configuration
    By default, the Windows Firewall does not have exceptions configured for SAFE and servlet. This
    can result in Windows interactively prompting you to allow incoming connections.
    Now when these services run for the first time, they configure the Windows Firewall by adding
    necessary exceptions. This happens automatically, and no user intervention is required.

    Sweep Enterprise Parallel Processing
    Sweep Enterprise now has the ability to sweep multiple targets in parallel, significantly improving
    performance.
    In this example, you can see in the Status tab that Sweep Enterprise is scanning two machines
    and four modules in parallel, instead of serially:

    Enhanced Documentation Support for Reports and ROC
    The EnCase Version 7.06 User’s Guide now includes full documentation of EnCase Report Object
    Code (ROC) and includes enhanced documentation of all aspects of EnCase report creation.

    Snapshot Reports Display Additional Information
    Snapshot reports now contain new columns which display information from the DLL Report,
    Process Report, and information from open ports. New columns displayed include Instance Name,
    Children Processes, Open Ports, and DLL Counts.

    Enhanced Support for Android OS and Device Acquisition
    EnCase supports logical and physical acquisition of devices, including phones and tablets, running
    Android OS Version 4, Ice Cream Sandwich, as well as Version 4.1-2, Jelly Bean.
    EnCase now analyzes Android physical evidence files (E01) and produces logical evidence files
    (L01) containing common smartphone categories: contacts, messages, call logs, and calendars.
    The result is a byte for byte copy of the device data partition and a navigable file/folder
    hierarchy. However users must manually discover, research, and export high level logical data (for
    example, contacts, messages, call logs, and calendars).

    Android Backup
    EnCase Version 7.06 also provides support for acquiring Android backup data.
    Android Backup is used in two features:
    1. Android backup file support:
    EnCase 7.06 supports parsing of Android Backup (*.ab) files. This is used when these
    files are either created manually by the user from an examined device or found as
    evidence on a machine. To use this feature select Evidence > Backup Files > Android
    Backup. If the backup is encrypted, EnCase decrypts it if you supply the password.
    2. Acquisition of an Android device using the backup functionality:
    This feature is available only for devices running Android OS versions 4 and above (Ice
    Cream Sandwich and Jelly Bean). This is an alternative method for logical acquisition and
    complements the existing Android logical acquisition. It is accessible via the Android OS
    4.x option in the Devices section of the smartphone acquisition dialog. It uses a slightly
    different acquisition method. After starting the acquisition, on the device screen you are
    prompted to press OK to start the backup process.
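
    For triaging *.ab files found as evidence, the plain-text header tells you whether a password is needed before any parsing can start. The sketch below is an added example, not EnCase code or part of the release notes; it assumes the header layout used by the Android platform's backup format, and the field names and the constructed sample are illustrative.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_ab_header(data: bytes) -> dict:
    """Parse the plain-text header at the start of an Android Backup file."""
    stream = io.BytesIO(data)

    def line() -> str:
        raw = stream.readline()
        if not raw.endswith(b"\n"):
            raise ValueError("truncated header")
        return raw[:-1].decode("ascii")

    if line().encode() != MAGIC:
        raise ValueError("not an Android Backup file")
    hdr = {"version": int(line()), "compressed": line() == "1", "encryption": line()}
    if hdr["encryption"] != "none":
        # Encrypted backups carry five more lines of key-derivation material
        # (field names here are this example's own labels).
        names = ("user_salt", "checksum_salt", "pbkdf2_rounds", "user_iv", "master_key_blob")
        hdr.update({n: line() for n in names})
        hdr["pbkdf2_rounds"] = int(hdr["pbkdf2_rounds"])
    hdr["payload_offset"] = stream.tell()
    return hdr

def list_entries(data: bytes) -> list:
    """Return tar member names from an unencrypted backup; refuse encrypted ones."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise PermissionError("backup is %s-encrypted; password required" % hdr["encryption"])
    payload = data[hdr["payload_offset"]:]
    if hdr["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        return tar.getnames()

def build_sample() -> bytes:
    """Constructed sample: a one-file tar behind an unencrypted, compressed header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"constructed sample"
        info = tarfile.TarInfo("apps/com.example.app/_manifest")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())
```

    Work on a copy of the evidence file, since this sketch reads the whole backup into memory and is meant for triage only.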

    Enhanced Support for Tablets
    EnCase Version 7.06 provides support for these tablets:
    • Google Nexus 7
    • Acer Iconia Tab A500
    • Samsung Galaxy Tab 2
    • Kindle Fire HD (support for Lightspeed browser artifacts and social media)

    Smartphone Reports Data Can Be Exported for Use by Microsoft Excel
    Data displayed in smartphone reports, in Summary view only, can be exported as comma
    separated value files (.csv), and used by Microsoft Excel.

    Enhanced Support for Symantec Endpoint Encryption
    EnCase now supports Symantec Endpoint Encryption Version 8.2. As with all Symantec Endpoint
    Encryption versions, EnCase works with user and admin credentials.

    Enhanced Oracle Outside In Support
    EnCase now uses Oracle Outside In Version 8.4. 

  • Original article: https://www.cnblogs.com/ysun/p/2945028.html