Thursday, February 23, 2012

EnCase 7.03 has been released!

EnCase 7.03 is here!

According to Guidance Software the following changes have been made:
  • There is now an option for a seperate processor dongle.  This will allow an examiner to use a second computer to aid in the processing of cases.  It states that you can queue processes on a seperate machine while you examine already processed evidence.
  • Evidence Processor is 2-3 times as fast.  (I hope so!)
  • Indexing Text in both File Slack and Unallocated Space.
  • System Info in the processor now supports NetShare and USB Registry information.
  • Support for Google Chrome Artifacts has been added!! (Finally!)
  • You can now process from the local view and the network preview.  You no longer need to acquire a case to process it.  Indexing is not supported with this feature yet.
  • A Review package option has been added where you can export search results into an easily opened web browser tool.  (This will hopefully make sharing results a bit simpler.)  An important part of this is that the recipient can review and make tags that can be imported back into EnCase for you to see.
  • The Text and Hex tabs will now show search hits!  You don't have to use the Transcript tab only now!
  • EnCase 7.03 now allows Enterprise functionality involving the SAFE and servlets. 
  • The ability to rescan previewed drives has been added.
  • You now have the ability to view the status of remote devices as they are being acquired.
  • A few default text styles have been added.
  • Support for EXT 4 Linux Software RAID arrays
  • iOS 5 Beta support
Numerous items have been fixed.  Please see the EnCase 7.03 release notes to see everything.  I will mention a few that I have encountered:
  • When acquiring a physical device, only the first logical partition is acquired.
  • The default error granularity for memory acquisitions is 64, causing large sections of memory to be missed in memory acquisitions.  (I'm not sure what it has been changed to.  I will report on this when I see!)
  • Time zone names are not saving and loading correctly.
  • Evidence Processor's file carver module creates multiple identical records.
  • Windows 7 Thumbcache files do not display in Pictures/Doc tabs.  (I am taking this to mean that EnCase 7.03 now supports the thumbcache files.  I will report on this when I have a chance to play with it.)
Things that I have not seen in the release notes:

I have not seen that they allow multiple passes with the source processer. 
I did not see anything about a fix for when EnCase crashes when a partition is rebuilt.

If you have any other questions, please send a post and I will try to answer them over the weekend.

Please check EnCase out at www.guidancesoftware.com

Check me out at www.h11dfs.com
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)