[DFNews] EnCase v7.08发布

EnCase v7.08 近日正式发布，7.08增加了Evidence Processor Manager以及Evidence Processor，不仅可以在本地实现证据处理队列，也支持了通过网络进行分布式证据处理的方式。

以下是Release Note，更新软件下载地址集中于置顶帖中。

---

What’s New in Version 7.08

• Evidence Processor Manager
• Evidence Processor Enhancements
  • Augmented File Carving for Images
  • New Evidence Processor Lock/Unlock Flexibility
• Encryption Support Updates
• Windows Resilient File System (ReFS) Support
• Solaris Volume Manager Support
• Improved Hash Library Management
• Macintosh OS X Disk Image Support
• Safari Internet Artifact Updates
• Smartphone OS Application Support
• Usability Enhancements
  • Create Tags Using Keyboard Shortcuts
  • Create Logical Evidence Files from Search Results
  • Improved Email Alternate Body Handling

Evidence Processor Manager
The new Evidence Processor Manager allows for distribution and control of evidence processing for one or more EnCase Examiners or EnCase Processors.

With the Evidence Processor Manager, you can simplify evidence processing and acquisition by:

• Queuing evidence in the jobs list to be processed.
• Prioritizing the execution of evidence to be processed.
• Distributing the processing workload across multiple processing nodes. Any available node picks up the next job in the queue for the rapid processing of evidence.

Evidence Processor Enhancements
File Carver
The File Carver augments existing file carving capabilities by using Windows Graphics Device Interface (GDI) libraries to accurately carve images according to their sizes and file types. GDI libraries identify the actual length of the file to be carved, resulting in increased probability of carving high fidelity images.

New Evidence Processor Lock/Unlock Flexibility
Evidence Processor now gives you the following options so you can designate only the evidence that you want specifically processed:

• During initial processing, File Signature Analysis can be turned On or Off. The default is On.
• While running Evidence Processor with an existing evidence cache
  • Keyword Search can be turned On or Off
  • Recover Folders can be turned On if it was previously turned Off

Encryption Support Updates
EnCase Version 7.08 provides the following support for encryption products:

• Sophos SafeGuard Easy and Enterprise 6 (32-bit only)
• McAfee Endpoint Encryption 7.0 (32-bit only)
• Check Point Full Disk Encryption 8 (OS X and Windows)

Windows Resilient File System (ReFS) Support
EnCase supports the investigation of machines running the Windows 8 operating system. This includes the ability to acquire and parse allocated files and folders from the ReFS file system.

Solaris Volume Manager
EnCase now supports Solaris Volume Manager (SVM), to parse and investigate logical volumes on Solaris 9 and 10 computers.

Improved Hash Library Management
The Manage Hash Library function now allows you to:

• Select a hash set to work with
• View the contents of a hash set
• Delete individual items from a hash set

Macintosh OS X Disk Image Support
The following Macintosh OS X media types are now supported by EnCase:

• DMG format
• Sparse image format
• Sparse bundle format

Macintosh File Value is a wrapper on top of DMG or sparse image files. All three types of media can be encrypted via either AES-128 or AES-256. EnCase currently supports images encrypted with AES-128, only.

EnCase now supports the following DMG formats:

• UDZO (zip compression algorithm)
• UDBZ (BZip2 compression algorithm)
• UDCO (Apple-proprietary ADC compression algorithm)

Safari Internet Artifact Updates
EnCase supports Safari Versions 5 and 6 including cookie and cache artifacts.

Smartphone OS Application Support 
The following list shows software applications supported by EnCase, arranged by operating system.

Android

• Gmail
• Yahoo mail
• GTalk
• Facebook
• Twitter
• Google+
• Google Now
• Google Docs
• Dropbox
• Chrome Browser

iPhone

• Google Maps
• Apple Maps
• Google Plus

Usability Enhancements
Create Tags Using Keyboard Shortcuts
You can now create tags using keyboard shortcuts. Hot keys are assigned to the first ten tags (Alt-0 to Alt-9)

Search Results Exported to Logical Evidence Files
You can now export items in a set of search results to a logical evidence file (LEF). Search results may contain both entries and records. When you export search results containing only entries or containing only records, EnCase generates a single LEF. When you export search results containing both entries and records, EnCase generates two LEFs.

Improved Email Alternate Body Handling
When email systems append a plain text version of the email together with the HTML/rich text version, this text is called an "alternate body." Formerly, EnCase treated this as an attachment to the message, and displayed an attachment paper clip icon. Now, when an alternate body is the only attachment to an email message, EnCase displays a standard email icon, rather than the paperclip icon.