
OpenText™ EnCase Endpoint

Investigator CE 24.3

Release Notes

Product Released: 2024-08-30


1 Introduction
These Release Notes provide an overview of EnCase Endpoint Investigator 24.3, including new
features, delivery information, and supported platforms.

OpenText recommends that you read these Release Notes in conjunction with the documentation
included with the software package. If any conflicts exist, the Release Notes supersede the other
documentation.

We also recommend that you check OpenText My Support for any patches or documentation updates
that may have been posted after the initial release of this product.

1.1 Release Notes revision history


Revision date   Sections revised                  Description of revisions
2024-08-30      First release                     All new content
2024-09-11      SAFE version; Product licensing   The SAFE version was updated to refer to 24.2, the latest current version of the SAFE.

2 About EnCase Endpoint Investigator 24.3


This section provides an overview of EnCase Endpoint Investigator 24.3.

2.1 New features


EnCase Endpoint Investigator 24.3 includes the following new features:

Artifact Explorer – new features and improvements


The Artifact Explorer application included with EnCase Endpoint Investigator has the following new
features and improvements:

2 EnCase Endpoint Investigator 24.3 Release Notes


• Gallery view – Artifact Explorer now has a gallery view that renders image artifacts from the
center pane. The gallery is a separate window from the primary window and can be moved to
a secondary monitor or used on the primary monitor. All images in the main pane of Artifact
Explorer are available for viewing in the gallery. Bookmarks can be added to or removed from
images in the gallery view. Images can also be previewed. The Properties and Content panes
update when an image is highlighted in the gallery so properties and content can be further
investigated.
• Center pane query performance improvements – Query performance has been
substantially improved. Data rendering is also faster.
• Improved artifact search – The search bar in the center pane now searches metadata in
addition to content.
• Classification and categorization changes – New artifact sub-classes have been added,
and improvements have been made to both artifact classification and categorization.

EnCase Portable licensing removed


Product licensing has been removed from the EnCase Portable component included with EnCase
Endpoint Investigator.

Updated OpenJDK Java runtime environment


EnCase Endpoint Investigator 24.3 ships with OpenJDK JRE version 22.0.2.

Mobile acquisition enhancements


• Voicemail transcription is now available for iOS device acquisition and iOS backup import.
• State of Mind parsing for the native iOS Health application has been added.
• Cellebrite UFED Android data can now be imported.
• The process of obtaining WAL files has been improved for iOS device acquisition and iOS
backup import.
• Deleted messages recovery during iOS device acquisition and iOS backup import has been
improved.
• Large message grid (more than 10000 messages) acquisition from iOS devices and import
from iOS backups has been improved.


• iCloud Contacts sync data for accounts with or without 2FA can now be imported.

2.2 Discontinued and deprecated features


The following feature has been discontinued in this release:

• Support for acquisition of Gmail, Google Drive, Google Locations via Acquire > Mobile
Device and Acquire > Mobile Backup File has been discontinued.

Note
Acquisition of Google managed user accounts is still fully supported in EnCase
Endpoint Investigator. To acquire from Google Workspace managed user
accounts, go to Acquire > Email > Gmail for Gmail items and Acquire > Storage
> Google Drive for Google Drive files.

There are no deprecated features in the 24.3 release.

The following features are scheduled to be deprecated in release 25.1:

• Support for installation of EnCase Endpoint Investigator on Windows 8.1, Windows Server
2012, and Windows Server 2012 R2 platforms.
• Enhanced agent support for all 32-bit Windows platforms. The end of enhanced agent
support will affect remote data acquisition and check-in remote collections on these platforms.
Unless otherwise specified, no change is planned for standard agent support on 32-bit
Windows platforms.
• Standard and enhanced agent support for 64-bit Windows 7 and Windows 8 platforms.
• Standard agent support for Windows IoT Core (ARM32).
• Standard agent support for macOS 10.13.

3 Downloads
Downloads for EnCase Endpoint Investigator are available on My Support. Enter the following
hashtag into the search bar of My Support to list relevant product downloads:

#encaseendpointinvestigator24.3SoftwareDownloads

The software for EnCase Endpoint Investigator includes:

Software Download                                              File Name
EnCase Examiner <version> - Endpoint Investigator Setup (x64)  encase_setup_(x64)_<version>.iso
EnCase Mobile Driver Pack <version> - Installer                encase_mobile_driver_pack-<version>.exe
EnCase Processor Node <version> - Setup (x64)                  encase_processor_node_<version>.exe

EnCase Examiner <version> - Localized Language Forensic Setup:

Software Download                                              File Name
EnCase Examiner <version> - Arabic Setup (x64)                 arabic_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Chinese Simple Setup (x64)         chinesesimplex_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Chinese Traditional Setup (x64)    chinesetraditional_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Dutch Setup (x64)                  dutch_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - French Setup (x64)                 french_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - German Setup (x64)                 german_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Italian Setup (x64)                italian_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Japanese Setup (x64)               japanese_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Korean Setup (x64)                 korean_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Polish Setup (x64)                 polish_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Portuguese Setup (x64)             portuguese_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Russian Setup (x64)                russian_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Spanish Setup (x64)                spanish_encase_setup_(x64)_<version>.iso
EnCase Examiner <version> - Turkish Setup (x64)                turkish_encase_setup_(x64)_<version>.iso

4 SAFE version
Use the latest version of SAFE 24.2 with this product. The latest version of the SAFE is available from
OpenText My Support.


5 Product licensing
The CodeMeter product licensing client for EnCase Endpoint Investigator is v7.60d.

The CodeMeter license server is the current, supported product licensing mechanism for EnCase
products. The legacy License Manager application used by some existing customers is deprecated
and will be discontinued in a future release.

Legacy License Manager documentation can be found in the SAFE 20.4 User Guide.

EnCase Forensic and EnCase Endpoint Investigator 24.3 users:

New and current users


If you are a new user, or do not use the legacy License Manager:

• Use CodeMeter license server. Refer to the OpenText EnCase Endpoint Investigator 24.3
User Guide for instructions on installing and configuring the CodeMeter license server.
• Refer to the latest SAFE User Guide for information about SAFE and agent deployment.

Legacy License Manager users


If you currently use License Manager, you may continue to use License Manager until it is
discontinued, or you can migrate to CodeMeter license server.

• If you want to stop using License Manager, refer to your product’s 24.3 User Guide for
instructions on installing the CodeMeter license server.
• If you do not want to stop using License Manager at this time, refer to the SAFE 20.4 User
Guide for information about License Manager. Refer to the SAFE 24.2 User Guide for all
information about the SAFE and agent deployment.
• CodeMeter license server is not compatible with EnCase Endpoint Investigator versions
older than v20.x. If you intend to use EnCase Endpoint Investigator versions older than 20.x,
consider keeping enough licenses for your needs on your existing License Manager server.

6 Packaging and documentation


Documentation for EnCase Endpoint Investigator is available on OpenText My Support. Enter the
following hashtag into the search bar of My Support to list relevant product documentation:

#encaseendpointinvestigator24.3Documentation

Documentation for this product includes:

• EnCase Endpoint Investigator User Guide
• EnCase Artifact Reference Guide
• SAFE User Guide

7 Supported environments and compatibility


This section provides details about supported platforms, systems, and versions.

7.1 Supported systems


EnCase Endpoint Investigator works on machines running the following operating systems:


• Microsoft Windows 8.1, Windows 10 versions 1607, 1703, 1709, 1803, 1809, 1903, 1909,
2004, 21H1, 21H2, 22H1, 22H2, Windows 11 21H1, 21H2, 22H1, 22H2
• Microsoft Windows Server 2012 and 2012 R2, Windows Server 2016, Windows Server 2019,
Windows Server 2022

Minimum and suggested system requirements for this product are provided in the System
Requirements section of the EnCase Endpoint Investigator User Guide.

7.2 Language support – application user interface


The EnCase Endpoint Investigator user interface is available in the following languages:

Arabic, Chinese Simplified, Chinese Traditional, Dutch, French, German, Italian, Japanese,
Korean, Polish, Portuguese, Russian, Spanish, Turkish

These language versions and the English version of EnCase Endpoint Investigator are available for
download on OpenText My Support.

The EnCase Artifact Explorer application user interface is only available in English.

7.3 Target machine operating systems


Agents are deployed on target machines and work with the operating systems listed in the following
table:


Target OS, Version (Processor) for SAFE/Agent v24.2

Columns: Target Operating System (Processor) | OS Version | Core Support: Rapid Preview (Live Preview) | Core Support: Snapshot | Acquisition: Device Acquisition (Physical) | Acquisition: Volume Acquisition (Logical) | Acquisition: Memory Acquisition (Raw Memory) | Active Agent: Acquire Data Remotely, Check-In Collection

Windows 11 (x86, x64, ARM32, ARM64) | 21H2 – 23H2 | Yes | Yes | Yes | Yes | Yes, except ARM64 | Yes, except ARM
Windows 10 (x86, x64, ARM32 [1], ARM64) | 1507 – 22H2 | Yes | Yes | Yes | Yes | Yes, except ARM64 | Yes, except ARM
Windows 7, 8 (x86, x64) | 7 SP1, 8, 8.1 | Yes | Yes | Yes | Yes | Yes | Yes
Windows Server (x86, x64) | 2012 R2, 2016, 2019, 2022 | Yes | Yes | Yes | Yes | Yes | Yes
macOS (x64, ARM64) | 11, 12, 13, 14 [2] [3] | Yes | Yes | No [3] | No [3] | No | Yes
macOS (OSX) (x64) | 10.13 – 10.15 | Yes | Yes | Yes | Yes | Yes (10.13 – 10.14) | No
Red Hat Enterprise Linux (x86, x64) | 7, 8, 8.1, 9.0 | Yes | Yes | Yes | Yes | Yes, with kcore device | No
Linux (x86, x64, ARM32, ARM64, IBM Z) | Kernel 3.9.5 or higher with procfs | Yes | Yes | Yes | Yes | Yes, with kcore device | No
Solaris (SPARC64) | 10 – 11.4 | Yes | Yes | Yes | Yes | No | No
AIX (PowerPC 64-bit) | 6.1, 7.1 | Yes | Yes | Yes | Yes | No | No

[1] Windows IoT Core also supported.
[2] macOS agent deployment limitations are listed in the Known issues section of the release notes.
[3] macOS 12 and later can only be previewed with Live Directory Preview.


McAfee ePolicy Orchestrator (ePO) integration
McAfee ePolicy Orchestrator administrators can use ePO to deploy EnCase agents to ePO-managed
nodes. Versions 4.5, 4.6, 5.1, and 5.3 are supported.

7.4 Mobile application data acquisition


EnCase Endpoint Investigator allows you to acquire parsed mobile application data. The parsed
application data includes grids with types of data corresponding to its application, such as Contacts,
Conversation, Downloads, History, and more. Parsed data can be collected from either the device
acquisition or the cloud acquisition.

The source table lists each application against the data sources from which its parsed data can be
collected: iOS, Android (rooted), Android (not rooted) [1], BlackBerry 10 Backup, and Cloud Data
Import. The applications covered are:

• Amazon Alexa
• BB Messenger
• Chrome
• DJI Go
• Dolphin browser
• Dolphin X browser
• Evernote
• Facebook
• Facebook Messenger (iOS 7.x & higher)
• Firefox
• Fitbit
• Gmail
• Google Maps
• Google Drive [2]
• iCloud Backup [3]
• iCloud Contacts
• iCloud Photos
• Instagram
• Jott Messenger
• KIK
• LinkedIn
• Mail.ru
• Opera
• Opera Touch
• Pinger
• Skype
• Snapchat
• Telegram
• TextFree
• TextPlus
• TigerConnect
• TikTok
• Tinder
• Twitter
• Viber
• Vkontakte
• VoiceMail
• Waze
• WeChat
• WhatsApp
• Whisper
• Yik Yak

[1] Mobile application data acquisition for GrapheneOS is supported according to the flags noted in the
Android (not rooted) column.

[2] Acquisition of Google managed user accounts is supported in EnCase Endpoint Investigator via the
following: Acquire > Email > Gmail for Gmail items and Acquire > Storage > Google Drive for
Google Drive files.

[3] iCloud Backup is not a parsed application but is included here because it is accessed via Cloud
Data Import.

7.5 Supported file systems


EnCase Endpoint Investigator 24.3 supports the following file systems:

APFS, CDFS, EXFAT, EXT2, EXT3, EXT4, FAT, FAT12, FAT16, FAT32, HFS, HFS+, HFSX, HPFS,
HPUXFS, JFS, JFS2, NETWARE, NTFS, REISER, SOLZFS, SUN, UDF, UFS, UFS2, VXFS, XFS,
YAFFS2, ZFS

7.6 Third party systems


• EnCase Endpoint Investigator 24.3 ships with OpenJDK JRE version 22.0.2.
• EnCase Endpoint Investigator supports Project VIC data model 1.2.

7.7 Encryption support


Vendor | Product | Supported versions | 64-bit support

Apple | Apple File System (APFS) Encryption | 10.15 | Yes
Check Point | Endpoint Security Suite (Full Disk Encryption) | 6.3.1 up to 7.4, 8.0 (for Windows and Macintosh computers); 80.64 - 80.94 (Windows only) | Yes
Credant | Mobile Guardian (subsumed by Dell) | 5.2.1, 5.3, 5.4.1, 5.4.2, 6.0 through 6.8, 7.3 | Yes
Dell | Data Protection Enterprise Edition | 8.3, 8.5, 8.12, 8.13, 8.15, 8.16, 8.17.2 | Yes
Dell | Full Disk Encryption | 8.17, 10.7, 10.8 | Yes
GuardianEdge | Encryption Plus/Anywhere | 7 and 8 | No
GuardianEdge | Hard Disk Encryption | 9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1 | Yes
McAfee | Endpoint Encryption | 4, 5, 6, 7, 7.1, 7.2 (for Windows and Macintosh computers) | Yes
Microsoft | BitLocker and BitLocker To Go | Windows Vista (Enterprise and Ultimate), Windows 7, 8, 10, Windows Server 2008 | Yes
Sophos | SafeGuard Easy and Enterprise (formerly Utimaco) | 4.5, 5.5, 5.6, 6.0 | Yes - SafeGuard Easy; No - Enterprise
Symantec | PGP Whole Disk Encryption | 9.8, 9.9, 10, 10.1, 10.2, 10.3 | Yes
Symantec | Endpoint Encryption | 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0, 8.2, 8.2.1, 9.1, 11.1.1, 11.1.3, 11.2, 11.3 | Yes
Vera | Vera for Files | 2.1 | Yes
WinMagic | SecureDoc Full Disk Encryption and Self-Encrypting Drives | 4.5-8.6 | No

7.8 Cloud service support


EnCase Endpoint Investigator can collect user email and related items from the following online email
services:

• Microsoft Exchange Server 2013 or Later
• Microsoft Exchange Server on Office 365
• Google Workspace

EnCase Endpoint Investigator can collect files from the following online file storage and sharing
services:


• Amazon S3
• Box
• Dropbox
• Google Workspace
• Microsoft Azure Blob
• Microsoft SharePoint 2013 or Later
• Microsoft SharePoint Office 365
• Microsoft SharePoint Office 365 OneDrive

EnCase Endpoint Investigator can collect files from the following collaboration services:

• Microsoft Teams
• Slack
• Zoom

EnCase Endpoint Investigator can collect data from the following online social sharing services:

• Facebook
• Instagram
• Twitter

7.9 USGCB compliance


EnCase Endpoint Investigator has been validated as USGCB compliant using the following version of
NIST VHD images:

2/27/17 (for Windows 7 only)

EnCase Endpoint Investigator was tested using Retina Network Security Scanner, which is a NIST
validated USGCB scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).

8 Fixed issues
This section provides information about past issues that have been fixed in this release.

Issue name | Issue description

GUIDTS-4267: An issue with signature analysis that resulted in incorrectly identifying the
XLSM file type as Android Application Package has been fixed.

GUIDTS-6174: An issue that caused valid perpetual product certs to not display correctly in
the product About window has been fixed.

GUIDTS-7044: An issue that resulted in blank File Created fields on Red Hat Enterprise Linux
8 volumes has been fixed.

Mobile Acquisition: Potential problems with authentication during iCloud Photos import have been
fixed.


9 Known issues
This section documents known issues in this release.

Issue number (Found in): Description

Artifact Explorer (24.3): Column sorting in the center pane is case-sensitive while the
expected sorting is case-insensitive.

Artifact Explorer (24.3): Artifact metadata and content export is limited to 1000 or fewer
items per export. A warning message is displayed if an export of more than 1000 items is
submitted. To export more than 1000 items, export multiple individual sets of 1000 or fewer
items at a time.

EnCase Portable (24.3): When an expired EnCase security key is inserted into a USB port on a
target machine where the EnCase Portable 24.3 device is being used, the device reads the
expired security key and indicates the license is inactive. The solution is to remove the
security key.

Artifact Explorer (24.2): When entering the start date of a Between filter using the filter
entry field, Artifact Explorer may provide unexpected results until an end date is entered.

Artifact Explorer (24.2): When removing bookmarks from large evidence files, it can take time
and AEX provides no indication of progress in fulfilling the request. The operation will
eventually complete.

Artifact Explorer (24.2): In some situations, when Artifact Explorer encounters an error while
rendering a document in the Content pane, it will indicate rendering is in progress despite
completing the process. A workaround is to select another artifact and then return to the
first artifact to see if an error has occurred.

Artifact Explorer (24.2): Evidence previews from disks, network shares, remote agents, or
connected services (like Twitter or Slack) are not available in AEX unless they are first
acquired in EnCase Endpoint Investigator.

Artifact Explorer (24.2): Remote Processor Nodes do not prepare evidence for Artifact
Explorer. Evidence must be processed locally.

Artifact Explorer (24.2): Shared Evidence Cache is not supported. No Artifacts will be
available in Artifact Explorer when a shared cache is used in a case.

AGENT-9043 (23.4): The enhanced agent for macOS 10.15 (Catalina) is not functional when used
with EnCase Endpoint Investigator 24.3. The standard agent functions normally with macOS 10.15
(Catalina). Refer to the macOS entry in the Target machine operating systems section of these
release notes to view the functional capabilities of the standard agent.

FOR-35475 (23.4): When initiating media analysis via Pathways or the Entries context view, all
image categories are included for analysis. Because of the substantial memory required, this
can cause problems on machines that do not meet the minimum system requirements. A workaround
is to initiate media analysis via the Evidence Processor and select only those categories
needed for your investigation.

GUIDTS-6920 (23.4): Upgrading a Windows 10 machine to Windows 11 with a deployed EnCase agent
(23.4 or earlier) causes the agent to stop working. A workaround is to manually redeploy the
EnCase agent after the Windows upgrade.

SEC-30986 (23.2): While rapid preview does not actually make changes to files on the target
machine, this feature requires the user to have the “Edit Files” SAFE permission.

GUIDTS-6014 (22.4): When acquiring data remotely, Live (Rapid) Collection will result in an
error unless the Enhanced Agent plugin (.zip file) is installed in the SAFE Network Plugin
Repository.

FOR-31798 (22.4): EnCase Endpoint Investigator does not allow you to Acquire Data Remotely on
a target on which you are performing a Check-In Network Preview.

When users try to Acquire Data Remotely after performing a Check-In Network Preview, without
deploying the enhanced agent, the following error message is displayed: "You cannot deploy
Enhanced Agent on the target".

When users have deployed the enhanced agent on the same node where they are performing a
Check-In Network Preview, then try to Acquire Data Remotely, the following error message is
displayed:
• Windows: "Error: Error in “”: Unable to read 16 bytes. In function call: StartCall. Source (null)”
• Mac: “Error 0x80004005. In function call: StartCall”
These error messages are expected and they indicate that the Acquire Data Remotely
functionality is not available on Check-In Network Preview.

FOR-33123 (22.4): When performing a live device collection using the cross-platform enhanced
agent, the Acquire Data Remotely function in EnCase Endpoint Investigator does not collect
locked files.

GUIDTS-5898 (22.4): In Rapid Preview, where a specific sub-folder is collected, folder location
is preserved; however, metadata for top level and ancestor folders is not collected (for
example, Created date).

FOR-30694 (22.3): In EnCase Endpoint Investigator, when the user makes a collection using rapid
preview and then initiates a cancel request, the application currently waits to finish
collecting the file it was working on before canceling. With large files, this can result in
the application appearing to not respond to the request in a timely manner.

FOR-31030 (22.3): The Rapid Preview view stays connected after logging off the SAFE, when the
Rapid Preview is not the active view tab. Workaround: To disconnect and clear the Rapid
Preview display, users must click Disconnect manually.

FOR-31932 (22.3): When users Acquire Data Remotely, if the Job Name is defined using camel case
and then used as the name of the LEF, EnCase Endpoint Investigator displays an invalid
character error message. Workaround: Define the Job Name using only lower case letters.

GUIDTS-5778 (22.3): When using EnCase Endpoint Investigator to process a directory preview, the
console view displays a “Job failed” error message. To resolve this issue, ensure that the
evidence is acquired prior to initiating evidence processing.

AGENT-6301 (22.1): CodeMeter licensing was upgraded to v7.30a with the EnCase Endpoint
Investigator 22.1 release. CodeMeter is not compatible with Microsoft Windows 7. EnCase
Endpoint Investigator 22.1 can be installed on Windows 7 machines; however, the installer will
throw an error and the CodeMeter component will not be installed. If using the installer to
upgrade EnCase Endpoint Investigator 22.1 from a previous version, the error will still be
displayed, and CodeMeter 7.30a will not be installed. The application will attempt to use the
previous most recent version of CodeMeter for licensing.

AGENT-6551 (22.1): When using live directory preview, rapid preview, or remote data acquisition
on macOS systems to collect from protected folders (Desktop, Documents, Downloads, etc.), the
EnCase macOS agent (enmacos) cannot collect files unless full disk access permission has been
granted. This can be set either via MDM profile if the agent is deployed through MDM or by
manually adding the enmacos agent to the following allow list: System Preferences > Security
and Privacy > Privacy > Full Disk Access. See the full procedure in the Enabling full disk
access for macOS agents section in the SAFE 23.2 User Guide.

DOC-3109 (22.1): Media analysis module performance is degraded on systems that do not have a
minimum of 4GB of RAM per logical core. For further guidance on optimizing memory usage for
the Media analysis module and the Evidence Processor, see Knowledge Base article KB0723890.

FOR-25948 (22.1): In this release, the new Windows registry keys added to System Info Parser in
EnCase Endpoint Investigator 21.4 have been moved from the Auto Start folder to the Other
folder. Registry keys are viewed and selected by clicking on the System Info Parser link in the
EnCase Processor Options dialog, viewing the Advanced tab on the dialog, and opening a folder.
In EnCase Endpoint Investigator 22.1, the new keys will appear in the Other folder only for
evidence not processed in a previous version. For evidence processed with version 21.4, these
keys appear in the Auto Start folder. Once evidence is processed, keys selected from a
particular folder would be found under the corresponding folder in the Artifacts tab.

AGENT-6035 (21.4): SAFE version 21.4 uses stronger encryption for the SAFE private key. This
new SAFE private key cannot be read by earlier versions of SAFE. A clean installation of SAFE
version 21.4 cannot be downgraded to an earlier version as the private key cannot be read.
Downgrading to an earlier version of SAFE is possible if the SAFE was upgraded to SAFE 21.4
from an earlier version. SAFE installations that use a cert cannot be downgraded.

DOC-3021 (21.4): The additional Windows Registry keys parsed by EnCase Endpoint Investigator
21.4 System Info Parser are located in the AutoStart folder. These will be placed in the
appropriate Registry Commands subfolder in a future release.

FOR-24486 (21.4): When users open a case processed by an earlier version of EnCase Endpoint
Investigator, the case will not contain newer registry keys unless processed again with EnCase
Endpoint Investigator 21.4.

GUIDTS-4747 (21.4): When acquiring evidence to .Ex01, the Restart Acquisition option is
selectable, but this function does not support .Ex01 file formats. Attempting to restart
acquisition of an .Ex01 file using this function will not succeed.

AGENT-5363 (21.2): The EnCase agent installed on macOS 11 (Big Sur) is installed without
kernel extensions and can make snapshots, logical acquisitions, and previews. The EnCase agent
installed on macOS 11 cannot acquire physical memory, physical devices, or access locked or
mounted devices.

The EnCase agent installed on macOS 10.15 and earlier is installed with kernel extensions and
can acquire physical memory, physical devices, and access locked or mounted devices on Macs
unless the machine is equipped with a T2 encryption chip. Macs equipped with the T2 encryption
chip cannot perform physical disk acquisitions.

FOR-22695 (21.2): When using three periods (...) to enter a date range in EnCase Endpoint
Investigator, running a condition removes one of the periods, resulting in an error. A
workaround is to select the Prompt for value checkbox on the Terms tab of your condition. When
the condition is run, adding the period where EnCase has removed it will run the condition
without error.

AGENT-5291 (21.1): EnCase Endpoint Investigator can generate malformed token errors when
creating check in remote collection jobs where the version of EnCase Endpoint Investigator
Client is different from the EnCase SAFE. To resolve this issue, update your SAFE and EnCase
Endpoint Investigator client to the latest version.

FOR-21186 (21.1): Mapped drives are not visible to EnCase Endpoint Investigator when adding
evidence. The user also cannot drag and drop evidence into EnCase Endpoint Investigator from a
mapped drive.

FOR-21258 (21.1): In some situations when running the Chinese Simplified version of EnCase,
the display text may not render properly. Installing the Arial Unicode MS font and setting it
in Tools > Options > Fonts will resolve the issue.

GUIDTS-4268 (21.1): EnCase Endpoint Investigator does not support opening more than ten
concurrent cases. Opening more than ten concurrent cases causes the recently opened case list
to cycle through the cases, preventing the user from selecting the first opened case.

FOR-15721 (20.4): Hash and signature analysis using conditions are not currently enabled for
use with the enhanced agent.

FOR-19247 (20.4): Under certain circumstances, EnCase Endpoint Investigator can fail to parse
ZFS volumes on identical devices.

FOR-19252 (20.4): Under certain circumstances, EnCase Endpoint Investigator can fail to parse
ZFS volumes in virtual environments when using GPT partitions.

FOR-19968 (20.4): The OneDrive preview feature does not support bookmarking. If you want to
bookmark an item, you must acquire it first, then bookmark it.

FOR-20225 (20.4): In some cases, installing EnCase Endpoint Investigator on a system that
already has EnCase Endpoint Investigator installed will generate a file lock error on
enportv.sys. This can prevent EnCase fonts from loading properly. Restarting the system after
installation resolves the issue.

FOR-20283 (20.4): In some circumstances, installing HASP drivers can cause certain Windows 10
machines to deliver a stop error. As a result, the HASP driver installation has been unchecked
by default. If you still use a HASP dongle, OpenText recommends replacing it with either
CodeMeter or an electronic license. Contact OpenText Customer Service for a replacement.

FOR-20308 (20.4): In some circumstances, the File Processor module in Sweep Enterprise will
fail to collect files when run against a machine with devices formatted in APFS.

GUIDTS-2998 (20.4): An issue in EnCase Endpoint Investigator was identified that prevents
indexing of East Asian characters. Searching for more than a single character does not return
results.

AGENT-4536 (20.3): The EnCase agent is not supported on target machines with ARM processors
running Windows 10 S mode.

AGENT-4574 20.3 After setting the check in agent time value, Reset Time (Hours),
during SAFE installation, the deployed agents may check in at
times that differ from this setting, but will do so at regular intervals
in accordance with this setting.

AGENT-4617 20.3 When downgrading the SAFE from version 20.3 to version 20.2, the
SAFE will present an error for any users that have been assigned a
role for the Agent Management Platform (AMP).

AGENT-4660 20.3 The command prompt cannot be used to perform a quick update
from SAFE version 8.x to SAFE version 20.x. The installer must be
run manually because user input is required when migrating the
SAFE from version 8.x to version 20.x.

FOR-19065 20.3 Some APFS snapshots on physical images are not added to the
evidence view after processing. This is a result of system changes
during acquisition that render the snapshot invalid.

AGENT-4120 20.2 Physical acquisition of a Macintosh device with a T2 chip is
possible but unusable since the keys are stored in the T2 chip and the
acquired image cannot be decrypted. The workaround is to do a
logical acquisition on the device.

DOC-2410 20.2 Support for McAfee Drive Encryption up to version 7.2.9.14 works
in offline mode (using the XML file). However, online credentials
validated on the live server do not decrypt the evidence. The
current workaround is to manually export the XML file from the
server and use this file for offline decryption.

FOR-17297 20.2 When collecting from a Macintosh running APFS, acquiring a
device before an encryption process is completed can lead to
partially encrypted entries that are unreadable in EnCase Endpoint
Investigator. It is recommended to acquire a device after the
encryption process is complete.

FOR-17894 20.2 When running the Recover Folders option in the Evidence
Processor, the entry count in the Recovering notification is incorrect
because it does not include counts from alternate data streams.
The correct count is displayed elsewhere in the application, where
alternate data streams are included.

GUIDTS-3542 20.2 On some workstations with restrictive Windows policies, EnCase
Endpoint Investigator may be prevented from loading a font used in
the application UI. If you encounter a missing font in the UI, a
solution is available in the following KB article on OpenText My
Support: KB0591780.

FOR-15542 8.10 Indexes generated with previous versions of EnCase Endpoint
Investigator (v8.09 and earlier) are incompatible with EnCase
Endpoint Investigator v8.10. If you want to view indexed data in
EnCase Endpoint Investigator v8.10, you must re-index it.

FOR-16248 8.10 EnCase Endpoint Investigator v8.10 installation fails on machines
running Windows 10, version 1507. Installation of EnCase Endpoint
Investigator v8.10 works on Windows 10 versions that are more
recent than version 1507.

FOR-16505 8.10 When a user provides secure storage credentials for a McAfee full
disk encrypted physical evidence containing partitions, and then
reacquires it, the newly acquired evidence will contain decrypted
data. However, the new evidence will contain the McAfee partition
that designates the other partitions as still encrypted, and it is this
McAfee partition that EnCase Endpoint Investigator uses to flag the
other partitions as encrypted. This results in EnCase Endpoint
Investigator repeatedly prompting the user for credentials. If the
user then cancels the credential dialog, EnCase Endpoint
Investigator will read the decrypted data as if there was no
encryption.

Mobile Acquisition - Android 8.10 Android 9 is partially acquired by the physical plugin.

Mobile Acquisition - Android Logical 8.10 "Connection was broken" appears for ZTE Z799 Android 6.0.1
device during logical acquisition.

Mobile Acquisition - Cloud Import 8.10 Authentication in Google Locations fails with Invalid Credentials
error.

Mobile Acquisition - Cloud Import 8.10 Authentication has failed for Twitter cloud import with "Invalid
credentials" error.

Mobile Acquisition - Cloud Import 8.10 iCloud Backup - Authentication fails with Invalid credentials error.

Mobile Acquisition - iPhone Physical 8.10 Physical Acquisition by DFU mode fails with error.

FOR-14141 8.09 When selecting an APFS container in the Network Preview Screen,
the data on the APFS volume needs to be frozen before previewing
or collecting it. A small snapshot file is created that remains on the
device until the parsing of the data is complete, at which point the
snapshot is removed. The Allow Live APFS Snapshot global option
enables this snapshot to be created; the option is selected by
default and cannot be cleared without incurring unreliable and
inconsistent results.

FOR-14076 8.09 Copying files from a result set that contains entries from an APFS
volume may fail. If this occurs, an error displays, stating you only
have permission to process a certain number of the selected files.
This behavior does not happen consistently, and does not happen
when copying files from entries, or when copying files from other file
systems.

FOR-14067 8.09 Viewing indexed items selected by Item Type may display
inconsistent results.

FOR-14062 8.09 Under certain conditions, jobs may fail when reprocessing APFS
evidence.

FOR-14049 8.09 Encrypted APFS volumes will not parse on two devices if a correct
password is entered for one device and an incorrect password is
entered for the other.

FOR-14040 8.09 After creating a raw text bookmark, selecting an entry, and then
selecting hash/sig on that entry, EnCase Endpoint Investigator may
crash when clicking the refresh button.

FOR-14032 8.09 For an encrypted APFS volume, clicking Rescan directly does not
parse the volume if more than three incorrect passwords have been
entered consecutively.

FOR-14023 8.09 When repeatedly viewing certain indexed items, EnCase Endpoint
Investigator may crash. This behavior is infrequent.

FOR-14006 8.09 When processing evidence, the Index option in the view menu can
sometimes incorrectly display as enabled or disabled.

FOR-13924 8.09 When using the default disk allocation of 10% for enhanced agent
jobs on VMs or small disks, the job may fail. Changing the default to
be >20% or making the segment size smaller will help prevent this
issue.

FOR-13772 8.09 When reprocessing a version 8.08 case using thumbnails and hash
options, the wrong hash value is displayed. If this happens, delete
the cache and process the evidence again from the beginning.

FOR-11505 8.08 Non-English builds of EnCase Endpoint Investigator are not
supported on 32-bit operating systems.

FOR-11549 8.08 In Japanese, Chinese, and Korean builds of EnCase Endpoint
Investigator running on Windows 10, paths are not displayed
correctly because of an underlying font issue. To work around this
issue, install the Arial Unicode MS font from Microsoft.

FOR-12474 8.08 When previewing and acquiring process memory from targets
running macOS 10.6 and 10.10, EnCase Endpoint Investigator
returns all zeros.

FOR-12677 8.08 Vera encrypted files inside of an unencrypted .ZIP file are not
decrypted when Vera decryption is set to Offline Mode.

AGENT-2859 8.07 Users logged into their SAFE user account can delete their own
SAFE user record.

FOR-10826 8.07 Due to the structure of APFS containers and volumes, navigation of
APFS devices in disk view can appear confusing when moving
across clusters.

FOR-10958 8.07 When dropping APFS evidence into EnCase Endpoint Investigator,
the data fails to load if you process the evidence before opening it.
The workaround is to open the evidence first and then process it.

FOR-11089 8.07 Because EnCase Endpoint Investigator parses
macOS APFS volumes directly, the timestamp values of files match
those found in the terminal command line rather than the
corresponding timestamp values displayed in the Finder.


10 Contact information
OpenText Corporation
275 Frank Tompa Drive
Waterloo, Ontario
Canada, N2L 0A1

For more information, visit the OpenText or My Support websites.

© 2024 Open Text

Patents may cover this product, see https://www.opentext.com/patents.

Disclaimer

No Warranties and Limitation of Liability

Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However, Open Text Corporation and its affiliates accept
no responsibility and offer no warranty whether expressed or implied, for the accuracy of this publication.
