OpenText™ EnCase Endpoint

Investigator CE 24.2

Release Notes

Product Released: 2024-04-29


1 Introduction
These Release Notes provide an overview of EnCase Endpoint Investigator 24.2, including new
features, delivery information, and supported platforms.

OpenText recommends that you read these Release Notes in conjunction with the documentation
included with the software package. If any conflicts exist, the Release Notes supersede the other
documentation.

We also recommend that you check OpenText My Support for any patches or documentation updates
that may have been posted after the initial release of this product.

1.1 Release Notes revision history


Revision date Sections revised Description of revisions

2024-04-29 First release All new content

2 About EnCase Endpoint Investigator 24.2


This section provides an overview of EnCase Endpoint Investigator 24.2.

2.1 New features


EnCase Endpoint Investigator 24.2 includes the following new features:

Artifact Explorer – technical preview


EnCase Endpoint Investigator now includes a technical preview of Artifact Explorer, a new component
with a modern user interface optimized for analyzing artifacts. This technical preview application is
used to view artifacts in evidence files of any case prepared by EnCase Endpoint Investigator 24.2.
You can view, filter, search, sort, tag, and bookmark artifacts from any evidence file within an EnCase
case file. You can seamlessly move back to the core EnCase Endpoint Investigator application to
further analyze the data or publish a report based on your analyses. You can also export file metadata
or artifact content from Artifact Explorer for use with a third-party tool. As a technical preview,
OpenText does not recommend performing live case work with Artifact Explorer at this time. We
welcome your feedback as we prepare for a future production release.

Updated file types table


Over 200 file type associations have been added to the File Types table in EnCase Endpoint
Investigator.

IPv6 support for Linux systems


EnCase Endpoint Investigator now supports IPv6 addressing on Linux machines. Key tasks, such as
snapshots and sweep enterprise, can now identify Linux machines using IPv6. EnScript also supports
IPv6 addressing for Linux machines.

Enhanced mobile acquisition logging


EnCase Endpoint Investigator now provides enhanced logging options when conducting mobile
acquisitions.

Mobile acquisition enhancements


• Support for logical acquisition of iOS 17 devices has been added.
• Support for importing encrypted and non-encrypted iOS 17 backups has been added.
• Support for logical and targeted triage logical acquisition of Android 14 devices has been added.
• Support for importing Android 14 ADB backups has been added.
• The Seizure Service agent used for Android logical acquisition has been updated and works
more smoothly with newer versions of the Android OS.
• The Qualcomm EDL drivers in the Driver Pack have been updated.
• A new iCloud Photos import allows importing iCloud Photos sync data for accounts with and
without 2FA.

2.2 Discontinued and deprecated features


The following features have been discontinued in this release:

• SAFE EnCase Agent Management server support for TLS 1.1 has been discontinued.
• Red Hat Enterprise Linux version 6 support has been discontinued.
• Linux kernel 2.6.4 support has been discontinued. See the Target machine operating systems
table for current kernel support.

The following features have been deprecated in this release:

• No features are deprecated in this release.

3 Mobile application data acquisition


EnCase Endpoint Investigator allows you to acquire parsed mobile application data. The parsed
application data includes grids with types of data corresponding to its application, such as Contacts,
Conversation, Downloads, History, and more. Parsed data can be collected from either the device
acquisition or the cloud acquisition.

Acquisition sources: iOS; Android (rooted); Android (not rooted) 1; BlackBerry 10 Backup;
Cloud Data Import.

Applications:

Amazon Alexa
BB Messenger
Chrome
DJI Go
Dolphin browser
Dolphin X browser
Evernote
Facebook
Facebook Messenger (iOS 7.x & higher)
Firefox
Fitbit
Gmail
Google Maps
Google Drive
iCloud Backup 2
iCloud Photos
Instagram
Jott Messenger
KIK
LinkedIn
Mail.ru
Opera
Opera Touch
Pinger
Skype
Snapchat
Telegram
TextFree
TextPlus
TigerConnect
TikTok
Tinder
Twitter
Viber
Vkontakte
VoiceMail
Waze
WeChat
WhatsApp
Whisper
Yik Yak

1 Mobile application data acquisition for GrapheneOS is supported according to the flags noted in the
Android (not rooted) column.

2 iCloud Backup is not a parsed application but is included here because it is accessed via Cloud
Data Import.

4 SAFE version
Use the latest version of SAFE 24.2 with this product. The latest version of the SAFE is available from
OpenText My Support.

5 Product licensing
The CodeMeter product licensing client for EnCase Endpoint Investigator is v7.60d.

The CodeMeter license server is the current, supported product licensing mechanism for EnCase
products. The legacy License Manager application used by some existing customers is still supported
but will be deprecated in a future release.

Legacy License Manager documentation can be found in the SAFE 20.4 User Guide.

EnCase Forensic and EnCase Endpoint Investigator 24.2 users:

New and current users


If you are a new user, or do not use the legacy License Manager:

• Use CodeMeter license server. Refer to your product’s 24.2 user guide for instructions on
installing and configuring the CodeMeter license server.
• Refer to the SAFE 24.2 User Guide for information about SAFE and agent deployment.

Legacy License Manager users


If you currently use License Manager, you may continue to use License Manager until it is fully
deprecated, or you can migrate to CodeMeter license server.

• If you want to stop using License Manager, refer to your product’s 24.2 User Guide for
instructions on installing the CodeMeter license server.
• If you do not want to stop using License Manager at this time, refer to the SAFE 20.4 User
Guide for information about License Manager. Refer to the SAFE 24.2 User Guide for all
information about the SAFE and agent deployment.
• The CodeMeter license server is not compatible with EnCase Endpoint Investigator versions
older than 20.x. If you intend to use EnCase Endpoint Investigator versions older than 20.x,
keep enough licenses for your needs on your existing License Manager server.

6 Packaging and documentation


Downloads and documentation for EnCase Endpoint Investigator are available on OpenText My
Support. Documentation for this product includes:

• EnCase Endpoint Investigator User Guide
• EnCase Artifact Reference Guide
• SAFE User Guide

7 Supported environments and compatibility


This section provides details about supported platforms, systems, and versions.

7.1 Supported systems


EnCase Endpoint Investigator works on machines running the following operating systems:

• Microsoft Windows 8.1, Windows 10 versions 1607, 1703, 1709, 1803, 1809, 1903, 1909,
2004, 21H1, 21H2, 22H1, 22H2, Windows 11 21H1, 21H2, 22H1, 22H2

• Microsoft Windows Server 2012 and 2012 R2, Windows Server 2016, Windows Server 2019,
Windows Server 2022

Minimum and suggested system requirements for this product are provided in the System
Requirements section of the EnCase Endpoint Investigator User Guide.

7.2 Application user interface – language support


The EnCase Endpoint Investigator user interface is available in the following languages:

Arabic, Chinese Simplified, Chinese Traditional, Dutch, French, German, Italian, Japanese,
Korean, Polish, Portuguese, Russian, Spanish, Turkish

These language versions and the English version of EnCase Endpoint Investigator are available for
download on OpenText My Support.

The EnCase Artifact Explorer application user interface is only available in English.

7.3 Components included with EnCase Endpoint Investigator


EnCase Endpoint Investigator includes third-party components and modules.

• The 7-zip library has been updated to the newest version to address potential security
issues. The 7-zip library included with EnCase Endpoint Investigator is now version 23.01.

7.4 Target machine operating systems


Agents are deployed on target machines and work with the operating systems listed in the following
table:

Target OS, Version (Processor) for SAFE/Agent v23.4

Columns: Core Support: Rapid Preview (Live Preview), Snapshot; Acquisition: Device Acquisition
(Physical), Volume Acquisition (Logical), Memory Acquisition (Raw Memory); Active Agent: Acquire
Data Remotely, Check-In Collection.

Windows 11, 21H2 – 23H2 (x86, x64, ARM32, ARM64)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: Yes; Volume Acquisition: Yes;
Memory Acquisition: Yes, except ARM64; Active Agent: Yes, except ARM

Windows 10, 1507 – 22H2 (x86, x64, ARM32 1, ARM64)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: Yes; Volume Acquisition: Yes;
Memory Acquisition: Yes, except ARM64; Active Agent: Yes, except ARM

Windows 7 SP1, 8, 8.1 (x86, x64)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: Yes; Volume Acquisition: Yes;
Memory Acquisition: Yes; Active Agent: Yes

Windows Server 2012 R2, 2016, 2019, 2022 (x86, x64)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: Yes; Volume Acquisition: Yes;
Memory Acquisition: Yes; Active Agent: Yes

macOS 11, 12, 13, 14 2, 3 (x64, ARM64)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: No 3; Volume Acquisition: No 3;
Memory Acquisition: No; Active Agent: Yes

macOS (OS X) 10.13 – 10.15 (x64)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: Yes; Volume Acquisition: Yes;
Memory Acquisition: Yes (10.13 – 10.14); Active Agent: No

Red Hat Enterprise Linux 7, 8, 8.1, 9.0 (x86, x64)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: Yes; Volume Acquisition: Yes;
Memory Acquisition: Yes, with kcore device; Active Agent: No

Linux kernel 3.9.5 or higher with procfs (x86, x64, ARM32, ARM64, IBM Z)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: Yes; Volume Acquisition: Yes;
Memory Acquisition: Yes, with kcore device; Active Agent: No

Solaris 10 – 11.4 (SPARC64)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: Yes; Volume Acquisition: Yes;
Memory Acquisition: No; Active Agent: No

AIX 6.1, 7.1 (PowerPC 64-bit)
Rapid Preview: Yes; Snapshot: Yes; Device Acquisition: Yes; Volume Acquisition: Yes;
Memory Acquisition: No; Active Agent: No

1 Windows IoT Core also supported.
2 macOS agent deployment limitations are listed in the Known issues section of the release notes.
3 macOS 12 and later can only be previewed with Live Directory Preview.
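The Linux rows of the table above state what the agent needs from a target: a kernel at 3.9.5 or higher with procfs, a supported processor (x86, x64, ARM32, ARM64, IBM Z), and the kcore device for raw memory acquisition. The script below is an added example, not OpenText tooling, that pre-checks a candidate Linux target from its `uname -r`, `uname -m` and /proc/mounts output before an agent is deployed. Two things in it are this example's assumptions rather than statements from the release notes: the mapping from `uname -m` machine names to the table's processor labels, and that the "kcore device" is /proc/kcore.

```python
"""Pre-deployment check of a Linux target against the agent requirements in
the Target machine operating systems table. Added example, not OpenText code."""
import os
import platform
import re
from typing import Optional, Tuple

MIN_KERNEL = (3, 9, 5)            # "Linux kernel 3.9.5 or higher with procfs"
KCORE_PATH = "/proc/kcore"        # assumption: the "kcore device" is /proc/kcore

# Assumption: how `uname -m` spells the processors the table lists
# (x86, x64, ARM32, ARM64, IBM Z).
ARCH_BY_MACHINE = {
    "i386": "x86", "i486": "x86", "i586": "x86", "i686": "x86",
    "x86_64": "x64",
    "armv6l": "ARM32", "armv7l": "ARM32",
    "aarch64": "ARM64",
    "s390x": "IBM Z",
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(uname_r: str) -> Optional[Tuple[int, int, int]]:
    """'3.10.0-1160.el7.x86_64' -> (3, 10, 0); None if no leading version."""
    m = _VER_RE.match(uname_r.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_supported(uname_r: str) -> bool:
    """True when the kernel meets the table's 3.9.5 minimum."""
    ver = parse_kernel_version(uname_r)
    return ver is not None and ver >= MIN_KERNEL


def procfs_mounted(proc_mounts: str) -> bool:
    """True if the /proc/mounts text shows a 'proc' filesystem on /proc."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "/proc" and fields[2] == "proc":
            return True
    return False


def assess_target(uname_r: str, uname_m: str, proc_mounts: str,
                  kcore_present: bool) -> dict:
    """Summarise what the table says the agent can do on this target."""
    kernel_ok = kernel_supported(uname_r)
    arch = ARCH_BY_MACHINE.get(uname_m)
    proc_ok = procfs_mounted(proc_mounts)
    deployable = kernel_ok and arch is not None and proc_ok
    return {
        "kernel": parse_kernel_version(uname_r),
        "kernel_supported": kernel_ok,
        "architecture": arch,
        "procfs": proc_ok,
        "agent_deployable": deployable,
        # Memory Acquisition column reads "Yes, with kcore device"
        "raw_memory_acquisition": deployable and kcore_present,
        # Active Agent (Check-In Collection) is "No" on every Linux row
        "check_in_collection": False,
    }


def assess_local_host() -> dict:
    """Run the check on the machine this script executes on (Linux only)."""
    with open("/proc/mounts", encoding="utf-8") as fh:
        mounts = fh.read()
    return assess_target(platform.release(), platform.machine(), mounts,
                         os.path.exists(KCORE_PATH))


if __name__ == "__main__":
    for key, value in assess_local_host().items():
        print(f"{key:>24}: {value}")
```

Run it on the prospective target (or feed it the three strings collected by hand); a RHEL 6 box reports `kernel_supported: False` because its 2.6.32 kernel falls under the support discontinued in section 2.2, and a host without /proc/kcore reports `raw_memory_acquisition: False` while remaining deployable.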

McAfee ePolicy Orchestrator (ePO) integration
McAfee ePolicy Orchestrator administrators can use ePO to deploy EnCase agents to ePO-managed
nodes. Versions 4.5, 4.6, 5.1, and 5.3 are supported.

7.5 Supported file systems


EnCase Endpoint Investigator supports the following file systems:

APFS, CDFS, EXFAT, EXT2, EXT3, EXT4, FAT, FAT12, FAT16, FAT32, HFS, HFS+, HFSX, HPFS, HPUXFS,
JFS, JFS2, NETWARE, NTFS, REISER, SOLZFS, SUN, UDF, UFS, UFS2, VXFS, XFS, YAFFS2, ZFS

7.6 Third party systems

System Description

Project VIC data model 1.2

7.7 Encryption support


Vendor / Product / Supported versions / 64-bit support

Apple / Apple File System (APFS) Encryption / 10.15 / Yes

Check Point / Endpoint Security Suite (Full Disk Encryption) / 6.3.1 up to 7.4, 8.0 (for
Windows and Macintosh computers); 80.64 – 80.94 (Windows only) / Yes

Credant (subsumed by Dell) / Mobile Guardian / 5.2.1, 5.3, 5.4.1, 5.4.2, 6.0 through 6.8, 7.3 / Yes

Dell / Data Protection Enterprise Edition / 8.3, 8.5, 8.12, 8.13, 8.15, 8.16, 8.17.2 / Yes

Dell / Full Disk Encryption / 8.17, 10.7, 10.8 / Yes

GuardianEdge / Encryption Plus/Anywhere / 7 and 8 / No

GuardianEdge / Hard Disk Encryption / 9.1.5, 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1 / Yes

McAfee / Endpoint Encryption (formerly SafeBoot) / 4, 5, 6, 7, 7.1, 7.2 (for Windows and
Macintosh computers) / Yes

Microsoft / BitLocker and BitLocker To Go / Windows Vista (Enterprise and Ultimate),
Windows 7, 8, 10, Windows Server 2008 / Yes

Sophos / SafeGuard Easy and Enterprise (formerly Utimaco) / 4.5, 5.5, 5.6, 6.0 /
Yes for SafeGuard Easy, No for SafeGuard Enterprise

Symantec / PGP Whole Disk Encryption / 9.8, 9.9, 10, 10.1, 10.2, 10.3 / Yes

Symantec / Endpoint Encryption / 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0, 8.2, 8.2.1,
9.1, 11.1.1, 11.1.3, 11.2, 11.3 / Yes

Vera / Vera for Files / 2.1 / Yes

WinMagic / SecureDoc Full Disk Encryption and Self-Encrypting Drives / 4.5 – 8.6 / No

7.8 Cloud service support


EnCase Endpoint Investigator can collect user email and related items from the following online email
services:

• Microsoft Exchange Server 2013 or later
• Microsoft Exchange Server on Office 365
• Google Workspace

EnCase Endpoint Investigator can collect files from the following online file storage and sharing
services:

• Amazon S3
• Box
• Dropbox
• Google Workspace
• Microsoft Azure Blob
• Microsoft SharePoint 2013 or later
• Microsoft SharePoint Office 365
• Microsoft SharePoint Office 365 OneDrive

EnCase Endpoint Investigator can collect files from the following collaboration services:

• Microsoft Teams
• Slack
• Zoom

EnCase Endpoint Investigator can collect data from the following online social sharing services:

• Facebook
• Instagram
• Twitter

7.9 USGCB compliance


EnCase Endpoint Investigator has been validated as USGCB compliant using the following version of
NIST VHD images:

2/27/17 (for Windows 7 only)

EnCase Endpoint Investigator was tested using Retina Network Security Scanner, which is a NIST
validated USGCB scanner (http://usgcb.nist.gov/usgcb/microsoft_content.html).

8 Fixed issues
This section provides information about past issues that have been fixed in this release.

Issue name Issue description

AGENT-8961 An issue that resulted in user data being collected multiple times on macOS
systems has been fixed.

AGENT-9023 An issue that caused Windows 11 21H1 to display as Windows 10 has been
fixed.

AGENT-9045 An issue with the enhanced agent on Windows machines not stopping
properly in some cases has been resolved.

AGENT-9061 Agent auto-update functionality was changed for platforms that have been
deprecated by their publishers. Since these platforms are no longer
maintained or supported by their respective publishers, OpenText considers
them deprecated. When a SAFE connects to an agent on a deprecated
operating system, for example macOS 10.12 or HP-UX, it does not attempt
to update the agent but does allow communication to maintain basic agent
functionality.

Note: OpenText does not actively test agents on deprecated third-party
platforms. No level of service or functionality is guaranteed or implied. Use at
your own risk.

FOR-34852 An issue with EnCase Endpoint Investigator that resulted in misclassification of
some video files has been fixed.

FOR-36376 An issue with EnCase Endpoint Investigator that resulted in an error message
when collecting from Microsoft Teams has been fixed.

GUIDTS-6465 An issue with the EnCase Endpoint Investigator Processor Manager showed a
completed processor option as both enabled (completed) and disabled (not
completed) at the same time. This has been fixed.

GUIDTS-6539 An issue with EnCase Endpoint Investigator not collecting direct messages
from MS Teams has been fixed.

GUIDTS-6723 An issue that prevented direct printing of PDF reports from the Report tab has
been fixed.

GUIDTS-6767 An issue that could cause EnCase Endpoint Investigator to crash when
scanning for Logical Volume Manager has been fixed.

GUIDTS-6775 Upgrading a Windows 10 machine to Windows 11 would cause the installed
EnCase agent (23.4 or earlier) to stop working. Updating to SAFE 24.2 prior to
upgrading the Windows machine fixes this issue.

Mobile Acquisition
• Potential issues with Facebook News feed import have been fixed.
• The potential issue with Tinder contact name parsing in dialogs acquired from
iOS and Android devices has been fixed.
• An issue with SMS parsing on devices with iOS 16 and higher has been fixed.
• The 7-zip library has been updated to the newest version to address potential
security issues.
• Potential problems with connection loss during acquisition of Android
OS/GrapheneOS devices with large memory volumes have been fixed.

9 Known issues
This section documents known issues in this release.

Issue number Found in Description

Artifact Explorer 24.2 Artifact Explorer indefinitely displays a "Loading..." message when
using Is None Of in a View Profile.

Artifact Explorer 24.2 When entering the start date of a Between filter using the filter
entry field, Artifact Explorer begins searching before an end date
can be entered. A workaround is to create the search using the
funnel icon.

Artifact Explorer 24.2 When removing bookmarks from large evidence files, it can take
time and AEX provides no indication of progress in fulfilling the
request. The operation will eventually complete.

Artifact Explorer 24.2 The artifacts count at the bottom of the table does not refresh to
show the correct count after adding selected bookmarks. A
workaround is to move the scroll bar: the artifacts count will update.

Artifact Explorer – Filter Builder 24.2 Some values cannot be edited using the Filter Builder:
- Is Blank and Is Not Blank do not work using the Filter Builder.
- Is Any Of and Is None Of do not work using the Filter Builder.
A workaround is to edit the filter using the column filter funnel.

Artifact Explorer 24.2 In some situations, when Artifact Explorer encounters an error while
rendering a document in the Content pane, it will indicate rendering
is in progress despite having completed the process. A workaround is to
select another artifact and then return to the first artifact to see if an
error has occurred.

Artifact Explorer 24.2 Evidence previews from disks, network shares, remote agents, or
connected services (like Twitter or Slack) are not available in AEX
unless they are first acquired in EnCase Endpoint Investigator.

Artifact Explorer 24.2 Remote Processor Nodes do not prepare evidence for Artifact
Explorer. Evidence must be processed locally.

Artifact Explorer 24.2 Shared Evidence Cache is not supported. No artifacts will be
available in Artifact Explorer when a shared cache is used in a
case.

AGENT-9043 23.4 The enhanced agent for macOS 10.15 (Catalina) is not functional
when used with EnCase Endpoint Investigator 24.2. The standard
agent functions normally with macOS 10.15 (Catalina). Refer to the
macOS entry in the Target machine operating systems in these
release notes to view the functional capabilities of the standard
agent.

FOR-35475 23.4 When initiating media analysis via Pathways or the Entries context-
view, all image categories are included for analysis. Because of the
substantial memory required, this can cause problems on machines
that do not meet the minimum system requirements. A workaround
is to initiate media analysis via the Evidence Processor and select
only those categories needed for your investigation.

GUIDTS-6920 23.4 Upgrading a Windows 10 machine to Windows 11 on a machine
with a deployed EnCase agent (23.4 or earlier) causes the agent to
stop working. A workaround is to manually redeploy the EnCase
agent after the Windows upgrade.

SEC-30986 23.2 While rapid preview does not actually make changes to files on the
target machine, this feature requires the user to have the “Edit
Files” SAFE permission.

GUIDTS-6014 22.4 When acquiring data remotely, Live (Rapid) Collection will result in
an error unless the Enhanced Agent plugin (.zip file) is installed in
the SAFE Network Plugin Repository.

FOR-31798 22.4 EnCase Endpoint Investigator does not allow you to Acquire Data
Remotely on a target on which you are performing a Check-In
Network Preview.

When users try to Acquire Data Remotely after performing a Check-In
Network Preview, without deploying the enhanced agent, the
following error message is displayed: "You cannot deploy Enhanced
Agent on the target".

When users deploy the enhanced agent on the same node where
they are performing a Check-In Network Preview, then try to
Acquire Data Remotely, the following error message is displayed:
• Windows: "Error: Error in "": Unable to read 16 bytes. In
function call: StartCall. Source (null)"
• Mac: "Error 0x80004005. In function call: StartCall"
These error messages are expected and indicate that the
Acquire Data Remotely functionality is not available on a Check-In
Network Preview.

FOR-33123 22.4 When performing a live device collection using the cross-platform
enhanced agent, the Acquire Data Remotely function in EnCase
Endpoint Investigator does not collect locked files.

GUIDTS-5898 22.4 In Rapid Preview, where a specific sub-folder is collected, the folder
location is preserved; however, metadata for top-level and ancestor
folders is not collected (for example, Created date).


FOR-30694 22.3 In EnCase Endpoint Investigator, when the user makes a collection
using rapid preview and then initiates a cancel request, the
application currently waits to finish collecting the file it was working
on before canceling. With large files, this can result in the
application appearing to not respond to the request in a timely
manner.

FOR-31030 22.3 The Rapid Preview view stays connected after logging off the
SAFE, when the Rapid Preview is not the active view tab.
Workaround: To disconnect and clear the Rapid Preview display,
users must click Disconnect manually.

FOR-31932 22.3 When users Acquire Data Remotely, if the Job Name is defined
using camel case and then used as the name of the LEF, EnCase
Endpoint Investigator displays an invalid character error message.
Workaround: Define the Job Name using only lower case letters.

GUIDTS-5778 22.3 When using EnCase Endpoint Investigator to process a directory
preview, the console view displays a "Job failed" error message. To
resolve this issue, ensure that the evidence is acquired prior to
initiating evidence processing.

AGENT-6301 22.1 CodeMeter licensing was upgraded to v7.30a with the EnCase
Endpoint Investigator 22.1 release. CodeMeter is not compatible
with Microsoft Windows 7. EnCase Endpoint Investigator 22.1 can
be installed on Windows 7 machines; however, the installer will
throw an error and the CodeMeter component will not be installed.
If using the installer to upgrade EnCase Endpoint Investigator 22.1
from a previous version, the error will still be displayed, and
CodeMeter 7.30a will not be installed. The application will attempt
to use the previous most recent version of CodeMeter for licensing.

AGENT-6551 22.1 When using live directory preview, rapid preview, or remote data
acquisition on macOS systems to collect from protected folders
(Desktop, Documents, Downloads, etc.), the EnCase macOS agent
(enmacos) cannot collect files unless full disk access permission
has been granted. This can be set either via MDM profile if the
agent is deployed through MDM or by manually adding the
enmacos agent to the following allow list: System Preferences >
Security and Privacy > Privacy > Full Disk Access. See full
procedure in Enabling full disk access for macOS agents section in
the SAFE 23.2 User Guide.

DOC-3109 22.1 Media analysis module performance is degraded on systems that
do not have a minimum of 4GB of RAM per logical core. For further
guidance on optimizing memory usage for the Media analysis
module and the Evidence Processor, see Knowledge Base article
KB0723890.

FOR-25948 22.1 In this release, the new Windows registry keys added to System
Info Parser in EnCase Endpoint Investigator 21.4 have been moved
from the Auto Start folder to the Other folder. Registry keys are
viewed and selected by clicking on the System Info Parser link in
the EnCase Processor Options dialog, viewing the Advanced tab on
the dialog, and opening a folder. In EnCase Endpoint Investigator
22.1, the new keys will appear in the Other folder only for evidence
not processed in a previous version. For evidence processed with
version 21.4, these keys appear in the Auto Start folder. Once
evidence is processed, keys selected from a particular folder would
be found under the corresponding folder in the Artifacts tab.

AGENT-6035 21.4 SAFE version 21.4 uses stronger encryption for the SAFE private
key. This new SAFE private key cannot be read by earlier versions
of SAFE. A clean installation of SAFE version 21.4 cannot be
downgraded to an earlier version because the private key cannot be read.
Downgrading to an earlier version of SAFE is possible if the SAFE
was upgraded to 21.4 from an earlier version. SAFE installations
that use a cert cannot be downgraded.

DOC-3021 21.4 The additional Windows Registry keys parsed by EnCase Endpoint
Investigator 21.4 System Info Parser are located in the AutoStart
folder. These will be placed in the appropriate Registry Commands
subfolder in a future release.

FOR-24486 21.4 When users open a case processed by an earlier version of
EnCase Endpoint Investigator, the case will not contain newer
registry keys unless it is processed again with EnCase Endpoint
Investigator 21.4.

GUIDTS-4747 21.4 When acquiring evidence to .Ex01, the Restart Acquisition option
is selectable, but this function does not support the .Ex01 file format.
Attempting to restart acquisition of an .Ex01 file using this function
will not succeed.

AGENT-5363 21.2 The EnCase agent installed on macOS 11 (Big Sur) is installed
without kernel extensions and can make snapshots, logical
acquisitions, and previews. The EnCase agent installed on macOS
11 cannot acquire physical memory, physical devices, or access
locked or mounted devices.

The EnCase agent installed on macOS 10.15 and earlier is installed
with kernel extensions and can acquire physical memory, physical
devices, and access locked or mounted devices on Macs unless
the machine is equipped with a T2 security chip. Macs equipped
with the T2 chip cannot perform physical disk acquisitions.

FOR-22695 21.2 When using three periods (...) to enter a date range in EnCase
Endpoint Investigator, running a condition removes one of the
periods, resulting in an error. A workaround is to select the Prompt
for value checkbox on the Terms tab of your condition. When the
condition is run, adding the period where EnCase has removed it
will run the condition without error.

AGENT-5291 21.1 EnCase Endpoint Investigator can generate malformed token errors
when creating check-in remote collection jobs where the version of
the EnCase Endpoint Investigator client is different from that of the
EnCase SAFE. To resolve this issue, update your SAFE and
EnCase Endpoint Investigator client to the latest version.

FOR-21258 21.1 In some situations when running the Chinese Simplified version of
EnCase, the display text may not render properly. Installing the Arial
Unicode MS font and setting it in Tools > Options > Fonts will
resolve the issue.

GUIDTS-4268 21.1 EnCase Endpoint Investigator does not support opening more than
ten concurrent cases. Opening more than ten concurrent cases
causes the recently opened case list to cycle through the cases,
preventing the user from selecting the first opened case.

FOR-15721 20.4 Hash and signature analysis using conditions are not currently
enabled for use with the enhanced agent.

FOR-19247 20.4 Under certain circumstances, EnCase Endpoint Investigator can fail
to parse ZFS volumes on identical devices.

FOR-19252 20.4 Under certain circumstances, EnCase Endpoint Investigator can fail
to parse ZFS volumes in virtual environments when using GPT
partitions.


FOR-19968 20.4 The OneDrive preview feature does not support bookmarking. If
you want to bookmark an item, you must acquire it first, then
bookmark it.

FOR-20225 20.4 In some cases, installing EnCase Endpoint Investigator on a
system that already has EnCase Endpoint Investigator installed will
generate a file lock error on enportv.sys. This can prevent
EnCase fonts from loading properly. Restarting the system after
installation resolves the issue.

FOR-20283 20.4 In some circumstances, installing HASP drivers can cause certain
Windows 10 machines to deliver a stop error. As a result, the HASP
driver installation has been unchecked by default. If you still use a
HASP dongle, OpenText recommends replacing it with either
CodeMeter or an electronic license. Contact OpenText Customer
Service for a replacement.

FOR-20308 20.4 In some circumstances, the File Processor module in Sweep
Enterprise will fail to collect files when run against a machine with
devices formatted in APFS.

GUIDTS-2998 20.4 An issue in EnCase Endpoint Investigator was identified that
prevents indexing of East Asian characters. Searching for more
than a single character does not return results.

AGENT-4536 20.3 The EnCase agent is not supported on target machines with ARM
processors running Windows 10 S mode.

AGENT-4574 20.3 After setting the check in agent time value, Reset Time (Hours),
during SAFE installation, the deployed agents may check in at
times that differ from this setting, but will do so at regular intervals
in accordance with this setting.

AGENT-4617 20.3 When downgrading the SAFE from version 20.3 to version 20.2, the
SAFE will present an error for any users that have been assigned a
role for the Agent Management Platform (AMP).

AGENT-4660 20.3 The command prompt cannot be used to perform a quick update
from SAFE version a.x to SAFE version 20.x. The installer must be
run manually because user input is required when migrating the
SAFE from version a.x to version 20.x.

FOR-19065 20.3 Some APFS snapshots on physical images are not added to the
evidence view after processing. This is a result of system changes
during acquisition that render the snapshot invalid.

AGENT-4120 20.2 Physical acquisition of a Macintosh device with a T2 chip is
possible but unusable since keys are stored in the T2 chip and the
acquired image cannot be decrypted. The workaround is to do a
logical acquisition on the device.

DOC-2410 20.2 Support for McAfee Drive Encryption up to version 7.2.9.14 works
in offline mode (using the XML file). However, online credentials
validated on the live server do not decrypt the evidence. The
current workaround is to manually export the XML file from the
server and use this file for offline decryption.

FOR-17297 20.2 When collecting from a Macintosh running APFS, acquiring a
device before an encryption process is completed can lead to
partially encrypted entries that are unreadable in EnCase Endpoint
Investigator. It is recommended to acquire a device after the
encryption process is complete.

FOR-17894 20.2 When running the Recover Folders option in the Evidence
Processor, the entry count in the Recovering notification is incorrect
because it does not include counts from alternate data streams.
The correct count is displayed elsewhere in the application, where
alternate data streams are included.

GUIDTS-3542 20.2 On some workstations with restrictive Windows policies, EnCase


Endpoint Investigator may be prevented from loading a font used in
the application UI. If you encounter a missing font in the UI, a
solution is available in the following KB article on OpenText My
Support: KB0591780.

FOR-15542 8.10 Indexes generated with previous versions of EnCase Endpoint


Investigator (v8.09 and earlier) are incompatible with EnCase
Endpoint Investigator v8.10. If you want to view indexed data in
EnCase Endpoint Investigator v8.10, you must re-index it.

FOR-16248 8.10 EnCase Endpoint Investigator v8.10 installation fails on machines


running Windows 10, version 1507. Installation of EnCase Endpoint
Investigator v8.10 works on Windows 10 versions that are more
recent than version 1507.

FOR-16505 8.10 When a user provides secure storage credentials for McAfee full-disk-encrypted physical evidence containing partitions, and then reacquires it, the newly acquired evidence will contain decrypted data. However, the new evidence will still contain the McAfee partition that designates the other partitions as encrypted, and it is this McAfee partition that EnCase Endpoint Investigator uses to flag the other partitions as encrypted. This results in EnCase Endpoint Investigator repeatedly prompting the user for credentials. If the user then cancels the credential dialog, EnCase Endpoint Investigator will read the decrypted data as if there were no encryption.

Mobile Acquisition - Android 8.10 Android 9 is partially acquired by the physical plugin.

Mobile Acquisition - Android Logical 8.10 "Connection was broken" appears for ZTE Z799 Android 6.0.1 device during logical acquisition.

Mobile Acquisition - Cloud Import 8.10 Authentication in Google Locations fails with Invalid Credentials error.

Mobile Acquisition - Cloud Import 8.10 Authentication has failed for Twitter cloud import with "Invalid credentials" error.

Mobile Acquisition - Cloud Import 8.10 iCloud Backup - Authentication fails with Invalid credentials error.

Mobile Acquisition - iPhone Physical 8.10 Physical Acquisition by DFU mode fails with error.

FOR-14141 8.09 When selecting an APFS container in the Network Preview Screen, the data on the APFS volume needs to be frozen before previewing or collecting it. A small snapshot file is created that remains on the device until the parsing of the data is complete, at which point the snapshot is removed. The Allow Live APFS Snapshot global option enables this snapshot to be created; the option is selected by default and cannot be cleared without incurring unreliable and inconsistent results.

FOR-14076 8.09 Copying files from a result set that contains entries from an APFS volume may fail. If this occurs, an error displays, stating you only have permission to process a certain number of the selected files. This behavior does not happen consistently, and does not happen when copying files from entries, or when copying files from other file systems.

FOR-14067 8.09 Viewing indexed items selected by Item Type may display inconsistent results.

FOR-14062 8.09 Under certain conditions, jobs may fail when reprocessing APFS evidence.

FOR-14049 8.09 Encrypted APFS volumes will not parse on two devices if a correct password is entered for one device and an incorrect password is entered for the other.

FOR-14040 8.09 After creating a raw text bookmark, selecting an entry, and then selecting hash/sig on that entry, EnCase Endpoint Investigator may crash when clicking the refresh button.

FOR-14032 8.09 For an encrypted APFS volume, clicking Rescan directly does not parse the volume if more than three incorrect passwords have been entered consecutively.

FOR-14023 8.09 When repeatedly viewing certain indexed items, EnCase Endpoint Investigator may crash. This behavior is infrequent.

FOR-14006 8.09 When processing evidence, the Index option in the view menu can sometimes incorrectly display as enabled or disabled.

FOR-13924 8.09 When using the default disk allocation of 10% for enhanced agent jobs on VMs or small disks, the job may fail. Changing the default to be >20% or making the segment size smaller will help prevent this issue.

FOR-13772 8.09 When reprocessing a version 8.08 case using thumbnails and hash options, the wrong hash value is displayed. If this happens, delete the cache and process the evidence again from the beginning.

FOR-11505 8.08 Non-English builds of EnCase Endpoint Investigator are not supported on 32-bit operating systems.

FOR-11549 8.08 In Japanese, Chinese, and Korean builds of EnCase Endpoint Investigator running on Windows 10, paths are not displayed correctly because of an underlying font issue. To work around this issue, install the Arial Unicode MS font from Microsoft.

FOR-12474 8.08 When previewing and acquiring process memory from targets running macOS 10.6 and 10.10, EnCase Endpoint Investigator returns all zeros.

FOR-12677 8.08 Vera encrypted files inside of an unencrypted .ZIP file are not decrypted when Vera decryption is set to Offline Mode.

AGENT-2859 8.07 Users logged into their SAFE user account can delete their own SAFE user record.

FOR-10826 8.07 Due to the structure of APFS containers and volumes, navigation of APFS devices in disk view can appear confusing when moving across clusters.

FOR-10958 8.07 When dropping APFS evidence into EnCase Endpoint Investigator, the data fails to load if you process the evidence before opening it. The workaround is to open the evidence first and then process it.

FOR-11089 8.07 Because EnCase Endpoint Investigator parses macOS APFS volumes directly, the timestamp values of files match those found in the terminal command line rather than the corresponding timestamp values displayed in the Finder.

10 Contact information
OpenText Corporation
275 Frank Tompa Drive
Waterloo, Ontario
Canada, N2L 0A1

For more information, visit the OpenText or My Support websites.

© 2024 Open Text

Patents may cover this product, see https://www.opentext.com/patents.

Disclaimer

No Warranties and Limitation of Liability

Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However, Open Text Corporation and its affiliates accept
no responsibility and offer no warranty whether expressed or implied, for the accuracy of this publication.
