What to Do if EnCase Crashes
If EnCase crashes, there are troubleshooting steps that can cut down the time needed to resolve the issue. The primary one is providing crash information.
If you have not previously configured EnCase to generate a crash dump log, you will need to follow the simple steps below. With the addition of a single file (dbghelp.dll), EnCase can be configured to gather critical information automatically as follows:
- For EnCase version 6.3 and earlier, download the debugging file (dbghelp.dll) to your forensic computer and save it to the root of the EnCase directory where EnCase.exe is located (typically C:\Program Files\EnCase6):
- 64-bit version
- 32-bit version
- NOTE: For EnCase versions 6.4 and higher, the appropriate .dll will be placed in the directory automatically upon installation, although Debug Logging will still be turned OFF by default.
- Launch EnCase and open the Tools > Options dialog. The Debug Logging option is on the right side of the window:

There are three options:
- Off - Default setting. No crash logging is performed.
- Stack - This is the recommended option for most EnCase crash issues. In memory, the stack is the area where data is added or removed for the execution of a function. A Stack dump most likely contains the data that the crashing subsystem used, the system .dlls that were loaded at the time, and the version of EnCase used. It will generally contain only system file information and will not usually contain case-specific data.
- Heap - The heap is a superset of the stack, which also contains data from the process memory that the program uses while running. Any data available to EnCase could be included in the heap, including bookmarks, notes, etc. This results in a considerably larger dump file (potentially in the gigabyte range). Please note that a Heap dump log will likely contain case-specific data, including data from the evidence file.
Generally, setting this option to Stack provides most of the information needed to debug the crash. If this does not provide enough information, you may be asked to set this to Heap.
- NOTE: If the Heap option is disabled (grayed out), the proper .dll is not in place.
- Click [OK] and restart EnCase.
- Perform whatever action you were doing when EnCase crashed.
After EnCase crashes, you will have a .log and .dmp file in the root folder of EnCase.
- NOTE: If you are experiencing a situation on a Windows XP machine where EnCase disappears without a crash dialog, try to replicate this on a Windows 2000 system. Different error handling in Windows 2000 may enable the crash to be captured in instances where it is not captured by Windows XP.
- NOTE: If the case contains sensitive information, you can review the .log file in a text editor and edit out any confidential information; you can do the same for the .dmp file using a hex editor.
- Compress the dump files into a single file using WinZip or WinRAR (or some other compression tool) and submit them to Technical Services. The Stack dumps should be small enough to e-mail (technicalsupport@guidancesoftware.com); the Heap dumps can be quite large – if this is the case, please contact Technical Services for FTP information, or submit the files on DVD or other media.
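To support the review step noted above, the following Python script locates case-specific strings in a dump file and reports their offsets so they can be inspected in a hex editor before the files are compressed and submitted. It is an added example, not part of the original article or of any Guidance Software tooling; the function names, search terms and sample bytes are constructed for illustration.

```python
import os
import tempfile

# Encodings in which text commonly sits in Windows process memory.
ENCODINGS = ("utf-8", "utf-16-le")

def scan_dump(path, terms, chunk_size=1 << 20):
    """Return sorted (offset, encoding, term) hits; ASCII letters match case-insensitively.

    The file is read in chunks with an overlap, so a multi-gigabyte Heap dump
    never has to fit in memory and hits spanning a chunk boundary are found.
    """
    if not terms:
        return []
    needles = [(t, enc, t.encode(enc).lower()) for t in terms for enc in ENCODINGS]
    overlap = max(len(n) for _, _, n in needles) - 1
    hits, buf, base = set(), b"", 0   # base = file offset of buf[0]
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            buf = (buf + chunk).lower()
            for term, enc, needle in needles:
                pos = buf.find(needle)
                while pos != -1:
                    hits.add((base + pos, enc, term))
                    pos = buf.find(needle, pos + 1)
            keep = buf[-overlap:] if overlap else b""
            base += len(buf) - len(keep)
            buf = keep
    return sorted(hits)

def demo():
    # Constructed bytes standing in for a .dmp file (not real EnCase output).
    blob = (b"MDMP" + b"\x00" * 60
            + "Suspect: Jane Roe".encode("utf-16-le")
            + b"\xff" * 30
            + b"bookmark: CASE-0042 laptop")
    with tempfile.NamedTemporaryFile(suffix=".dmp", delete=False) as tmp:
        tmp.write(blob)
    try:
        # Tiny chunk size forces hits to straddle chunk boundaries.
        return scan_dump(tmp.name, ["jane roe", "case-0042"], chunk_size=16)
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for offset, enc, term in demo():
        print(f"0x{offset:08x}  {enc:<9}  {term}")
```

A clean result only means these exact strings were not found in these two encodings; it does not show that the dump is free of case data.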
Please call Guidance Software Technical Support at 626.229.9191 (US) or +44 (0)175 355 2252 (UK), option 4, if you have any questions.