Presentation is loading. Please wait.

Presentation is loading. Please wait.

SEARCHING, VIEWING AND BOOKMARKING

Published byMiranda Small Modified over 6 years ago

Similar presentations

Presentation on theme: "SEARCHING, VIEWING AND BOOKMARKING"— Presentation transcript:

1 SEARCHING, VIEWING AND BOOKMARKING
Chapter 7 Key Concepts 1

2 SEARCH TYPES 3 Types Index Searches – Evidence data is indexed when you use the Evidence Processor prior to searching Searches the index for results Raw Searches – Searches based on non-indexed, raw data Tag Searches – Searches based on user-defined tags

3 INDEX SEARCH Results are almost instantaneous!
Entries from the Evidence Processor: Contain pointers to the occurrences of the specific work on the device. Generating an index (used in the Processing Evidence Files) Searching the index Generating the index – Creates a file associated with devices. It can be time consuming if the evidence is very large, and thus create a fairly large index file. Search index – Should be completed early on in the workflow sequence Case must contain the device to index Right-click evidence processor Select indexing text Results are almost instantaneous!

4 RAW SEARCH Uses Keywords to search selected data Takes a while to get results You can be precise and flexible if you can utilize GREP expressions You will begin to know when to use Index vs RAW with experience EnCase encourages the Index Search method If you need results from PDF, compressed or even Office files later than 2007 you will need indexed searching to even get hits on your searches.

5 RAW SEARCH continued Allows you to find related files and folders
By name or time Go to file button in the evidence folder structure Permissions tab will tell you who had access to the file You can then add evidence with a bookmark Bookmarking multiple files does NOT allow you to create a note/comment for the bookmark Search and Results tab Copy Files Copy Folders Add Results to Hash Library Save Results

6 SEARCH RESULTS Columns must be enabled in order to include them in a view: General Columns: Unique Offset, Description (file, archive), True Path, Full Path, Symbolic Link, Entry Modified Metadata Received (time), Sent (time), Has Attachment Internet Metadata Action URL, Icon URL, Requesting URL, URL Host, URL Host Name, URL Name

7 CREATING A SEARCH QUERY
Keywords Stored for future use within EnCase Home ->Search ->enter the keyword or words A dynamic list is displayed on the right side Shows the term and the number of occurrences You cType “Tyler” Click ->Play an double-click a query and it will show info. regarding the term The results will display in the Table Pane of the Search View You can review file entries in the transcript and compressed views You can save the results in the Results view Searches ->Save as Searches folder in your under your case folder

8 RAW SEARCH KEYWORDS Creating Decide what you would like to search
All evidence and devices (launch from table tab) Limited set of data ->Entries tab select items (blue check) RAW search selected RAW Search All New RAW Search All

9 KEYWORDS New Keyword Dialog box
Expression – your search string, phrase or GREP expression Name – Label that appears with the keyword in Search Hits View (very useful when using GREP) Case Sensitive – Upper and lowercase letters GREP – used to narrow a search and limit false-positives, or when only portions of a word are known ANSI Latin 1 – default code for Windows OS Unicode – foreign language character sets (Office, Windows 2K and above). You still need to use the ANSI Latin-1 or another appropriate code page in order to get results. Unicode Big-Endian – Non-Intel based data scheme multiple byte numerical values – reverse Endian (most significant first to least significant)

10 KEYWORDS – Page 2 New Keyword Dialog box
UTF-8 – Universal Character Set Transformation Format. The most common format that applications encode their Unicode. 8 bit form of Unicode. Offers foreign language support. UTF-7 – Special format that encodes Unicode within US-ASCII in a way that all mail systems can accommodate. Whole Word – Keyword as a whole word and not within a larger word. Cuts down on false positives.

11 KEYWORD OPTIONS Keyword Search Options
Search Entry Slack – search the slack areas between the end of the logical data to the end of the physical file for all items searched Use Initialized Size – Search only the initialized size of an entry as opposed to the logical or physical. If the initialized size is smaller than the logical size, the space after the initialized size is zeroed out. Searches only data a user would see within a file. Undelete entries before searching – Logically “undelete” deleted files prior to searching. Will find keyword fragmented between a starting cluster and an unallocated cluster. Searching for portions of words is also encourages, GREP search. Search Only Slack Area of Entries in Hash Library – Used with hash analysis. If the file is identified from the hash library, then it will not be searched. The slack area of these files will be searched. If this option is turned off, EnCase will ignore the hash analysis.

12 ENTERING KEYWORDS New RAW Search Add Keyword List
Adding a Keyword List New RAW Search Add Keyword List Can be entered by the keyboard or pasted from a text document (one expression per line) You still have the ability to add / remove the code pages associated with the keywords OK – Search begins

13 Viewing Results Adding a Keyword List New RAW Search
Add Keyword List Can be entered by the keyboard or pasted from a text document (one expression per line) You still have the ability to add / remove the code pages associated with the keywords Use the Go to file to get to the originating location/file Use Back to return to Search View Keyword searches not initiated from Evidence Processor are stored with the case Keyword searches that are conducted within the Evidence Processor can belong to multiple cases

14 Refreshing Search Results
RAW allows you to see results as the search finds them. Refresh RAW Search Hits icon in the search tab to refresh hits. Refresh will turn green when new hits are available TAG Searches Search for instances of a particular tag you have created. (more in later lessons) Search Summary Summary tab Results to LEF Export to a Logical Evidence File (entries and records)

15 CONTINUE THE INVESTIGATION
Switching Views Doc view to see items as they were such as .html documents Select file then go to originating evidence Bookmarking Evidence Search, Results or Evidence Views Can add comments as well Choose your folder to add the evidence to or create a new one. Use back button to return to the results view of your query

16 FIND RELATED Allows you to find related files and folders
By name or time Go to file button in the evidence folder structure Permissions tab will tell you who had access to the file You can then add evidence with a bookmark Bookmarking multiple files does NOT allow you to create a note/comment for the bookmark Search and Results tab Copy Files Copy Folders Add Results to Hash Library Save Results

17 This workforce product was funded by a grant awarded by the U. S
This workforce product was funded by a grant awarded by the U.S. Department of Labor’s Employment and Training Administration. The product was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites, and including, but not limited to accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Except where otherwise noted, this work by Central Maine Community College is licensed under the Creative Commons Attribution 4.0 International License.

Download ppt "SEARCHING, VIEWING AND BOOKMARKING"

Similar presentations

Intro to WinHex CSC 414.

Intro to WinHex CSC 414.
Office Links - Sharing Data in Microsoft Office A Mixed Bag of Treasures Chester N. Barkan Registrar Long Island University, C.W.Post Campus.

Office Links - Sharing Data in Microsoft Office A Mixed Bag of Treasures Chester N. Barkan Registrar Long Island University, C.W.Post Campus.
1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
With Internet Explorer 8© 2011 Pearson Education, Inc. Publishing as Prentice Hall1 Go! with Internet Explorer 8 Getting Started.

With Internet Explorer 8© 2011 Pearson Education, Inc. Publishing as Prentice Hall1 Go! with Internet Explorer 8 Getting Started.
© 2008 The McGraw-Hill Companies, Inc. All rights reserved. WORD 2007 M I C R O S O F T ® THE PROFESSIONAL APPROACH S E R I E S Lesson 22 Macros.

© 2008 The McGraw-Hill Companies, Inc. All rights reserved. WORD 2007 M I C R O S O F T ® THE PROFESSIONAL APPROACH S E R I E S Lesson 22 Macros.
Adding User Interactivity – Lesson 51 Adding User Interactivity Lesson 5.

Adding User Interactivity – Lesson 51 Adding User Interactivity Lesson 5.
XP 1 Microsoft Word 2002 Tutorial 1 – Creating a Document.

XP 1 Microsoft Word 2002 Tutorial 1 – Creating a Document.
Lesson 17 Getting Started with Access Essentials

Lesson 17 Getting Started with Access Essentials
Unit 6 Review Flashcards Unit 6 Review Flashcards ALA: Pre-Algebra Unit 6 Integers.

Unit 6 Review Flashcards Unit 6 Review Flashcards ALA: Pre-Algebra Unit 6 Integers.
Subtracting Integers ALA: Pre-Algebra Unit 6 Integers.

Subtracting Integers ALA: Pre-Algebra Unit 6 Integers.
Microsoft Outlook 2010 Chapter 3 Managing Contacts and Personal Contact Information with Outlook.

Microsoft Outlook 2010 Chapter 3 Managing Contacts and Personal Contact Information with Outlook.
Greater Than > Less Than Review Greater Than > Less Than Review ALA: Pre-Algebra Unit 1 Whole Numbers.

Greater Than > Less Than Review Greater Than > Less Than Review ALA: Pre-Algebra Unit 1 Whole Numbers.
Using Evaluation and Data To Support Continuous Improvement: Recognizing Key Turning Points COSGROVE & ASSOCIATES BRAGG & ASSOCIATES.

Using Evaluation and Data To Support Continuous Improvement: Recognizing Key Turning Points COSGROVE & ASSOCIATES BRAGG & ASSOCIATES.
Exponent Flashcards ALA: Pre-Algebra Unit 6 Integers.

Exponent Flashcards ALA: Pre-Algebra Unit 6 Integers.
Creating and Editing a Web Page

Creating and Editing a Web Page
Computer Skills (1) Internet Explorer. To open the Internet Explorer: –Double click on the Internet Explorer icon on Desktop. –Or, from Start  All Programs.

Computer Skills (1) Internet Explorer. To open the Internet Explorer: –Double click on the Internet Explorer icon on Desktop. –Or, from Start  All Programs.
Pumps. DIAPHRAGM PUMPS DIAPHRAGM PUMP DIAGRAM(cont’d)

Pumps. DIAPHRAGM PUMPS DIAPHRAGM PUMP DIAGRAM(cont’d)
Unit 7 Review Flashcards Unit 7 Review Flashcards ALA: Pre-Algebra Unit 7 Algebra.

Unit 7 Review Flashcards Unit 7 Review Flashcards ALA: Pre-Algebra Unit 7 Algebra.

Similar presentations

Ads by Google