How to search compound files

(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Hi,

Last week my friend told me that she made a terrible mistake. She conducted a raw search and found no search hits within M$ docx files. She did not know what was wrong in the first place until her clients told her that some words actually exist in those docx files… She exported those docx files and examined them very carefully. Yes, she found those words, exactly the same as the keywords.

She asked me what's going on with EnCase raw search. Why no search hits in docx files… I showed her how to conduct a raw search on compound files, as below in my blog:
http://www.cnblogs.com/pieces0310/p/4620425.html

 
Posted : 05/07/2015 12:59 pm
(@anirudhrata)
Posts: 17
Active Member
 

In the same way in Encase 7, you can first select expand compounded files option in the evidence processor, and then proceed to index or search for keywords.

 
Posted : 05/07/2015 9:44 pm
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

In EnCase 6 you need the File Mounter EnScript to auto-mount all docx files before searching. If you look in unallocated you need to recover it and parse it the same way. Other tools have a similar menu, "expand compound files" or something. docx files are zip files which contain xml files.

 
Posted : 06/07/2015 2:46 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

By the sounds of it, you are using Encase 7. The key here is that Encase 7 Raw Search does not work in the same way as keyword searching in Encase 6.

So in 7, raw keyword searching runs against the physical sectors on the disk, therefore any data stored in zip/rar files, Office documents (docx etc) or PDF files will not be located.

The Encase 7 Index search will search these compressed files and documents, however (by default) it does not index unallocated clusters and therefore no results will be recovered from there.
Even if Unallocated was indexed, there is no way to get back to the search hit as the Index searching just records that there is a hit in there, although it does split unallocated into "chunks" so you could figure out which chunk it came from but finding the sector may still be difficult.

So, as I see it, in Encase 7 in order to find all the hits you need to run both Raw keyword searches and Index searches in order to locate all relevant hits.

AFAIK there is no way of combining the two searches or results from the different types of searches or to use GREP in the indexed searches.

Hope this helps

 
Posted : 06/07/2015 3:28 pm
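The point made above (a raw search runs over sectors, so text inside a deflated docx member is never seen until the container is expanded), as an added example that is not part of this thread or of EnCase: a Python script that builds a constructed docx-like zip, drops it into a constructed zero-padded "image", and compares a raw byte search with a search run after carving and expanding the zip members. The keyword, XML content and padding sizes are all constructed for the demonstration.

```python
import io
import re
import zipfile

KEYWORD = b"contraband"  # constructed keyword, not from the thread


def build_docx(keyword: bytes) -> bytes:
    """Build a minimal docx-like zip (constructed; not a real Word document)."""
    filler = b"<w:p><w:r><w:t>Quarterly report text.</w:t></w:r></w:p>" * 20
    document_xml = (b'<?xml version="1.0" encoding="UTF-8"?><w:document>' + filler
                    + b"<w:p><w:r><w:t>The " + keyword + b" was shipped.</w:t></w:r></w:p>"
                    + b"</w:document>")
    buf = io.BytesIO()
    # ZIP_DEFLATED is what Office uses: the XML text is Huffman/LZ77 coded on disk.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def build_image(docx: bytes) -> bytes:
    """Constructed 'disk image': the docx surrounded by one zeroed sector each side."""
    return b"\x00" * 512 + docx + b"\x00" * 512


def raw_search(image: bytes, keyword: bytes) -> list:
    """Sector-level raw search: byte offsets where the keyword appears verbatim."""
    return [m.start() for m in re.finditer(re.escape(keyword), image)]


def carve_zip(image: bytes) -> bytes:
    """Recover the zip container by its first local-header and last EOCD signature."""
    start = image.find(b"PK\x03\x04")
    eocd = image.rfind(b"PK\x05\x06")
    if start < 0 or eocd < 0:
        raise ValueError("no zip container found in image")
    return image[start:eocd + 22]  # 22 = EOCD record length with an empty comment


def expanded_search(image: bytes, keyword: bytes) -> list:
    """'Expand compound files' first: decompress each member, then search its bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(carve_zip(image))) as z:
        for name in z.namelist():
            data = z.read(name)  # inflated member content
            hits.extend((name, m.start()) for m in re.finditer(re.escape(keyword), data))
    return hits


if __name__ == "__main__":
    img = build_image(build_docx(KEYWORD))
    print("raw hits:", raw_search(img, KEYWORD))            # [] - the text is compressed
    print("expanded hits:", expanded_search(img, KEYWORD))  # hit inside word/document.xml
```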
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Thank you guys. I do worry about search in compound files. Some people have been using EnCase for several years and they have no doubt that raw search will hit in compound files… they really don't know the fact that raw search cannot hit keywords in compound files; actually those words do exist inside the compound files…

I used to conduct raw search in EnCase v6, and I'd like to see if EnCase v7 raw search could hit keywords inside compound files or not. You won't believe it~ the search result is 0 but those keywords do exist inside compound files… Let me show you my test as below:
http://www.cnblogs.com/pieces0310/p/4628600.html

As you can see, those keywords do exist in those two compound files, but there are no hits at all…

 
Posted : 07/07/2015 6:46 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Trust me, Guidance are aware of this and have been for over a year, I wouldn't expect any changes to the way the software works.
Maybe in version 8 but I wouldn't hold your breath.

 
Posted : 09/07/2015 11:05 am