±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35244
New Yesterday: 3 Visitors: 180

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

EnCase 8 “Is Deleted” field.

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

pajkow
Senior Member
 

EnCase 8 “Is Deleted” field.

Post Posted: May 12, 18 07:34

Just got a question as I could not figure it out.
Using EnCase 8.06.01.05 and when doing the reporting I want to add the field “Is Overwritten”
In the report template created my own with those fields:

table(type=Bookmark, path="Files of Interest\\test", columns="Name,ItemPath,Created,Modified,Accessed") par

There is no field for “Is Overwritten” and adding manually “Overwritten”, or “Is Overwritten” does not work but the columns is there.
Any suggestions?  
 
  

hommy0
Member
 

Re: EnCase 8 “Is Deleted” field.

Post Posted: May 14, 18 01:15

Hi,

Within EnCase reporting, the field for "Is Overwritten" is included under Entry Fields. This can be added by via the bookmark folder (and add folder to report - customising metadata - and look at Entry Fields) or by modifying the report template, and the formatting for the bookmark type. The bookmark type can be identified via the the bookmark folder, where the field required will need to be added for each type (image, entry etc).

Finally, the field will show whatever value is assigned to "Show True" and "Show False" in EnCase global options (from tools menu).

I don't believe this field can be added to a Bookmark Table, since the IsOverwritten field appears to not be present on Bookmarks.


Code:
style("Bookmark") {
  counter(markindex) text(") ") filelink() {cell(field=Name) } par
}
style("Metadata") {
  fieldname(field=Name) tab cell(field=Name) par
  fieldname(field=Created) tab cell(field=Created) par
  fieldname(field=Written) tab cell(field=Written) par
  fieldname(field=Accessed) tab cell(field=Accessed) par
  fieldname(Entry, field=IsOverwritten) tab cell(Entry, field=IsOverwritten) par

Regards  
 
  

pajkow
Senior Member
 

Re: EnCase 8 “Is Deleted” field.

Post Posted: May 16, 18 15:31

Sorted, Thank You Kindly ! Wink  
 

Page 1 of 1