How to find file fr...
 
Notifications
Clear all

How to find file fragments using EnCase 8

2 Posts
2 Users
0 Likes
709 Views
(@ebmetric)
Posts: 10
Active Member
Topic starter
 

Hi there, I started working with EnCase 8.08. At the moment I'm trying to figure out possible ways, how to find artifacts/partial fragments of file on image.

At this point I have raw image (dd), where I presume could have been file with XLSX/XLS or PDF extension, which I'm trying to find, additionally I have original PDF file, I am looking for.

For this task I choose EnCase, because it has something called Intelligent Tail Analysis (correct me if I'm wrong). Are there other ways I could search the files, presuming I have as an example file I'm searching for?

Thank You for Your time in advance! )

 
Posted : 23/04/2019 6:48 pm
(@hommy0)
Posts: 98
Trusted Member
 

Hi,

From what you describe I assume you are looking for deleted content and searching the unallocated clusters.

The feature you mention about Intelligent Tail Analysis is part of the File Block Hash Map Analysis enscript, and is available from App Central, at the URL below. Also this works extremely well if you have the sample file/s you are looking for.

https://www.guidancesoftware.com/app/File-Block-Hash-Map-Analysis

As an aside if you were talking about allocated files (or those encase has marked as deleted), the Extents tab of the view pane (lower pane) will list the file fragments of a highlighted file

Regards

 
Posted : 23/04/2019 7:40 pm
Share: