GUIDANCE SOFTWARE'S ENCASE FORENSIC EDITION

For the expert, EnCase's view of a PST and its MAPI objects is valuable. Add the filtering, EnScript, and searching capabilities to this mix, and you have a powerful tool.

Implementation

After collecting the evidence relevant to your case, consider using the readily available filters for locating different types of mail files. Simply select Filters in the bottom pane and double-click the filter you would like to use. At this point, you can choose to mount and view the files within EnCase, or you can export them for use in other programs you prefer.

It's important to remember that a PST is a binary file structure that is not interpreted correctly without mounting the file inside of EnCase. Do this by right-clicking your PST of interest and selecting View File Structure. Then the regular searching features inside EnCase will work on the file.

The following illustrates the selection for viewing the file structure and the filters available for quickly accessing .pst files in your evidence. More features are available in the newer versions of EnCase, which continues to improve the experience with .pst files. This screenshot shows the interface for Version 5.

If you frequently work with and understand the internal structure of a particular web-based e-mail client, then you can employ powerful searches using EnCase. Depending on how you want to approach the case, you can search for the individual files or use a low-level search for the specific strings. Many times, if you try directly viewing files you've found on your suspect system as HTML files, you will miss most of the information that is buried in the file.

Use EnCase to dig into files or search for e-mail remnants across a large volume. For example, you can find the original message inside a Hushmail e-mail cached on a suspect's computer.

This is a screenshot of an EnCase search for hushAppletFrame.message to find the message inside the cached web files. This allowed us to clue into the message body and other details rather quickly to find the original message. This screenshot shows the interface for EnCase Version 4, which is still widely used.
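The low-level string search described above can be sketched outside EnCase. This is an added example, not EnCase's implementation or code from the book: it scans a raw byte stream for the keyword in both ASCII and UTF-16LE and keeps an overlap between chunks so that a hit split across a read boundary is still found. The sample bytes, the function names, and the case-sensitive matching are assumptions made for the illustration.

```python
import io

KEYWORD = "hushAppletFrame.message"  # search term taken from the text above

def keyword_patterns(keyword):
    """Byte forms to search for: single-byte ASCII and UTF-16LE."""
    if not keyword:
        raise ValueError("empty keyword")
    return {"ascii": keyword.encode("ascii"),
            "utf-16le": keyword.encode("utf-16-le")}

def search_stream(stream, keyword, chunk_size=1 << 20):
    """Return sorted (offset, encoding) hits from a binary stream, read in chunks."""
    patterns = keyword_patterns(keyword)
    overlap = max(len(p) for p in patterns.values()) - 1
    hits, tail, base = set(), b"", 0   # base = absolute offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        for enc, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, enc))   # set() drops hits seen twice in the overlap
                pos = buf.find(pat, pos + 1)
        tail = buf[-overlap:]          # carry over bytes that may start a split hit
        base += len(buf) - len(tail)
    return sorted(hits)

def context_at(stream, offset, length=64):
    """Read `length` bytes starting at a hit, for manual review."""
    stream.seek(offset)
    return stream.read(length)

def build_sample():
    """Constructed sample bytes; not real cache content."""
    ascii_part = b"\x00" * 100 + b'<script>hushAppletFrame.message = "constructed body";</script>'
    utf16_part = b"\xff" * 37 + KEYWORD.encode("utf-16-le")
    return ascii_part + utf16_part

if __name__ == "__main__":
    image = io.BytesIO(build_sample())
    for offset, enc in search_stream(image, KEYWORD, chunk_size=16):
        print(offset, enc, context_at(image, offset))
```

Run it against a working copy or a read-only mounted image, never the original evidence; the reported offsets can then be cross-checked against the same keyword search in EnCase.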



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2006
Pages: 175
