Filter operating sy...
 
Notifications
Clear all

Filter operating system files

3 Posts
3 Users
0 Likes
272 Views
(@kevinma)
Posts: 5
Active Member
Topic starter
 

I am new to EnCase 7. Currently, I try to extract all the office documents (Word, Excel, PowerPoint, PDF) from the E01 image. However, the E01 image contains lot of operating system files and office templates that I don't want to review.
Is there any method to filter or hide these type of files? roll
I know there are some Reference Data Set (RDS) from National Software Reference Library (NSRL), but don't know how to apply it in EnCase 7.

 
Posted : 02/03/2014 8:48 pm
(@jonathan)
Posts: 878
Prominent Member
 

The first Google result for "encase manual" is an EnCase manual. If you open it and search for "NSRL", page 64 shows how to work with the NSRL hash sets.

 
Posted : 02/03/2014 9:06 pm
(@mkel2000)
Posts: 24
Eminent Member
 

I am new to EnCase 7. Currently, I try to extract all the office documents (Word, Excel, PowerPoint, PDF) from the E01 image. However, the E01 image contains lot of operating system files and office templates that I don't want to review.
Is there any method to filter or hide these type of files? roll
I know there are some Reference Data Set (RDS) from National Software Reference Library (NSRL), but don't know how to apply it in EnCase 7.

While I understand what you're trying to do, if your goal is to extract just office documents then I would suggest creating a condition that returns whatever file types you're looking for based on file extension. Conditions are relatively easy to create and you can either hard-code the file extensions or better yet set it to prompt for the values you're looking for so you can re-use the condition to sort for any file extensions.

Version 7's handling of hash sets when it comes to displaying files that don't match a hash set frankly stinks and is virtually unusable in its present form. You'll save yourself quite a bit of frustration by using a condition to do what you're trying to do.

 
Posted : 06/04/2014 12:36 am
Share: