Encase 7 search hit...
 
Notifications
Clear all

Encase 7 search hit export?

4 Posts
3 Users
0 Likes
1,133 Views
(@username)
Posts: 6
Active Member
Topic starter
 

Hi all, (*updated for Clarity*)

It might be simple however I cannot find the solution.

How do you export keyword hits, hits preview, etc in encase v7.09?

In EnCase 6.19.7 its very easy and simple to perform a keyword search, for example "forensics". Once the search is over and you get your hundreds and thousands of hits, it is then viewable under the tab "Search Hits". In this view you see every hit, regardless if its in the same file multiple times, so you may have 10 hits across 2 files and you can see the 10 hits in the table pane with all its attributes, Hits, Hit preview, etc. Blue check all, right click, export and then you can export as a text file.

How do you do this in EnCase Version 7? (v7.09)

So I perform the Keyword search, get my multiple hits, but in the table pane I only get the two lines which are the two files, not the 10 lines (each hit) from the two files which v6 would show. Then in the "Review" tab I can see all the hits in the one file, I can save that view of that one file however that's now what I need.

I need to export all the search hits, context etc as you can in v6 but in v7, is it possible and how?

Thanks in advance.

 
Posted : 14/08/2014 1:53 am
(@mkel2000)
Posts: 24
Eminent Member
 

I think I understand what you're looking for.

In version 7, the search hits preview is gone from the table view. In order to see the search hits you need to use the view pane's Transcript tab. Once you've selected the Transcript tab then you'll see the Compressed View tab below it. Turn on Compressed view and you'll see all the hits in the file highlighted in the Table view along with enough characters on either side of the hit to approximate version 6's search hit preview feature. You might have multiple lines of hits within the highlighted file or you might have just a few. In order to see the hit in greater context, then place the cursor at the beginning of the line you're interested in in the View pane and then turn off the compressed view. At that point you can either highlight and bookmark relevant text, or you can right click on the file in the table pane and select Go To File. Go To File will take you to the file as it exists in the evidence view but still keeps you in the Search tab. The green arrow will let you navigate back to the Search hits list.

If you want to export the file, you'd need to use the Go To File option (I think, I've never tried it.) If you're just interested in a small amount of text from the file, I'd bookmark it and then export the bookmark report to an RTF format; then you can do whatever you want with the text.

 
Posted : 15/08/2014 4:01 am
(@kmizota)
Posts: 4
New Member
 

The "Keyword Search with Range Bookmarking" app on EnCase App Central might help.

This EnScript-based app allows you to run a keyword search and bookmarks a specified # of characters on either side of the hit.

For your needs, you could export the contents of the Bookmark table which includes the hit and specified surrounding context. The app is provided by the Guidance Software Training division at no cost. Hope this helps.

 
Posted : 15/08/2014 6:33 am
(@username)
Posts: 6
Active Member
Topic starter
 

Hi mkel20, kmizota,

Thanks for your help, kmizota, that EnScript is exactly what I am after. does the job required. bookmarking every hit.

The only thing which would make it perfect is if it created a new column of the hit its self. As having the Hit and the preview seperatly makes it easier to filter through for what i need it for. But Encase conditions will also do.

Cheers

 
Posted : 21/08/2014 7:18 pm
Share: