EnCase v7 search hits in compound files?

(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

I used to conduct raw searches in EnCase v6, and I'd like to see whether an EnCase v7 raw search can hit keywords inside compound files or not. You won't believe it: the search result is "zero", but those keywords do exist inside the compound files… Let me show you at the link below:
http://www.cnblogs.com/pieces0310/p/4628600.html

Some people using EnCase v7 "believe" that a raw search hits compound files successfully without fail, because compound files are expanded and analyzed after evidence processing has completed.

Actually, as you can see at the above link, those keywords do exist in those two compound files, but there are no hits at all…

 
Posted : 09/07/2015 9:44 am
(@mrmoo28)
Posts: 16
Active Member
 

I've just come across this issue myself. I can't seem to find a way to keyword search the contents of expanded compound files the same way EnCase 6 does straight away, bar manually going into each compound file and running a raw search from within - a task which would take forever!

In the past I've just exported the archives and run a grep with Cygwin, which gives me output I can analyse too. It would be nice to do this within EnCase 7 though.

 
Posted : 09/07/2015 9:18 pm
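To make the zero-hit behaviour described in the opening post and the "export and grep" workaround above concrete, here is an added example that is not from the thread or from EnCase. It assumes the compound file is a ZIP-based container (a .docx), builds a constructed sample in memory, and shows that a byte-level search over the unexpanded file finds nothing while a search over the expanded members finds the keyword.

```python
"""Why a raw (byte-level) keyword search misses text inside compound files.

A .docx is a ZIP container whose document.xml member is stored DEFLATE-compressed,
so the keyword's bytes never appear contiguously in the file image. A raw search
over the file returns zero hits; expanding the container first finds the keyword.
"""
import io
import zipfile

KEYWORD = b"clandestine"


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal docx-like archive, not a real case file.

    The filler paragraphs make the XML repetitive enough that DEFLATE really
    compresses the member instead of storing it verbatim.
    """
    paragraphs = "".join(
        f"<w:p><w:r><w:t>Paragraph {i} of the meeting notes.</w:t></w:r></w:p>"
        for i in range(40)
    )
    body = (
        "<w:document><w:body>" + paragraphs
        + "<w:p><w:r><w:t>The clandestine transfer happened on Friday.</w:t></w:r></w:p>"
        + "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


def raw_search(image: bytes, keyword: bytes) -> int:
    """Count byte-level hits over the unexpanded file, as a raw search would."""
    return image.count(keyword)


def expanded_search(image: bytes, keyword: bytes) -> dict:
    """Expand the container and count hits per member (the export-and-grep workaround)."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(image)) as zf:
        for name in zf.namelist():
            count = zf.read(name).count(keyword)
            if count:
                hits[name] = count
    return hits


if __name__ == "__main__":
    image = build_sample_docx()
    print("raw hits:", raw_search(image, KEYWORD))            # 0
    print("expanded hits:", expanded_search(image, KEYWORD))  # {'word/document.xml': 1}
```

The same reasoning applies to any container whose members are compressed or encoded; a raw search only sees the stored bytes, never the member content.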
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@gorvq7222

Was it really necessary to start a new thread, besides the original one?
http://www.forensicfocus.com/Forums/viewtopic/t=13160/

Neither is exactly "news", as yunus pointed out this behaviour to you before, here:
http://www.forensicfocus.com/Forums/viewtopic/t=12980/

jaclaz

 
Posted : 09/07/2015 9:31 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Of course it is necessary to do so. The purpose is to let more people know about the fact that an EnCase raw search cannot "reach" compound files… even experienced forensic guys may have no idea about this matter, not to mention those who don't use EnCase often.

I told some people who had finished EnCase I and II training about the above issue; they were very surprised and admitted that the lecturer did not tell them the truth about raw search in compound files. The lecturer always tells them how good the search function is…

Some forensic guys admit that they did not notice this serious problem for the past few years… they totally trusted the raw search results… That a raw search cannot "reach" compound files is really beyond their imagination; how could this ridiculous thing happen??? Now they have to review their cases and forensic reports to take the necessary action. God bless them and those innocent suspects.

 
Posted : 10/07/2015 5:54 am
(@hommy0)
Posts: 98
Trusted Member
 

bar manually going into each compound file and running a raw search from within - a task which would take forever!

In EnCase 7 - from the VIEW drop-down menu go to "RECORDS", then find a folder (under the name of the evidence file) called "ARCHIVE". The Archive folder contains your mounted compound files. Blue tick the compound files in question (those you wish to keyword search) and use the "OPEN" button.

This will then load all of the selected compound files into view, which will then allow you to run a RAW keyword search across all of the mounted compound files.

This method will also work if you wish to view all the mounted registry hives.

As far as I recall, in EnCase 6 you also had to mount a compound file (docx as an example) before it could be fully keyword searched, and yes, using the File Mounter EnScript gave the functionality for keyword searching at the same time as mounting.

 
Posted : 10/07/2015 4:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

God bless them and those innocent suspects.

And all the guilty acquitted too.

Statistically it is more likely that a failure in parsing "compound files" led to missing some incriminating evidence rather than failing to find exculpatory evidence.

Still, the particular issue is a known one, and while it would be a good thing to make more professionals aware of it, it is not like posting the same thing again and again in the same forum will produce much more than making the frequently visiting members annoyed by it.

You may want to contact Jamie and ask him if he could "pin" (or set as "sticky") a link to a complete article by you illustrating all the various failures of the mentioned software, both the generic ones and the specific ones with Chinese/Asian characters you lately posted about.

jaclaz

 
Posted : 10/07/2015 6:16 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Also, bear in mind that with v7 GSI want users to move away from "raw" keyword searches and instead use indexes - which don't suffer from the problem you outline above.

I do miss being able to view the mounted compound files in basic entry view though.

 
Posted : 10/07/2015 6:16 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Also, bear in mind that with v7 GSI want users to move away from "raw" keyword searches and instead use indexes - which don't suffer from the problem you outline above.

But it suffers from major problems such as not being able to find where the search hits in unallocated clusters/pagefile/hiberfil actually are?

Seems like they are targeting users who only view live files or need to search a large number of documents easily.

 
Posted : 10/07/2015 8:07 pm