±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 34295
New Yesterday: 7 Visitors: 234

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

EnCase 8 “Is Deleted” field.

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

EnCase 8 “Is Deleted” field.

Post Posted: Sat May 12, 2018 7:34 am

Just got a question as I could not figure it out.
Using EnCase 8.06.01.05 and when doing the reporting I want to add the field “Is Overwritten”
In the report template created my own with those fields:

table(type=Bookmark, path="Files of Interest\\test", columns="Name,ItemPath,Created,Modified,Accessed") par

There is no field for “Is Overwritten” and adding manually “Overwritten”, or “Is Overwritten” does not work but the columns is there.
Any suggestions?  

pajkow
Senior Member
 
 
  

Re: EnCase 8 “Is Deleted” field.

Post Posted: Mon May 14, 2018 1:15 am

Hi,

Within EnCase reporting, the field for "Is Overwritten" is included under Entry Fields. This can be added by via the bookmark folder (and add folder to report - customising metadata - and look at Entry Fields) or by modifying the report template, and the formatting for the bookmark type. The bookmark type can be identified via the the bookmark folder, where the field required will need to be added for each type (image, entry etc).

Finally, the field will show whatever value is assigned to "Show True" and "Show False" in EnCase global options (from tools menu).

I don't believe this field can be added to a Bookmark Table, since the IsOverwritten field appears to not be present on Bookmarks.


Code:
style("Bookmark") {
  counter(markindex) text(") ") filelink() {cell(field=Name) } par
}
style("Metadata") {
  fieldname(field=Name) tab cell(field=Name) par
  fieldname(field=Created) tab cell(field=Created) par
  fieldname(field=Written) tab cell(field=Written) par
  fieldname(field=Accessed) tab cell(field=Accessed) par
  fieldname(Entry, field=IsOverwritten) tab cell(Entry, field=IsOverwritten) par

Regards  

hommy0
Member
 
 
  

Re: EnCase 8 “Is Deleted” field.

Post Posted: Wed May 16, 2018 3:31 pm

Sorted, Thank You Kindly ! Wink  

pajkow
Senior Member
 
 

Page 1 of 1