Forums
Main Category
General (Technical,...
Encase - Carving fi...
 
Notifications
Clear all

Encase - Carving files from unallocated space

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by j2222 14 years ago
8 Posts
8 Users
0 Reactions
3,914 Views
RSS
jimmy
 jimmy
(@jimmy)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter 02/12/2008 11:28 am  

I have been working on Encase V 6.11, I have also worked on WinHex including X-ways forensics.

Apparently, I wanted to know if files in Encase can be carved from unallocated space.

A Similar option is available in WinHex And X-ways which has file recovery by Type.

If someone in this forum has information in regards with this kindly please share it with details.

p.s. I have tried the File Signature option in Encase V6.11, But i believe its helpful in verification of file signature mismatch.


   
Quote
 Walkabout_fr
(@walkabout_fr)
Trusted Member
Joined: 19 years ago
Posts: 67
02/12/2008 12:52 pm  

Hi Jimmy

I only have Encase v5 but I believe what you're looking for is part of a script (sweep case) in v5. If you launch that script, you have to check the "find file" option and double click on it to tweak some basic settings …

Then, it's pretty self forward …


   
ReplyQuote
iruiper
 iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
02/12/2008 7:11 pm  

That option also exists in v.6. You can find it under the File Finder section in the Case Processor EnScript.


   
ReplyQuote
 biddly_718
(@biddly_718)
New Member
Joined: 17 years ago
Posts: 1
02/12/2008 9:07 pm  

Does anyone know how to add custom files to the file finder feature in case processor? It asks for the headers and footers, but i've been unable to find reliable information on them for .wmv files.

Thanks.


   
ReplyQuote
neddy
 neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
03/12/2008 3:37 am  

Try having a look at 'Foremost' on the Helix disc. You will find some helpful information about file headers in the config file for the application and you should be able to use these in the EnCase custom file header option.


   
ReplyQuote
 ddewildt
(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123
03/12/2008 6:12 am  

Does anyone know how to add custom files to the file finder feature in case processor? It asks for the headers and footers, but i've been unable to find reliable information on them for .wmv files.

Thanks.

Hi Biddly,

Click on "Import from File Signatures Table" then in the list there is a Multimedia category. In there is a "Windows Media (ASF compression)" which should cover wmv files.

Hope that helps!


   
ReplyQuote
 SFGAirborne
(@sfgairborne)
New Member
Joined: 14 years ago
Posts: 4
15/11/2011 1:04 am  

That option also exists in v.6. You can find it under the File Finder section in the Case Processor EnScript.

I didn't want to start a whole new topic, but wanted to say this was helpful…I've just started playing with EnCase V6.18, and have been trying to figure out where to find my Sweep Case functionality.

Is Case Processor a full replacement for Sweep Case, or does it just include the file finder utility?

Thanks!

–SFGAirborne


   
ReplyQuote
 j2222
(@j2222)
Eminent Member
Joined: 20 years ago
Posts: 36
18/11/2011 11:46 pm  

If you are after a more fully featured carver, I wrote and uploaded this

https://support.guidancesoftware.com/forum/downloads.php?do=file&id=1158

It will carve based on header and fixed length, or embedded length or footer etc. and is configurable for things like PDFs, basic JPEG, Office etc

EnCase 6 only.

Regards,
James


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: