Encase Duplicate Filter

(@jm11232)
New Member
Joined: 14 years ago
Posts: 2
Topic starter  

I am a student working on a mock case. We are restricted to using EnCase Law Enforcement V6.17.0.90. I just registered so I hope this is the right place and I am giving enough information.

I am trying to get a filter to show all duplicate hashes. I am examining two drives and need to find files that match between the two. I would also like a filter that shows duplicates by name.
I have been looking for the filters in the program as well as online. Anyone know a place where they are located or capable of writing them?

Also I am drawing a blank on how to export files so I can crack them in PRTK; the right click export does not seem to be what I want.


(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

You want copy/unerase not export.


(@muirner)
Trusted Member
Joined: 17 years ago
Posts: 65
 

To export the files you want to later attack with PRTK what you need to do is blue check the file, and then right click at the volume level and click on copy/unerase or copy folders. The difference between the two is this:

Copy/unerase - Will not export/recreate folder structure. It will create a flat folder containing all of the exported files.

Copy Folders - Will export/recreate folder structure. When using this method be careful not to run into long file path issues. Though with this test case it should be no problem. When using Copy Folders, you will need to click on the volume root to get all of the folder structure.

To find duplicate hashes what you will need to do is create a hash set. First click on search and hash the drive you want. Blue check files if you only want to hash them. When you go to search, if you've blue checked files, make sure to only search/hash the selected files. You then need to add them to a hash set. After hashing is done, blue check every hashed file you care about, right click in the table pane and click create hash set, give it a name.

From the View menu, choose Hash Sets. Blue check the hash sets to include in the library (be sure to check the new one you just created). Right click on any hash set and choose Rebuild Library. Then hash the second drive, and you'll see if there are any identified hashes. You can tell by looking under the Hash Value/Set/Category columns in EnCase. I hope this helps/makes sense as it was typed quickly. There used to be a good video on YouTube, but it's been removed.


(@jm11232)
New Member
Joined: 14 years ago
Posts: 2
Topic starter  

Thanks a lot for the help, I will try that out after I finish going through these emails.

Joe


(@jonstewart)
Eminent Member
Joined: 16 years ago
Posts: 47
 

Here's a filter to show you all unique files (i.e., it filters out subsequent occurrences of dupes)

http://codeslack.blogspot.com/2011/02/fast-unique-files-filter-for-encase.html

…I think that's what you want. But if you truly want to show only duplicate files, then you can just reverse false and true (this will show you only the second, third, fourth, etc., occurrences of duplicate files, not the first).

Jon
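
A way to cross-check the hash-set comparison and the first-versus-later-occurrence filter outside EnCase, as an added example that is not part of the original thread or the linked filter: it assumes each drive's files were exported to their own folder with Copy Folders. All function names are hypothetical, MD5 is an assumed choice of hash type, and the sample files are constructed.

```python
import hashlib, os, tempfile
from collections import defaultdict

def hash_tree(root, algo="md5"):  # algo is an assumption; match your hash set
    """Return sorted (relative_path, digest) pairs for non-empty files under root."""
    recs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) == 0:
                continue  # every empty file shares one digest; skip the noise
            h = hashlib.new(algo)
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            recs.append((os.path.relpath(full, root), h.hexdigest()))
    return sorted(recs)

def cross_matches(recs_a, recs_b):
    """Map digest -> (paths on A, paths on B) for content present on both."""
    by_a, by_b = defaultdict(list), defaultdict(list)
    for recs, index in ((recs_a, by_a), (recs_b, by_b)):
        for path, digest in recs:
            index[digest].append(path)
    return {d: (by_a[d], by_b[d]) for d in by_a if d in by_b}

def name_matches(recs_a, recs_b):
    """File names (case-insensitive) found on both, regardless of content."""
    names_a = {os.path.basename(p).lower() for p, _ in recs_a}
    names_b = {os.path.basename(p).lower() for p, _ in recs_b}
    return sorted(names_a & names_b)

def split_repeats(recs):
    """First occurrence of each digest vs. its second, third, ... occurrences."""
    seen, first, repeats = set(), [], []
    for path, digest in recs:
        (repeats if digest in seen else first).append(path)
        seen.add(digest)
    return first, repeats

def build_sample():
    """Constructed sample data: two temp folders standing in for two exports."""
    dir_a, dir_b = tempfile.mkdtemp(), tempfile.mkdtemp()
    doc = b"quarterly figures"
    sample = [(dir_a, "report.doc", doc), (dir_a, "report_copy.doc", doc),
              (dir_a, "notes.txt", b"drive A notes"), (dir_a, "empty.tmp", b""),
              (dir_b, "renamed.bin", doc), (dir_b, "Notes.TXT", b"drive B notes")]
    for folder, name, data in sample:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return dir_a, dir_b
```

Call `hash_tree()` on each export folder and pass the two results to `cross_matches()` and `name_matches()`; `split_repeats(a + b)` separates what a unique-files view keeps from what the reversed view shows.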
