Anyone figure out how to filter EnCase evidence based on timeline only to include week days, in order to prove a system being used during work days?
I haven't tried this before and am not sure where to find this, or even if EnCase can do this in the filters or conditions.
Cheers
Rob
Anyone figure out how to filter EnCase evidence based on timeline only to include week days, in order to prove a system being used during work days?
I don't think it can be done with the default setup. You probably need to write your own filter (requires some knowledge of EnScript). There just might be a way of creating a condition for it – a series of Last Accessed/etc. with a Range would do it, but it seems rather clumsy to enumerate each week – unless the period you are interested in is fairly small.
Here's an example filter
    class MainClass {
        bool IsWeekday(DateClass date) {
            if (date != DateClassNull) {
                int day = date.DayOfWeek();
                // 0 = Sunday, 6 = Saturday
                return (1 <= day && day <= 5);
            }
            return false;
        }

        bool Main(EntryClass entry) {
            return (
                IsWeekday(entry.Created()) ||
                IsWeekday(entry.Written()) ||
                IsWeekday(entry.Modified()) ||
                IsWeekday(entry.Accessed()) ||
                IsWeekday(entry.Deleted())
            );
        }
    }
Of course, you have to decide which timestamps you care about, and to verify correct handling of timezones and daylight savings time (AFAIK, this should be the correct way of doing this in EnCase, but please don't take my word for it).
Jon
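
The time zone and daylight saving caveat in the post above, as an added illustration in Python rather than EnScript (not part of the original thread and not EnCase's own logic): the same stored UTC timestamp can be classified as a weekday or a weekend day depending on the offset applied before the day of the week is taken. The file names, timestamps and fixed offsets (UTC-5, UTC-4) are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumed fixed offsets for the custodian's location (standard vs. daylight time).
STANDARD = timezone(timedelta(hours=-5))
DAYLIGHT = timezone(timedelta(hours=-4))

# Constructed sample entries: (name, timestamp stored as UTC). Not from a real case.
SAMPLE_UTC = [
    ("report.doc", datetime(2024, 1, 13, 4, 30, tzinfo=UTC)),   # Sat 04:30 UTC
    ("budget.xls", datetime(2024, 1, 15, 3, 15, tzinfo=UTC)),   # Mon 03:15 UTC
    ("notes.txt",  datetime(2024, 1, 17, 15, 0, tzinfo=UTC)),   # Wed 15:00 UTC
    ("summer.log", datetime(2024, 7, 13, 4, 30, tzinfo=UTC)),   # Sat 04:30 UTC
]


def is_weekday(ts_utc, tz):
    """True if the timestamp falls on Monday..Friday when viewed in tz.

    Python numbers days Monday=0 .. Sunday=6, unlike the 0=Sunday
    convention noted in the EnScript filter.
    """
    return ts_utc.astimezone(tz).weekday() < 5


def weekday_disagreements(entries, tz_a, tz_b):
    """Names whose weekday/weekend classification differs between two zones."""
    return [name for name, ts in entries
            if is_weekday(ts, tz_a) != is_weekday(ts, tz_b)]


if __name__ == "__main__":
    # Entries a UTC-based filter would classify differently from local time.
    print("UTC vs UTC-5:  ", weekday_disagreements(SAMPLE_UTC, UTC, STANDARD))
    # Entries affected by applying the wrong offset for the season.
    print("UTC-5 vs UTC-4:", weekday_disagreements(SAMPLE_UTC, STANDARD, DAYLIGHT))
```

Any tzinfo object can be passed in place of the fixed offsets, for example a `zoneinfo.ZoneInfo` zone that applies daylight saving rules per date.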