In Encase v6 you could carve only selected files, is there a way to do that in v7? Also in v6 you could do a keyword search from 0xFF D8 FF E0 00 (yoya) and view the jpg that way also. Does anyone have a solution? Thanks
To identify JPG's within a selection of files I have found the following EnScript very useful, that being the
This enscript performs a keyword search of your choosing (i.e. for the JPG header) against a selection of files (blue tick or tag) and will then bookmark it, in this instance as a picture.
Also if you wish to identify the JPG yourself, to view this as a picture - highlight the JPG header then on the view pane there is a Decode tab (next to Hex) here you can find the decode type for a picture.
From the evidence tab you can select the files of interest and use the command "raw search selected". You created a keyword with a grep expression for the JPG's header. An you will have the results in the result tab. The Text and Hex view in the View pane displays and highlight the search hits. As mentionned by hommy0 you can display the image by selecting the decode tab in the view pane and select the Picture view within the picture folder. However you have to do that manually for each hit. With this method you will find JPGs and also thumbnails embedded in JPGs.
You can also use the process module "file carver" to carve JPG. With this module the carving will be better as EnCase will use header and footer to perform the search and will not display a thumbnail emebedded in JPG as a result.
It was to explain to ID274 how to carve only on selected files as the command raw search selected is available in the evidence tab. I am sure the Enscript works and it is useful to use as you do not have to do it manually, it bookmark all hits and displayed it with the correct decoding.
On the other hand I do not see the point to have the image and her thumbnail ? you have to sort out your images to not included thumbnail in your report.
As for me I use the file carver module if I have to do it with EnCase but X-Ways gives better carving result and Adroit does a real good job to carve images!
It was to explain to ID274 how to carve only on selected files as the command raw search selected is available in the evidence tab. I am sure the Enscript works and it is useful to use as you do not have to do it manually, it bookmark all hits and displayed it with the correct decoding.
On the other hand I do not see the point to have the image and her thumbnail ? you have to sort out your images to not included thumbnail in your report.
As for me I use the file carver module if I have to do it with EnCase but X-Ways gives better carving result and Adroit does a real good job to carve images!
Hi sam,
I have tried encase and adroit, adroit is better for sure.
How do u compare the result of carving between encase and xways? Certain jpg can only be carved in xways but not encase? Thx
