I need to use EnCase v.6 for a specific case due to client preferences. I've not used EnCase for a while so I'd like some reminders and/or tips. I'm looking for a .ppt file that is not showing up. I've recovered folders. I've done a file signature analysis. I've run the file carver (which I did not fully populate). Can anyone provide some headers of .ppt/.pptx files or any other useful EnScript for finding this critter? It's not showing up, so I am assuming it's in unallocated, but you know what they say about assuming.
Any help is appreciated.
You could always try using some other tools on the disk image. Then once you have found what you are looking for (and know where it is), then you can go back to EnCase and re-find the file and document the process in EnCase.
That's a really good idea. Other than FTK, do you have any suggestions? I'm so sick of messing with grep and hex that I'd try just about anything anyone could mention. Thanks for the idea!
It could also be within a .zip, .pst, or other file…
If you carved the entire drive and could not find the PPT, the only things I can think of are:
- the file is not on the drive
- the file is encrypted
- the file is compressed
- inside another compound file, encoded
- the header is damaged
- Combination of all of the above
tdID and scalpel will do some magic for carving files, including PPT.
You can find the various PPT/PPTX signatures on Gary Kessler's web site.
Many data carvers will detect PPTX files as ZIP files.
I look for the string
"application/vnd.openxmlformats-officedocument.presentationml.presentation"
within the compressed data to determine if it is a PPTX file.
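
Added example, not part of the original thread or of any tool named in it: a Python scan of a raw image buffer that applies the check described in the last post, inflating each `[Content_Types].xml` ZIP entry it finds and looking for the PresentationML string, and that also flags the OLE2 compound-file magic used by legacy .ppt files. The function names and the in-memory sample image are constructed for illustration; the two signatures are the standard published ones for ZIP local headers and OLE2 compound files.

```python
import io, struct, zipfile, zlib

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .ppt/.doc/.xls container
ZIP_LOCAL = b"PK\x03\x04"                        # ZIP local file header
PPTX_MARK = b"application/vnd.openxmlformats-officedocument.presentationml.presentation"

def find_all(buf, needle):
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)

def read_entry(buf, off, limit=1 << 20):
    """Parse the ZIP local header at off; return (name, data) or None."""
    if off + 30 > len(buf):
        return None
    method, = struct.unpack_from("<H", buf, off + 8)
    csize, = struct.unpack_from("<I", buf, off + 18)
    nlen, xlen = struct.unpack_from("<HH", buf, off + 26)
    name = buf[off + 30:off + 30 + nlen]
    start = off + 30 + nlen + xlen
    if method == 0:                               # stored
        return name, buf[start:start + csize]
    if method != 8:                               # only deflate handled here
        return None
    try:  # raw deflate ends itself, so a zero csize (data descriptor) is fine
        data = zlib.decompressobj(-15).decompress(buf[start:start + limit], limit)
    except zlib.error:
        return None                               # false-positive signature hit
    return name, data

def scan(buf):
    """Return sorted (offset, kind) hits for PPTX and OLE2 candidates."""
    hits = [(o, "ole2") for o in find_all(buf, OLE2_MAGIC)]
    for off in find_all(buf, ZIP_LOCAL):
        entry = read_entry(buf, off)
        if entry and entry[0] == b"[Content_Types].xml" and PPTX_MARK in entry[1]:
            hits.append((off, "pptx"))
    return sorted(hits)

def make_zip(content_type):                       # constructed sample container
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<Override ContentType="%s.main+xml"/>' % content_type)
    return bio.getvalue()

def make_sample():                                # constructed "unallocated" buffer
    docx = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
    return (b"\x00" * 512 + make_zip(PPTX_MARK.decode()) + b"\xff" * 100
            + make_zip(docx) + b"\x00" * 37 + OLE2_MAGIC + b"\x00" * 64)

if __name__ == "__main__":
    for offset, kind in scan(make_sample()):
        print(f"{kind} candidate at byte offset {offset}")
```

An OLE2 hit only says a compound file starts there; it could equally be a .doc or .xls, so the offset still has to be examined in EnCase.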