I have installed the NSRL 2.31 known files and have rebuilt and updated the hash libraries in EnCase.
In EnCase I selected Conditions –> Hash Conditions –> Remove Known Files.
It ran the hash libraries, but it does not remove the known files; it merely reports in the file category what each one is, e.g. Windows file.
How do I remove them, so that there are fewer files to examine? Removing the known files will save a lot of time.
Please point me in the right direction.
There's no 'remove file' in EnCase as far as I know. Known files typically get a label 'KNOWN' – that's all.
In general, filter out known files. If you want to operate on files (index, say), select only the files that come out of the filter (or series of filters). If you want to search, ensure you check the right box – something about only searching the slack space of known files, and ignoring the main file contents. It's not very clearly stated in the dialog, though.
There is a "remove known files" filter that simply causes EnCase not to show the knowns to the user. The problem you might be having is that this filter is case sensitive by default and set to filter on "Known". If your NSRL has the hashes set to "known" (lower case "k"), nothing will happen when you run the filter.
To fix the problem, right click on the "remove known files" and select "Edit". Then deselect the "Case Sensitive" box. (This is from memory, so it might not be exact… but you get the idea).
hope that helps.
You have to rename all the libraries as "Known", as miket065 said - it is case sensitive. It is a bit of a two-step process: after you get the hash steps loaded in EnCase you have to check them all, right click on the list of files and choose "Set Category…", type in Known, then OK it. You'll probably get a white screen of wait, so let it do its thing. You might have to rebuild your library depending on the order in which you do things, but after that you can set your conditions to remove known. You usually get a good 30% reduction in files on a standard Win box.
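To make the case-sensitivity pitfall from miket065's answer and the "Set Category" fix from the answer above concrete, here is an added Python example. It is not EnCase code and not part of this thread; it models a hash set as a dict of SHA-1 to category label and an evidence listing as path/content pairs (all sample data is constructed), then shows a case-sensitive filter on "Known" leaving a file labelled "known" in place, while either a case-insensitive match or normalising every set's category to "Known" removes it.

```python
"""Known-file filtering against an NSRL-style hash set (added example).

Assumptions, not from the thread: a hash set is a dict mapping SHA-1 hex
digest -> category label; the evidence listing is a list of (path, bytes).
All sample hashes and files below are constructed for the demo.
"""
import hashlib

# Constructed NSRL-style hash set. Note the mixed-case labels: one set was
# imported with category "known", another with "Known".
HASH_SET = {
    hashlib.sha1(b"notepad.exe contents (constructed)").hexdigest(): "known",
    hashlib.sha1(b"kernel32.dll contents (constructed)").hexdigest(): "Known",
    hashlib.sha1(b"calc.exe contents (constructed)").hexdigest(): "known",
}

# Constructed evidence listing: (path, file bytes). Two files hash into the
# set; a user document and a same-named binary with different content do not.
EVIDENCE = [
    ("C:/Windows/notepad.exe", b"notepad.exe contents (constructed)"),
    ("C:/Windows/System32/kernel32.dll", b"kernel32.dll contents (constructed)"),
    ("C:/Users/alice/report.docx", b"quarterly numbers (constructed)"),
    ("C:/Users/alice/notepad.exe", b"something else entirely (constructed)"),
]


def categorize(evidence, hash_set):
    """Hash each file and look it up; returns [(path, sha1, category or None)].

    Matching is by content hash, not by name, so the renamed binary under the
    user profile stays uncategorised even though it is called notepad.exe."""
    rows = []
    for path, data in evidence:
        digest = hashlib.sha1(data).hexdigest()
        rows.append((path, digest, hash_set.get(digest)))
    return rows


def remove_known(rows, label="Known", case_sensitive=True):
    """Mimic a 'remove known files' filter: drop rows whose category matches.

    With case_sensitive=True (the default described in the thread) a row
    labelled 'known' survives a filter on 'Known'."""
    def matches(category):
        if category is None:
            return False
        if case_sensitive:
            return category == label
        return category.lower() == label.lower()
    return [row for row in rows if not matches(row[2])]


def normalize_categories(hash_set, label="Known"):
    """The 'Set Category' fix: give every hash set one consistent label."""
    return {digest: label for digest in hash_set}


def demo():
    """Return (total, after strict filter, after loose filter, after renaming)."""
    rows = categorize(EVIDENCE, HASH_SET)
    strict = remove_known(rows)                         # filter on "Known", case-sensitive
    loose = remove_known(rows, case_sensitive=False)    # "Case Sensitive" box unticked
    renamed = remove_known(categorize(EVIDENCE, normalize_categories(HASH_SET)))
    return len(rows), len(strict), len(loose), len(renamed)


if __name__ == "__main__":
    total, strict, loose, renamed = demo()
    print(f"files: {total}, left after case-sensitive filter: {strict}, "
          f"after case-insensitive: {loose}, after renaming categories: {renamed}")
```

Running it shows the strict filter only drops the file whose set happened to be labelled "Known", while the two fixes each drop both known files; the remaining two files are the ones an examiner actually needs to look at.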
Guidance used to host a third party app on their website that automates the renaming process.