36. Encase 7 processing steps

Evidence Processor (EP) options	Execution Steps	View Results	Additional Steps
PE Recover Folders	Only for FAT and NTFS	Entries Tab Tree View Panel .Lost Files .Recovered Folders
PE Expand Compound Files	Includes ZIP, DOCX, etc.
PE Find Email	Search for specific email storage files PST/PBX/MBX etc.	Records Tab	Evidence Tab In `Table View` right-click and `View File Structure`
Webmail: PE File Carver `Carve HTML` `Carve Webmail Files`		Records Tab
PE Find Internat Artifacts `Search Unallocated Space`	Parses `index.dat` of IE and similar files of other browsers	Records Tab
Evidence Tab	`Filter...`	Results Tab	View a subset of evidence items
Search Tab Index Search Use AND and OR logic. See Encase Help for additional query options	Uses transcript of PDF and other compound files	Search Tab Results Tab In the bottom View area, use `Find Next` `Previous Item` `Next Item` to iterate through the matching items.	Use green Play button to execute index query. Note that results are displayed in the Search Tab but also duplicated in the Results Tab. Supposedly, the results tab appears "less cluttered"
PE Keyword Search or Evidence Tab `Raw Search`	Global keyword search. Keyword are saved in the case cache	Search Tab Keyword hits Results Tab	Use green Play button to execute keyword query. The keywords must be selected to be included in the query
Entries Tab Tree View Selected Items	`Raw Search` allows to search selectively inside the evidence tree. See textbook p 354 for details. Options: `Search Entry Slack` allows searching for FAT32 directory entries and inside file slack `Search Initialized Size` for NTFS only. Searches only what user would see in the file. `Undelete Entries Before Searching` searches across cluster boundaries	Search Tab Keyword hits Results Tab	Use green Play button to execute keyword query. Note: the keywords must be saved in a separate `.keyword` file The keywords must be selected to be included in the query

<<< Hash Library Building Steps

Index

>>>