Categories: CEIC 2012, Conference, Document Discovery, eDiscovery, Electronic Discovery

Day 3 CEIC – “Culling all eDocs and eMail!”

EnCase is well known as a powerful computer forensics tool. Some may also know it is a powerful eDiscovery tool, and the first session I sat through today highlighted key features in EnCase v6 that help you filter out the files, folders, documents and emails you need for your specific situation. Working the eDiscovery case from an image of the server or computer makes your life a little easier, although for instances where imaging is not possible you can connect to the subject server or PC over a network connection.

Within EnCase, Conditions are where this software makes your eDiscovery run more smoothly. When you set up Conditions you can pinpoint the specific documents, files or folders that matter to your case.

In the bottom right pane, navigate to Conditions and right-click to add a new folder. A point the session instructors made was to keep your folders organized: unique, well-organized folders save headaches in the future when you are looking for that information.

When you set up a new condition you are looking for something specific, and you need to determine which tab will give you the results you want. Unless you know the specific file name or size you will not want to use those tabs. In our exercise we used the Description tab to “cull” our eDocs and eMails.

When you add the condition and choose the Description tab you need to select an operator. The operator tells EnCase what to do with the terms you enter. To isolate all of the system and non-document entries so you can set them aside, choose “Find” under the operator and enter a list like this (see image too):

bad

bitmap

cluster

deleted

folder

internal

invalid

overwritten

physical disk

sector

stream

system

unallocated

volume

Entering these keywords tells EnCase to return ONLY the entries whose Description contains one of these words and to exclude the rest. Once you’re done, double-click the condition in the bottom right pane and it will run. If you’re like me you realize right away that this yields far too many results, but that’s the beauty of it: you can make conditions as broad or as narrow as you want.

To narrow the documents down further you can add a second condition on the path to find entries under certain folders. You can enter the specific paths you already know about. The list used in the session was a set of system and application folders, so this condition again picks out entries to cull rather than keep (see second image too):

\Windows\

\WinNT\

\Program Files\

\Program Files (x86)\

\System Volume Information\

\I386\

\Temporary Internet Files\

\History\

\Cookies\

\MSOCache\

\Cygwin\

\Lost Files\
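The two Conditions above, reproduced as plain Python over a CSV export of a file listing. This is an added example, not EnCase’s own code or EnScript: the column names (Name, Description, Full Path), the sample rows, and the reading of the “Find” operator as a case-insensitive substring match against each term in the list are assumptions made for illustration. It applies the Description keyword list first and the system-folder list second, and records which term caused each hit so the culled set can be reviewed instead of discarded blindly.

```python
"""Cull non-document entries from an EnCase-style file listing export.

Added example, not EnCase code. Reproduces the session's two Conditions
(Description "Find" keywords, then Full Path "Find" folders) over a CSV with
Name, Description and Full Path columns; the columns and rows are assumed.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Condition 1: Description tab, operator "Find", any of these words (session list).
DESCRIPTION_KEYWORDS = [
    "bad", "bitmap", "cluster", "deleted", "folder", "internal", "invalid",
    "overwritten", "physical disk", "sector", "stream", "system",
    "unallocated", "volume",
]

# Condition 2: Full Path, operator "Find", any of these folders (session list).
SYSTEM_FOLDERS = [
    "\\Windows\\", "\\WinNT\\", "\\Program Files\\", "\\Program Files (x86)\\",
    "\\System Volume Information\\", "\\I386\\", "\\Temporary Internet Files\\",
    "\\History\\", "\\Cookies\\", "\\MSOCache\\", "\\Cygwin\\", "\\Lost Files\\",
]

# Constructed sample export (not from a real case). Paths are written the way
# EnCase lists them, volume letter without a colon.
SAMPLE_EXPORT = """Name,Description,Full Path
Unallocated Clusters,Unallocated Clusters,C\\Unallocated Clusters
Volume Slack,Volume Slack,C\\Volume Slack
kernel32.dll,File,C\\Windows\\System32\\kernel32.dll
setup.exe,File,C\\Program Files (x86)\\Acme\\setup.exe
index.dat,File,C\\Documents and Settings\\jsmith\\Local Settings\\Temporary Internet Files\\index.dat
Documents,Folder,C\\Users\\jsmith\\Documents
Q3_forecast.xlsx,File,C\\Users\\jsmith\\Documents\\Q3_forecast.xlsx
old_memo.docx,"File, Deleted",C\\Users\\jsmith\\Documents\\old_memo.docx
contract.pdf,"File, Archive",C\\Users\\jsmith\\Desktop\\contract.pdf
"""


@dataclass
class Entry:
    name: str
    description: str
    full_path: str


def parse_export(text: str) -> List[Entry]:
    """Read the CSV export into Entry records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Entry(r["Name"], r["Description"], r["Full Path"]) for r in reader]


def find_any(value: str, terms: List[str]) -> Optional[str]:
    """Assumed 'Find' semantics: case-insensitive substring match against a
    list of terms. Returns the first matching term, or None."""
    lowered = value.lower()
    for term in terms:
        if term.lower() in lowered:
            return term
    return None


def cull(entries: List[Entry],
         keywords: List[str] = DESCRIPTION_KEYWORDS,
         folders: List[str] = SYSTEM_FOLDERS) -> Tuple[List[Tuple[Entry, str]], List[Entry]]:
    """Return (culled, kept). An entry is culled when either condition hits;
    each culled entry is paired with the reason so the hits can be reviewed."""
    culled, kept = [], []
    for e in entries:
        hit = find_any(e.description, keywords)
        if hit is not None:
            culled.append((e, f"description contains '{hit}'"))
            continue
        hit = find_any(e.full_path, folders)
        if hit is not None:
            culled.append((e, f"path contains '{hit}'"))
            continue
        kept.append(e)
    return culled, kept


def kept_names(text: str = SAMPLE_EXPORT) -> List[str]:
    """Names of entries that survive both conditions."""
    _, kept = cull(parse_export(text))
    return [e.name for e in kept]


def culled_reasons(text: str = SAMPLE_EXPORT) -> Dict[str, str]:
    """Map each culled entry name to the term that removed it."""
    culled, _ = cull(parse_export(text))
    return {e.name: reason for e, reason in culled}


if __name__ == "__main__":
    culled, kept = cull(parse_export(SAMPLE_EXPORT))
    print("Culled:")
    for e, reason in culled:
        print(f"  {e.full_path}  ({reason})")
    print("Kept for review:")
    for e in kept:
        print(f"  {e.full_path}")
```

Running it on the constructed export leaves only Q3_forecast.xlsx and contract.pdf for review. Note what the keyword list sweeps up along the way: the user’s own Documents folder entry (Description “Folder”) and old_memo.docx (Description “File, Deleted”) are both culled, because “folder”, “deleted” and “overwritten” are in the list. In an eDiscovery matter a deleted user document may well be responsive, so treat the culled set as something to review, not something to drop unread.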

I would suggest playing with these tools, and going to Guidance Software directly if you want more information about them and about using Conditions to speed up your eDiscovery cases!


Daniel Parsons

Computer/Mobile Forensic Examiner

Binary Intelligence

dparsons@binaryintel.com

www.binaryintel.com

www.twitter.com/binaryintel