EnCase Forensic Version 6.11 User's Guide
The Main Window
Begin using the EnCase application in the main window.
The main window organizes the application's features. Features accessible from the main
window are run from the system menu, the toolbar, and various right‐click menus. As the
application runs, a status message displays in the status line at the bottom of the window.
The main window consists of a
System menu
Toolbar
Window containing panes
Status line
Panes divide and organize the window and contain trees, tables, and data in various
representations.
Figure 4. The Main Window as it appears in EnCase Enterprise with an open case: 1) indicates the
system menu, 2) the toolbar, 3) a window pane, and 4) the status line.
Navigating the EnCase Interface
The menus, commands, and icons displayed in the toolbar change depending on the context
configuration of the application. The Logon and Logoff icons, for example, appear in
enterprise‐capable applications only. The Edit menu does not appear when the application is
opened in acquisition only mode, which occurs when the application is opened on a machine that
does not have a dongle or appropriate licenses. Additional functionality modules add commands
and icons.
System Menu
The system menu organizes commands provided by the EnCase application.
The system menu appears in the main window. The system menu, along with the right‐click,
context‐specific menus, provides commands to execute application functionality.
The system menu contains the following commands:
File
Edit
View
Tools
Help
When clicked, the commands in the system menu display the corresponding menu. The Edit
menu does not display in acquisition mode, although the Edit command always displays in the
system menu.
Some of the commands in the menus displayed by the system menu commands are context
dependent. Context‐dependent commands appear in the menus, but are disabled unless the
current application context makes them available.
File Menu
The File menu provides commands that manipulate application files and global application
settings.
You can
create new case files
open existing case files
save case files and global settings
print the contents of files
add devices to cases
add raw images to cases
exit the application
You may see different options on the File menu, depending on your context.
The File menu provides the following commands:
New displays the Case Options dialog where you define the case you want to add.
Open displays the Open dialog where you select a previously saved case.
Save saves the previously saved case file, or displays the Save dialog where you enter the
filename, path, and file type for the case file you want to save.
Save As displays the Save As dialog where you enter the filename, path, and file type for the
case file under a different name.
Save All displays the Save All dialog where you enter the filename, path, and file type for
both the case file and EnCase global settings.
Print displays a Print dialog, where you define the print settings for the content (Table,
Report, Code), depending on what is displayed in the Table pane.
Printer Setup displays the Print Setup dialog where you select a printer and choose printer
settings.
Add Device displays the Add Device wizard where you define the preview and acquire
parameters for a device. This command appears in the menu only when a case is open.
Add Raw Image displays the Add Raw Image dialog where you select image files to be
added to the open case. This command appears in the menu only when a case is open.
Exit closes the program. If content has changed, you are prompted to save it.
Edit Menu
The Edit menu commands work with the objects and content in the currently selected tab.
Edit menu commands are context‐specific, changing as you move from one tab to another, or
select objects or content in a tab. Specific Edit menus are discussed in sections describing the
features that have an Edit menu associated with them.
The Edit menu shown here provides the following commands:
Export displays the Export dialog, where you select fields in a file to copy data to a text file,
and specify the path for the file containing the data.
Copy/UnErase starts the Copy/UnErase wizard for copying evidence files and folder entries
to one or more destination files. This command does not change the evidence file.
Copy Folders displays the Copy Folders dialog, where you can process the content of a
selected folder or folders in a variety of ways.
Bookmark Data displays the Bookmark Data dialog, where you can create and define a new
data bookmark.
Create a Hash Set displays the Create Hash Set dialog for selected files already hashed. You
can name and categorize the hash set to be created.
Create Logical Evidence File displays, for a selected file or collection of selected files, the
Create Logical Evidence wizard, so you can create a new logical evidence file to contain
those files.
Mount as Network Share displays the Mount as Network Share dialog, so you can mount an
acquired device as a network share. This command appears only if the Virtual File System
module is installed.
Expand/Contract, for a selected object anywhere along the branch of the tree, expands the
branch of the tree, or for a fully expanded branch of the tree, contracts the branch.
Expand All expands all branches of the tree.
Contract All contracts all branches of the tree.
Set Included Folders is a toggle switch. It initially sets Select All for the selected object in a
tree and its branches. Choosing it again clears the selected nodes.
Include Sub Folders toggles Select All for the selected object in a tree and its branches.
Include Single Folder toggles Select All for the selected object in a tree, ignoring its
branches.
Copy/UnErase
The Copy/UnErase command recovers and unerases files with byte‐per‐byte precision.
To initiate Copy/UnErase:
1. Click Edit > Copy/UnErase.
2. Select the file or files to copy.
3. Select whether to have each recovered file appear in a new file or to merge them to a
single file.