Tagging in Encase v7
Posted by Paul Bobby on May 3, 2011
Now this feature is quite the treat. Previously you had to bookmark groups of files that shared common criteria, such as “C4P categories, malware, to-be-reviewed” etc., which was serial in nature, and often duplicative. So along comes tagging – and it’s sort of fun to use!
First a screen shot:
These are the four tags that come by default with the Encase v7 preview. Behind the Tag Manager pane you will see that I have tagged the RECYCLER entry with all four tags. I expanded the column for you to see the content of the tag; by default the tag column is small and you won't see the text, but the colors should mean something to you. Furthermore, where you click within the tag cell determines which tag is applied.
Where you click is defined by the order of the tags in the Tag Manager. The tags and their ordering are saved with the case, and Case Templates (another cool feature) can be created that incorporate your own custom tagging. The new Conditions (which appear to run against the entire case) work well here: search for Tag contains “Review” and get a listing of all files that need to be reviewed by your reviewer.
I believe this is a great step forward in providing ways to include junior level forensic analysts with senior level analysts all working on the same case. Remember “Evidence Caches” can be copied so that analysts can have their own working copies. I am not sure if a single copy can simply be shared; at this time Encase v7 is constantly reading/writing from the HDD of your examiner, so while theoretically the cache files should remain static, I don’t know enough about the inner workings to be sure. And with only a single dongle for testing, that will have to wait until later.