My Road to Digital Forensics Excellence

Encase v7 Conditions

Posted by Paul Bobby on May 3, 2011

Remember, I’m working with the restricted v7 preview of Encase; so things are bound to change.

The v7 preview that we have comes with zero conditions and filters; so I decided to create one. The following screen shows the test:


I then created a quick condition to display only those files with an extension of .JPG:


In Encase v6, executing this condition on the above Table Pane (i.e. those 11 files) would reduce the Table Pane down to five entries. In Encase v7, things are a little different:


We get a whole new tab displayed called “Results”, and in this tab is listed all files across all evidence sources that meet the condition. This is very FTK-like. I like the functionality, it will certainly come in handy, but I also want the old functionality to allow me to slice-and-dice the Table Pane. So far I haven’t discovered if that is possible.


One Response to “Encase v7 Conditions”

  1. Hi Paul,

    I am glad to here you are pleased with the results view. As we continue down the release time frame we will be adding more powerful features to that view as well. In addition, EnCase 7 will still have the ability to filter and condition on entries and records. We have provided default filters – to use these, on either the Entries or Records tab, under the Filter toolbar options select Run. Then you should be able to navigate on your system to the following folders:

    C:\Program Files\EnCase7\Filter\Entries
    C:\Program Files\EnCase7\Filter\Records

    I believe on Windows 7 you should see shortcut paths to these locations on the left hand side file navigation.

    I appreciate your feedback and feel free to post your findings and suggestions on the Guidance support portal as well.

    Ashley | Guidance Software, Inc. | Product Manager

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: