Tuesday, October 23, 2007

EnScript to export x bytes around selected search hits

A friend was doing some eDiscovery work and needed to export some search hits for review by an attorney. He decided he wanted to export some of the text around the search hit so the reviewing party would have some context to evaluate the located search hit.

This EnScript exports a specified number of bytes (x) before and after each selected search hit. To use it, run your keyword search as usual, select (blue check) the search hits you want to export, and then run the EnScript. It exports the number of bytes you specify on each side of the hit. If a search hit is closer to the beginning or end of the file than the number of bytes you specified, the export contains whatever data is available from the beginning of the file or up to its end.

Written for EnCase v6, but it should also run in v5.

Download Here
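The clamping rule described above, sketched in Python as an added example (this is not the EnScript or its code; the function names and the sample buffer are constructed for illustration). The preview step escapes the exported bytes before they are placed in an HTML report, so markup inside a hit's context is displayed as text rather than interpreted.

```python
import html
import io

# Constructed sample "file": a small HTML fragment containing the keyword ACME.
SAMPLE = b"<html><body>Invoice for ACME Corp</body></html>"

def context_window(hit_offset, hit_length, file_size, context):
    """Return (start, end) of the export range, clamped to the file bounds."""
    if hit_offset < 0 or hit_length <= 0 or hit_offset + hit_length > file_size:
        raise ValueError("search hit lies outside the file")
    start = max(0, hit_offset - context)  # fewer bytes if the hit is near the start
    end = min(file_size, hit_offset + hit_length + context)  # or near the end
    return start, end

def export_hit(stream, file_size, hit_offset, hit_length, context):
    """Read the hit plus surrounding context from a seekable binary stream."""
    start, end = context_window(hit_offset, hit_length, file_size, context)
    stream.seek(start)
    data = stream.read(end - start)
    # hit_at records where the hit sits inside the exported bytes.
    return {"start": start, "end": end, "hit_at": hit_offset - start, "data": data}

def html_preview(record, hit_length):
    """Render the export as escaped text with the hit in bold."""
    def esc(chunk):
        # latin-1 maps every byte to one character, so nothing is dropped.
        return html.escape(chunk.decode("latin-1"))
    data, i = record["data"], record["hit_at"]
    j = i + hit_length
    return f"<pre>{esc(data[:i])}<b>{esc(data[i:j])}</b>{esc(data[j:])}</pre>"

if __name__ == "__main__":
    offset = SAMPLE.find(b"ACME")
    for context in (10, 100):  # 100 exceeds the file, so the window is clamped
        rec = export_hit(io.BytesIO(SAMPLE), len(SAMPLE), offset, 4, context)
        print(context, rec["start"], rec["end"], rec["data"])
        print(html_preview(rec, 4))
```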

5 comments:

Unknown Tuesday, 20 November, 2007  

How do you view the results?

Lance Mueller Tuesday, 20 November, 2007  

The results are exported into your default export folder, usually C:\Program Files\EnCase6\Export

Unknown Wednesday, 21 November, 2007  

Is there a way to make the results a bookmark or something a little easier to add to a report rather than a dmp file? Thanks for your work.

Anonymous Friday, 26 September, 2008  

The software works beautifully as far as it goes, but I have a couple of suggestions (Just what you need, right?)

1. Instead of only making the html report optional, make the .dmp files optional (I need the html, not the .dmp's and deleting them is a pain).
2. Add a way to split the output every 1000 hits (saves me having to blue check in blocks of 1000 by hand).
3. Add a proximity check so that if I have the same keyword more than once within the (4K) range of data being extracted, the other ones are ignored and don't produce multiple copies of essentially the same material.

Anonymous Friday, 26 September, 2008  

I just found a bug in the HTML output from the EnScript. Some of the blocks of text being pulled are web pages or formatted text. When the report is generated, these completely screw up the layout of the HTML pages (kiss the nice boxes and columns goodbye).

Richard
