Tuesday, April 7, 2009

Export files with selected search hits

So this EnScript was a suggestion from a reader named Scott (you know who you are). The premise behind this is that many times examiners are asked to run several keywords (sometimes hundreds), then export the files where the keywords were found and produce them for review.

This EnScript automates the export process: you select the search hits in the "Search Hit" tab and then run the EnScript. It goes through all the selected search hits and exports all the files that contain those search hits into folders named after the keyword. For example, if I searched for "lance", "mueller" and "lance mueller", and selected the root of each one of these search hit results in the Search Hit tab, a root folder named "Exported Search Hits - 04.07.09 07.24.29AM" will be created in the default export folder specified for the case. Inside this folder will be a subfolder for each keyword: "lance", "mueller" and "lance mueller".

Inside each of these folders will be all the files that contain that specific keyword. An index file is created in the root folder that specifies the keyword, hit offset, original path of the file in the evidence and the new path of that file in the export folder tree.

In the example below, if you select the "enscript" and/or "\e\n\s\c\r\i\p\t" search hits, two folders would be created with all the files that contain those keywords.

A few comments:
1. Duplicates - If a keyword such as "lance mueller" is found in several locations in a particular file, the file is only exported once into that specific keyword folder. If the file ALSO contains another keyword, then it will also be exported once into the folder for that keyword. If a keyword is found in multiple locations in the same file, the file is only exported once, but all the hits and offsets are referenced in the index. The last column will indicate that the file was previously exported, but the hit offset will reference the current hit.

2. File naming - The exported files have a number appended to the original filename to prevent multiple files that have the same name, but reside in different locations in the evidence, from being exported into the same export folder and overwriting each other. The number is placed at the end of the name stem, before the extension. The original name and path are noted in the index file with the corresponding new name as it exists in the export folder.

3. GREP searches - Keywords that contain characters which are illegal in directory names (e.g. /, \, ., :) have those characters stripped and replaced with a bullet: "·". The original keyword is specified in the index file.
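The three rules above (one export per keyword folder, a running number before the extension, and illegal characters replaced by a bullet) modelled in Python as an added example; this is not the EnScript itself, which runs inside EnCase. The evidence paths, file contents and hit offsets are constructed, and the `previously exported` column stands in for the index's last column.

```python
import csv
import os
import re
import tempfile

# Windows forbids these characters in folder names; the post replaces each with a bullet.
ILLEGAL_CHARS = re.compile(r'[\\/:*?"<>|]')

def folder_name(keyword):
    """Legal folder name for a keyword, including GREP expressions with backslashes."""
    return ILLEGAL_CHARS.sub("\u00b7", keyword)

def numbered_name(evidence_path, seq):
    """Basename with a running number before the extension, so same-named files
    from different evidence locations do not overwrite each other on export."""
    stem, ext = os.path.splitext(re.split(r"[\\/]", evidence_path)[-1])
    return f"{stem}{seq}{ext}"

def export_hits(hits, evidence, root):
    """Export each (keyword, file) pair once into <root>/<keyword folder>/ and write
    <root>/index.csv. hits: (keyword, evidence_path, offset) tuples in selection
    order; evidence: dict evidence_path -> bytes, a stand-in for the case image."""
    exported, rows, seq = {}, [], 0            # exported: (keyword, path) -> export path
    for keyword, path, offset in hits:
        key = (keyword, path)
        previously = key in exported           # repeat hit in a file already exported
        if not previously:
            seq += 1
            dest_dir = os.path.join(root, folder_name(keyword))
            os.makedirs(dest_dir, exist_ok=True)
            dest = os.path.join(dest_dir, numbered_name(path, seq))
            with open(dest, "wb") as fh:
                fh.write(evidence[path])
            exported[key] = dest
        rows.append([keyword, offset, path, exported[key], "yes" if previously else "no"])
    with open(os.path.join(root, "index.csv"), "w", newline="", encoding="utf-8") as fh:
        csv.writer(fh).writerows([["keyword", "hit offset", "original path",
                                   "export path", "previously exported"], *rows])
    return rows

# Constructed sample: two same-named files, one literal keyword and one GREP keyword.
EVIDENCE = {r"C\Users\bob\notes.txt": b"lance mueller wrote this enscript; enscript is handy",
            r"D\backup\notes.txt": b"an enscript from the backup"}
HITS = [("enscript", r"C\Users\bob\notes.txt", 25),
        ("enscript", r"C\Users\bob\notes.txt", 35),    # second hit in the same file
        ("enscript", r"D\backup\notes.txt", 3),
        (r"\e\n\s\c\r\i\p\t", r"C\Users\bob\notes.txt", 25)]

def run_sample():
    return export_hits(HITS, EVIDENCE, tempfile.mkdtemp())
```

Running `run_sample()` yields four index rows: the second "enscript" hit reuses the first export and is flagged, the backup copy of notes.txt gets its own numbered name, and the GREP keyword lands in a folder named with bullets.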

Download here

7 comments:

SS Tuesday, 07 April, 2009  

Very nice job Lance (& Scott) - This Enscript is a great time saver!

Anonymous Sunday, 11 October, 2009  

Great script. The only suggestion I have is that the script maintains the date/time stamps of the files that it exports. I've exported a number of files from a case using the script and the Last Modified and File Created dates are updated to the date and time the file was exported.

Anonymous Sunday, 11 October, 2009  

Hi, just wanted to retract my suggestion above as I have just realised that the bug is not with your script but with EnCase. So far I have found that versions 6.13 and 6.14 do not preserve the Last Modified date when exporting files.

Lance Mueller Monday, 12 October, 2009  

Anonymous,

Thanks for your comments. This EnScript was never designed to preserve the original modified dates, although it can easily be done. EnCase does not preserve them by default when using "copy/unerase" feature either, but that option is available in the EnScript language.

Anonymous Monday, 09 August, 2010  

Lance,
Have you seen any similar EnScripts that will do the same for items in the Records tag? I'm looking for a way to highlight search hits and then flag the entry in Records so these can be exported to msg.

Anonymous Monday, 01 November, 2010  

I know this is an old entry, but revisiting the preservation of metadata when using copy/unerase function. If I tag the search hits and right-click on copy/unerase, all three dates (I'm on Windows 7) are preserved?


Computer Forensics, Malware Analysis & Digital Investigations
