kevinma wrote:
I am new to EnCase 7. Currently, I try to extract all the office documents (Word, Excel, PowerPoint, PDF) from the E01 image. However, the E01 image contains lot of operating system files and office templates that I don't want to review.
Is there any method to filter or hide these type of files? <img src="images/smiles/icon_rolleyes.gif" alt="Rolling Eyes" title="Rolling Eyes" />
I know there are some Reference Data Set (RDS) from National Software Reference Library (NSRL), but don't know how to apply it in EnCase 7.
While I understand what you're trying to do, if your goal is to extract just office documents then I would suggest creating a condition that returns whatever file types you're looking for based on file extension. Conditions are relatively easy to create and you can either hard-code the file extensions or better yet set it to prompt for the values you're looking for so you can re-use the condition to sort for any file extensions.
Version 7's handling of hash sets when it comes to displaying files that don't match a hash set frankly stinks and is virtually unusable in its present form. You'll save yourself quite a bit of frustration by using a condition to do what you're trying to do.
↧