Wednesday, September 11, 2013

EnCase v6 to v7 and Infozoom



A bit of going under the bonnet of EnCase to see what has changed from v6 to v7, how it presents its data, and whether that data can be accessed with other tools such as Infozoom.
EnCase v7 introduced a brand new browser-like user interface, replacing the dashboard-like features of v6. The use of EnCase conditions is also more restricted, which makes direct data comparison a bit more challenging. Furthermore, in the Enterprise version it is no longer possible to do a simple data search within enterprise sweep results.


One workaround would be to write your own EnScript to do those tasks for you. However, because the EnScript language and libraries also changed in the transition from v6 to v7, writing your own EnScript is quite time consuming. You might consider generating reports from the sweep results, but don't bother: the report files have a format that cannot be exported in any form you can use in other tools. You can, however, use the EnCase review feature. The review feature gets the data into MS Explorer, which then gives you the option to export it to MS Excel.
In MS Excel one can then do external analysis and return the results to EnCase for a new sweep or whatever else is necessary. Here we used Infozoom for the first time on the exported data instead of MS Excel. Infozoom gives a good overview of what the data means, especially through its overview feature, which is quite simple to use.


At some point, while testing the above, we received information that EnCase sweep results are actually stored in an SQLite file, alongside L01 files as in version 6, so in theory any data analytics tool with access to the SQLite file can open and analyse the data.
As we had already used Infozoom to dig through sweep results and other data provided by EnCase, it was logical to try accessing the SQLite file from Infozoom too. There is ODBC access to SQLite, and Infozoom can use ODBC, so this was a logical step; it works, with interesting and useful results.
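The point above, that a sweep result stored as SQLite can be opened by any tool that reads SQLite, and the earlier export-to-Excel step, can both be shown in a few lines of Python instead of an ODBC driver. This is an added example, not code from the original post and not EnCase's or Infozoom's own code. It assumes nothing beyond "the file is a SQLite database": the table names and columns in the constructed sample below are made up for the demonstration and are not EnCase's real schema. It lists every table via `sqlite_master`, dumps each to a CSV that Excel or Infozoom can import, and opens the evidence file read-only so the tool cannot alter it.

```python
"""Enumerate an unknown SQLite file and export every table to CSV.

Added example (not from the original post, not EnCase/Infozoom code).
The sample database built here uses a CONSTRUCTED, hypothetical layout;
it is not the real EnCase sweep schema.
"""
import csv
import os
import sqlite3
import tempfile
from pathlib import Path


def open_readonly(db_path):
    """Open the database read-only so an evidence file cannot be modified.

    mode=ro makes SQLite refuse every write on this connection. It does not
    remove the need to work on a verified copy: a hot -journal/-wal file next
    to the database would still be consulted when reading."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def list_tables(conn):
    """Return (name, CREATE statement) for every user table in the file."""
    rows = conn.execute(
        "SELECT name, sql FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    return [(name, sql) for name, sql in rows]


def quote_ident(name):
    """Quote an identifier taken from sqlite_master (names are untrusted input)."""
    return '"' + name.replace('"', '""') + '"'


def export_tables(conn, out_dir):
    """Dump every table to <out_dir>/<table>.csv with a header row.

    Returns {table_name: rows_written}. BLOB cells (hashes, raw records) are
    hex-encoded so the CSV stays plain text for Excel / Infozoom import."""
    os.makedirs(out_dir, exist_ok=True)
    written = {}
    for name, _create_sql in list_tables(conn):
        cur = conn.execute("SELECT * FROM " + quote_ident(name))
        headers = [d[0] for d in cur.description]
        safe = "".join(c if c.isalnum() or c in "-_" else "_" for c in name)
        path = os.path.join(out_dir, safe + ".csv")
        with open(path, "w", newline="", encoding="utf-8") as fh:
            writer = csv.writer(fh)
            writer.writerow(headers)
            count = 0
            for row in cur:
                writer.writerow([c.hex() if isinstance(c, bytes) else c for c in row])
                count += 1
        written[name] = count
    return written


def build_sample_db(path):
    """Constructed sample data. Hypothetical tables, NOT EnCase's schema."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE hosts(host_id INTEGER PRIMARY KEY, hostname TEXT, ip TEXT);
        CREATE TABLE hits(hit_id INTEGER PRIMARY KEY, host_id INTEGER,
                          path TEXT, md5 BLOB);
        INSERT INTO hosts VALUES (1, 'WS-001', '10.0.0.11'), (2, 'WS-002', '10.0.0.12');
        INSERT INTO hits VALUES
            (1, 1, 'C:\\Temp\\a.exe', X'D41D8CD98F00B204E9800998ECF8427E'),
            (2, 2, 'C:\\Users\\bob\\b.dll', X'00');
    """)
    conn.commit()
    conn.close()


def demo():
    """Build the sample file, export it read-only, and report what happened."""
    work = tempfile.mkdtemp()
    db = os.path.join(work, "sweep.sqlite")
    build_sample_db(db)
    conn = open_readonly(db)
    try:
        tables = [name for name, _ in list_tables(conn)]
        counts = export_tables(conn, os.path.join(work, "csv"))
        try:  # prove the read-only handle really rejects writes
            conn.execute("DELETE FROM hits")
            readonly_enforced = False
        except sqlite3.OperationalError:
            readonly_enforced = True
    finally:
        conn.close()
    with open(os.path.join(work, "csv", "hits.csv"), newline="", encoding="utf-8") as fh:
        hits_rows = list(csv.reader(fh))
    return {"tables": tables, "counts": counts,
            "readonly": readonly_enforced, "hits_csv": hits_rows}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a copy of the real file by replacing `build_sample_db` with the path you were given; the `list_tables` output tells you the schema before you decide which tables are worth loading into Infozoom, which is the same information the ODBC driver exposes as its table list. Hash the copy before and after the export: `mode=ro` stops this process from writing, but it is the hash, not the flag, that proves the evidence is unchanged.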





