There are some major positives that I would like to share!
The right-click has returned. The majority of the functions that were available with a right-click in EnCase 6.x have finally returned, some are listed below...
- Recover Folders (This is great and I will explain in detail below the list.)*
- Remove Recovered Folders
- Bookmark
- Copy Files / Folders (An issue with this is explained below.)***
- View File Structure (YAY)
- Add To Hash Library
- Hash / Run Signature on Selected (See below for added bonus to this)*
- Acquire E01 / Ex01
- Acquire L01
- Disk View (A Limitation listed below)**
- Restore
- Scan Disk Config
- Share with PDE / VFS
- Share with Enterprise View
- Modify Time Zones
- Send To File Viewers
- This is independent of the Evidence Processor!
- This means that you can do it multiple times prior to running the Evidence Processor, and select which volumes to run the recover folders on.
- If you select disk view from a right-click you will go to the cluster of that file. Not the Sector.
- The limitation is that there is no way to un-check the cluster view box and stay where you are located. Once you un-check cluster view you are taken to the start of the volume.
- Make sure to document the Physical Sector in the data bar (GPS) so that you can return to the correct Sector!
- Instead of going into full detail here I will create a new post concerning this issue.
www.h11dfs.com
Hew
No comments:
Post a Comment