 |
Root (global): In any view (Cases, Bookmarks, Keywords, etc.), this is the root folder. It is displayed even if there is nothing else created in the view window. |
 |
Case: This icon is displayed in all views. |
 |
Device: A physical hard drive icon. This icon does not represent a volume or logical device, such as a partition. |
 |
Network Share Device: This icon appears when the VFS or PDE Module virtually mounts a case, device or folder. |
 |
Volume or Logical Device: Represents a volume, logical disk, and/or a partition. |
 |
RAID, Dynamic Disk: RAID disks and Dynamic Disks. |
 |
Rebuilt RAID or Dynamic Disk: RAID or Dynamic disk, successfully rebuilt within the EnCase environment. |
 |
CD ROM: Indicates a CD ROM. |
 |
CD ROM session: Indicates a session on a multi-session CD ROM. |
 |
Folder: An allocated folder. |
 |
Deleted folder: A folder that is deleted. |
 |
Deleted, Overwritten folder: A folder that is deleted and over-written by another file (see Deleted, Overwritten file). |
 |
Folder, Invalid Cluster: A directory entry whose file type bit is set to "folder;" and whose starting cluster is set to zero. |
 |
Lost Files/Recovered Folders: Lost Files, Recovered Folders or indicates examining an NTFS or FAT drive. |
 |
Deleted file: A deleted file on the suspect's computer that has been undiluted by EnCase; nothing is changed in the evidence file. |
 |
Deleted and Overwritten file: EnCase determines that the starting cluster found in the directory entry for this file is occupied by another file and makes no further attempt to undelete this file. The name of the overwriting file is displayed in the status bar, and its contents (not that of the deleted file) displayed. Remnants of the original file may exist. Further examination should include checking the starting cluster, and the size of both files, to enable the examiner to determine if the data has been over-written. If it has not, the original file data may be on the hard drive in the slack space of the new file. |
 |
Invalid Cluster: A filename entry that does not have a starting cluster number. EnCase cannot locate the file's contents. Invalid cluster numbers are normally generated from system-deleted files, where the starting cluster number is changed to zero. This evidence indicates that the filename existed and the dates that it was created, modified, and accessed. |
 |
File, Hard Linked: A condition when multiple Names have a direct connection to the same Anode. EnCase splits the data into a file named "Hard Link Data #". All corresponding Hard Links point to this file for the data. (for example: /bin/ls uses inode 64860; /var/ftp/bin/ls also uses inode 64860). |
 |
Internal File: A file created by file systems such as NTFS, HFS, Linux, EXT2. |
 |
Recycle Bin: The suspect's recycle bin. |
 |
Unallocated space, MBR, unused disk area, FAT tables, VBR, Volume slack: A representation of these areas of the disk, showing that no files are currently allocated to these areas. |
 |
Text: A view of the selected file in ASCII. |
 |
Hex: A view of the selected file in Hexadecimal for each character displayed. |
 |
Picture: Displays a picture if the selected file type is a graphic image. |
 |
Report: Displays the data that appears in the report for the selected item. |
 |
Console: Displays the console contents (C:\Program Files\EnCase4\console.txt); status information about the results of processes such as scripts, searches, and Recovered Folders, for example. |
 |
Filters: Displays the available filters for the current view. |
 |
Queries: Displays the available queries for the current view. |
 |
Disk: In the bottom pane, displays the contents of the disk divided into individual sectors, which are represented as blocks. Each block pattern and color has its' own definition as follows: |
| |
 |
 |
Bookmark: Puts EnCase in Bookmark view. |
 |
Highlighted Data Bookmark: Created by sweeping data (clicking and dragging the mouse over data) in one of the sub-panes. This is a customizable bookmark. |
 |
Notes Bookmark: Allows the user to write additional comments into the report. It is not an evidence bookmark. |
 |
Folder Information Bookmark: Bookmarks the tree structure of a folder or device information of the selected media. The options include showing the device information, such as drive geometry, and the number of columns to use for the tree structure. |
 |
Notable File Bookmark: A file bookmarked by itself. This is a customizable bookmark. |
 |
File Group Bookmark: A bookmark that is part of a group of selected files. There is no comment on this bookmark. |
 |
Snapshot Bookmark: Contains the results of a system Snapshot of dynamic data for incident response and security auditing. This information is acquired running the Scan Local Machine (v4) EnScript against a preview of the local drive. |
 |
Log Record Bookmark: Contains the results of the log parsing EnScript. |
 |
Open Ports Bookmark: Contains the snapshot data for all open ports on a target system. |
 |
Process Bookmark: Contains the snapshot data about all processes running on a target system. |
 |
Open Files Bookmark: Contains the snapshot data on any open files on a target system. |
 |
Network Interfaces Bookmark: Contains the snapshot configuration of any of the network interfaces on a target system. |
 |
Network Users Bookmark: Contains the snapshot of the network users with system access. |
 |
IDS Events Bookmark: Contains a snapshot of IDS events |
 |
Registry Bookmark: The results of a Windows registry parsing EnScript (such as Initialize Case (v4)). This icon is also displayed in certain scripts when selecting the registry. |
 |
File Types: Selecting this icon presents the File Types view. |
 |
File Signatures: Selecting this icon presents the File Signatures view |
 |
File Viewers: Selecting this icon presents the File Viewers view. |
 |
Keywords: Selecting this icon presents the Keywords view. |
 |
Search Hits: Selecting this icon presents the Search Hits view. |
 |
Preview icon: When displayed inside any other icon, this icon indicates that there is a preview being performed on the selected device |
 |
Floppy disk \ Zip disk: Indicates a floppy disk or Zip disk preview\acquisition, and is also displayed in the Add Device window as a valid removable device. |
 |
Empty floppy disk: No floppy media in the selected drive. |
 |
FastBloc protected device: A FastBloc write protected device available for preview or acquisition. |
 |
Palm: A Palm PDA device or evidence file is present. |
 |
Parallel Port \ Network Crossover: A device has been added using a parallel port or a network crossover cable. |
 |
Security Ids: EnCase extracted file and folder security information (owner, group and permissions) for an NTFS file system as well as owner, group and permission settings for a Unix, or Linux system |
 |
Text Styles: Selects the text style to view Code Pages in different settings, like variations in color and text line length. EnCase is configured with default text styles, but additional styles can be added, edited, and deleted from this tab by either right-clicking and selecting the command from the contextual menu or clicking the button in the toolbar |
 |
EnScripts: Small programs or macros designed to automate forensic procedures. |
 |
Hash Sets: A collection of hash values of files that belong to the same application. |
 |
App Descriptors: This view enables examiners to organize the hash values of live processes running on a system scanned by the Snapshot function. |
 |
Machine Profiles: This view enables examiners to create a custom profile of the authorized applications or processes that should be running on a target machine. |
 |
Encryption Keys: This view enables users to generate key pairs to be used with EnCase Enterprise. |
 |
EnScript Types: A reference resource containing the EnScript language classes. The right-pane displays each functions parameter. |
 |
Redirect: Indicates the file that overwrote a deleted file, displayed in the status bar. The contents being displayed are not the contents of the deleted file. |
 |
EnScript Member Functions: Functions that are defined within the Script or Class. |
 |
EnScript Function Arguments: Arguments that are used in EnScript functions |
 |
EnScript Argument Passed by Reference: Arguments of functions that are passed by reference. |
 |
EnScript Enumerations: Enumerators for functions or classes |
 |
EnScript Constants: Constants that are used in Scripts or Functions |
