Viewing Keyword Search Results by Hits in Forensic 8
Digital Forensics | Oct 12, 2016
EnCase Forensic 8.02 is available now. This post highlights one of the changes that we added in direct response to examiner feedback.
Over the last few months, I’ve traveled all over the country, with a few trips over to Europe, talking about the release of EnCase Forensic 8. I’ve been getting a ton of excellent suggestions for improvements. One of the most common requests I received was to bring back the option to view keyword search results by hit versus by item only.
So I did. I mean, some very talented developers did it. But I wrote it down on my notepad, flew back to Pasadena, and asked them if it was possible to do it. They said, “Yes.” Some time passed, and now I’m writing this blog post.
Below are some screenshots and quick notes demonstrating how to view your keyword search results by hit. This post will also point out changes to the UI to make viewing keywords and other search results a little clearer. There’s even a bonus examiner feedback item I’ll make note of at the end of the post, a little extra credit for those of you who read more than just the headlines of blog posts.
First, what was…
After creating a keyword list and running a new search in versions 7 and Forensic 8.01, examiners would go to the "View" dropdown menu and select the "Search" option to view the results. That’s right… select the SEARCH option to view the results. That does not make a lot of sense to me. Here’s a picture if that helps:
Yeah – I didn’t think so.
Now that we’re in the Search tab, you need to select the Keywords sub-tab in the tree pane. It’s the one with the arrow pointing at it in the image below.
See it? Great.
To the right, the Table Pane displays all the items that contain at least one keyword hit. By selecting one of these items and selecting the “Text” tab in the View Pane on the bottom, examiners can see the hits contained in the item. They’re highlighted in yellow. It looks like a dog got lost in the snow.
To view results in a more orderly way, select “Compressed View” in the View Pane and it will center the keywords found in an item and display contextual information to either side of the hit. Next to the Compressed View option there are two arrows, one up and the other down. These arrows let you click through the items in the Table Pane while viewing each item’s hits in the View Pane.
In compressed view, navigating items with the up and down arrows makes it easier to view keyword hits, but it’s still a cumbersome work-around when all an examiner wants to do is see the results of their keyword search.
Now, what is…
As before, you’ll run a new search using a keyword list. In the second release of Forensic 8, we have removed the misleading Search option from the View dropdown menu and instead broken those Search sub-tabs (Index, Tags, Keywords) out into their own pages.
Select "Keyword Hits" to view the results of your keyword search. That makes a lot more sense, right?
All keywords are displayed in the Tree Pane, but notice there’s nothing in the Table Pane. In Forensic 8.02 you have the choice to view your keyword results either by item OR by hit. Click the number under "Items" or "Hits" next to the keyword whose results you want to view. Depending on which number you select, your results will be displayed accordingly. If you select the number under the Items column, you’ll see your keyword results displayed the same as they were before.
And you can view the hits in the same compressed view as before.
But if the examiner selects the number under the Hits column, the Table Pane will display the individual keyword hits using some new Table Pane columns, including the "Codepage" and "Ansi Preview" columns.
In this view examiners can see all the keyword hits right away, including immediate context, and easily scroll down the list looking for relevant data.
This option, to view keyword search results by hit, came directly from the examiner feedback. It’s this feedback that will continue to drive the improvements and features in the upcoming Forensic releases. So please keep posting comments on the support portal, emailing your sales representatives, tuning into webinars to take advantage of the live Q&A, logging requests with Technical Services (those folks are awesome), and raising your hands during training to point out areas where EnCase Forensic can be improved.
As promised, we have one more new change in the 8.02 release. This is a minor one, but it too came from feedback directly after the initial release of Forensic 8 — examiners now have the option to add gridlines to the Table Pane. In the initial release we had removed gridlines from the Table Pane to give the UI a cleaner, modern look. You told us it made the UI harder to work in, and since this is a tool to be used and not a painting to hang on a wall, we listened and brought back gridlines.
To turn on gridlines just go to the hamburger menu on the top right of the Table Pane, select Change table options…, and check the box next to "Show vertical gridlines".
That’s it from me, but please keep that feedback coming. We really appreciate it.
Robert Batzloff is a product manager with Guidance Software. Rob has worked at Guidance for two years and played a large role in the development of EnCase Forensic 8 and the new EnCase Endpoint Investigator. Outside of overseeing the ongoing development of Guidance Software forensic products, Rob manages EnCase App Central — where examiners can download over 170 free EnScripts or submit their own as part of the EnCase Developer Network. His career in product management began with a technology start-up in San Francisco.
For more information on EnCase Forensic or to request a demo, visit: https://www.guidancesoftware.com/encase-forensic