Version 7 Tech Tip #1: Matching Parent E-Mails with Attachments in Searches

James Gagen

This is the first in a series of brief answers to frequently asked questions about working with EnCase® Forensic Version 7. We hope they save you time and help you close cases faster.

One of the questions we are often asked in Technical Services about working with e-mail searches is, "When I find a relevant e-mail attachment, how can I find the e-mail that the attachment belongs to?" Searching in e-mail may result in keywords being found in both e-mails and attachments. This is how to locate the e-mail to which the attachment belongs:

First, index your case to search for items in e-mail.

Next, perform your index search and locate all items that contain hits. These may be a combination of e-mails and attachments.

Tag the items. You may want to create a new tag just for this set.

To identify the e-mails to which the tagged attachments belong, use the "Filter E-Mails and their Tagged Attachments (v1.0.0)" EnFilter. You can find it in the support portal here.

Once you have this set, you can tag the e-mails and add them to your set of currently tagged items.

You will now have all e-mails containing hits, plus the attachments with hits together with their parent e-mails.

Optionally, you can also filter with the "Find Unique Records by Hash" EnFilter on EnCase App Central here to remove any messages with a matching hash.

James Gagen is a Senior Technical Services Engineer at Guidance Software.
