This is the first in a series of brief, but frequently asked questions and answers about working with EnCase® Forensic Version 7. We hope they save you time and help you close cases faster.
One of the questions we are often asked in Technical Services about working with e-mail searches is, "When I find a relevant e-mail attachment, how can I find the e-mail that the attachment belongs
to?" Searching in e-mail may result in
keywords being found in both e-mails and attachments. This is how to locate
the e-mail to which the attachment belongs:
Next, perform your index search and locate all items that contain hits. These may be a combination of e-mails and attachments.
Tag the items. You may want to create a new tag just for this set.
To identify the e-mails to which the tagged attachments belong, use this filter: "Filter E-Mails and their Tagged Attachments (v1.0.0)" EnFilter. You can find it in the support portal here.
Once you have this set, you can tag the e-mails and add them to your set of currently tagged items.
You will now have all e-mails
containing hits, and the attachments with hits along with the parent e-mail for
the attachments.
James Gagen is a Senior Technical Services Engineer at Guidance Software.
No comments :
Post a Comment