This script is designed to create an EnCase logical evidence file (LEF) from the contents of one or more folders specified by the user.
Folders may be identified by logical or UNC paths. Trailing backslash characters should be omitted from each path, as a trailing backslash will corrupt the internal paths of files written to the resultant LEF.
This is a known limitation when capturing files via volume-shadow-copy device-paths, which aren’t fully supported. Such paths require the trailing backslash character to be present. This may be fixed in a future release.
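The following pre-flight check applies the two path rules above to a list of target folders before they are handed to the script. It is an added example, not part of the script or of EnCase; the function names are hypothetical, the sample paths are constructed, and it assumes shadow-copy device paths take the usual Windows `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\` form.

```python
import re

# Assumption: shadow-copy device paths use the standard Windows device form.
VSS_RE = re.compile(r"^\\\\[?.]\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+(\\|$)", re.I)
UNC_RE = re.compile(r"^\\\\[^\\?.][^\\]*\\[^\\]+")   # \\server\share...
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                # C:\...

def prepare_target(path):
    """Return (kind, normalised_path, warning_or_None) for one target folder."""
    path = path.strip().strip('"')
    if VSS_RE.match(path):
        # These paths need the trailing backslash, so the known limitation applies.
        return ("vss", path.rstrip("\\") + "\\",
                "shadow-copy path: trailing backslash kept, check internal paths in the LEF")
    if UNC_RE.match(path):
        kind = "unc"
    elif DRIVE_RE.match(path):
        kind = "logical"
    else:
        return ("unknown", path, "not a logical, UNC or shadow-copy path")
    fixed = path.rstrip("\\")
    if kind == "logical" and len(fixed) == 2:
        # A bare drive root is not covered by the rules above; leave it for review.
        return (kind, path, "drive root: left unchanged, review manually")
    return (kind, fixed, "trailing backslash removed" if fixed != path else None)

def prepare_targets(paths):
    """Normalise every path and drop case-insensitive duplicates."""
    seen, out = set(), []
    for raw in paths:
        kind, fixed, warning = prepare_target(raw)
        if fixed.lower() not in seen:
            seen.add(fixed.lower())
            out.append((kind, fixed, warning))
    return out

# Constructed sample input.
SAMPLE = [
    "C:\\Cases\\Export\\",
    r"\\fileserver01\evidence\drop",
    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Users\\alice",
    "c:\\cases\\export",
]

if __name__ == "__main__":
    for kind, fixed, warning in prepare_targets(SAMPLE):
        print(f"{kind:8} {fixed}  {warning or ''}")
```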
Paths can be passed via the command line if desired. This is done by creating a Windows shortcut to EnCase that is set to run the script using the ‘-r’ command-line switch.
The script can also create a shortcut referencing the current set of target paths. This shortcut will cause EnCase to run in minimized mode and exit after processing. The script’s dialog will still be presented so that the user can perform additional configuration.
The resultant LEF can be an L01 or Lx01 file. The script will set the appropriate type according to the file-extension set in the script-dialog.
The script will scan the contents of the chosen folders and display a list of their contents. The user can then select the files they would like added to the LEF. Files with a non-null logical size will be pre-selected automatically. Please note that the table pane may not refresh correctly when sorting large numbers of files. Scrolling up and down should fix this.
The user also has the option of selecting items programmatically through the use of conditions, which can be saved for later use. The script can only use conditions created by itself: it can’t use standard EnCase conditions.
When a condition is run it will replace any existing selection. The script will still show non-selected items so that the user can verify that the condition has worked as expected.
The script provides the option to include selected folders as file-system-objects in their own right. For this to work, the folders must be shown as selected when viewed in the table pane. The timestamps of such folders will be included as a matter of course.
Note that it may not be possible for EnCase to access UNC paths whilst running under User Account Control (UAC). This can apply even if the user running EnCase would normally have access to those folders.
For more information and a resolution for Windows Vista and Windows 7 see the following Microsoft Technet article -
This script was developed for use as part of EnCase training. For more details, please visit the following links:
Tested under EnCase 24.02.00.103.