This script is designed to process the records from a source logical evidence file (LEF) and write them as entries into a new LEF.
Entries cannot store the metadata supported by records, so the examiner has the option of writing this information into a separate file whose name will be the name of the source-record followed by ‘meta’ and one of the following file-extensions as specified by the user:
The script will process all the record-LEFs that have been blue-checked in the Evidence tab of EnCase. In most cases, the name of the output LEF will match that of the input LEF.
However, when a new output LEF is to be created, the script will check if a LEF of the same name has already been extracted. If so, it will append the input LEF’s evidence-GUID to the name of the new output LEF to prevent the existing LEF from being overwritten.
Please note that long file paths may cause problems when trying to extract entries from the LEFs created by the script. For more details concerning the enablement of long file paths in Windows, please see the following Microsoft article:
Progress can be monitored using the console. Settings are saved for later use.
This script was developed for use as part of EnCase training. For more details, please visit the following links:
Tested under EnCase 24.02.00.103.
Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox