This EnScript plugin (formerly called the Last Folder Plugin) provides a number of utility functions.
Firstly, the plugin allows the examiner to use the menu or toolbar option, or the CTRL + SHIFT + L keyboard combination, to open the export-folder last-used by a script that is ‘Last Folder’ compatible.
Secondly, the plugin allows the examiner to use the menu or toolbar option, or the CTRL + SHIFT + E keyboard combination, to open the current case’s export-folder.
Thirdly, the script can be used to convert a line-delimited list of search-terms to a single-line query that can be used for indexed searching. Each term will be quoted automatically, and the terms can be joined with AND or OR logic. The resultant query will be copied to the clipboard ready to be pasted into the Indexed Items search box.
The fourth function facilitates easy removal of EnScript configuration (*.ini) files specified by the user. It also allows the user to browse to the folder containing those files.
The fifth function allows the examiner to select the contents of all blue-checked folders en masse.
Notwithstanding that this function can be used under quite a few tabs, it is particularly useful when the examiner wishes to select the attachments of email messages that are shown as selected in the table pane but not the tree pane. This can happen when the emails in question have been located by other means (e.g., by using the Item Ancestor Resolution EnScript), added to a result-set, tagged, and then blue-checked.
The same result can be achieved manually, but it is less than ideal if the attachments are contained in a large number of emails.
Linked to the previous function, the sixth function allows the examiner to blue-check the email(s) containing selected attachments. Note that the script will select the first email it finds at a level above the attachment being processed. This function can only be used in the Artifacts view.
It should be noted that the last two functions are node-specific, i.e., they are activated by using the right-click context-menu. A restriction in EnScript means that newly blue-checked items won’t be visible until the view has been refreshed, e.g., by collapsing and expanding the root folder, or by switching to another tab and switching back again.
The seventh function is also node-specific and is limited to the File Types tab where it allows the examiner to set EnCase as the viewer for one or more selected file-types. This may prove useful in malware investigations when the examiner wishes to prevent files from being inadvertently copied to the local system and opened by an external viewer. This option will append a UNIX timestamp to the existing FileTypes.ini
file before creating a new file containing any updates that have been made. The File Types tab will then need to be closed and reopened in order to see all the updates in EnCase.
The last function provides a toolbar option that will open the EnCase app configuration folder so that the examiner can view the FileTypes.ini
file and any backup created by the previous function.
This script was developed for use as part of EnCase training. For more details, please visit the following links:
This version provides a function allowing the user to set EnCase as the viewer for mulitple file-types; also, to view the folder containing the FileTypes.ini
file.
Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox