Evidence Cache Folder

The evidence cache folder is a container folder for a variety of files associated with the parsing of the evidence file when it is first loaded and also the subsequent processing by the EnCase evidence processor. At a minimum, it will contain the device caches, device index, and keyword search results. The location of this folder is defined when you first create a new case, as shown in Figure 5-14 in the entry named Primary Evidence Cache. Each device in the case has a GUID, as shown in the report area for the device in Figure 5-28. If this same file were to be reacquired, it would be assigned a new GUID even though the hashes would be identical. When the evidence cache is created for a device in a case, the folder containing ...

Get EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition by

Evidence Cache Folder

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly