Searching for Data

EnCase provides two basic methods of searching for data. The first is an indexed search. To use it, one must first create an index using the EnCase Evidence Processor, which we just covered. Searches are then conducted against the index, and results are nearly instantaneous. The second is a raw search, whereby keywords are created and the entire stream of selected data is searched for strings matching those keywords. A related search method is the ability to search smaller sets of data while in the View pane. Each method has its time and place, and each has advantages and disadvantages. Indexed searching takes significant time to build an index but pays it back later with ...
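The two approaches described above, as an added illustration that is not EnCase code and not from the book: a one-time pass builds a word index that later answers queries by lookup, while a raw search scans every byte of the selected data for each keyword. The sample evidence, the function names and the simple ASCII tokenizer are constructed assumptions and do not reflect EnCase's index format.

```python
import re
from collections import defaultdict

# Constructed sample "evidence": byte streams standing in for the selected data.
EVIDENCE = {
    "memo.txt": b"Wire the payment to the offshore account on Friday.",
    # Binary fragment: a keyword glued to other text, then a UTF-16LE string.
    "unalloc.bin": b"\x00\x13junkoffshore\xff\xfe"
                   + "payment".encode("utf-16-le") + b"\x00\x00",
}

# Assumption: this sketch indexes runs of two or more ASCII alphanumerics only.
TOKEN = re.compile(rb"[A-Za-z0-9]{2,}")


def build_index(evidence):
    """Costly one-time pass: map each lowercased token to (item, offset) hits."""
    index = defaultdict(list)
    for name, data in evidence.items():
        for m in TOKEN.finditer(data):
            index[m.group().lower()].append((name, m.start()))
    return index


def indexed_search(index, keyword):
    """Query time is a dictionary lookup; no evidence bytes are read again."""
    return sorted(index.get(keyword.lower().encode("ascii"), []))


def raw_search(evidence, keyword, encodings=("ascii", "utf-16-le")):
    """Scan the whole byte stream of every item, once per keyword encoding."""
    hits = []
    for name, data in evidence.items():
        for enc in encodings:
            pat = re.compile(re.escape(keyword.encode(enc)), re.IGNORECASE)
            hits += [(name, m.start(), enc) for m in pat.finditer(data)]
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(EVIDENCE)  # pay the indexing cost once, up front
    for kw in ("offshore", "payment"):
        print(kw, "indexed:", indexed_search(idx, kw))
        print(kw, "raw:    ", raw_search(EVIDENCE, kw))
```

The raw search also reports the keyword embedded in `junkoffshore` and the UTF-16LE copy of `payment`, which this sketch's whole-word ASCII tokenizer never indexed; that gap is a property of the sketch, not a statement about EnCase's index.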

Get EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition now with the O’Reilly learning platform.
