Knowledgebase: E3
Sorting Data
Posted by Jack H. Ward on 02 February 2018 08:41 AM

Sorting identifies the file types in evidence containing binary data and, at the same time, calculates the MD5, SHA1, and SHA-256 hash codes. It is recommended that you perform sorting when you add evidence, to speed up work with Electronic Evidence Examiner and to get access to its advanced features.

File types are defined by the file signature (header).

Sorting can be performed for the following evidence types:

| Evidence type | Sorted data | Sorting if Evidence is Embedded |
|---|---|---|
| Mailstorage evidence | Attachments | + (except GroupWise, Thunderbird, and Windows mail) |
| Chat database evidence | Images | + (Skype version 4.0 or higher and Miranda database) |
| Internet Browser data evidence | Files | + (Internet Explorer and Mozilla Firefox) |
| Filesystem evidence | Files | + |
| Forensic Container evidence | Files | + |
| OLE storage evidence | Binary streams | + |
| Archive evidence | Files | + |
| Registry file evidence | Keys of binary type | + |
| E3 mobile data case | Binary files | - |
| iTunes backup evidence | Binary files | - |
| SQLite database evidence | Attached files | + |
| Project-a-Phone Data evidence | Binary files | + |
| JTAG Memory Dump | Binary files | + |
| Xbox evidence | Files | + |


After sorting, files are grouped into the following types:

  • Documents
  • Emails
  • Chats
  • Databases
  • Spreadsheets
  • Graphics
  • Multimedia
  • Executable
  • Compressed
  • XML
  • Text
  • Encrypted
  • Financial files
  • Game Console Files
  • Others (unknown)

Some system files, for example, $boot, are not sorted.
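
The two operations this article describes, typing a file by its header signature and hashing it, can be done in a single read of the data, as the following added example shows. It is not E3 code: the signature table, the printable-ASCII fallback, and the names `classify` and `sort_item` are assumptions for illustration, and the sample items are constructed.

```python
import hashlib
import io

HEADER_LEN = 16  # bytes of header kept for signature matching

# Constructed table of well-known signatures: (offset, magic, category).
# Category names follow the list above; a real tool carries far more entries.
SIGNATURES = [
    (0, b"%PDF-", "Documents"),
    (0, b"SQLite format 3\x00", "Databases"),
    (0, b"\x89PNG\r\n\x1a\n", "Graphics"),
    (0, b"\xff\xd8\xff", "Graphics"),
    (4, b"ftyp", "Multimedia"),
    (0, b"MZ", "Executable"),
    (0, b"\x7fELF", "Executable"),
    (0, b"PK\x03\x04", "Compressed"),
    (0, b"\x1f\x8b", "Compressed"),
    (0, b"<?xml", "XML"),
]

def classify(header: bytes) -> str:
    """Map a file header to a category; the longest matching signature wins."""
    hits = [(len(m), c) for off, m, c in SIGNATURES if header[off:off + len(m)] == m]
    if hits:
        return max(hits)[1]
    # Assumed fallback heuristic: a header of printable ASCII counts as text.
    if header and all(b in b"\t\r\n" or 32 <= b < 127 for b in header):
        return "Text"
    return "Others (unknown)"

def sort_item(stream, chunk_size=65536) -> dict:
    """Read the stream once: keep the header and feed all three hashes."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    header = b""
    while chunk := stream.read(chunk_size):
        if len(header) < HEADER_LEN:
            header += chunk[:HEADER_LEN - len(header)]
        for h in hashers.values():
            h.update(chunk)
    return {"category": classify(header), **{n: h.hexdigest() for n, h in hashers.items()}}

# Constructed sample items: the name is ignored, only the content decides.
SAMPLES = {
    "invoice.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "notes.bin": b"meeting at 10:00\nbring the report\n",
    "blob.dat": b"\x00\x01\x02\x03\xfe\xff",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, sort_item(io.BytesIO(data)))
```

The `invoice.txt` sample is categorized as Executable because its content starts with an `MZ` header, which is why signature-based typing is more reliable for triage than file extensions.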

The Recovered from Unallocated Space type contains data from unallocated space sorted into the categories mentioned above. This data includes deleted files carved from the disk space marked as free.

Once sorting is complete, sorted files can be searched using the Sorted Files Search, which is faster than a common search.
