Viewing Sorted Data
Posted by Jack H. Ward, Last modified by Jack H. Ward on 02 February 2018 09:07 AM

By default, sorted files/folders in the Data View pane and Case Content pane are marked in blue (sorted files) or purple (sorted files linked to a hash database). They also have the value Yes in the Sorted field on the Content Analysis tab of the Properties pane.

If any other type of content analysis was performed for a file/folder, it will be marked blue as well.

The Sorted Files viewer allows the user to view either sorted files for all case data (grouped by categories) or sorted files for a selected location.

To view sorted files corresponding to a selected location:

1. Select the location (folder/disk/mail storage/etc.). It must be marked in blue.
2. Right-click and select Navigate to Sorted Content.
3. Sorted files for the selected location are displayed in the Sorted Files viewer. Please note that the subfolder hierarchy is ignored and files from all subfolders are displayed in one pane.

To select data only from some subfolders of the selected location:

1. Use the button in the upper-right part of the Sorted Files viewer to expand the Parameters pane.
2. Click Browse to define the necessary subfolders.
3. Click Run Query.

To view all sorted files from the case:

1. Select the Sorted Files pane.
2. Click the Sorted Files node to view all sorted files for the case, or select a category node to view only files of one type.
3. Files are displayed in the Sorted Files viewer. Click a column header to sort files by date/name/etc.

Managing the Sorted Files Viewer

Use the button in the upper-right part of the pane to expand the Parameters pane. The parameters are the same as used in Sorted Files Search.

To view files whose MD5 starts with a given value, enter this value in the MD5 begins with field at the top of the screen and click Run Query.

To view files whose filename starts with a given value, enter this value in the Filename field at the top of the screen and click Run Query.

To view files whose extensions did not match the file header while sorting, select the Only files with extension mismatch option and click Run Query.

Files Linked to Hash Database

Files linked to the hash database (i.e., files whose MD5s are found in the hash database) are displayed in purple and have a link sign in the External Link column.

To view the link of a sorted file to the hash database, right-click the linked file (it will be purple) and select Show links. All hash databases that contain the sorted file's MD5 will be displayed.
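As an added example (not part of the product or of the original article), the following Python code reproduces outside the tool the three checks the viewer filters on: MD5 prefix, extension/header mismatch, and membership in a hash set. It can be used to cross-check the viewer's results. The signature table, hash set, sample files and all function names are constructed for illustration; the product's own signature list and hash database format are not described on this page.

```python
import hashlib
import os
import tempfile

# Constructed, deliberately small signature table (assumption): header bytes -> extensions.
SIGNATURES = {b"\xff\xd8\xff": {".jpg", ".jpeg"}, b"\x89PNG\r\n\x1a\n": {".png"},
              b"%PDF-": {".pdf"}, b"PK\x03\x04": {".zip", ".docx", ".xlsx"}}

def md5_of(path, chunk=1 << 20):
    """Stream the file so large evidence files are not loaded into memory."""
    h = hashlib.md5()  # MD5 only because the viewer and hash databases key on it
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def extension_mismatch(path):
    """True if the header matches a known signature but the extension does not."""
    with open(path, "rb") as f:
        head = f.read(16)
    ext = os.path.splitext(path)[1].lower()
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return ext not in exts
    return False  # unknown header: no verdict either way

def triage(root, known_md5, md5_prefix=""):
    """Walk all subfolders (flat result, like the viewer) and return matching rows."""
    rows = []
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            digest = md5_of(path)
            if digest.startswith(md5_prefix.lower()):
                rows.append({"name": name, "md5": digest, "linked": digest in known_md5,
                             "mismatch": extension_mismatch(path)})
    return rows

def demo():
    """Build constructed sample files in a temp folder and triage them."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        samples = {"photo.jpg": b"\xff\xd8\xff\xe0 constructed", "plain.txt": b"hello",
                   os.path.join("sub", "notes.txt"): b"%PDF-1.4 constructed"}
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        known = {hashlib.md5(b"hello").hexdigest()}  # constructed hash set
        return sorted(triage(root, known), key=lambda r: r["name"])
```

Run such checks against a working copy or a read-only mount of the evidence, never the original media.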

Managing Sorted Files Viewer

By default, there are 5,000 items displayed on the page.

To go to the next page, click Continue Query. To return, use the Previous page and First page buttons.

To define the number of items displayed on the page, enter the corresponding value in the Items on page field and click Run Query.

Click Stop Query to stop receiving the results. After this, you can move between the generated pages using Previous page, Next page, Last page, and First page buttons.


