Electronic Evidence Examiner allows you to add to a case and investigate different types of evidence from an investigated computer.
The possibility to add evidences comes with the following packages:
- E3: Universal (logical/physical drivers, folders, image files, mailstorages, network mailstorages, chat databases, Internet browser data, registry files, game console data, E3 mobile data cases, iTunes backups, JTAG memory dumps, Project-a-Phone data evidence, forensic containers, OLE storages, archives, dump files, SQLite databases)
- E3: P2C (logical/physical drivers, folders, image files, mailstorages, network mailstorages, chat databases, Internet browser data, registry files, game console data, E3 mobile data cases, iTunes backups, forensic containers, OLE storages, archives, dump files, SQLite databases)
- E3: DS (E3 mobile data cases, JTAG memory dumps, SQLite databases, Project-a-Phone folders)
- E3: EMX (mailstorages)
- E3: NEMX (network mailstorages)
- E3: Internet (chat databases and Internet browser data)
- E3: Viewer (E3 mobile data cases, forensic containers, Project-a-Phone folders)
How to Add Evidence
To add evidence to a new or existing case, do the following:
- Create a new case or open an existing one.
- On the Evidence tab, in the Evidence group, click Add Evidence;
- or right-click the case node and select Add New Evidence;
- or click Add Evidence on the Welcome screen (if you add an evidence before creating or opening a new case, the case will be created automatically and saved to C:\Users\<User>\My Documents\Paraben Corporation\Paraben’s Electronic Evidence Examiner by default. The name of the case file will be case.e3).
- The Add New Evidence window opens.
- Select the evidence Category and the Source type. Use the Autodetect option to browse to a file or folder and have Electronic Evidence Examiner autodetect evidence for the selected category. Use the Autodetect option in the Other category to autodetect evidence of any available type.
- If you use the Autodetect option, select whether the evidence is found in a file or folder.
- Navigate to the Evidence Source and select it. You can select several evidences of the file type, they will all be added to the case.
- Enter the Evidence name (opened file/folder name by default) and click OK.
- When opening mailstorage evidence or NTFS file system evidence, you will be asked to enter its options. For an NSF database, you may need to enter additional information (User ID file and Password). If the database is encrypted, navigate to the User ID file and enter its password, otherwise just click OK.
- The evidence is added to the case.
- If sorting can be performed in the added evidence, you are offered to perform it immediately after adding evidence. It is recommended to perform sorting and keyword indexing to expedite working with evidence and for quicker searches.