Knowledgebase:
Adding OLE Storage Evidence
Posted by Jack H. Ward, Last modified by Jack H. Ward on 29 January 2018 03:20 AM

OLE Storage Evidence is a link to any file of OLE storage format that allows the user to view its structure and examine it.

To add new OLE storage evidence to the case:

1.On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen. (If you add evidence before creating or opening a new case, the case will be created automatically and saved to the default location. The name of the case file will be e3).
2. The Add New Evidence window opens.
3. Select Other as the evidence category and OLE storage as the Source type.



4. In the standard Open window, navigate to the desired file. Click Open.
5. Enter the Evidence name (by default, the name of the file to be added) and click OK.
6. The OLE storage is added to the case. The OLE Storage structure is displayed in the Case Content. After you click each node, its contents will be displayed in a grid in the Data View The contents of some rows can be seen in the Text, Hex, and File viewers.
 
The investigation of OLE storage evidence is possible with the following packages:

  • E3: Universal
  • E3: P2C

 



Attachments 
 
 Adding OLE Storage Evidence.png (23.97 KB)
(0 vote(s))
Helpful
Not helpful

Comments (0)