Knowledgebase:
Adding File System Evidence (Dump File)
Posted by Jack H. Ward, Last modified by Jack H. Ward on 29 January 2018 03:19 AM
Electronic Evidence Examiner allows you to add raw memory dump files as evidence. These files contain information on all processes that were running on the computer when the dump was created.

Memory dump files created by Win32dd, Mandiant’s Memoryze, ManTech Memory DD, and other are supported. 

To add new file system evidence (dump file) to the case:

1.On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen. (If you add evidence before creating or opening a new case, the case will be created automatically and saved to the default location. The name of the case file will be e3).
2. The Add New Evidence window opens.
3. Select Other as the evidence category and Dump file as the Source type.



4. In the standard Open window, navigate to the location of the dump file. Click Open.
5.Enter the Evidence name (by default, the name of the file to be added) and click.
6. The dump file evidence is added to the case.

The investigation of dump file evidence is possible with the following packages:

  • E3: Universal
  • E3: P2C





Attachments 
 
 Adding File System Evidence (Dump File).png (24.10 KB)
(0 vote(s))
Helpful
Not helpful

Comments (0)