Forensic Container is a secure encrypted database that contains data acquired by Electronic Evidence Examiner or DP2C. Data in a forensic container is encrypted and cannot be accessed by any other means except Electronic Evidence Examiner or Evidence Reviewer.
Electronic Evidence Examiner allows you to create a new forensic container (*.p2d).
The forensic container consists of files of two types:
- The main file: This file contains the container hierarchy. The file name is <forensic container name>.p2d.
- Data files: These files contain the data acquired to the forensic container. The size of each file is limited to 4GB (e.g., if the data acquired by Electronic Evidence Examiner contains 5GB of data, it will be split into two files, 4GB and 1GB, respectively). Each file name is <forensic container name>_part<n>.
To add new Forensic Container evidence to the case:
1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen. (If you add evidence before creating or opening a new case, the case will be created automatically and saved to the default location. The name of the case file will be e3).
2. The Add New Evidence window opens.
3. Select Paraben Tools as the evidence category and Forensic container file as the Source type. Click OK.
4. Navigate to the forensic container main file (<forensic container name>.p2d), select, and open it. Please make sure that forensic container data files (<forensic container name>_part<n>) are stored in the same folder as the forensic container main file and none of them are missing.
5. Enter the Evidence name (opened forensic container name by default) and click OK.
6. Enter the forensic container password and click OK.
7. The forensic container evidence is added to the case.
The investigation of Forensic Container data evidence is possible with the following packages:
- E3: Universal
- E3: P2C
- E3: Viewer