Computer Forensics and eDiscovery Resources

White Papers / Presentations

TitleDLAuthorDescriptionDate/VersionFile Type
  Statistical Validation And Data Analytics In eDiscovery Geoff Black New! My presentation on Statistical Validation And Data Analytics In eDiscovery for IQPC eDiscovery West 2010 in San Francisco. Includes notes and updated with audience Q&A as well. April 29, 2010 pptx
  Timeline Analysis Geoff Black Timeline Analysis - CEIC 2007 May 09, 2007 ppt
  Evidence of Folder Renaming Geoff Black Using the MFT Standard Information Attribute and FileName Attribute to find renamed folders in an NTFS system Sept. 17, 2005 pdf
  VM Ware How-To David Shaver Special Agent David Shaver's slide show and tools on how to restore an Encase image to a working VMWare machine May 23, 2006 zip

EnCase EnScripts

Version 6

  Timeline Report Geoff Black This script gathers file information on all or selected files/folders and presents it in a timeline view. The user can select the timeframe to check and output either HTML or tab-delimited text format. Great for intrusions and reporting! REQUIRES EnCase v6.8.1 or greater (updated and tested through Version 6.13). v1.8.1
January 17, 2010		 zip
  md5 - Timeline Report - 2BC231669681C114A89A8802D6738F3A
  dotNet DLL COM EnScript Demo Geoff Black Every once in a while I see people looking for help building dll's in .Net for use with EnScript through COM. This used to be simple with something like VB6, but .Net changed the rules when it came along. It's been a while, but the topic still comes up. There are some tricks that are definitely non-obvious, so I put together this package a few years ago to help. Hopefully you find it useful. Tested in VC#.NET2005 and whatever version of EnCase was around in April 2007. Ancient (in computer years)
April 17, 2007		 zip
  md5 - dotNet DLL COM EnScript Demo - b4ed3eb7955b4ab637650c64bc5cef21

Version 5 (not supported)

  Timeline Report Geoff Black This script gathers file information on all or selected files/folders and presents it in a timeline view. The user can select the timeframe to check and output either HTML or tab-delimited text format. Great for intrusions and reporting! REQUIRES EnCase v5.05f or greater (updated and tested through Version 6.5). v1.7.4
May 29, 2007		 zip
  md5 - Timeline Report - A5AEC5CB10A01B980C44D584427F2C55
  Add List of Local Files to New LEF Geoff Black Useful if you have a list of files on a mapped drive that you'd like to add to a LEF while maintaining the full folder path. Much easier than dragging and dropping single files into EnCase. Jan. 23, 2007 zip
  md5 - Add List of Local Files to New LEF - A26343A8F135505D93A5DEF1315A6B30
  COM - create db Geoff Black COM example showing how to create a database in MSSQL Server using an ADODB connection using the Case Name value for the database name. It also tests to make sure the database, user, and access do not already exist before attempting to create them. Alter "hostname" in each of the three locations for your server name. Alter the two file locations in strSQL to suit your preferences. Tested with MSDE 2000 Release A (SP3a) and EnCase v5.04a. Oct. 9, 2005 zip
  md5 - COM - Create DB - 9E250B0F0916F2C67C2643A2AB7CC60E

Version 4 (not supported)

  Timeline Geoff Black This script gathers file information on all or selected files/folders and presents it in a timeline view. The user can select the timeframe to check and output either HTML or tab-delimited text format. Sept. 12, 2005 zip
  md5 - Timeline - F512F9A88BB2C16F4460B5829E683E65
Disclaimer: All resources are provided "As Is" with no expressed or implied guarantees whatsoever. In no event shall the provider (Geoff Black / geoffblack.com) be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, business interruption; loss of use, data, or profits) however caused and on any theory of liability arising in any way out of the use of these resources, even if advised of the possibility of such damages.

Home     Forensics & eDiscovery