 |
New: On the top toolbar, this icon opens a new case. |
 |
Open: On the top toolbar, this icon opens an existing case. |
 |
Save: On the top toolbar, this icon saves the open case. |
 |
Print: On the top toolbar, this icon prints the open EnCase window. |
 |
Add Device: On the top toolbar, this icon allows live or saved evidence to be added to a case. |
 |
Search: On the top toolbar, this icon starts a search. |
 |
Refresh: On the top toolbar, this icon refreshes the EnCase window. |
 |
View Cache, View Search Hits, etc.: On the top toolbar, this blue flag enables activities such as Cache, Search Hits, etc. |
 |
Delete / Close: On the top toolbar, this icon allows for the deletion of selected items. |
 |
Acquire: On the top toolbar, this icon appears after a device is previewed or an evidence file is opened, allowing acquisition. |
 |
Cases (Cases\Home): This icon appears on the Cases tab, and in the Cases/Home subtab. |
 |
Entries: This icon is displayed in the Entries subtab beneath Cases and in the Home subtab beneath Entries. |
 |
Single Files: This icon appears when selecting the Activate Single Files option when right clicking on a device or volume in the Entries subtab |
 |
Devices (Devices\Home): A physical hard drive icon. This icon does not represent a volume or logical device, such as a partition. A pink square overlay appears around the icon a preview network connection is dropped. It appears throughout EnCase, and in the Devices and Devices\Home subtab beneath Cases. |
 |
Secure Storage: This subtab, beneath Cases, allows usesr to parse evidence files for EFS-encrypted items in conjunction with the EnCase EDS module |
 |
Email: This subtab, beneath Cases, shows E-mail artifacts found in the case. The Home subtab, and Email folder in the Tree Pane also display the same icon. |
 |
Back: This icon takes the user back up one level when drilling down to items in the table |
 |
Show Excluded / Show Deleted: This box appears blank on the top toolbar in the tabs where items can be deleted or excluded (e.g., Bookmarks, Keywords, Text Styles, etc.) When selected, a check appears in the box, and deleted or excluded items appear in the table. |
 |
Add Note: Appears on the top toolbar while in the Bookmarks subtab beneath Cases to allow the user to add a note bookmark to appear in the report. |
 |
Edit: This icon appears on the top toolbar when the option is available (such as in the Keywords table) |
 |
Attachments: This subtab appears under the Email subtab and displays any attachments associated with recovered E-mail. |
 |
History: This subtab, beneath Cases, shows Web History artifacts found in the case. The History folder in the Tree Pane also display the same icon. |
 |
File Extents: This subtab, beneath Entries, shows file extent info when a file is selected with the information available. |
 |
References / Bookmarks: This subtab, beneath Entries, shows bookmark data when available on the selected file. |
 |
WebCache: This subtab, beneath Cases, shows Web artifacts found in the case. The WebCache folder in the Tree Pane also display the same icon. |
 |
Network Share Device: This icon appears when the VFS or PDE Module virtually mounts a case, device or folder. |
 |
Volume / Logical Device: Represents a volume, logical disk, and/or a partition, and appears in the left pane of the Devices subtab to indicate a device |
 |
RAID, Dynamic Disk: RAID disks and Dynamic Disks. |
 |
Rebuilt RAID or Dynamic Disk: RAID or Dynamic disk, successfully rebuilt within the EnCase environment.This icon also represents Disk Elements under the Devices tab. |
 |
CD ROM: Indicates a CD ROM. |
 |
CD ROM session: Indicates a session on a multi-session CD ROM. |
 |
Folder: An allocated folder (yellow). |
 |
Deleted folder: A folder that is deleted (yellow with a red X). |
 |
Deleted, Overwritten folder: A folder that is deleted and over-written by another file - gray with a red X (see Deleted, Overwritten file). |
 |
Folder, Invalid Cluster: A directory entry whose file type bit is set to "folder;" and whose starting cluster is set to zero. The icon is displayed as a pink folder. |
 |
Lost Files/Recovered Folders: Lost Files, Recovered Folders or indicates examining an NTFS or FAT drive (white folder). |
 |
Deleted file: A deleted file on the suspect's computer that has been undefined by EnCase; nothing is changed in the evidence file. |
 |
Deleted and Overwritten file: EnCase determines that the starting cluster found in the directory entry for this file is occupied by another file and makes no further attempt to undelete this file. The name of the overwriting file is displayed in the status bar, and its contents (not that of the deleted file) displayed. Remnants of the original file may exist. Further examination should include checking the starting cluster, and the size of both files, to enable the examiner to determine if the data has been over-written. If it has not, the original file data may be on the hard drive in the slack space of the new file.This icon also represents CRC Errors in the Devices tab. |
 |
Read Errors: Smaller than the above icon and lighter red, this icon represents Read Errors on the acquired device in the Devices tab. |
 |
Invalid Cluster: A filename entry that does not have a starting cluster number. EnCase cannot locate the file's contents. Invalid cluster numbers are normally generated from system-deleted files, where the starting cluster number is changed to zero. This evidence indicates that the filename existed and the dates that it was created, modified, and accessed. |
 |
File, Hard Linked: A condition when multiple Names have a direct connection to the same Anode. EnCase splits the data into a file named "Hard Link Data #". All corresponding Hard Links point to this file for the data. (for example: /bin/ls uses inode 64860; /var/ftp/bin/ls also uses inode 64860). |
 |
Internal File: A file created by file systems such as NTFS, HFS, Linux, EXT2. |
 |
Recycle Bin: The suspect's recycle bin. |
 |
Unallocated space, MBR, unused disk area, FAT tables, VBR, Volume slack: A representation of these areas of the disk, showing that no files are currently allocated to these areas. |
 |
Text: A view of the selected file in ASCII. |
 |
Hex: A view of the selected file in Hexadecimal for each character displayed. |
 |
Picture/Gallery: Displays a picture if the selected file type is a graphic image. |
 |
Report: Displays the data that appears in the report for the selected item. |
 |
Table: When clicked in the Table pane, shows the table of items. |
 |
Timeline: When clicked in the Table Pane, displays a chart with blocks identifying times and dates associated with files |
 |
Code: When clicked in the Table Pane, displays the code for EnScripts and filters. |
 |
Console: Displays the console contents (C:\Program Files\EnCase5\console.txt); status information about the results of processes such as scripts, searches, and Recovered Folders, for example. |
 |
Filters: Displays the available filters for the current view. |
 |
Conditions: Displays the conditions to use for filtering. |
 |
Queries: Displays the available queries for the current view. |
 |
Disk: Displays the contents of the disk divided into individual sectors, which are represented as blocks. |
| |
 |
 |
Bookmarks: Icon for the Bookmarks tab and subtab. |
 |
Logs: Icon for a Log entry in Bookmarks. |
 |
Highlighted Data Bookmark: Created by sweeping data (clicking and dragging the mouse over data) in one of the sub-panes. This is a customizable bookmark. |
 |
Notes Bookmark: Allows the user to write additional comments into the report. It is not an evidence bookmark. |
 |
Folder Information Bookmark: Bookmarks the tree structure of a folder or device information of the selected media. The options include showing the device information, such as drive geometry, and the number of columns to use for the tree structure. |
 |
Notable File Bookmark: A file bookmarked by itself. This is a customizable bookmark. |
 |
File Group Bookmark: A bookmark that is part of a group of selected files. There is no comment on this bookmark. |
 |
Snapshot Bookmark: Contains the results of a system Snapshot of dynamic data for incident response and security auditing. This information is acquired running the Scan Local Machine EnScript against a preview of the local drive. This icon also appears on the Home subtab for Snapshots. |
 |
Open Files Bookmark: Subtab under Snapshots that contains the snapshot data on any open files on a target system. |
 |
Open Ports Bookmark: Subtab under Snapshots that contains the snapshot data for all open ports on a target system. |
 |
IDS Events Bookmark: Subtab under Snapshots that contains a snapshot of IDS events |
 |
Log Records Bookmark: Subtab under Snapshots that contains the results of the log parsing EnScript. |
 |
Processes Bookmark: Subtab under Snapshots that contains the snapshot data about all processes running on a target system. |
 |
Network Interfaces Bookmark: Subtab under Snapshots that contains the snapshot configuration of any of the network interfaces on a target system. |
 |
Network Users Bookmark: Subtab under Snapshots that contains the snapshot of the network users with system access. |
 |
Registry Values Bookmark: Subtab under Snapshots that contains the results of a Windows registry parsing EnScript (such as Initialize Case). This icon is also displayed in certain scripts when selecting the registry. |
 |
Drivers Bookmark: Subtab under Snapshots containing |
 |
File Types: Selecting this icon presents the File Types view. |
 |
File Signatures: Selecting this icon presents the File Signatures view |
 |
File Viewers: Selecting this icon presents the File Viewers view. |
 |
Keywords: Selecting this icon presents the Keywords view. |
 |
Search Hits: This subtab under Cases presents the Search Hits view. The icon appears on the Home subtab beneath Search Hits, as well as the Search Hit root in the Tree Pane. |
 |
Preview icon: When displayed as an overlay at the bottom right corner of any other icon, this blue triangular icon indicates that there is a live preview being performed on the selected device |
 |
Floppy disk \ Zip disk: Indicates a floppy disk or Zip disk preview\acquisition, and is also displayed in the Add Device window as a valid removable device. |
 |
Empty floppy disk: The floppy icon, surrounded by a pink overlay, indicates that no floppy media is available in the selected drive. |
 |
FastBloc protected device: A FastBloc write protected device available for preview or acquisition, indicated by a blue border overlay. |
 |
Palm: A Palm PDA device or evidence file is present. |
 |
Parallel Port \ Network Crossover: A device has been added using a parallel port or a network crossover cable. |
 |
Security IDs / Permissions (Entries subtab): Displays EnCase extracted file and folder security information (owner, group and permissions) for an NTFS file system as well as owner, group and permission settings for a Unix, or Linux system. |
 |
Text Styles: Selects the text style to view Code Pages in different settings, like variations in color and text line length. EnCase is configured with default text styles, but additional styles can be added, edited, and deleted from this tab by either right-clicking and selecting the command from the contextual menu or clicking the button in the toolbar |
 |
EnScripts / Code: Shows available EnScripts (small programs or macros designed to automate forensic procedures). When Code is selected in Table Pane, displays EnScript code in that window. |
 |
Run: The Run button appears on the top toolbar when code for an EnScript is selected and ready to run. |
 |
Hash Sets: A collection of hash values of files that belong to the same application. |
 |
App Descriptors: This view enables examiners to organize the hash values of live processes running on a system scanned by the Snapshot function. |
 |
Machine Profiles: This view enables examiners to create a custom profile of the authorized applications or processes that should be running on a target machine. The icon also appears on the Home subtab beneath Machine Profiles. |
 |
Allowed: Subtab beneath Machine Profiles that shows allowed permissions. |
 |
Encryption Keys: This view enables users to generate key pairs to be used with EnCase Enterprise or EnCase Network Authentication Server (NAS). |
 |
EnScript Types: A reference resource containing the EnScript language classes. The right-pane displays each functions parameter. |
 |
Redirect: Indicates the file that overwrote a deleted file, displayed in the status bar. The contents being displayed are not the contents of the deleted file. |
 |
EnScript Member Functions: Functions that are defined within the Script or Class. This icon appears in the Tree Pane under EnScript Types. |