Hash Library Viewer
This script allows the examiner to view, bookmark and extract the contents of the current case's hash library.
The user can choose to examine either the primary library, the secondary library or both. The user can also opt to process all hash-sets or only those that are active.
Two output options are available, both of which can be filtered using an internal condition.
The first option is to dump filtered hash items to a tab-delimited output file. This is the best option to use if the case's hash libraries contain a large number of hash-values.
The second option is to display the filtered items in a secondary dialog. This will allow the examiner to bookmark filtered hash-items selectively or all together.
Note that while the second option is useful for showing the relationship between hash-libraries, hash-sets and hash-items, it requires all of the information to be stored in RAM, which is not a good idea if the hash libraries in question contain a lot of data.
This script was developed for use in EnCase training.