This script is designed to locate one or more files from a known set. It works with records as well as entries.

Notwithstanding that the script does not mount compound-files, it will search the contents of files that have already been mounted.

The known files can be accessed directly, or the script can build a list of them in advance.

In order to operate as quickly as possible, the script matches first on size, then on hash-value.

A file will only be hashed (a) if it has a matching size, and (b) if it hasn't been hashed already.

This mode of operation speeds processing significantly especially if the files being checked have already been loaded into the current view.

Accordingly, files should not be hashed prior to running this script unless there is a specific reason for doing so.

The tab-delimited list used for analysis need not be created by the script, but it must have a minimum of two columns: 'Logical Size' and 'MD5'.

Output is by way of the console and the status-bar; also a named result-set.

For additional information, please see the following Twitter post:

• https://twitter.com/SimonDCKey/status/1256173643207446533

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training