Item Ancestor Resolution
This script allows the examiner to identify the ancestors of items listed in a given result-set.
This makes it possible, for example, to identify the e-mail that has a compound-file attachment containing files of interest. This will allow the e-mail to be bookmarked and/or extracted.
The script works by scanning the current case and determining the relationships between primary devices (typically evidence files) and the mounted volumes they contain.
This information is stored in a SQLite database, which is then used to construct a tree showing the path to each target item starting with the source-entry on the primary device.
The tree will be presented to the examiner so that he/she can choose the ancestors that should be added to the result-set that will be created by the script.
It should be noted that certain email attachments, e.g., those in PST/OST files, will be contained in a folder of the same name when viewed in the tree presented to the examiner, because the tree represents the entry view rather than the artifact view.
The path of each source-file on the primary device will be shown in the description column.
In many cases, the examiner will want to use this script to identify the PST/OST emails containing notable attachments.
To make this process as easy as possible, the script provides an option to select the grandparent of each leaf-node.
This will work provided there is a simple child-parent relationship between each notable attachment and the containing email when viewed in the Artifacts tab. It will not work if the notable attachment is contained in a mounted compound file attached to the email.
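As an added illustration (not the script's own EnScript code), the following Python sketches the resolution described above: a constructed case tree is stored in SQLite, each target's ancestors are walked up across mounted-volume boundaries, the source-file path on the primary device is recovered, and the "grandparent of each leaf" shortcut is shown reaching the email for a direct attachment but not for a file inside a mounted ZIP attachment. The table layout, entry names and ids are assumptions for the example.

```python
import sqlite3

# Constructed sample case, not real EnCase data: (id, parent_id, name, volume_id).
# Volume 1 is the primary device; volume 2 is a PST mounted from entry 4, volume 3
# a ZIP attachment mounted from entry 9. Email "Re: Invoice" holds its attachments
# in a same-named folder, as in entry view.
ENTRIES = [
    (1, None, "C", 1), (2, 1, "Users", 1), (3, 2, "bob", 1), (4, 3, "mail.pst", 1),
    (5, None, "mail.pst", 2), (6, 5, "Inbox", 2), (7, 6, "Re: Invoice", 2),
    (8, 7, "Re: Invoice", 2), (9, 8, "invoice.zip", 2),
    (10, None, "invoice.zip", 3), (11, 10, "invoice.docx", 3),
]
MOUNTS = [(2, 4), (3, 9)]  # mounted volume -> entry it was mounted from

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE entries(id INTEGER PRIMARY KEY, parent_id INTEGER,"
                     " name TEXT, volume_id INTEGER);"
                     "CREATE TABLE mounts(volume_id INTEGER PRIMARY KEY, source_entry_id INTEGER);")
    db.executemany("INSERT INTO entries VALUES (?, ?, ?, ?)", ENTRIES)
    db.executemany("INSERT INTO mounts VALUES (?, ?)", MOUNTS)
    return db

def ancestors(db, entry_id):
    """(id, name, volume_id) chain from entry_id up to the primary-device root,
    hopping from each volume root to the entry the volume was mounted from."""
    chain = []
    while entry_id is not None:
        row = db.execute("SELECT parent_id, name, volume_id FROM entries WHERE id = ?",
                         (entry_id,)).fetchone()
        if row is None:
            raise KeyError("unknown entry %d" % entry_id)
        parent_id, name, volume_id = row
        chain.append((entry_id, name, volume_id))
        if parent_id is None:  # volume root: continue on the containing volume
            mount = db.execute("SELECT source_entry_id FROM mounts WHERE volume_id = ?",
                               (volume_id,)).fetchone()
            parent_id = mount[0] if mount else None
        entry_id = parent_id
    return chain

def source_path(db, entry_id):
    """Path of the source file on the primary device, i.e. the volume never mounted."""
    chain = ancestors(db, entry_id)
    primary = chain[-1][2]
    return "\\".join(name for _, name, vol in reversed(chain) if vol == primary)

def grandparent(db, entry_id):
    """'Select grandparent of each leaf': the email only for a direct attachment."""
    chain = ancestors(db, entry_id)
    return chain[2] if len(chain) > 2 else None
```

For invoice.zip the grandparent is the containing email, whereas for invoice.docx inside the mounted ZIP it is only the attachment entry, which is the limitation noted above.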
The examiner should be aware that the script may take some time to finish, particularly if there are many items to process or a large number of mounted volumes in the case.
This script was developed for use in EnCase training.