Processing Dell Evidence File in EnCase

MET CJ710 Virtual Lab Topics

Accessing the CJ710 VLab
Saving Files
Trouble-shooting New Case Window
Process Dell Evidence File
Open Case with Processed Evidence

Instructions

  1. Connect to the MET-CJ710-VLAB Virtual Lab.

  2. Open EnCase from the desktop and select New Case.

  3. On the “Options” window, make the following changes:
    • Enter a name for your case in the “Name” field
    • Uncheck the “Use base case folder for primary evidence cache” option
    • Uncheck the “Backup every” option

  4. Click OK; if you get a window asking “Disable Backup?”, choose Yes.

  5. Select Add Evidence.

  6. Select Add Evidence File.

  7. Double click the EvidenceFiles folder.

  8. Double click the 4Dell Latitude CPi file.

  9. Click Process Evidence > Acquire and Process.

  10. Click OK and accept the following prompt.

  11. Click OK on the next screen.

  12. While the file is processing, double click on the bottom right corner to get a detailed progress bar.


    13. When the process is finished it will show status “Complete”.

  13. Click on the “Evidence” tab to go back.

When you exit the Virtual Labs, this case will be deleted. To avoid doing all these steps again, you can open a preprocessed evidence file by following the steps in the Open Mr_Evil Case with Processed Evidence instructions.