Pieces0310

Forensics must let the evidence speak; never decide a case on your own conviction. Avoid drawing the target around the arrow, searching for something only because you want to find it. Forensics rests on experience and judgment: the more experience you have across the fields of IT, the better you can spot the clues. Use tools well, but do not over-rely on them. A tool can only narrow the range of possibilities; it cannot give you the answer, which still requires a human to analyse and judge.


Last week my friend told me that she made a terrible mistake. She conducted a raw search and found no search hits within M$ docx files. She did not know what was wrong in the first place until her clients told her that some words actually exist in those docx files... She exported those docx files and examined them very carefully. Yes, she found those words, exactly the same as the keywords.

She asked me what was going on with the EnCase raw search. Why were there no search hits in docx files? I showed her how to conduct a raw search on compound files as below:

1. Run EnScript: File-Mounter so you can expand compound files

2. Choose file type: docx

3. Now you can see those docx files become volumes containing XML files

4. Conduct the raw search and you can see search hits inside the docx files now
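Why step 1 matters, shown as an added example (not part of the original post and not EnCase code): a docx is a ZIP container whose XML parts are deflate-compressed, so a byte-level raw search over the file on disk cannot match text that only exists inside the compressed parts. The sample document, the keyword and the helper names below are constructed for this illustration; the expanded search also strips XML tags so that a phrase split across Word runs still matches, which goes one step beyond what a plain raw search over the mounted XML would do.

```python
import io
import re
import zipfile

# Constructed sample: the main part of a minimal docx. Note that Word splits a
# sentence into several <w:r> runs, so a phrase may cross run boundaries.
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p>'
    '<w:r><w:t>Quarterly report for </w:t></w:r>'
    '<w:r><w:rPr><w:b/></w:rPr><w:t>Project Bluebird</w:t></w:r>'
    '<w:r><w:t>, prepared by accounting.</w:t></w:r>'
    '</w:p></w:body></w:document>'
)

CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
)


def build_sample_docx() -> bytes:
    """Build a docx-like container in memory (ZIP with deflated XML parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def raw_search(blob: bytes, keyword: str) -> bool:
    """What a byte-level raw search sees: the file exactly as stored on disk."""
    return keyword.encode("utf-8") in blob


def expanded_search(blob: bytes, keyword: str) -> list:
    """Expand the container (what mounting the compound file does) and search
    each decompressed part; XML tags are removed so text split across runs
    is matched as one string. Returns the names of the parts that hit."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", errors="replace")
            if keyword in re.sub(r"<[^>]+>", "", text):
                hits.append(name)
    return hits


if __name__ == "__main__":
    docx = build_sample_docx()
    print("raw search hit:", raw_search(docx, "Project Bluebird"))        # False
    print("expanded search hits:", expanded_search(docx, "for Project Bluebird"))
```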

I told her that forensics is a strict science and she should double-check the search results again to make sure she does not make any mistakes. In court we swear that the evidence we shall give shall be the truth, the whole truth and nothing but the truth. I suggested she re-examine the evidence and forensic reports she has signed in recent years, and see whether anything is wrong with raw searches in compound files.

posted on 2015-07-04 11:35  Pieces0310