
Contact Information

Contact Center Operating Hours

| Contact | Monday through Thursday | Friday |
| --- | --- | --- |
| Phone: 1.801.796.0944 | 8 AM - 5 PM Eastern Time | 8 AM - 3 PM Eastern Time |
| Online chat: http://support.paraben.com | 10 AM - 7 PM Eastern Time | 10 AM - 5 PM Eastern Time |

Other Contact Information

Fax: 1.571-918-4054
Postal Mail: Paraben Corporation, PO Box 277, Aldie, VA 20105-0277, USA
E-Mail:
- For product or sales inquiries: forensics@paraben.com
- For training inquiries: training@paraben.com
- For problems with your program: http://support.paraben.com

2015 Paraben Corporation E3: P2C Getting Started Guide

Table of Contents

- Contact Information
- Introducing E3: P2C
- E3:P2C Related Tools
  - DP2C
  - P2X Pro
- Installing and Configuring E3:P2C
  - Computer System Requirements
  - Installing Electronic Evidence Examiner
  - E3:P2C License Activation
    - Internet Licensing
    - Direct Machine Licensing
    - Dongle Licensing
  - Installing the FOCH/NIST Database
- Working with E3: P2C
  - Exploring E3:P2C Interface
- E3:P2C Data Examination Process
  - Creating Case
  - Adding Evidence
  - Content Analysis
  - Examining Files
  - Data Triage
  - Creating Reports
  - Exporting Data
  - Batch Export
- Additional Features
- Unavailable Options

Introducing E3: P2C

Aurora Edition 1.0

Paraben's E3:P2C is a forensic tool that allows you to examine disk drives, images, and other data such as:
- Email databases
- E3 mobile data cases
- Network email databases
- Forensic containers
- Chat databases
- OLE storages
- Windows registry files
- Archives
- Internet browser data
- Dump files
- Game console data
- SQLite databases
- iPhone/iPad/iPod Touch backup files

E3:P2C allows you to sort files into categories, preview files, view text and hex information, and hash the files using MD5 to ensure that they have not been changed or corrupted. You can use E3:P2C to analyze all data on a computer hard drive including deleted data.

E3:P2C Related Tools

Paraben makes three other tools that complement the operations of E3:P2C.
- DP2C
- P2X Pro

DP2C

DP2C is a targeted data triage collection tool. DP2C runs from a USB drive either in forensic mode, by booting into DP2C, or in non-forensic mode, by running DP2C on a live system. Acquired data is saved to a Forensic Container storage, usually on a network share or an external drive, for analysis in E3:P2C or E3:VIEWER. DP2C can create triage images of specific data collections, or it can create bit-stream images.

P2X Pro

P2X Pro allows you to mount disk images and access them as if they were a read-only drive on your computer. P2X Pro assigns a drive letter to each mounted virtual hard drive on your computer. When mounted, you can access files and applications as though they were installed on your computer. Malware and other malicious software contained in an image can infect your computer if accessed using P2X Pro.

Installing and Configuring E3:P2C

The E3:P2C deployment consists of the following steps:
- Installation of Electronic Evidence Examiner
- Activation of the E3:P2C package
- Installation of the FOCH database (optional)

Computer System Requirements

The following computer system requirements are necessary for running E3:UNIVERSAL:
- Operating system: Microsoft Windows 7 SP1 or newer, 32-bit and 64-bit operating system
- RAM: 4 GB (8 GB recommended)
- .NET Framework version 4.5 or higher

Installing Electronic Evidence Examiner

To install Electronic Evidence Examiner:
1. Download Electronic Evidence Examiner through your registration site account.
2. Run the Electronic Evidence Examiner installation file.
3. On the Welcome page, click Next.
4. On the End-user License Agreement page, accept the terms of the license agreement, and then click Next.
5. On the Select Installation Folder page, do one of the following:
   - Type the location of the folder where you want to install Electronic Evidence Examiner, and then click Next.
   - Click Browse and select the location of the folder where you want to install Electronic Evidence Examiner, and then click Next.
   - Click Next to keep the default location.
6. You are now ready to begin the installation. Click Install.
7. The installation starts. When the installation process finishes, the last page of the Installation wizard is displayed. Clear the Open the Electronic Evidence Examiner Driver Pack download page checkbox (these drivers are not required for E3: P2C) and click Finish.
8. Electronic Evidence Examiner is installed and you can activate your package now.

E3:P2C License Activation

When you launch Electronic Evidence Examiner, you are prompted to activate the product. The following types of activation are available:
- Internet licensing
- Direct Machine licensing
- Dongle licensing

Additionally, you can request a trial version of E3:P2C (https://www.paraben.com/forms/request-trial) to try the full product functionality for a limited time period.

Internet Licensing

You can connect to the web license server as a Paraben user or an E3 user created under your Paraben account. For more information on E3 users, see the help file.

To activate E3:P2C via Internet licensing, do the following:
1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
2. The Activation wizard opens.
3. In the Activation wizard, select the Internet License option (selected by default) and click Activate.
4. The Connect to Web License Server dialog is displayed.

5. Enter your Paraben user or E3 user login and password and click Connect. To automatically connect to the server under the same account in the future, select the Save credentials for future use checkbox. You can change the settings of this option in Case > Options > Common.
6. Electronic Evidence Examiner connects to the web license server and checks what packages are available for this account.
7. If the E3:P2C package is available (not activated on another computer), it becomes activated. You can start working with E3:P2C.

Direct Machine Licensing

This type of activation is preferable if you intend to use E3:P2C on one computer only. You can activate the product (either the permanent version, the trial version, or a temporary activation key) over the Internet or by telephone.

To activate E3:P2C over the Internet, do the following:
1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
2. The Activation wizard opens.
3. Select Direct Machine License and click Activate.
4. On the next page of the wizard, select the Over the Internet activation type and click Next.

5. The Enter Your Product ID page opens. Click Add and enter the Product ID of the package you want to activate (you can enter one or more Product IDs). Then click Activate. You can find your Product ID in the email message that was sent to you after you bought the product.
6. After the package is activated, the last page of the Activation wizard opens.
7. Click Finish to exit the wizard.

To activate E3:P2C by telephone, do the following:
1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
2. The Activation wizard opens.
3. Select Direct Machine License and click Activate.
4. On the next page of the wizard, select the By telephone activation type and click Next.
5. The Phone Activation page opens.
6. Follow the steps described on the page: call the support center and dictate the Product ID(s) and the Registration key displayed on the Phone Activation page. You can find your Product ID in the email message that was sent to you after you bought the product.

7. When you receive the Activation key, enter it in the corresponding field and click Activate.
8. After the package is activated, you will see the last page of the Activation wizard.
9. Click Finish to exit the wizard.

Dongle Licensing

To activate E3:P2C via dongle, do the following:
1. Purchase a dongle while purchasing the E3:P2C package. The dongle must be purchased separately; it is not included in the purchase price of your tool. The fee is $89.00 and can be added to your sales quote or to your shopping cart order.
2. Get the dongle delivered to you.
3. Download Dongle Manager and install it on any computer with an Internet connection.
4. Plug the dongle into your computer, start Dongle Manager, and update the dongle.
5. Install the Dongle Manager on the computers where E3:P2C will be used.
6. Plug in the dongle and start E3: P2C. As long as the dongle is plugged in, E3:P2C will work.

If you ordered a dongle but want to use E3:P2C before your dongle arrives, you can request a temporary activation key that will expire in 30 days. The key can be requested from the Paraben support center.

Installing the FOCH/NIST Database

The FOCH (Filter Out Common Hashes) database is a set of hashed files that are associated with many common operating systems and is based on the NIST database of known hash values. E3:P2C uses this set of hashed files to filter out the common files so that it doesn't have to sort and rehash them each time you perform scanning.

To install the FOCH Database, do the following:
1. Download the database from https://www.paraben.com/downloads/tools/foch.exe.
2. Start the Foch.exe application.
3. Type the location where you want to place the database. It should be in a folder named CommonFiles (NIST) placed in the root directory where you installed Electronic Evidence Examiner. The correct location is provided by default if you select the default location for installing Electronic Evidence Examiner.
4. Click Install.

For more detailed information on installing and using the FOCH database, see the help file.
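The known-file filtering described above, shown as an added Python example (this is not Paraben's code and does not read the FOCH database format): it MD5-hashes every file under a folder and sets aside those whose digest appears in a known-hash set. The function names, the one-hash-per-line list, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large evidence files never load whole


def md5_file(path):
    """Return the lowercase hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def load_known_hashes(lines):
    """Parse one hex MD5 per line (assumed layout); skip blanks, comments, bad rows."""
    known = set()
    for line in lines:
        token = line.strip().lower()
        if not token or token.startswith("#"):
            continue
        if len(token) == 32 and all(c in "0123456789abcdef" for c in token):
            known.add(token)
    return known


def filter_known(root, known):
    """Walk root and split files into (to_review, filtered_out) by MD5 lookup."""
    to_review, filtered_out = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root)
            try:
                digest = md5_file(path)
            except OSError:
                # Unreadable file: keep it for review instead of dropping it silently.
                to_review.append((rel, None))
                continue
            # The match is on content only, so a renamed copy of a known file
            # is filtered and a known name with different content is not.
            (filtered_out if digest in known else to_review).append((rel, digest))
    return to_review, filtered_out


def demo():
    """Constructed sample: one common file, a renamed copy of it, one user document."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "system/common.dll": b"constructed common OS file",
            "system/copy_of_common.dll": b"constructed common OS file",
            "users/notes.txt": b"constructed user document",
        }
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        known_lines = [
            "# constructed known-hash list",
            hashlib.md5(b"constructed common OS file").hexdigest().upper(),
            "not-a-hash",
        ]
        return filter_known(root, load_known_hashes(known_lines))


if __name__ == "__main__":
    review, dropped = demo()
    print("filtered out:", [p for p, _ in dropped])
    print("left to review:", [p for p, _ in review])
```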

Working with E3: P2C

Once E3:P2C is licensed, you can start using the program.

Exploring E3:P2C Interface

The interface is divided into the following parts:
- The Ribbon: This part of the interface contains controls for working with E3: P2C.
- Main window containing the following areas:
  - Tree-view area (on the left): Consists of the Case Content pane, which displays all the case items, and the Sorted Files pane, which displays files sorted by categories.
  - Data View area (in the center): Displays the content of folders and grids and other panes, such as Sorted Files, Search, Case History, and others.
  - Viewers and Bookmarks area (on the right): Consists of different viewers, which display images, thumbnails, text, and hex data; the Properties pane, which displays file properties; and the Bookmarks pane, which displays the bookmarks created in the case.
  - Tasks and secondary panes area (at the bottom): Consists of the Tasks pane, which allows the user to view the status of search, export, sorting, and report generating tasks; the Hashes pane, which displays the attached hash databases; and the Common Log pane, which allows the user to view the Common Log created during one session of E3: P2C.

You can add, remove, or resize panes as you work to see more or less information. The panes can also be dragged and organized in any way. If you want to reset the display to the default settings, on the View tab, in the Layout Management group, click Restore Layout.

E3:P2C Data Examination Process

E3:P2C offers you the following functions for evidence examination:
- Creating a case
- Adding evidence
- Performing content analysis
- Examining files
- Viewing triage data
- Creating reports
- Exporting data
- Performing batch export

Each of these functions is outlined in this guide, with more comprehensive information available in the help file that can be opened from the Case menu of E3: P2C.

Creating Case

When you initially start E3: P2C, you need to create a case. There are two ways of creating a new case: automatic and manual.

To create a new case automatically, click Add Evidence on the Welcome screen that appears at E3:P2C start-up. The Case (<n>).e3 case is created automatically in C:\Users\<user name>\Documents\Paraben Corporation\Paraben's Electronic Evidence Examiner\. The Add Evidence window opens.

To create a new case manually:
1. In the Case menu, click Create New Case.
2. The New Case wizard appears.
3. On the Case Properties tab, enter the case name (the name of the *.e3 file where the case will be saved) and the case description. The Case name is a required field.
4. Select the Additional Information tab, enter the investigator information (if necessary), and click Finish.
5. Select the folder in which the case will be stored (C:\Users\<User>\Documents\Paraben Corporation\Paraben's Electronic Evidence Examiner by default) and click Save.
6. A new case is created.

Adding Evidence

After creating a case, you need to add evidence to it. Adding evidence is the process of selecting which files and information you want to examine. E3:P2C allows you to specify what types of evidence you would like to add. The types include:
- Logical drive: Reads files and folders stored on the hard drive in hierarchical order. You can select an entire disk or a folder on the disk.
- Physical drive: Reads all data on the disk regardless of whether it is stored in a logical folder on the disk drive or in unallocated space.
- Separate Folder: Reads a folder on a physical drive connected to the computer on which the case is opened, or a network folder, or a folder on a CD/DVD disc, or a whole CD/DVD disc.
- Image file: Reads a stored hard drive image. Has the ability to read images in most common formats.
- Email database: You can select an email database created by a specific email application or you can use the auto-detect option.
- Chat database: You can select a chat database created by a specific online chat application or you can use the auto-detect option.
- Registry files: You can view registry data stored in files of binary hive format.
- Internet Browser Data files: You can view data created by Internet Explorer, Mozilla Firefox, and Google Chrome.
- Game Console Data files: You can investigate data extracted from XBOX game consoles.

- Forensic Containers: You can investigate data stored in encrypted Forensic Containers (data collected by DP2C or exported from an E3 case).
- E3 mobile data/DS cases: Reads data stored in cases created by Paraben's DS or E3 while investigating smartphones, feature phones, PDAs, and other devices.
- iOS backups: Reads backups created via iTunes from iPhone/iPad/iPod Touch devices.
- Other: You can investigate OLE storages, archives or compressed files, raw memory dump files, and SQLite database files.

When you use the auto-detect option, you can select a file or a folder. For most files and data sources, you should select File. Select Folder only if the object you want to examine is the folder itself. For most auto-detect options, you should select the file and E3:P2C will determine what type of file it is.

To add evidence, do the following:
1. Create a case.
2. On the Evidence tab, in the Evidence group, click Add Evidence; or click Add New Evidence in the case node context menu; or select Add Evidence on the Welcome page of the program.
3. In the Add New Evidence window, select the type of evidence that you want to add, and then click OK.
4. Browse to the file or folder with evidence data, and then click Open.

5. Enter the Evidence name. By default, this is the name of the object you select when you browse. Click OK.
6. When opening some mail archive evidence or NTFS file system evidence, you will be asked to define its options. Select the options you want to use when adding the evidence, then click OK.
7. When the evidence is added, it is displayed in the Case Content pane of E3: P2C.

Content Analysis

After you add evidence, you can sort data into certain categories, index keywords in this data, scan portable executable files in it for signs of malware, and perform text extraction from graphic files. The content analysis operations expedite your work with binary files of different formats and allow you to perform quick searches by indexed keywords, detect suspicious files that might be malware, and search the text contained in graphic files.

E3:P2C automatically sorts files into the following types:
- Documents
- Email
- Chat
- Spreadsheets
- Graphics
- Databases
- Executable
- Compressed
- Multimedia
- Text
- XML
- Encrypted
- Financial Files
- Others
- Image Analyzer Results
- Recovered from Unallocated Space

The following table shows the types of evidence and the availability of content analysis for each:

| Evidence Type | Sorting | Malware Scan | Text Extraction from graphic files | Keyword Indexing | Recursive content analysis in embedded evidence |
| --- | --- | --- | --- | --- | --- |
| File System evidence | + | + | + | + | + |
| E-mail database | + (Attachments) | + (Attachments) | + (Attachments) | + | + (except GroupWise, Thunderbird, and Windows mail) |
| Archive | + | + | + | + | + |
| Forensic Container | + | + | + | + | - |
| OLE storage | + | + | + | + | + |
| E3 mobile data/DS case | + (Binary files) | + (Binary files) | + (Binary files) | + | - |
| iPhone/iPad/iPod Touch backup evidence | + (Binary files) | + (Binary files) | + (Binary files) | + | - |
| SQLite database | + (Embedded binary files) | + (Embedded binary files) | + (Embedded binary files) | + | + |

| Evidence Type | Sorting | Malware Scan | Text Extraction from graphic files | Keyword Indexing | Recursive content analysis in embedded evidence |
| --- | --- | --- | --- | --- | --- |
| Xbox evidence | + | + | + | + | + |
| Chat databases | + (Only for Hello database) | + (Only for Hello database) | + (Only for Hello database) | + | + (Skype version 4.0 or higher and Miranda database) |
| Internet Browser data | + (Temporary files) | + (Temporary files) | + (Temporary files) | + | + (Internet Explorer and Mozilla Firefox) |
| Registry file | - | - | - | + | + |
| Dump file | - | - | - | - | - |

To perform content analysis, do the following:
1. Select the evidence (case node, evidence node, disk, folder, etc.) on which you wish to perform content analysis.
2. In the context menu, select Content Analysis from the Content Analysis sub-menu, or click Content Analysis on the Analysis tab in the Content Analysis group, and then click Content Analysis in the drop-down menu.
3. On the General options page, do the following and click Next:

   - Select the Sort Data checkbox to sort data into different categories according to their file types.
   - Select the Index keywords checkbox to index keywords in files for faster text searches.
   - Select the Extract and index keywords from graphic files (OCR) checkbox to extract text contained in image files and automatically add keywords from the text to a keyword database, and select the Language for keyword extraction.
   - Select the Scan for malware checkbox to scan portable executable files for signs of malware.
4. On the Data analysis options page, define the following options and then click Next:
   - Recursive sorting and keyword indexing in: Select the types of data that should be analyzed within the embedded evidence (see the help file for more information on embedded evidence).
   - Include files of undetected format: If this option is selected, files whose type cannot be determined will be placed in the Unknown category during sorting; otherwise they will be skipped.
   - Perform data analysis in deleted data: If this option is selected, deleted data in the file system evidence will be recovered and content analysis will be performed on it.
   - Save current wizard options as default: If this option is selected, the defined sorting and indexing options are saved as the default options.
5. On the Advanced options page, select the Skip MSI installations, Skip CAB archives, Skip CHM help files and Skip unknown OLE streams options to make searching and keyword indexing faster. Click Next.

6. On the Image Analyzer page, define the following options:
   - Use Image Analyzer: If this option is selected, the Image Analyzer will be used while sorting graphic files.
   - Engine sensitivity: The larger the value of the engine sensitivity, the more images will be put in the Highly suspect and Suspect categories.
   - Use file filter: If this check box is selected, then only files of the defined size will be checked by Image Analyzer.
   - Use resolution filter: If this check box is selected, then only images of the defined size will be checked by Image Analyzer.
   Image analysis will be performed only when you perform file sorting.
7. Click Finish.
8. The content analysis task starts. Its progress is displayed in the Tasks pane, where it can be viewed, paused, stopped, and started.

The results of file sorting can be viewed on the Sorted Files pane. For keyword indexed files, keyword searches can be performed (see the help file for more information). The results of the malware scan can be viewed on the Content Analysis tab of the Properties viewer. Text extracted from graphic files can be viewed on the Extracted Text viewer for the selected file, and keyword searches can be performed in the images with extracted text.

Examining Files

After sorting and indexing the files, the next step is their examination. E3:P2C provides you with several options for examining files and data sources. These include the following tools:
- File viewer
- Text viewer
- Hex viewer
- Thumbnails viewer
- File slack hex viewer
- File slack text viewer
- Extracted Text viewer
- Email Data viewer
- Chat RTF viewer

The viewers can be enabled on the View tab, in the File Viewers and Advanced Viewers groups. When you select a certain item, you can examine it in different viewer tabs that are displayed to the right of the Data View pane. If some of the viewers are not available for the selected item, they are inactive. For example, if you select a folder with no graphics, the Thumbnails viewer tab will be inactive.

To view files, file information, and their content, do the following:
1. Make sure that all the viewer options are selected on the View tab, in the File Viewers and Advanced Viewers groups.
2. Select the file you want to examine.
3. Click the appropriate viewer tab to see the information displayed in the format you want. For example, click Hex View to view the file in Hex format and so forth.
4. Click the edge of the pane to resize it if necessary.

File properties including its size, creation date, file name, and other properties are displayed in the Properties pane, which is located to the right of the program window.

Data Triage

E3:P2C allows you to view data of email clients, chat messenger clients, and Internet browsers installed on the investigated computer. You can also view recently used files and Documents folders. E3:P2C auto-detects this data in the registry and displays it in the sub-nodes of the Data Triage node.

Auto-detection is available only for the following types of evidence:
- Physical drives and images of the physical drives that have a system partition
- System logical drives and images of system logical drives
- Registry hives

The Data Triage node is placed under the partitions node if a physical drive/physical drive image evidence is added and on the same level as the Root node if a system disk/system disk image evidence is added.

To view detected data in Data Triage, do the following:
1. Add a physical drive or a system drive evidence to the case.
2. In the Case Content pane, expand the evidence node.
3. Click the plus sign next to the Data Triage node. The following nodes are displayed:
   - E-mail Databases: Detected installed e-mail databases.
   - Chat Databases: Detected installed chat databases.
   - Internet Browser Data: Detected installed Internet browsers (including Internet Browser data).
   - My Documents Folders: Detected My Documents folders (based on the number of users on the investigated computer).
   - Recently Used Files: The list of the most recently opened files.
   - Parsed Registry Data: Groups of registry keys including information about auto run programs, list of installed programs that can be uninstalled, list of Windows services, etc.

Creating Reports

An E3:P2C report is a summary of the currently open case that can be printed, e-mailed, etc. E3:P2C allows you to create the following types of reports:
- HTML Investigative Report: This report includes any information defined by the user (evidence of different types, bookmarks, and supplementary files). Data is displayed in the HTML format without hyperlinks.
- Simple Text Report: This type of report includes the same information as the HTML Investigative Report displayed in a similar way, but in text format.
- Simple RTF Report: This type of report represents information in Rich Text Format and can be opened in any text editor that supports formatted text.
- CSV Text Report: This type of report represents information in a tab-delimited format and can be opened in Microsoft Excel.
- HTML Evidence Summary Report: This report includes information about all evidence added to the case, information about the Investigator (optional), and supplementary external files. Data is displayed in HTML format.
- HTML Email Message Report: This report includes information on email messages stored in the investigated mail archive. Data is displayed in the HTML format.
- Malware Scan Results Report: This report includes information on all scanned executable files. Data is displayed in CSV format.

- Mobile Evidence Timeline Report: This report contains timeline representation of mobile data in the HTML format.
- Mobile Evidence PDF Report: This type of report contains mobile data in the PDF format.
- Mobile Data Review Report: This type of report includes detailed information on all mobile data acquired by the Android Logical plug-in. Information is represented in the HTML format with hyperlinks, providing a most convenient view of mobile case data.

When you create reports, you can select specific files and information that you want to add to the report. You can select this information by clicking the Add to Report/File Export option in the context menu of an item in the Case Content or Data Viewer pane. You can also export evidence along with the report.

To create reports, do the following:
1. Navigate to the data in the Case Content or Data View pane and then select the check boxes next to the records, files or folders you want to include.
2. On the Analysis tab, in the Reports group, select Generate Report.
3. On the General options page of the Reports wizard, select the type of the report and the location where you want to save it.
4. Click through the remaining pages of the wizard and select the options you need for your report. These options include file types, file properties, case information, whether you want to create a report with all evidence or only selected data, and so forth. The report options vary depending on the type of the report you select. For more information on the options, see the help file.
5. Click Finish to begin the process of creating a report.

6. The report generation starts and the report generation task is added to the Tasks pane where it can be viewed, paused, stopped, and started. Depending on the size and the options you select when creating a report, the generation process might take several minutes.
7. The generated report opens automatically if the corresponding option was selected in the Report Wizard options.

Exporting Data

E3:P2C allows you to export files and folders found in the evidence to your computer or a location you specify, or to export grid rows to spreadsheets. E3:P2C exports the files along with a hash file that can be used to ensure that the data has not been changed. Use the check boxes in the Case Content or Data View pane to select which files and folders you want to export.

You can:

Export currently selected data (file, folder, grid, or grid rows)
Export data selected across the case (checked data)
Export data to spreadsheet
Export sorted files

To export the currently selected data:

1. Select a folder or a grid in the Case Content or select multiple files and folders in the Data View pane by clicking corresponding items. Use the Shift and Ctrl keys for multi-selection.
2. On the Export tab, in the Common Export group, click Export or click Export in the context menu.
3. For folders, select whether you want to export selected folders with all their subfolders (Recursive) or just files stored in selected folders (Non-recursive).

4. Select whether the data will be exported to a folder or an encrypted Forensic Container.
5. Browse to the location you want to export data to (folder location or a Forensic Container file to which the data is to be exported).
6. Define the Forensic Container password (if export to a Forensic Container is selected).
7. Click Export.
8. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

To export data selected across the case:

1. Select the checkboxes near the files, folders, grids, and grid rows you want to export in the Case Content or Data View pane.
2. On the Export tab, in the Export to Native Format group, click Export Checked Files.
3. For folders, select whether you want to export selected folders with all their subfolders (Recursive) or just files stored in selected folders (Non-recursive).
4. Select whether the data will be exported to a folder or an encrypted Forensic Container.
5. Browse to the location where you want the data to be exported (folder location or a Forensic Container file to which the data is to be exported).
6. Define the Forensic Container password (if the export to a Forensic Container is selected).
7. Click Export.

8. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

To export data to spreadsheet:

1. Manage a grid in the Data View pane to make all necessary columns visible and hide all unnecessary columns, and define the column order (see the help file for more information).
2. Select the rows to be exported in the Data View pane. Use the Shift and Ctrl keys for multi-selection.
3. Click Export Info to Spreadsheet in the context menu or in the Export tab, in the Common Export group.
4. Define the location and the name of the CSV file to be created and click Save.
5. When the export process finishes, you receive a confirmation message. Click OK.
6. Data is exported.

To export sorted files from a case:

1. Perform sorting.
2. Open the Sorted Files pane and select the category for exporting or the Sorted Files node to export all categories or select several files from the selected category using Shift and Ctrl keys.
3. Click Export in the context menu or on the Export tab, in the Common Export group.

4. Select where the files will be saved and click OK.
5. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

Batch Export

E3:P2C allows you to perform searches in multiple mail storages of different formats and export the search results to EML, EMX, MSG, PST, and Attachments only formats.

To perform a batch export, do the following:

1. On the Export tab, in the Mailstorage Export group, click Batch Export.
2. The Batch Export Wizard opens.
3. On the Welcome page, click Next.
4. On the Source Options page, define the parameters of the source mail archive detection.
5. On the Filter Options page, define the parameters for selecting data from source mail archives.
6. On the Export Options page, define the options for exporting search results.
7. On the Common Options page, define the common options for the export process.
8. Click Finish.
9. The export process starts.
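The Exporting Data section states that files are exported along with a hash file for checking that the data has not been changed. The Python code below is an added example, not Paraben's code: it re-hashes an export folder against a manifest and reports modified, missing, and unlisted files. The manifest layout (SHA-256 hex digest, two spaces, relative path) and all file names are assumptions, since this guide does not describe the format or algorithm of the E3:P2C hash file.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse '<hex digest>  <relative path>' lines (assumed layout, not E3's own)."""
    expected = {}
    for line in text.splitlines():
        digest, _, rel_path = line.strip().partition("  ")
        if rel_path:
            expected[rel_path.strip()] = digest.lower()
    return expected


def verify_export(export_dir, manifest_text):
    """Return relative paths that are modified, missing, or not listed in the manifest."""
    root = Path(export_dir)
    expected = parse_manifest(manifest_text)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    missing = sorted(set(expected) - on_disk)
    modified = sorted(p for p, d in expected.items()
                      if p in on_disk and sha256_file(root / p) != d)
    return {"modified": modified, "missing": missing, "unlisted": sorted(on_disk - set(expected))}


def demo():
    """Constructed sample export: one file altered and one added after hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail").mkdir()
        (root / "mail" / "msg1.eml").write_bytes(b"Subject: constructed sample\r\n")
        (root / "notes.txt").write_bytes(b"original")
        listed = [f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
                  for p in sorted(root.rglob("*")) if p.is_file()]
        listed.append("0" * 64 + "  deleted.bin")  # listed but absent from the export
        (root / "notes.txt").write_bytes(b"tampered")  # changed after hashing
        (root / "extra.tmp").write_bytes(b"x")  # present but never listed
        return verify_export(root, "\n".join(listed))
```

Keep the manifest outside the export folder (or on read-only media) so that a change to the files cannot be hidden by regenerating the hashes next to them.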

Additional Features

This quick start guide outlines the basic features you need to begin working with E3: P2C. However, E3:P2C has a powerful set of additional features for more convenient, more complete analysis. Below you can see a list of these options and their short descriptions. For more details on each, please see the Electronic Evidence Examiner help file.

Advanced Search: Allows you to look for text strings in the evidence (including regular expression search, Boolean search, and keywords search) or sorted evidence data.
Sorted Files Search: Allows you to search for files by type, size, creation date, etc.
Keywords Search: Allows you to filter out already found keywords according to your search request thus making the search process much faster.
Bookmarks: Allow you to create links that help to find locations and files in the evidence quickly.
Case History: Displays a list of performed case-related tasks and processes.
Options wizard: Allows you to change and save the default settings for E3: P2C.
Forensic Container creation: Allows you to create an encrypted Forensic Container to store your data safely and export files and folders to it.
Mounting: Allows you to mount images of physical/logical disks and forensic storages to your computer.
Printing messages: Allows you to print out a message from the Mailstorage evidence.

Unavailable Options

You can find some unavailable options in the E3:P2C interface, for example, Start Acquisition, Import From, or Cloud Import on the Evidence tab, in the Mobile Data group. These options are available in Electronic Evidence Examiner packages that allow mobile device acquisition. If you are interested in using these options, you can purchase an E3: DS package (for mobile forensic analysis) or upgrade your package to E3: Universal (for both computer forensic and mobile forensic analysis).