Pdf metadata extract control Library system azure asp.net .net console forensic-explorer-user-guide.en10-part1468

Ch a p t e r 9 - W o r k i n g w i t h d a t a

101 | Page

Chapter 9 - Working with data

In This Chapter

CHAPTER 9

- WORKING WITH DATA

9.1

Working with data ........................................................................................................................... 102

9.2

Highlighted and checked items ....................................................................................................... 102

9.2.1

Highlighted items ............................................................................................................... 102

9.2.2

Checked items .................................................................................................................... 103

9.3

Add and edit bookmarks ................................................................................................................. 104

9.4

Open with ........................................................................................................................................ 104

9.5

Expand compound file ..................................................................................................................... 105

9.6

Export .............................................................................................................................................. 105

9.6.1

Export Folders and Files ..................................................................................................... 105

9.6.2

Export Logical Evidence File (.L01) ..................................................................................... 107

9.6.3

Export Delimited Rows (.csv or .tab).................................................................................. 109

9.7

Send to Module ............................................................................................................................... 110

9.8

Columns ........................................................................................................................................... 110

9.9

Sorting ............................................................................................................................................. 111

9.10

Flags ................................................................................................................................................. 113

9.11

Filtering Data ................................................................................................................................... 114

9.11.1

Date range filter ............................................................................................................ 114

9.11.2

Text filter tool ................................................................................................................ 115

9.11.3

Explorer Tool ................................................................................................................. 118

9.11.4

Folders Filter .................................................................................................................. 119

9.12

Copy rows to clipboard .................................................................................................................... 119

Pdf metadata extract - add, remove, update PDF metadata in C#.net, ASP.NET, MVC, Ajax, WinForms, WPF

Allow C# Developers to Read, Add, Edit, Update and Delete PDF Metadata

remove pdf metadata; metadata in pdf documents

Pdf metadata extract - VB.NET PDF metadata library: add, remove, update PDF metadata in vb.net, ASP.NET, MVC, Ajax, WinForms, WPF

Enable VB.NET Users to Read, Write, Edit, Delete and Update PDF Document Metadata

embed metadata in pdf; adding metadata to pdf

102 | Page

Ch a p t e r 9 - W o r k i n g w i t h d a t a

9.1

WORKING WITH DATA

Forensic Explorer modules and data views share common functions used to view,

analyze and manage case content. These functions are either performed directly

within the view, or are access by a right-click menu, as shown Figure 80 below:

Figure 80, Right-click menu in the File System list view

9.2

HIGHLIGHTED AND CHECKED ITEMS

In Forensic Explorer actions are performed on ͞items͟. An item is an addressable piece

of data. An item can be a device (e.g. physical drive, logical drive or image file), a file,

folder, partition, metadata entry, FAT, MFT, VBR, MBR, unallocated clusters, directory

entry, or other such data.

In order to perform an action on an item it is usually either first ͞highlighted͟ or

͞checked͟ (or both). An action on a highlighted file is independent to an action on a

checked file.

9.2.1

HIGHLIGHTED ITEMS

A highlighted item is one that has been selected with the mouse and the item has

changed color. It is possible to highlight one or more items.

To highlight multiple consecutive items:

Highlight the first file with the mouse and then press and hold the Shift key;

While holding the Shift key down click the last file. This will highlight all the

files in-between the first and last file.

VB.NET PDF Image Extract Library: Select, copy, paste PDF images

Get image information, such as its location, zonal information, metadata, and so on. Extract image from PDF free in .NET framework application with trial SDK

batch pdf metadata; change pdf metadata creation date

C# PDF Image Extract Library: Select, copy, paste PDF images in C#

information, such as its location, zonal information, metadata, and so on. Able to edit, add, delete, move, and output PDF document image. Extract image from PDF

online pdf metadata viewer; remove metadata from pdf acrobat

Ch a p t e r 9 - W o r k i n g w i t h d a t a

103 | Page

To highlight multiple not consecutive items:

Highlight the first required file with the mouse and then hold the Ctrl key;

While holding down the Ctrl key, highlight each of the other required files.

Figure 81, Highlighted items

9.2.2

CHECKED ITEMS

A checked item is one which has been a tick in its selection box:

User checked item;

A folder in which not all items inside that folder (or its sub-folders) have

been checked.

To check an individual item, use the mouse to place a tick in the selection box.

To check multiple items:

Follow the instruction above to highlight multiple files;

Then press the Space Bar to turn the check ticks on, or off.

COUNTING CHECKED ITEMS

It is useful in many situations to quickly identify how many items are currently

checked. This information is provided in the status bar of a Folders view, as shown in

Figure 82 below:

C# PDF Page Extract Library: copy, paste, cut PDF pages in C#.net

|. Home ›› XDoc.PDF ›› C# PDF: Extract, Copy and Paste PDF Pages. C#.NET Sample Code: Extract PDF Pages and Save into a New PDF File in C#.NET.

pdf keywords metadata; pdf xmp metadata viewer

VB.NET PDF Library SDK to view, edit, convert, process PDF file

Feel free to define text or images on PDF document and extract accordingly. Multiple metadata types of PDF file can be easily added and processed.

analyze pdf metadata; preview edit pdf metadata

104 | Page

Ch a p t e r 9 - W o r k i n g w i t h d a t a

Figure 82, Checked item count in Folders view

9.3

ADD AND EDIT BOOKMARKS

Forensic Explorer enables any item (file, folder, keyword, search hit etc.), or sections of

items, to be marked and listed in the Bookmarks module. Bookmarks are used to note

items of interest. ookmarked items in a list view can be identified by a ͞yes͟ entry in

the ͞ ookmarked͟ column.

To add a bookmark:



Right-click in the data view and select Add Bookmark from the drop down

menu.

This will open the Add Bookmark window. See Chapter 16 - Bookmarks Module, for

more information on adding and editing bookmarks.

9.4

OPEN WITH

The Open With command uses the standard Windows Open With function to open a

file from a list view using an external application (such as Windows Paint, or Microsoft

Word) using the standard Windows . To use Open With:

Highlight the required file;

Right-click and select Open With from the text menu.

If the highlighted file is not already associated with a program, the Windows Open

With window will display and allow the file type to be associated.

The file to be opened is copied to the case ͞Temp͟ folder: ͞\My Documents\Forensic

Explorer\Cases\[Case Name]\Temp\͟ and then opened by the external application.

C# PDF Text Extract Library: extract text content from PDF file in

XDoc.PDF ›› C# PDF: Extract PDF Text. C# PDF - Extract Text from PDF in C#.NET. Feel Free to Extract Text from PDF Page, Page Region or the Whole PDF File.

change pdf metadata; batch pdf metadata editor

VB.NET PDF Text Extract Library: extract text content from PDF

PDF ›› VB.NET PDF: Extract PDF Text. VB.NET PDF - Extract Text from PDF Using VB. How to Extract Text from PDF with VB.NET Sample Codes in .NET Application.

acrobat pdf additional metadata; clean pdf metadata

Ch a p t e r 9 - W o r k i n g w i t h d a t a

105 | Page

9.5

EXPAND COMPOUND FILE

A compound file is a file that is a container for other files or data. A simple example is

ZIP compressed file.

Typically compound files should be expanded early in a case to enable Forensic

Explorer full access to the content. This should be performed prior to a keyword or

index search so that they may include the expanded data.

Forensic Explorer currently supports the expansion of the following compound files:



ZIP (Note: Decompressed Zip files are read into RAM. A size limit of 100mb is

set. Files over 100mb will not be decompressed).



OLE (DOC, XLS, PPT, ODT)

To expand a compound file:

Highlight the file in the list view;

Right-click and select Expand Compound File from the drop down menu.

The file changes to a container which holds the expanded content (similar to a folder).

For example:



͞HLA_IT_University_HI-RES_Photos_EXTERIORS.ZIP͟ is the original file;



͞HLA_IT_University_HI-RES_Photos_EXTERIORS.ZIP͟ is the container for

the expanded content.

To expand all compound files in a case:

In the File System module, click on the Analysis Scripts drop down button in

the toolbar and run the ͞Expand ompound Files͟ script.

To display only expanded files in the File System module

In the File System module Folders Filter, select the ͞Expand ompound Files͟

to show only these files.

9.6

EXPORT

9.6.1

EXPORT FOLDERS AND FILES

The export Folders and Files function is used to copy files from the case to the local

disk.

To export folders and files:

VB.NET PDF Form Data Read library: extract form data from PDF in

Data: Read, Extract Field Data. |. Home ›› XDoc.PDF ›› VB.NET PDF: Read, Extract Field Data. VB.NET PDF - Read and Extract Field Data in VB.NET.

rename pdf files from metadata; edit pdf metadata acrobat

C# PDF Library SDK to view, edit, convert, process PDF file for C#

Feel free to define text or images on PDF document and extract accordingly. Multiple metadata types of PDF file can be easily added and processed in C#.NET

pdf metadata viewer online; edit multiple pdf metadata

106 | Page

Ch a p t e r 9 - W o r k i n g w i t h d a t a

Highlight or check the required items;

Right click and select ͞Export > Folders and files…͟ from the drop down

menu;

The following Export Files window will then open;

Figure 83, Export files window

Source:



Files can be exported with their logical or physical size.

Destination:



Separate files: The exported files may be saved individually or as a single

merged file.



Keep folder structure: Will determine whether the exported files are

saved with the complete path information from the case, or if they are

saved into the root level of the selected location.



Keep date/times: Specifies whether the date and times of the exported

files will retain their metadata as displayed by Forensic Explorer, or

whether dates and times will reflect the creation of the exported files.



Split large files: Large files can be split into designated sizes.

Ch a p t e r 9 - W o r k i n g w i t h d a t a

107 | Page



Destination folder: The destination folder specifies the location where

the files will be saved. The default location is the ͞Exported͟ folder in the

case path.

EXPORT FOLDERS AND FILES USING A SCRIPT

One of the default scripts provided with Forensic Explorer is Scripts\File

System\Export File Types.pas. This script will export files by type (extension) and can

be edited as required. For more information about scripts, see Chapter 18 - Scripts

Module.

9.6.2

EXPORT LOGICAL EVIDENCE FILE (.L01)

A Logical Evidence File (LEF) is a forensic image containing selected individual files,

rather than the image of an entire partition or physical device. LEF͛s are usually

created when:

A device is previewed and evidence worthy of preservation is identified, but

an image of the entire partition or device is not warranted; or

When a subset of a files from an existing forensic image is be provided to a

third party.

Common LEF formats are .L01 (Guidance Software - www.guidancesoftware.com) and

.AD1 (Access Data - www.accessdata.com). Forensic Explorer will read both L01 and

AD1 formats and can export files to .L01 format.

To export files to an .L01 file:

Select or highlight the required file/s;

Right click and select Export > Logical evidence file (.L01) from the drop

down menu. The following window will appear:

108 | Page

Ch a p t e r 9 - W o r k i n g w i t h d a t a

Figure 84, Export to Logical Evidence File (.L01)

Include folder data: If selected, the folder is treated as a file and its content

included in the image. This may not be desirable, as the folder data can

contain information about other files that have not been selected to be part

of the L01 content. If this option is disabled, the image will contain only the

folder name.

Calculate image MD5: If selected, an MD5 hash for the entire L01 file is

calculated and stored within the file.

Note: Individual files within the LEF are automatically MD5 hashed and each

value is stored.

VALIDATING .L01 FILES

To validate an .L01 files in Forensic Explorer

Add the .L01 file to a case, or a preview:

Add the “L01 Hash” column to the list view of the File System module (refer

to paragraph 9.8 for information on adding a column). This column shows the

MD5 hashes created at the time of acquisition and stored within the .L01 file;

Ch a p t e r 9 - W o r k i n g w i t h d a t a

109 | Page

Use the Hash Files button to calculate the current MD5 hash for each file:

Figure 85, Hash Files button in the File System module toolbar

Add the “MD5 hash” column to the File System module, List view.

Compare the L01 Hash MD5 Hash results. The acquisition hash and the

recalculated hash should be identical.

9.6.3

EXPORT DELIMITED ROWS (.CSV OR .TAB)

The export delimited rows function is used to copy list view data into a format suitable

for import into a spread-sheet or similar program.

To export delimited rows:

Highlight or check the required files;

Right click and select ͞Export > Delimited rows (.csv or .tab)͟ from the drop

down menu;

The following window will appear:

Figure 86, Export delimited rows

Select the source and whether the file is to be TAB or comma delimited. Enter the

name of the destination file and click OK to proceed with the export. Only currently

visible columns will be exported.

110 | Page

Ch a p t e r 9 - W o r k i n g w i t h d a t a

9.7

SEND TO MODULE

Send to Module is a method of passing specific files from one module to another. For

example, a Windows registry file can be highlighted in the list view of the File System

module and passed to the Registry module for processing (see 15.2 for more

information).

9.8

COLUMNS

To add columns or remove columns in a list view:

Right click on the List view and select Columns > Edit Columns from the drop

down menu. The Column Headers window will open;

Figure 87, Column Headers

Add available columns to the current columns and Move Up or Move Down

for the required position (position can also be controlled by dragging and

dropping column titles once they are added). Remove unwanted columns

with the remove button.

It is possible to add columns using a script. An example of this is where the metadata

properties from a Microsoft Word document, e.g. Author, Title etc. are extracted and

placed in to columns. See 8.11.1 for more information.

Documents you may be interested