This script searches specified items with a view to finding Exif picture files containing Global Positioning System data. The examiner can choose to search all items, those that are selected, those that are tagged, or those that are entries representing unallocated clusters. Note that the option to parse items that are selected in the current view does not work with records.

Be careful when parsing deleted or deleted-overwritten files, and also areas of unused disk space. These may contain corrupt data, which can cause the script to crash and/or cause EnCase to hang due to excessive memory usage. If this happens you will need to re-run the script without processing the problematic areas. The console output can help you to identify these, either in EnCase or, if the program crashes, using the console log files in %USERPROFILE%\Documents\EnCase\Logs.

The examiner can choose to have the script specifically identify pictures whose Exif GPS coordinates are located within a specified distance (in kilometres) from a designated point. Subject to additional filtering (see below), any occurrence of an Exif picture will be bookmarked and checked to see if the data that follows contains GPS information. The script will bookmark an Exif picture into one of three bookmark folders depending on (a) whether it contains any GPS coordinates and (b) whether those coordinates fall within the geographical range specified by the examiner. If no range is specified then every Exif picture with GPS coordinates will be placed in the 'In Range' bookmark folder.

Any GPS information found for pictures that are 'in-range' will be written to a single Keyhole Mark-up Language (KML) file that can be opened using Google Earth. The examiner is required to specify the path to the file when the script runs; he/she can also opt to export the associated picture so that a thumbnail of it can be seen from within Google Earth. Note that the latter option is not possible with pictures from unallocated clusters nor with pictures embedded within other files. If Google Earth is installed on the examiner's machine then he/she can have EnCase use COM to open the file once it has been written. It's important to remember that the GPS information embedded within an Exif image will only be as good as the accuracy of the GPS fix at the time the picture was taken.

An additional data bookmark will be created in order to store the Exif metadata that's been parsed for each picture. This data can be filtered so that only Exif tags with a given name or ID will be included. In most cases the name will have the same value as the ID but there are two exceptions to this. The first exception is where an unknown tag is encountered. When this happens, the tag-name property will contain the hex value of the tag ID so that the examiner can still search for that value should he or she know of its significance. The second exception is where the examiner has chosen to use one or more custom tag names; these names will override the default Exif tag names shown in bookmarks created by the script, and they will also be used for the purpose of filtering. Custom tag names can be entered manually; they can also be imported from a tab-delimited text file. Note that Exif GPS tag information will always be shown for any picture that contains it, regardless of the name/ID filter condition that's been set. The examiner does however have the option of hiding detailed GPS information so that only the latitude and longitude will be shown. In addition to being able to filter the tags that are bookmarked, the examiner can choose to bookmark an image only if it contains a tag matching a secondary filter, one based on value. This allows, for instance, the examiner to target pictures taken by a particular make or model of camera. It's important to note a few things with regard to the value filter.

Firstly, this filter will only be applied to metadata tags that have passed the name filter.
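The range check and KML export described above can be illustrated in Python; this is an added example, not the EnScript's own code. The haversine distance, the folder names other than 'In Range', the function names and the sample pictures are all assumptions made for illustration.

```python
import math
from xml.sax.saxutils import escape

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius

def dms_to_decimal(dms, ref):
    """Exif stores a coordinate as (degrees, minutes, seconds) plus an N/S/E/W reference."""
    deg, minutes, sec = dms
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (assumed method; the page does not name one)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def classify(gps, centre=None, radius_km=None):
    """Pick one of three folders for a picture; gps is (lat, lon) or None."""
    if gps is None:
        return "No GPS"        # assumed folder name
    if centre is None or radius_km is None:
        return "In Range"      # no range specified: every GPS picture is in range
    in_range = haversine_km(*gps, *centre) <= radius_km
    return "In Range" if in_range else "Out of Range"  # second name is assumed

def to_kml(pictures, centre=None, radius_km=None):
    """Build one KML document holding a placemark per in-range picture."""
    marks = []
    for name, gps in pictures:
        if classify(gps, centre, radius_km) != "In Range":
            continue
        lat, lon = gps
        # KML coordinates are written longitude first, then latitude.
        marks.append(f"<Placemark><name>{escape(name)}</name><Point>"
                     f"<coordinates>{lon:.6f},{lat:.6f}</coordinates></Point></Placemark>")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>\n'
            + "\n".join(marks) + "\n</Document></kml>\n")

# Constructed sample data: two geotagged pictures and one without GPS tags.
PICTURES = [
    ("IMG_0001.JPG", (dms_to_decimal((51, 30, 26.0), "N"), dms_to_decimal((0, 7, 39.0), "W"))),
    ("IMG_0002.JPG", (48.8584, 2.2945)),
    ("IMG_0003.JPG", None),
]
CENTRE = (51.5007, -0.1246)  # constructed designated point

if __name__ == "__main__":
    print(to_kml(PICTURES, CENTRE, radius_km=5))
```
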