Case Tree Context Menu

WinHex & X-Ways


Some of the commands:

 

Export subtree: This context menu command in the Case Data window allows you to export a pseudo-graphical representation of the selected subtree to a Unicode text file, which is best viewed with a fixed-width font. The exported tree reflects the current state of subdirectories (expanded or collapsed). The menu command is available for evidence objects and also for directories if you hold the Ctrl key when right-clicking a directory in the case tree. Remember that to fully recursively expand a portion of the tree that you want to export, you can click the root of that portion and press the asterisk (multiplication) key on the numeric keypad.

 

Attach external files: This command allows you to attach external files as child objects to their original counterparts (after decryption, translation, conversion, OCR, ...) in multiple evidence objects at the same time, automatically, if they are named after the unique ID of the original files. (The filename extension is ignored.) You can name the files after the unique ID when you copy them off the image with the Recover/Copy command, and you do not need to preserve the path, as the unique ID already fully identifies the file. This is useful if you wish to apply external tools that have problems with overlong paths to the copied files and then bring the result back into the volume snapshot.

 

When attaching external files (e.g. after decrypting, converting, translating, ...), you are given four options:

1) the attached file can become a child object of the original file

or

2) the attached file can become a sibling of the original file (shown next to it, in the same directory)

or

3) the attached file can replace the original file (original file no longer present)

or

4) the attached file can replace the original file, and the original file can become a child object of the new file if still needed.

You can select the attachment method separately for ordinary files and e-mail attachments. The latter three methods are particularly useful for e-mail attachments because only direct child objects of .eml files are embedded in the parent .eml file when recovering/copying those .eml files. So if you would like to have the decrypted/converted/translated version of an attachment embedded in the .eml file, that version should not become a grandchild object as in previous versions. If you want both the original and the new version to be embedded, make them siblings. If you do not need the original version embedded, replace it completely or preserve it only as a child object of the new version (i.e. as a grandchild of the .eml file).

 

The attached files adopt the classification of the original files, e.g. as extracted e-mail messages or OLE2 objects. If the original files have no special classification, the attached files will be simply marked as attached files.
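
A pre-attach check for the naming rule described under Attach external files, as an added example that is not part of X-Ways or its documentation: it verifies that the files returned by an external tool still carry the unique ID of a copied-off original. It assumes the unique ID is the file name minus its last extension; the directory names and ID values are constructed for the demonstration.

```python
import tempfile
from collections import defaultdict
from pathlib import Path


def check_attach_staging(originals_dir, processed_dir):
    """Compare processed files against the originals copied off the image.

    Assumption: the unique ID is the file name with its last extension
    removed, because the extension is ignored when files are matched.
    """
    original_ids = {p.stem for p in Path(originals_dir).iterdir() if p.is_file()}
    by_id = defaultdict(list)
    # Paths need not be preserved, so subfolders made by the tool are searched too.
    for p in sorted(Path(processed_dir).rglob("*")):
        if p.is_file():
            by_id[p.stem].append(p.name)
    return {
        # exactly one processed file for a known original
        "matched": sorted(i for i, names in by_id.items()
                          if i in original_ids and len(names) == 1),
        # several files share one ID once the extension is ignored
        "ambiguous": {i: names for i, names in by_id.items() if len(names) > 1},
        # renamed by the tool, so the name no longer equals any original's ID
        "orphaned": sorted(n for i, names in by_id.items()
                           if i not in original_ids for n in names),
        # originals for which the tool returned nothing
        "unprocessed": sorted(original_ids - set(by_id)),
    }


def demo():
    """Build a constructed staging area and return the report for it."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, proc = Path(tmp, "copied_off"), Path(tmp, "ocr_output")
        orig.mkdir()
        (proc / "batch1").mkdir(parents=True)
        # Constructed placeholder IDs; real IDs come from the Recover/Copy output.
        for name in ("0-1001.pdf", "0-1002.tif", "0-1003.docx", "0-1004.jpg"):
            (orig / name).write_bytes(b"original")
        for rel in ("0-1001.txt", "batch1/0-1002.txt", "0-1003.txt",
                    "0-1003.pdf", "0-1002_ocr.txt"):
            (proc / rel).write_bytes(b"processed")
        return check_attach_staging(orig, proc)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
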

 

Export Files for Analysis: This menu command in the Case Data window can be applied to the entire case and from there to selected evidence objects, or to the active evidence object only. It uses the interface for external analysis of files to invoke external automated analysis tools such as DoublePics.

 

There is a context menu for directories, too. It is displayed when right-clicking a directory depending on the General Options and depending on whether you hold the Shift key at the same time. Otherwise right-clicking a directory means to explore it recursively.