Evidence Objects

WinHex & X-Ways



You may add any currently attached computer medium (such as a hard disk, memory card, USB stick, CD-ROM, DVD, ...), any image file, directory or ordinary single file to the active case. It will then be permanently associated with this case (unless you remove it from the case later), displayed in the tree-like case structure, and designated as an evidence object or source of evidence. A subfolder is created in the case folder for each evidence object; by default, files that you copy/recover from that evidence object are saved there, so it will always be obvious from which object exactly (and from which case) recovered files originate. If you wish to add more than one file from the same directory to the case, add the whole directory and then exclude or remove the files that are irrelevant.


In the evidence object properties window, you may enter a title or number for that evidence object according to your own conventions. You may change the order of evidence objects in the case tree using the small arrow buttons in the upper left corner, except for "dependent" evidence objects (partitions that belong to a physical disk). The date and time at which it was associated with the active case is recorded and displayed. The internal designation of the evidence object is displayed, as well as its original size in bytes. You may enter comments of arbitrary length that apply to the evidence object, and a technical description of it is added by X-Ways Forensics automatically (as known from the Technical Details Report command in the Specialist menu, plus some essential information about Windows installations, if found in a partition). You may have the program calculate one or two hashes (checksum or digest) of the evidence object and verify them later, so that you can be sure that data authenticity has not been compromised in between. Hashes stored in evidence files are imported automatically when the file is added to a case. You may disable the automated log feature for a specific evidence object if the log feature is enabled for the case as a whole.


To add images or media to a case, you can use the "Add" commands in the case data window's File menu. When adding images, you can also select that the volume snapshot of newly added evidence objects should be refined immediately. Another way to add opened images or disks to the case is the "Add" command in the context menu of the data window's tab.


The command "Replace with New Image" in the context menu of an evidence object allows you to replace a disk that is used as an evidence object in your case with an image (useful if you first preview the disk before you acquire it, i.e. create an image of it), without losing your volume snapshot, search hits, comments, etc. The command can also be used simply to tell X-Ways Forensics the new path of an image in case the image was moved or the drive letter has changed, or if the image filename was changed, or if the type of the image was changed (e.g. a raw image to be replaced with a compressed and encrypted .e01 evidence file). In the case of a physical, partitioned evidence object it is recommended to apply this command to the parent object (i.e. the physical disk). The change will then automatically also be applied to the child evidence objects (i.e. partitions). If the new image is an image of a different disk or a different evidence file container or an evidence file container that has been filled further, i.e. if the volume snapshots cannot match, you will likely get a warning because the size of the new image is different from the size of the previous image.

Time and again, users of X-Ways Forensics try to use this command to replace an evidence object in a case with a different evidence object, although that does not make any sense, because the technical description, the volume snapshot, any search hits, comments and report table associations would not fit the other evidence object. These users then typically complain that they receive an error message. The message is displayed because X-Ways Forensics usually notices, based on the size, that the new image is a totally different image. If you no longer need evidence object A in your case and you need to add an evidence object B, then you can simply remove A and add B. There is no alternative to that, and an alternative is neither reasonable nor required.


It is possible to open an evidence object even if the disk or image is not currently available, via a special command in the evidence object's context menu, to see at least the volume snapshot. That means you can see all the file metadata stored in the volume snapshot (filename, path, file size, timestamps, attributes, etc.), can use most filters etc., but cannot see any data in sectors and cannot open/view any files.


In the Case Root window, evidence objects can be marked as important with a yellow flag, via the context menu or by hitting the Space bar. You will see that yellow flag in the Case Data window and when selecting evidence objects, for example for recursive exploration from the Case Root or when generating a report.


In the properties of evidence objects with a FAT file system you can optionally define which time zone the local timestamps in that file system are based on, if you have an idea/opinion about that. That time zone depends on the settings of the computer or device that wrote to the file system. (Keep in mind that those settings may have changed over time, so a single time zone may not be adequate to get all timestamps right.) If you define the time zone reference, file system level timestamps are presented according to the selected display time zone and no longer in their original local time. They are internally converted from local time to UTC (based on your time zone reference) and then from UTC to the display time zone, at the moment when the timestamps are displayed. The effect is not permanent; the reference time zone setting can be changed at any time. The definition of a time zone reference is lost if you open the case in versions older than v19.3.


When copying files from FAT file systems to an evidence file container, file system level timestamps of these files are usually marked in the container as based on an unknown local time zone, so that they will not be time zone adjusted when reviewing the container in the future. If, however, you are certain about the original time zone and define the time zone reference for the source evidence object, the timestamps are converted to UTC within the container based on the reference time zone and marked in the container as timestamps in UTC, permanently. In that state the timestamps will later be adjusted according to the selected display time zone, even if you change your mind and change the reference time zone in the source evidence object. The evidence file container is self-contained and separate from the source evidence object once files have been copied.
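The two preceding paragraphs describe one conversion rule applied at two points (display and container export). The following Python model is an added illustration, not code from X-Ways Forensics; it decodes the raw FAT directory-entry date/time words, then applies the reference zone only when one is defined. It assumes fixed-offset zones, which is exactly the simplification the caveat above warns about when a device's zone or DST setting changed over time.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed sample: FAT date/time words for 2021-03-14 10:30:00 local time.
SAMPLE_DATE_WORD = 0x526E
SAMPLE_TIME_WORD = 0x53C0

def fat_to_naive(date_word: int, time_word: int) -> datetime:
    """Decode FAT 16-bit date/time fields into a naive (zone-less) local datetime.

    FAT stores local wall-clock time: 7-bit year since 1980, 4-bit month,
    5-bit day; 5-bit hour, 6-bit minute, 5-bit two-second count.
    """
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)

def to_utc(local_ts: datetime, reference_tz: timezone) -> datetime:
    """Interpret a naive FAT timestamp in the reference zone and return it in UTC."""
    return local_ts.replace(tzinfo=reference_tz).astimezone(timezone.utc)

def for_display(local_ts: datetime, reference_tz: Optional[timezone],
                display_tz: timezone) -> Tuple[datetime, str]:
    """Display rule: without a reference zone the original local time is shown
    unchanged; with one, local -> UTC -> display zone at display time only."""
    if reference_tz is None:
        return local_ts, "original-local"
    return to_utc(local_ts, reference_tz).astimezone(display_tz), "display-zone"

def for_container(local_ts: datetime,
                  reference_tz: Optional[timezone]) -> Tuple[datetime, str]:
    """Container rule: without a reference zone the timestamp is stored as-is and
    flagged 'unknown local zone' (never adjusted later); with one it is stored
    in UTC permanently, independent of later changes to the reference zone."""
    if reference_tz is None:
        return local_ts, "unknown-local"
    return to_utc(local_ts, reference_tz), "utc"

if __name__ == "__main__":
    ts = fat_to_naive(SAMPLE_DATE_WORD, SAMPLE_TIME_WORD)
    ref = timezone(timedelta(hours=1))      # assumed reference zone (constructed)
    disp = timezone(timedelta(hours=-5))    # assumed display zone (constructed)
    print(for_display(ts, None, disp), for_display(ts, ref, disp))
    print(for_container(ts, None), for_container(ts, ref))
```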