These are our tried and tested procedures when conducting a forensic analysis using our preferred tools, which include EnCase ver 4.22a, AccessData Forensic Toolkit and various other tools.

1 - Open EnCase and load evidence files
2 - Verify evidence files and check for lost folders on each evidence file where applicable
3 - Conduct file sig / hash analysis over all files
4 - Conduct a gallery review over allocated space
5 - Run script to extract the following:
    bmp, jpg, png etc. from unallocated space
    bmp, jpg, png etc. from swapfile.sys
    pictures from Word docs etc.

6 - I have concluded that email analysis is best done utilising the FTK email analysis tool
7 - Extract history records from unallocated space using histex
8 - Extract history records from netanalysis


Hope this makes sense and is of use to anyone.

I also have the ENCE pdf file which covers EnCase forensic procedures in more detail. I will post it if anyone would like a copy.



regards


8lgm
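
An added illustration of steps 3 and 5 above (not part of the original post, and not the EnCase script it refers to): a minimal signature-based carver that finds complete PNG, JPEG and BMP images in a raw buffer and hashes each one. The function names and the `SAMPLE` buffer are constructed for this example.

```python
import hashlib
import struct

PNG_SIG, JPG_SIG, BMP_SIG = b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"BM"

def png_end(buf, start):
    """Walk PNG chunks (length, type, data, CRC) up to IEND; None if truncated."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        pos += 12 + length
        if pos > len(buf):
            return None
        if ctype == b"IEND":
            return pos
    return None

def jpg_end(buf, start):
    """Naive footer search: first EOI marker (FF D9) after the header."""
    end = buf.find(b"\xff\xd9", start + len(JPG_SIG))
    return None if end == -1 else end + 2

def bmp_end(buf, start):
    """BMP header: total size (uint32 LE) at offset 2, reserved dword must be 0."""
    if start + 14 > len(buf):
        return None
    size, reserved = struct.unpack("<II", buf[start + 2:start + 10])
    ok = reserved == 0 and size >= 14 and start + size <= len(buf)
    return start + size if ok else None

CARVERS = {"png": (PNG_SIG, png_end), "jpg": (JPG_SIG, jpg_end), "bmp": (BMP_SIG, bmp_end)}

def carve(buf):
    """Return sorted (offset, kind, length, sha256) for each complete image found."""
    hits = []
    for kind, (sig, find_end) in CARVERS.items():
        pos = buf.find(sig)
        while pos != -1:
            end = find_end(buf, pos)
            if end is not None:  # record offset, size and hash for the case notes
                hits.append((pos, kind, end - pos, hashlib.sha256(buf[pos:end]).hexdigest()))
            pos = buf.find(sig, end if end is not None else pos + 1)
    return sorted(hits)

# Constructed sample standing in for unallocated space (CRC fields zeroed, not checked).
_png = PNG_SIG + struct.pack(">I4s13sI", 13, b"IHDR", b"\0\0\0\1\0\0\0\1\x08\0\0\0\0", 0) \
       + struct.pack(">I4sI", 0, b"IEND", 0)
_jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed" + b"\xff\xd9"
_bmp = b"BM" + struct.pack("<III", 60, 0, 54) + b"\0" * 46
SAMPLE = b"\0" * 100 + _png + b"A" * 37 + _jpg + b"\0" * 50 + _bmp + b"\0" * 20
```

The JPEG footer search stops at the first `FF D9`, so a file with an embedded thumbnail would be cut short; the two-byte `BM` signature also produces many candidates on real data, which is why the size and reserved fields are checked before carving.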