About a year ago, we began using tools outside of EnCase to perform imaging. This caused some initial confusion when importing evidence into EnCase and certain expected fields were no longer filled in. The following was written to compare which case fields were common between EnCase (version 6.17 I believe) and FTK Imager (2.9). The following is a mapping of fields.
|FTK Field||EnCase Field|
|Unique Description||Evidence Name|
|Evidence Number||Evidence Number|
Although we now primarily use Tableau’s Imager (TIM) and Guymager, any time we do use FTK Imager we will place the case number and suspect’s name in the notes section. This gives us some added flexibility in passing along information depending on who is processing and what application they are using. Of course, the imaging log file is present, but knowing not to rely exclusively on field names was a learning lesson. This has not been tested with EnCase version 7.