Nuix Proof Finder Reference Guide


Nuix Proof Finder Reference Guide
Working with Cases and Loading Data
Version 7.2

Working with Cases

Nuix enables you to create new cases and add evidence to existing cases. During this process, you specify the files, directories, or mail stores you want to add to the case. Nuix then ingests the items and processes them, adding Nuix metadata and indexing them for search, analysis, review, and export tasks. There is no specified limit for adding items to a single case.

Creating a Case

The first step in getting data into Proof Finder is to create a case, which is the container for a collection of data that holds the evidence for a particular investigation. You can create a new case by selecting New Case from the Welcome Screen or by selecting File > New Case from the File menu.

August 2017 Nuix Proof Finder Reference Guide PAGE 2 of 23

New Case Settings

The New Case dialog box allows you to create a simple case or join several small cases together into a compound case.

To create a case:

1. Specify a case name.
2. Select the directory location to save the case.
3. Specify the investigator (name or ID) for the case.
4. Briefly describe the case so that it is easily identifiable.
5. For Case type, select either Simple or Compound. When you create a simple case, you can add to it any collection of items (emails, documents, images, etc.), which are then ingested and indexed. A compound case is one that ties together multiple simple cases that have already been processed; you cannot add individual items to the collection during this step when you create a compound case.
6. Select OK to save the case.

You can edit these details later by navigating to File > Case Properties. The information you specify here is saved as a part of the case properties.

Proof Finder creates the case and the Add Case Evidence dialog box displays, allowing you to add evidence for further processing.

Open an existing Case

To open an existing case, follow one of these methods:

Select a case from the list of recently opened cases that are displayed on the welcome screen.
Select Open Case from the welcome screen.
Select File > Recent Cases or File > Open Case from the File menu.

Editing Case Information

To edit the descriptive case information defined when a case was created, select File > Case Properties. The Case Properties dialog box displays.

The Case Properties dialog box allows you to edit the case Name, Investigator and Description. This dialog also allows you to set the investigation time zone (the time zone associated with the source data), which controls all of the date/time values presented in Nuix. This allows investigators to view the result sets and Event Maps based on the geography/time zone of the custodian(s). Nuix also applies this time zone to the exported metadata during all exports.

Nuix stores all date/time values in absolute time or system time. Absolute time or system time is recorded as the number of ticks since epoch: http://en.wikipedia.org/wiki/system_time. For each date/time, Nuix calculates the offset based on the time zone, then stores the system time.

Helpful Links

The following helpful links are listed on the right side of the Proof Finder Home window:

Help Topics shows a listing of help topics as a quick reference including:
  ChangeLog
  License Agreements
  How to Search
  Scripting Reference
Online Help - navigates to the online version of the product documentation
Download Updates shows helpful information including:
  Download, Install, Purchase, Activate Proof Finder
  License Terms and Conditions
  Six Things to Look Out for as You Get Proof Finder Working

Loading Data

Adding Case Evidence

After creating a new case, you can add evidence to be ingested through the Add Case Evidence dialog box, which appears immediately after setting the properties of the case. The Add Case Evidence dialog box allows you to add, remove and edit the metadata of case evidence before Proof Finder retrieves and processes it.

Evidence can be added either as a static folder, folder of files, image or mail store, or as a repository of evidence that can be re-scanned to index new files added. Each piece of evidence can contain multiple files, directories or mail stores. The evidence names within cases should be unique, in case you ever combine the simple case into a compound case.

From the Add Case Evidence dialog box, select Add > Add Evidence; the Add/Edit Evidence dialog box displays. When you select Add, the following options are available:

Add Files - allows the selection of files from a computer, network or external drive (for example: PST, EDB, NSF, MBOX, etc.).
Add Folders - allows the selection of a directory that includes all files to be processed. This option is recommended for importing an EnCase or Compressed EnCase image.
Add Split "DD" Files - allows the selection of the initial DD image files from a directory to add to the case. DD files can be segmented image format files. All the file segments reside in the same directory, and adding the initial or leading segment (file) adds the remaining segments as well.
Add this Computer - allows the addition of the local host computer as evidence.
Add Load File - allows the addition of an Autonomy, Concordance, or EDMR XML load file to the case.
Add Network Location - select from the following optional locations:
  Add Mail Store - selects an individual mail store via POP or IMAP. Use this method to connect to Novell GroupWise or to corporate mail servers that support POP and IMAP connections, as well as for loading Gmail, Hotmail and other internet-stored email data. To collect information from any of these sources, the appropriate credentials must be provided to Nuix. In the Add Mail Store dialog box, specify the mail store type, server hostname, server port, username and password, and click OK.

Note: Connecting to corporate mail servers can result in exporting large volumes of data, which can put a heavy strain on the server. Storing a binary copy of the items harvested from a Mail Store should also be considered best practice, as pointers to items can often change within mail servers.

From the Add Case Evidence dialog box, select Add; the Add/Edit Evidence dialog box displays. You will need to describe the set of evidence that you are adding, including certain metadata properties:

Content - allows for free text entry.
Evidence Name - allows you to uniquely and intelligently describe the evidence for future reference within your case. You should use unique, meaningful evidence names, as you can both search for these names and view them in the Document Navigator, but you cannot change them once the evidence is processed.
Comments - allows you to add an optional description or further information about the evidence you are adding.
Custodian - optionally allows the assignment of a custodian name to all the evidence which has been added for processing. This custodian name can be added or modified post processing within the case.
Source Time Zone - should be set to reflect the original time zone in which the evidence was harvested. Nuix will record date/time values exactly as it finds them in the evidence stores; Nuix stores date/time values in UTC format. The Source Time Zone can be used to adjust date/time values when creating load files/reports and rendering items to PDF or to TIFF format for items that do not store time zone information, if the default Investigator time zone is not used.
Source Encoding - numerous encoding options are available to choose from.
Evidence Metadata - allows you to add custom metadata to every item within a given set of evidence, either manually or by importing it via a .csv file.

You can also set the processing settings for each load of evidence from the Settings section at the bottom right corner.

Note: You can only add custom metadata when you add the evidence for processing. Once Proof Finder loads the data, you can only add tags and comments to items.

Adding evidence as a repository allows the evidence location to be re-scanned and any new files added to the repository to be indexed in addition to the originally indexed evidence. When adding an Evidence Repository, add the root folder that contains the evidence. Each immediate sub-folder inside this folder will be added as a separate evidence container. Each immediate sub-folder can also be added as a new custodian on ingestion if desired, with the name of the sub-folder creating the custodian name.

Evidence Processing Settings

When you add evidence to a simple case or reload data from a source location, you can specify the type of processing you wish Proof Finder to perform on the data. The available tabs for Evidence Processing Settings are:

Data Processing Settings - lets you set various options for how the data will be processed.
MIME Type Settings - lets you set Proof Finder to not process a particular evidence type, based on the MIME type of the evidence.
Parallel Processing Settings - lets you set how individual worker machines will operate in a distributed processing environment.
Decryption Keys - allows you to configure keys and passwords required to decrypt PGP and S/MIME emails.
Audit Filtering - allows you to define a digest list to exclude items from the audit report. This tab is only visible for audited license types and displays only if you are using an Audit license.

Data Processing Settings

Data Processing Settings - allows granular control over how evidence is ingested and reloaded.

Proof Finder offers the following options for processing evidence:

Perform Item Identification - allows items to be recognized with full metadata, or with minimal metadata if only performing a light scan on a folder of files.
Calculate Processing Size Up-Front - enables the progress bar to display progress during the ingestion process by the physical file size of the evidence.
Traversal - three options are provided for traversing the documents when ingesting:
  Process Loose Files but not their contents - will ingest only the files found at the directory level without further extraction of attachments or internal items.
  Process Loose Files and forensic images but not their contents - allows forensic images to be treated like a file directory along with any loose files for ingestion without any further extraction.
  Full traversal - extracts all the items.

Evidence Settings:

Reuse Evidence Stores - allows new evidence to be added to existing evidence indexes, which in turn will result in faster searching and exporting.

Calculate Audited Size - allows the audit size field to be populated with a valid file size for items. This option is selected by default even if not set, as it is essentially an audited license.
Store Binary of Data Items - allows a binary copy of the item to be stored within the case directory as a static copy, up to the maximum size set. Note: Selecting this option will increase the case size considerably, from approximately 50% - 200% of the original data size. This option will also slow the optimum indexing speed down by approximately 15-20%.

Deleted File Recovery & Forensic Settings:

Note: * These options are generally used for larger forensic images. Since Proof Finder's case limit is preset to 15 GB, it would be unlikely these options could be used unless it is an extremely small image.

*Recover deleted files from disk images - recovers all the deleted files from disk images.
*Extract end-of-file slack space from disk images - extracts the end-of-file slack space from disk images.
*Smart process Microsoft Registry files - smart processes registry files.
*Extract from mailbox slack space - extracts files from mailbox slack space.
*Carve file system unallocated space - carves files from the file system unallocated space.

Family Text Settings:

Create family search fields for top level items - creates an extra field in the text index that contains the text of the top level item as well as the text of the descendants of that item. Note: This field is hidden in the UI and is only used to facilitate faster searching.
Hide Immaterial Items (text rolled up to parent) - prevents the extraction and presentation of immaterial items in the results pane. The extracted text from hidden immaterial items is rolled up to its parent item so it is available for searching.

Text Indexing Settings:

Analysis language - allows the selection of the language to be used. Only one language can be used per evidence store, and it cannot be changed when using the Reuse Evidence Store option.
Use stop words - allows the English language stop words to not be indexed. Note: DTSearch excludes stop words from its index by default. This can result in different search counts being returned when comparing the results of Proof Finder and DTSearch based proximity queries.
Use stemming - allows the stemming of all words during processing. Note: Proof Finder does not store both the stemmed and unstemmed variants of the words in the index, therefore it is very important to understand how stemming impacts a data set.
Enable exact queries - stores the text content of items so as to enable the use of punctuation and capitalization when searching, essentially doing an exact string match. Note: Remember to use single quotes (' ') around your search term to invoke exact queries.

Item Content Settings:

Process text - allows you to capture text from the processed evidence items.
Enable near-duplicates - enables the creation of word shingles to allow for near duplicate detection within the case.
Enable text summarization - enables the identification of word shingles to allow for Near Duplicate detection and clustering within the case.

Named Entity Settings:

Extract named entities from text - enables the capture of named entities from text for further analysis.
  Include text stripped items - allows you to include text stripped items while extracting named entities from text.
Extract named entities from properties - enables the capture of named entities from properties for further analysis.

Image Settings:

Generate thumbnails for image data - generates a thumbnail image for any image processed within the dataset.
Perform image colour and skintone analysis - captures skintone information on any images processed within the dataset.

Digest Settings:

Digests to Compute - allows the generation of extra digests, in addition to the default MD5, for file signature checking up to the maximum file size set. Select from SHA-1, SHA-256, and SSDeep. The default Maximum digest size is set to 256 MB.
Maximum Digest Size - specifies the digest size which limits the number of bytes used to compute a digest.
Email Digest Settings - allows you to select additional fields to add to the default fields used in digest creation from emails only. Select from Include BCC and Include Item Date.
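Why the Email Digest Settings options change deduplication results, as an added example that is not Nuix code. The default field list, the normalisation and the use of MD5 over length-prefixed fields are assumptions made for illustration (the guide does not document them), and the three messages are constructed.

```python
import hashlib

# Assumed default fields: the guide does not list the fields Nuix hashes.
ASSUMED_DEFAULT_FIELDS = ("from", "to", "cc", "subject", "body")


def _normalise(value):
    """Make address lists order- and case-insensitive; trim plain strings."""
    if isinstance(value, (list, tuple)):
        return ";".join(sorted(v.strip().lower() for v in value))
    return value.strip()


def email_digest(msg, include_bcc=False, include_item_date=False):
    """MD5 over the selected fields of one email (hypothetical scheme)."""
    fields = list(ASSUMED_DEFAULT_FIELDS)
    if include_bcc:
        fields.append("bcc")
    if include_item_date:
        fields.append("date")
    h = hashlib.md5()
    for name in fields:
        encoded = _normalise(msg.get(name, "")).encode("utf-8")
        # Length-prefix every field so that shifting text between two
        # fields can never produce the same byte stream.
        h.update(f"{name}:{len(encoded)}:".encode("ascii") + encoded)
    return h.hexdigest()


def unique_items(messages, **options):
    """Number of distinct digests, i.e. items left after deduplication."""
    return len({email_digest(m, **options) for m in messages})


# Constructed sample data: one email seen from three places.
BASE = {
    "from": "alice@example.com",
    "to": ["bob@example.com"],
    "cc": [],
    "subject": "Q3 forecast",
    "body": "Numbers attached.\n",
}
# Sender's Sent Items copy: the only copy that still carries the BCC list.
SENT_COPY = dict(BASE, bcc=["auditor@example.com"], date="2017-08-01T10:00:00Z")
# Recipient's copy: BCC is not visible to the recipient.
INBOX_COPY = dict(BASE, date="2017-08-01T10:00:00Z")
# The same content sent again the next day.
RESEND = dict(BASE, date="2017-08-02T09:15:00Z")
SAMPLE = [SENT_COPY, INBOX_COPY, RESEND]

if __name__ == "__main__":
    for opts in ({}, {"include_bcc": True}, {"include_item_date": True},
                 {"include_bcc": True, "include_item_date": True}):
        print(opts or "defaults", "->", unique_items(SAMPLE, **opts), "unique")
```

With the assumed defaults all three copies collapse into one item; each added field splits out the copies that differ in that field, which is the trade-off to weigh before processing, since digests are computed at ingestion.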

MIME Type Settings

The MIME Type Settings tab allows you to control the types of evidence items processed by Proof Finder, including options for ignoring particular parts of the evidence item, based on the item's MIME type.

Select the MIME Type that needs to be processed. The table lists the following options:

Enable MIME Type - processes the MIME Type. Note: By deselecting this option, all other options are cleared and therefore the selected MIME type is not processed.
Process descendants - processes descendants found within items of this MIME type. Some examples of descendants are files within a zip archive, or files attached to one or more email messages stored within an email store.
Process text mode - processes the text of the selected MIME types. You can select the Process Text, Text Strip, or No Processing options. If you have selected the Text Strip option, by default the descendants are unselected.

Process images - allows generation of thumbnails and capture of skin-tone information when processing images for the selected MIME types.
Process named entities - processes Named Entities on the selected MIME type. The Enable named entity recognition option from the Data Processing Settings tab must be selected to enable the identification and capture of named entities within the data set for further analysis.
Store Binary - stores the binary of the selected MIME type. The Store Binary of Data Items option from the Data Processing Settings tab must be selected to store the binary format within the databases in the case directory.

TIP: Use (Ctrl+F) to search MIME types easily by entering keywords.

Parallel Processing Settings

The Parallel Processing tab allows you to control how the Proof Finder workers operate while processing (ingesting) the data. If you are using Proof Finder in a parallel processing environment, review the information about distributed processing in the Installation and Configuration Guide.

Proof Finder offers the following Worker settings:

Number of Workers - sets the number of nuix_single_worker.exe instances to use during a processing job. In the majority of cases, you should always set this to the maximum available based on your license. However, there are some cases when the number of workers needs to be reduced and the amount of RAM increased to successfully process a dataset. By default, the value is set to the maximum allowed by your license.
Memory Per Worker (MB) - sets the amount of RAM that each nuix_single_worker.exe has available during a processing job. Proof Finder does not immediately consume the allocated memory, but rather sets this as a threshold for the Java Virtual Machine. By default, the value is set to 1,000. Note: The sum of ("Number of Workers" × "Memory per-worker") + "System Options Application Memory" should be at least 2GB less than the total available RAM on the system.
Worker Temp Directory - specifies the temporary location used by Proof Finder during processing. Proof Finder will use this directory as cache for any files that it needs to write to disk. Note: When processing Lotus Notes data, Proof Finder will create one copy of the active NSF file for each nuix_single_worker.exe. For example: If you are processing one 10GB NSF file with a 4-core license, Proof Finder creates four copies of the NSF file in the case temp directory.

Decryption Keys

The Decryption Keys tab allows you to configure keys and passwords to be used when processing:

Encrypted PGP and S/MIME email messages
Mail Xtender key store volumes
Encrypted Lotus Notes ID files

On encountering an encrypted email, Proof Finder reads private keys from its configured key ring collections or key stores and, on finding a matching key ID within the collection or store, decrypts the email.

PGP Email Decryption

Proof Finder allows you to import key ring collections from both ASCII-armored and binary files. To add a key ring collection:

1. Select Add and select the files to be added. The keys are then added to the Decryption Key Management list, where it displays:
   Unique Identifier - displays a unique key ID (the last few digits of the fingerprint of the key). It allows the user to distinguish multiple keys and sub-keys of the same user in a key ring collection.
   User ID - displays the user identity, such as the user's email address, name or any unique string that identifies the user to PGP.
   Key Type - for PGP, the key type is PGP/MIME keyring.
   Password - allows you to enter a password for each key.
2. Enter the passwords for the keys and select OK to save changes.

S/MIME Email Decryption

Proof Finder allows you to import PKCS12 key store files with .p12 or .pfx extensions. To add key store files:

1. Select Add and select the files to be added.
2. On selecting Open, the Enter Password dialog box displays, prompting you to enter a password for the key store file. The key store files are password protected at the file level, therefore you must provide a password before the file is added to the Decryption Key Management list.
3. Once you have entered the passwords, the list is populated with keys found within the key stores, where it displays:
   Unique Identifier: Displays the S/MIME key alias.
   User ID: Displays the friendly name configured for the key, if any.
   Key Type: For S/MIME, the key type is PKCS#12 File.
   Password: Proof Finder does not support individual passwords for S/MIME keys but supports key store level password protection.

Mail Xtender Volumes

Proof Finder allows you to import Mail Xtender key store volumes with a .emx extension. Each volume has a password, which must be associated with the volume file. To add a key store file:

1. On the Decryption Key Management tab, select Add Keystore.
2. Select a Mail Xtender volume file (this is the same file that will be added as evidence to the case). The Mail Xtender volume identifier will be read from the selected file and will be added as an entry to the password table.
3. Type the password for the file in the Key Password field.
4. Repeat these steps for other volumes to be added to the case evidence.

Alternatively, a regular expression can be specified and all volume identifiers that match the regular expression can have the same password applied to them. To add a regular expression:

1. On the Decryption Key Management tab, select Add password Regex.
2. From the Data type dropdown, select Mail Xtender.
3. Enter a regular expression search string in the Regular Expression field. The simplest one that will match all volume identifiers in a case is .*
4. In the Password field, enter the password that will be applied to all volumes that match the regular expression.
5. Select OK.

Lotus Notes ID

Proof Finder allows you to import Lotus Notes ID files and map them to NSF mail stores that are in the evidence. Notes ID files and their corresponding passwords are required to decrypt encrypted NSF files. To add a Lotus Notes ID file:

1. On the Decryption Key Management tab, select Add Lotus Notes ID. The Lotus Notes ID File Mapping dialog box displays.
2. In the NSF file field, specify the encrypted NSF file name you wish to associate with an ID file. It is optional to specify the complete path of the filename.
3. In the ID file field, browse to the location of the corresponding ID file.
4. In the Password field, enter the corresponding password for the ID file.
5. Select OK.

The supplied password is validated against the ID file before proceeding, and an error is displayed if it is incorrect. Ensure you have valid credentials to proceed. Once the password is validated, the entry is added to the Decryption Keys list and will be applied to the encrypted NSF during extraction.

Processing Tab

The Processing tab displays information about the job that is being processed in real time. Nuix displays the progress of the job, file statistics, and an overall job status with a time to completion. This tab is displayed only when you load data into a newly created case, or when you add evidence to a case. Once closed, it is no longer available for viewing, but processing statistics are always available for viewing in the Results pane, when you View by: Statistics.

The tab is divided into three main areas:

Progress - logs the processing events, including the data being ingested and other related operations, with a time stamp.

Statistics - displays the types of files processed, with the number corrupted, encrypted, deleted, and related job percentages.
Job Status - displays the status of the overall job.

At the bottom of the tab, you can also view the elapsed time since the job began, and a status bar showing percent complete.

From this tab, you can perform the following tasks:

Pause a job - halts the processing job temporarily, at which point the Resume button becomes active. Pausing and then clicking Stop is the same as just clicking Stop.
Resume a job - continues processing from the point where it was left off.
Stop a job - displays a dialog that provides two options for stopping case processing, Stop and Abort. Refer to Interrupting a Processing Job for more information.

Interrupting a Processing Job

While it is not advisable to interrupt a processing job, Proof Finder can be paused or stopped while it is ingesting data. From the Processing tab, select one of the following options to interrupt the processing of case evidence:

Pause - temporarily halts the processing job, and the Resume button becomes active. Select Resume to continue processing. Pausing and then selecting Stop quits the processing and cleans up the case. Note: Pausing is a temporary state. You cannot pause a processing job in Proof Finder, restart your computer and reopen Proof Finder to resume processing. If you are looking to exit out of Proof Finder completely, select the Stop or Abort option.
Stop - displays the Stop Processing dialog box. Select Stop to quit processing and clean up the case, Abort to quit processing and exit the case, or Cancel to resume processing.

Note: Stopping or aborting processing can take time, as Proof Finder needs to get to a point at which it can stop/abort.

The Statistics Tab

The Statistics tab offers an itemized listing of all file types processed in the case and their respective frequency within the dataset, including a listing of the raw file extensions found and any files classified as irregular files. The Statistics tab offers a good overview of the items in the case and should be carefully reviewed after you load data into a new case and subsequently each time you add evidence to a case.

Open a new Statistics tab by going to Reports > New Statistics Tab. The tab is divided into three main areas:

Processed Files - shows statistics (processed, corrupted, encrypted, and deleted) by file type, including the percentage of that file type within all items processed. The Processed Files section includes the files marked as irregular files.
Raw File Extensions - shows the number of items for each file extension type found within the raw ingested files.
Irregular Files - shows how many of the processed items were marked irregular, and the percentage of each irregular file type within all items marked as irregular. Files listed as Irregular are still represented in the Processed Files section; the Irregular Files designation is simply an additional attribute associated with the item.

Note: Nuix does not rely on an item's extension to determine its file type. Nuix checks the contents of the file to ensure it accurately associates the file type. This eliminates the chance to hide evidence simply by changing the file extension.

The Statistics tab differs from the View by: Statistics feature in the Results pane. While the Statistics tab shows information about all case evidence, the latter view only shows information about the items in a given result set.

Statistics for processed files include:

File Type - lists all of the file types encountered during the ingestion process.
Processed - lists the total number of items processed for the specific file type.
Corrupted - lists the total number of items that Nuix was unable to process, or found to be corrupted for a specific file type.
Encrypted - lists the total number of items that Nuix detected as encrypted.
Deleted - lists the total number of permanently deleted items found in Microsoft mail container formats for a specific file type.
Percentage Encountered - lists the percentage, by item count, of the total dataset consumed by the specific file type.

Statistics for raw file extensions include:

Raw File Extension - lists all of the file extensions of the raw evidence encountered during the ingestion process.
Processed - lists the total number of items processed for the specific raw file extension.

Percentage Encountered - lists the percentage, by item count, of the total dataset consumed by the specific raw file extension.

Types of irregular files include:

Text Stripped - items where Nuix recognized the file type, but does not have a routine to cleanly extract all text and metadata in accordance with the file type's API. This results in an item that is searchable, but the text may be garbled or not be properly formatted.
Unrecognized - items where Nuix did not recognize the header and was therefore unable to assign a MIME type.
Bad Extension - items whose file type (MIME type) is not consistent with their file extension.
Corrupted - items that Nuix has been unable to process.
Deleted - items that Nuix extracted from the slack space of Microsoft email boxes or that are flagged as deleted within an EnCase Logical Evidence File (LEF).
Encrypted - items that Nuix has determined to contain encrypted content. Nuix still extracts metadata, and as much information as possible from an encrypted file, but Nuix is unable to index all of the content.
Unsupported Items - items for which Nuix was unable to extract any content or text.
Non-Searchable PDFs - items that are determined to be a PDF through header recognition, but do not contain text that can be indexed.
Empty - items that are zero (0) bytes in size.

You can perform the following operations within the Statistics tab:

Open a result set containing items for a specific file type by double-clicking on any row in the Statistics tab.
Sort a column in ascending or descending order by single-clicking in the column header. The default is ascending.
Export the Statistics view by using File > Export > Export View to export file type column values as displayed in the user interface. Similarly, copying and pasting the table to a CSV displays the file type column values as displayed in the user interface.
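The content-based typing and the Bad Extension, Unrecognized and Empty categories described above can be illustrated with a short script. This is an added example, not Nuix code and not Nuix's detection method; the signature table, the function names and the sample files are constructed assumptions.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Constructed signature table: (magic bytes, MIME type, extensions normally used for it).
SIGNATURES = [
    (b"%PDF-", "application/pdf", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", "image/png", {".png"}),
    (b"\xff\xd8\xff", "image/jpeg", {".jpg", ".jpeg"}),
    (b"PK\x03\x04", "application/zip", {".zip", ".docx", ".xlsx", ".pptx"}),
]

def classify(path):
    """Return (mime_type or None, irregular category or None) for one file."""
    path = Path(path)
    with path.open("rb") as fh:
        head = fh.read(16)
    if not head:
        return None, "Empty"              # zero-byte item
    for magic, mime, extensions in SIGNATURES:
        if head.startswith(magic):
            # The type comes from the content; the extension is only compared to it.
            return mime, (None if path.suffix.lower() in extensions else "Bad Extension")
    return None, "Unrecognized"           # header matched no known signature

def build_statistics(paths):
    """Count items per irregular category, as a Statistics-style summary."""
    return dict(Counter(cat for _, cat in map(classify, paths) if cat))

def make_samples(directory):
    """Write constructed sample files into directory and return their paths."""
    samples = {
        "report.pdf": b"%PDF-1.7\n% constructed sample\n",
        "holiday.jpg": b"%PDF-1.4\n% a PDF renamed to .jpg\n",
        "notes.txt": b"PK\x03\x04 constructed ZIP header",
        "blob.bin": b"\x00\x01\x02\x03 constructed unknown header",
        "empty.doc": b"",
    }
    paths = []
    for name, data in samples.items():
        target = Path(directory) / name
        target.write_bytes(data)
        paths.append(target)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for sample in make_samples(tmp):
            print(f"{sample.name:12} {classify(sample)}")
```

The renamed PDF keeps its content-derived type and is flagged as Bad Extension, which is why renaming a file does not hide it from a content-based review.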
To export file type strings that are used for mimetype search queries, pass the -Dnuix.investigator.statistics.exportQueryFileType=true command line parameter to Nuix.

The Statistics tab is for the entire case, and does not take into account excluded items.

Reload Data

Evidence can be reloaded into a case, updating the existing record and text for the items, by selecting the Import function after selecting the items to be reloaded from the Results pane.

The following options are offered when reloading evidence:

Import Annotations - allows the import of annotations into the current case. Detailed instructions for importing annotations are provided in the next section.

Import Replacement Files - allows the import of single files or complete directories of files, replacing the data, text and pointer to the new native source file for each record. This can be useful to replace encrypted documents with their 'plain text' version. Files imported in this way are assigned the latest MD5, and the original MD5 from processing is also recorded, to ensure files can be matched for chain of custody within the case. After selecting the files to reload, the Evidence Processing Settings dialog displays to allow you to select how the data should be processed when reloaded.

Note: The items to be reloaded do not have to be in the same structure or location as the source data, but it is recommended that replacement files are stored along with the original source evidence as they will be required for any action that points to those files, e.g. exporting or launching native.

Reload Items from Data Source - allows the original source evidence to be reloaded for the selected files with new Evidence Processing Settings. This option can be useful in cases where only a light traversal of the evidence was done in the first instance or an option such as near duplicates was not checked when the evidence was originally processed.

Scan for New Child Items - determines whether any new child items have been added to the selected items. If new child items are found, these items can be ingested into the case.

Sync Items and Descendants - allows you to sync items with their descendants.

Importing Annotations from a File

If you have exported the annotations from a case that has been reviewed, which is typically a subset of another case, you can import those annotations back into the parent case where Nuix automatically applies them to the appropriate items.
To import annotations from a CSV file:

1. Open the parent case into which you want to import the annotations.
2. From the File menu, select Import > Import Annotations. The Open CSV Annotation File dialog displays.
3. Browse to the location where the .csv file is located, select the annotation file, and click Open. The Import Annotations dialog is displayed, showing the GUIDs, Annotations Type (tag or comment), item name, current annotations that exist in the parent case, and the new annotations that were supplied in the case subset (or child case).
4. Click OK to import the annotations into the parent case. For each item, Nuix appends the tags applied in the case subset to any existing tags in the parent case. Nuix only applies unique new tags; duplicate tags are ignored. Technically, this means that an item could be tagged with both Responsive and Nonresponsive tags, for example, if one of those tags was applied to the item in the parent case and another in the child case. After the items are tagged, the Annotation Complete dialog is displayed indicating how many items were annotated.
5. Click OK.

Best Practices

1. Select the options which best suit your analysis requirements, as selecting unnecessary options will only increase indexing time.
2. Ensure you have enough disk space available for the index, specifically for large cases and if storing the binary data.
3. Due to the complexity of datasets, Proof Finder cannot predict indexing times.
4. Consider splitting large cases/data sets into logical groupings, such as by custodian or data type, so that you can divide the processing workload and also easily filter by these groupings later.
5. Processing in smaller batches reduces the risk of reprocessing everything in the event of some failure.

6. Add each grouping of data as either new evidence or as a new case and then join the cases later into a compound case.
7. Plan a consistent naming schema for your cases (simple and compound).

2015 Nuix Software. All rights reserved. Nuix believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided as is. Nuix makes no representations or warranties of any kind with respect to the information in this publication and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Using, copying, and distribution of any Nuix software described in this publication requires an applicable software license.

2013 Nuix Software. All rights reserved.