Encase 8.11 Processor Issues  

mkel2000
(@mkel2000)
New Member

I have a case I'm working on that has multiple images; the largest disk's original size was 2TB. What I have done for some time is run multiple passes with Processor to cut down the number of files that I have to index, create thumbnails for, etc. The first pass is to run Hash Analysis using Encase NSRL hash sets, File Signature Analysis and Protected File analysis. Once I get that done, I filter out the Known files based on hash analysis and create a results set with everything else. I then run processing against the results set that includes indexing, thumbnails, email, etc. I can usually cut out several hundred thousand files this way that I don't need to do further processing on.

With 8.11 I discovered that Encase re-runs hash analysis, file signature analysis and protected file analysis every time you run Indexing. It even says it will do this in the right pane of the Processor window if you uncheck one of those items in the processing list. I don't recall in past versions Encase re-running these processes. Encase even warns you that once you run those processes you can't run them again without deleting cache files.

Does anyone know how long Encase has re-run these processes when Indexing if they've already been run? It doesn't make much sense to me given the processing options are selectable/deselectable. I don't want to Index or otherwise process hundreds of thousands of files I will never look at. The 2TB image I mentioned took 12 hours just to hash the first time around and I'm running a system with the fastest and latest components I can buy.

Mark

Posted : 01/04/2020 8:02 pm
nightworker
(@nightworker)
Active Member

Are there any Encase users for processing still using it for just email examination ….
Encase is a disappointing legend

Posted : 02/04/2020 9:32 pm
Em-Belkasoft
(@em-belkasoft)
New Member

Have you tried other forensics tools to see how they index stuff and what kind of index operations they execute? You might prefer them.

Posted : 15/05/2020 5:19 pm