Join Us!

Freeing up room on ...
 
Notifications
Clear all

Freeing up room on Encase cache drive  

  RSS
honor_the_data
(@honor_the_data)
New Member

Hello everyone. I'm fairly new to Encase and now I'm running into the issue of my cache drive being nearly full.

How can I delete the caches for cases that I've already completed?

Could I also delete those old cases from the list of recent cases?

Quote
Posted : 31/05/2019 2:14 pm
jpickens
(@jpickens)
Active Member

When you setup your case option, its best to see where its saving your Cache data. By default it does it in your C\users\_yourname_\Documents\Encase\…. path. This is not optional and should be saved to a disk with large storage. Change it to a larger storage path. Also processing anything with cache being saved to your OS drive is dangerous because it can cause OS issues.

From there you'll know where to delete old cache files, but make sure you don't need them any longer before you do.

ReplyQuote
Posted : 31/05/2019 2:54 pm
honor_the_data
(@honor_the_data)
New Member

Thanks jpicken. All of my case caches are going to F\EnCase\EvidenceCache. Within F\EnCase\EvidenceCache I have 16 folders with names like D94J1145A7ECEFC91AAEC499A33B7890.

I do not see anything in the case options that would allow me to correlate those folders to specific cases.

Is there a way to confirm which folder corresponds to which case?
If so, can the folder just be deleted?
Is there a way to delete the cache from within EnCase?

ReplyQuote
Posted : 31/05/2019 3:07 pm
honor_the_data
(@honor_the_data)
New Member

I figured out a clunky way to free up space on my cache drive.

1- Open a cache folder, e.g. F\EnCase\EvidenceCache\D94J1145A7ECEFC91AAEC499A33B7890 (I just realized that the long string is the evidence GUID)
2- Open the performanceCounters_########.csv file.
3- Review the EVIDENCE_NAME, and EVIDENCE_PRIMARY_PATH the determine the related case
4- Open that case OR Create a new case (e.g. Cache_Cleanup) and add the evidence using the EVIDENCE_PRIMARY_PATH
5- Select the evidence whose cache you wish to remove
6- Select the Overwrite evidence cache option
7- Deselect every processor task (or at least the ones that take up a lot of room, like the index)
8- Run processor

Going forward I will create a cache folder for each individual case, rather than using the same folder for each case.

ReplyQuote
Posted : 31/05/2019 5:18 pm
Share: