Forensic Drive Structure

6 posts, 6 users, 564 views
darkpony246 (@darkpony246), New Member, Topic starter:

Hey All,

I was curious how each of you set up your working drive. What I mean is, what is your directory structure for a particular case? I am trying to figure out the best directory structure to use to keep all of my case data organized on my working drive and to configure EnCase accordingly.

Any information would be great.

Tom

Anonymous (@Anonymous), Guest:


I create separate folders for each case with the following naming convention

"year-month-day-clientlastname"

(The date is when the contract is signed and/or the evidence collected.)

Example "2009-04-28-Smith"

Within each folder I create sub-folders to store the drive images, case notes, "files of interest," "photos," etc.

keydet89 (@keydet89), Famed Member:


I generally put everything in a directory on my analysis drive; images and data go into the root folder, based on type and volume. Analysis information, case notes, etc., also go into the appropriate subfolder. I don't often use EnCase, but when I do, I specifically point the ancillary directories (Temp, Index, etc.) to the structure. This way, everything can be archived and/or copied in one folder (or the drive itself removed and archived, if necessary), and the drive wiped easily, as appropriate.

seanmcl (@seanmcl), Honorable Member:


First, I try to make sure that nothing is placed on my OS drive. This can be tricky, since it means making sure that the default TEMP and AppData spaces for each application are set to the correct path, so I move the profile for the Examiner account to a drive other than the boot drive, in order to play it safe.

Second, I place the actual evidence (e.g., device images) on a drive that is separate from where I'll keep the case files out of an overabundance of caution; if I discover contraband in the image and the DoJ decides that they want to take the entire drive, I still have my case notes and don't have to find another location to move them to nor do I have to wipe unallocated space on the evidence drive before turning it over.

For each case, I create a case folder and under that folder I create a separate folder for each application I may be using. This helps me to make sure that everything required by or produced by a specific application is contained within a folder named for the application. Within each of these, I tend to follow the folder layout preferred by the application. For example, EnCase Case Creator creates the Temp, Index and Export folders, so I stick with these.

Finally, I create a folder at the same level as the application folders for my report, as I don't use any specific application to generate this. Also, I have had my report files subpoenaed, so this makes it easy if I need to produce these for a discovery order.

patrick4n6 (@patrick4n6), Honorable Member:


I use a similar naming system to AWTLPI, but I have my image files on one drive and my case files (stuff generated by FTK or X-Ways), results reports, exported files, case photos and such on another drive. The major reason for the two drives is speed. Indexing is substantially faster if your index is on a separate drive from your image file.

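The layouts in the three posts above (a "year-month-day-clientlastname" case folder, one sub-folder per application with the report beside them, and the images on a different drive from the case files) combined into one script, as an added example that is not code from any of the posters. The application names, the exact sub-folder names and the same_volume check are my assumptions, not something the thread specifies:

```python
"""Per-case working-drive layout, following the conventions in this thread.

Added example, not any poster's own code. Assumptions (not from the thread):
the application names, the sub-folder names below and the volume check.
"""
from __future__ import annotations

import os
import re
from datetime import date
from pathlib import Path

# Case folder name: "year-month-day-clientlastname", e.g. 2009-04-28-Smith.
_LASTNAME_RE = re.compile(r"[A-Za-z][A-Za-z'-]*")

# Folders on the case drive, one per application, laid out the way each
# application expects. EnCase's Temp/Index/Export come from the thread; the
# FTK and X-Ways sub-folders are left to the tools themselves. Report sits
# beside the application folders, as seanmcl describes.
APP_FOLDERS: dict[str, list[str]] = {
    "EnCase": ["Temp", "Index", "Export"],
    "FTK": [],
    "X-Ways": [],
}
CASE_FOLDERS = ["Report", "Notes", "FilesOfInterest", "Photos"]
# Folders on the evidence drive: only the images live here, so the drive can
# be handed over as-is without taking the case notes with it.
EVIDENCE_FOLDERS = ["Images"]


def case_folder_name(signed: date, client_lastname: str) -> str:
    """Build 'YYYY-MM-DD-Lastname'; reject names that would not sort cleanly."""
    name = client_lastname.strip()
    if not _LASTNAME_RE.fullmatch(name):
        raise ValueError(f"unusable client name: {client_lastname!r}")
    return f"{signed.isoformat()}-{name}"


def _existing_ancestor(p: Path) -> Path:
    """Nearest existing ancestor of p (p itself if it already exists)."""
    p = p.resolve()
    while not p.exists():
        p = p.parent
    return p


def same_volume(a: Path, b: Path) -> bool:
    """True if a and b are on one volume: drive letter on Windows, st_dev elsewhere."""
    a, b = _existing_ancestor(a), _existing_ancestor(b)
    if os.name == "nt":
        return a.drive.lower() == b.drive.lower()
    return os.stat(a).st_dev == os.stat(b).st_dev


def create_case(evidence_root: Path, case_root: Path, signed: date,
                client_lastname: str, *,
                require_separate_drives: bool = True) -> dict[str, Path]:
    """Create the per-case tree on both drives and return the paths created.

    Refuses to reuse an existing case folder (no mixing of cases) and, by
    default, refuses to put evidence and case files on the same volume.
    """
    name = case_folder_name(signed, client_lastname)
    if require_separate_drives and same_volume(evidence_root, case_root):
        raise RuntimeError(f"{evidence_root} and {case_root} share a volume")
    evidence_case = evidence_root / name
    work_case = case_root / name
    for top in (evidence_case, work_case):
        if top.exists():
            raise FileExistsError(f"case folder already exists: {top}")

    layout: dict[str, Path] = {}
    for sub in EVIDENCE_FOLDERS:
        layout[f"evidence/{sub}"] = evidence_case / sub
    for app, subs in APP_FOLDERS.items():
        layout[app] = work_case / app
        for sub in subs:
            layout[f"{app}/{sub}"] = work_case / app / sub
    for sub in CASE_FOLDERS:
        layout[sub] = work_case / sub
    for path in layout.values():
        path.mkdir(parents=True, exist_ok=True)  # parents=True makes the case folders too
    return layout


if __name__ == "__main__":
    # Hypothetical drive letters, purely for illustration.
    for key, path in create_case(Path("E:/Evidence"), Path("F:/Cases"),
                                 date(2009, 4, 28), "Smith").items():
        print(f"{key:16} {path}")
```

The volume check compares the drive letter (Windows) or device number (POSIX) of the nearest existing ancestor, so it works before the case folders exist; pass require_separate_drives=False only on a scratch machine where both roots are deliberately on one disk.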
jhup (@jhup), Noble Member:


I create separate TrueCrypt volumes for each case with YYYYMMDDCaseID as the name.

The rest is similar to the others' solutions: app report folders, and the final report.
