
How much is enough?

(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Wonder what your thoughts are on how much testing is enough.

Scenario is that I get involved in quite a lot of extracting mail from Exchange and Enterprise Vault, and passing the resultant PSTs and log files on to external counsel. In the past this has sometimes exceeded 100GB, even date-limited.

In the past I've used FTK Imager to hash/copy (export in FTKI)/hash-the-copy/compare-the-hashes. If all's well, we give the copies and hashes to external counsel and once their Lit Support people get the stuff onto their systems and verify the hashes, we delete the PSTs and log files from our systems.

BUT the separate hash/copy/hash operations often mean having to split the work over a period of days.

I've been looking for something else to do the job and today tested NUIX's Evidence Mover by copying a folder with sub-folders from my computer to an external USB. I hashed the original files with FTK Imager first and then compared the original hashes with Evidence Mover's MD5 hashes and all seems OK.
Then tested again, copying some PST files (up to 8GB) from a network drive to the same external USB, with the same hash operations. Again, all seems OK.

Question - is this enough testing?

If not, what would anyone recommend? If I can rely on Evidence Mover then I would intend skipping the initial hash in FTK Imager.

Cheers


   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

Try Upcopy. http://dmares.com/maresware/tz.htm#UPCOPY
It will be faster than FTK for copying and verifying a good copy with hash verification. It has a lot of other functions too, like copy specific file types/all file types, with directory structure/flatten directory structure, with or without a logfile created, by date range, etc…

It runs fast, can process a mounted Shadow Copy File, and maintains MAC dates/times of the copied files. And it's free.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

… tested NUIX's Evidence Mover by copying a folder with sub-folders from my computer to an external USB. I hashed the original files with FTK Imager first and then compared the original hashes with Evidence Mover's MD5 hashes and all seems OK.
Then tested again, copying some PST files (up to 8GB) from a network drive to the same external USB, with the same hash operations. Again, all seems OK.

Question - is this enough testing?

I get the impression that you are trying to do acceptance testing without a test plan.
If you have to ask if your testing is enough, the answer is probably 'no'. If you don't know if your testing is completed, the answer is definitely 'no'.

Not knowing these products, I am probably just exposing my ignorance. Anyway, what situations do you want to avoid? I guess have the product overwrite information on the destination? Or fail because of lack of writing privileges on the destination drive? Have a disk fail during copy without indication that failure happened? Etc.

Can you create test cases for those? Copy an 8 Gb folder to a 4Gb medium? Or to an 8 Gb NTFS formatted drive, but with no permission to write, or with quota enabled, and not enough of it? Or a target drive with faulty formatting? Add EICAR test virus to the source folder so that antivirus grabs it as it's written to the destination drive? Disconnect the drive connector (or the power connector) during the operation? Manually fault a sector after copy, and check if verification catches it later? Does verification include testing time of copy, or can you end up sending an old copy to someone who shouldn't see it?

Do you have a workflow to start from that targets such problems? If you always format the target medium to FAT32, before copy, NTFS-related faults may depend on how often this work step fails to be performed, etc. Are there other workflow-failed situations to investigate?

Are these only tests before the deployment of a new tool, or are there also tests within a workflow performed each time? If there is a failure, do you only know that it happened, but can't pinpoint when? Do you need to?

Testing is really a discipline of its own … it usually requires something similar to a vulnerability analysis (where everyone is trying to find potential faults) to be able to create appropriate tests.


   
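The single-pass hash-and-copy workflow asked about in the opening post, exercised with three of the test cases suggested in the reply above (a clean copy, an overwrite on the destination, a fault introduced after the copy). This is an added example, not part of any post in this thread and not code from any of the tools named; the function names, file names and the SHA-256 default are assumptions, and `algo="md5"` can be passed to compare against a tool that reports MD5.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so multi-GB PSTs never sit in memory


def file_hash(path, algo="sha256"):
    """Hash a file from disk in chunks and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def copy_with_hash(src, dst, algo="sha256"):
    """Copy src to dst, hashing the source in the same pass; never overwrites dst."""
    h = hashlib.new(algo)
    with open(src, "rb") as fin, open(dst, "xb") as fout:  # "x" fails if dst exists
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())  # push the data to the device before trusting it
    return h.hexdigest()


def run_test_cases():
    """Constructed test cases: clean copy, overwrite attempt, post-copy corruption."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "mail.pst"), os.path.join(d, "copy.pst")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # constructed data, not a real PST
        recorded = copy_with_hash(src, dst)
        results["clean_copy_verifies"] = file_hash(dst) == recorded
        try:
            copy_with_hash(src, dst)  # second copy onto the same destination name
            results["overwrite_refused"] = False
        except FileExistsError:
            results["overwrite_refused"] = True
        with open(dst, "r+b") as f:  # simulate a faulted sector: flip one byte
            f.seek(CHUNK)
            byte = f.read(1)
            f.seek(CHUNK)
            f.write(bytes([byte[0] ^ 0xFF]))
        results["corruption_detected"] = file_hash(dst) != recorded
    return results
```

A read-back done immediately after the copy may be served from the operating system's cache rather than the medium, so on removable drives the destination hash is more meaningful after the drive has been detached and reattached.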
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Thanks athulin.

I guess I had an unwritten test plan, a couple of things I noted which influence the decision as to whether to adopt or not:
1. Evidence Mover creates a logfile in the destination location, file is called “$$$Transfer Log.txt”.
If you copy from one source to a destination, then another source to the same destination, you have to remember to rename or move the first logfile before doing the second copy, otherwise Evidence Mover will overwrite the first logfile - which is not good in our line of business.
2. If you copy a folder - let's say C:\test - then the contents of the folder (plus sub-folders if you choose that option) will get copied BUT the folder itself doesn't get copied.

Most issues you raised don't apply i.e. internal corporate resource so always NTFS, I always have full control over the source and destinations.

This particular issue was quite easy to control, but others may not be - I'm off to find out about test plans.

bshavers - I'll have a look at UPCOPY once I have some kind of formal test plan in place (which may only be a single sheet of paper I'm guessing at the moment)

Cheers


   