Thanks for all the comments, they are well appreciated.
Eliminating files using hashes and conditions is a good idea. But do you not eliminate the file slack results? I cannot see a search option in EnCase to just search the "file slack space" and not the file itself.
The search menu only allows me to search the file *and* the file slack space. Is there a different search configuration I can use? How can you just search the file slack only?
e.g. Good_file1.exe which is a known good/valid file may have some search results in file slack I want to see.
Eliminating files using hashes and conditions is a good idea. But do you not eliminate the file slack results? I cannot see a search option in EnCase to just search the "file slack space" and not the file itself.
Bottom tick box in the 'Keyword Search Options' is 'Search only slack area of entries in hash library'.
Rich
You can easily verify whether this holds true for your search and your system by seeing if EnCase pegs your CPU… if it does, you are not I/O bound.
Actually, it's the other way round. It's generally this disk queue that's pushing the CPU up.
By sorting out the I/O issues in our setup, keyword search times have improved on average by 35%. This involves some pretty serious kit, but EnCase can in most cases run "faster". Most intensive jobs (extractions, searches etc.) have improved by between 20% and 50% during testing.
Terms and conditions apply…
If you are working locally, the best thing you can do is use RAID or SSD, then up the memory. Cores are bottom of the list. (EnCase only)