index attachments and absolute path

  • index attachments and absolute path

    Hi all,

    First of all, congrats on this great piece of software!! We have been testing the free version and it works really well. I have a couple of questions about it, anyway:

    a) Index attachments: It looks like the attachments of email (word, excel, etc.) are not indexed. Is there any chance that this would be developed in next versions? I think this functionality is really critical, especially in e-discovery cases, and by the looks of the software (i.e. correct parsing of attachment names, etc.) it seems it wouldn't be hard to implement (just guessing here...)

    b) Absolute/Relative path: Working with data stored on external drives, we have encountered that if the drive is plugged into a different computer (receives a different letter D, E, F, etc.), the indexer keeps working, but it is not possible to preview files. The cause of this seems to be that the indexer keeps track of the data using absolute paths rather than relative ones. Is there any workaround regarding this issue (apart from changing drive letters from Windows Drive Manager)?

    Thanks in advance,

  • #2
    Thanks for the comments.

    a) Yes, OSF currently only indexes the filenames of attachments and allows you to view them from the internal viewer, but it does not index the content of the attachment files.

    We are looking into rectifying this very soon. We had always planned to do this eventually and it fell by the wayside. I'll keep this thread posted regarding this feature.

    b) We've thought about this and you're right, it is a scenario to consider. And as you noted, yes, you can re-map the drive letters accordingly.

    Note that, even if the user can change the drive letter (and the paths were relative), the user may still not be aware that the paths are different until they attempt to open the files -- and if it is a common filename such as c:\windows\win.ini -- it may also exist on the different drive despite actually being a different file.

    Having said that, we've made a note to look into what we can do for this scenario and will revisit it later. It may simply prompt the user to specify the new location of the drive if the paths no longer point to a valid file.
    Ray
    PassMark Software
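
An added illustration of the point in the reply above (not part of the original thread and not PassMark's code): re-rooting indexed absolute paths onto a new drive location and checking content before trusting a same-named file. It assumes the index recorded a SHA-256 per file at index time, which the thread does not state; `resolve_entry`, `demo` and the sample paths are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_entry(indexed_path, indexed_sha256, new_root):
    """Re-root an indexed Windows path; status is 'ok', 'missing' or 'mismatch'."""
    win = PureWindowsPath(indexed_path)
    # Drop the anchor ("D:\") so only the drive-relative parts remain.
    parts = win.parts[1:] if win.anchor else win.parts
    if ".." in parts:
        raise ValueError("indexed path must not contain '..'")
    candidate = Path(new_root).joinpath(*parts)
    if not candidate.is_file():
        return "missing", candidate
    # Same name is not enough: win.ini exists on almost every Windows volume.
    if sha256_of(candidate) != indexed_sha256:
        return "mismatch", candidate
    return "ok", candidate


def demo():
    """Constructed sample: index built on D:, volume now mounted elsewhere."""
    digest = lambda data: hashlib.sha256(data).hexdigest()
    index = [  # (path as indexed, hash recorded at index time) - constructed
        ("D:\\docs\\report.txt", digest(b"quarterly report")),
        ("D:\\windows\\win.ini", digest(b"[fonts]\n; original\n")),
        ("D:\\mail\\inbox.pst", digest(b"pst")),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(b"quarterly report")
        (root / "windows").mkdir()
        (root / "windows" / "win.ini").write_bytes(b"[fonts]\n; other machine\n")
        return [resolve_entry(p, h, root)[0] for p, h in index]


if __name__ == "__main__":
    print(demo())
```

A `mismatch` result is the case the reply warns about: the path resolves on the new drive, but the file is not the one that was indexed.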


    • #3
      Thanks for the feedback Ray.

      We will be looking forward to the next version then!

      I would like to start a list of requests (sorry if they have been asked before in the forums) regarding future versions:

      - Indexing of OST files (Outlook offline cache)
      - Indexing of NSF files (Lotus Notes mail database)
      - Recursive indexing/parsing (A word document, inside a Zip file, inside a mail, inside a PST file, etc.)
      - Multiple index selector
      - Corrupted (bad signature) / Encrypted files detection

      Hope this helps!


      • #4
        A reasonable amount of recursive indexing for normal files (as opposed to E-mails) is already supported. For example a Word doc in a Zip should be OK. As should an E-mail in a PST in a Zip.

        - Multiple index selector
        Can you expand on what you mean by this point? We already support multiple indexes and switching between them, but maybe you mean something else.

        - Corrupted (bad signature) / Encrypted files detection
        Corrupted and encrypted files should all be picked up in the index log as errors. You can view the log after indexing.

        I have noted the request for OST and NSF. This probably won't be the highest priority for the next few months.


        • #5
          Hi again,

          About the multiple index selector, I meant the ability to search in two indexes at the same time (instead of a dropdown list where you can only choose one index, to be able to select multiple indexes using a checkbox). I think dtSearch is able to do this IIRC.

          I'll try to describe a useful scenario: you index the information of a single computer, but for some reason you separate into two different indexes the office documents and the html pages. Imagine you want to search both sets of information at the same time: either you need to select one index, query it, and then repeat the operation with the second one, or you just create a third index that contains all info from the computer. With a checkbox you could simply check both of them and launch the query. This scenario maybe makes more sense when you are working with different computers/suspects, as sometimes you just want to look for something everywhere.

          I didn't think about going through the index logfile to look for corrupted media. Thanks!

          About the OST and NSF files, there are already tools to convert these to something more "mainstream" such as PST, MSG or EML files, but there are few apps (most of them really expensive and not all of them work as advertised) that are able to process these kinds of files natively. Anyway, as it's free to ask, I would love to see them implemented in future releases.

          Thanks for the quick answer! And kudos again about OSF. It was about time to see "new blood" in the forensic software department!!


          • #6
            If there is the possibility that you need to search office and HTML files at the same time then it makes sense to include these both into a single index from the start. We would only suggest splitting up the index if you didn't need to simultaneously search them both, or if there was a truly huge amount of documents to be indexed (e.g. a million HTML files and a million DOC files). At the moment indexes are associated with a case file. So it would take more than just check boxes to search all indexes from all cases simultaneously. Again, I'll note down the request, but I think we have higher priorities for a while.


            • #7
              Ok, but I meant searching in multiple indexes inside the same case (not across different cases). Imagine a case where there are 5 computers involved.

              Anyway, I agree with your point. It's not one of my top ten desired features either.

              thx
