Is it possible to use OSForensics to identify and extract "User-Generated" files from a forensic image file?
I have imaged seven workstations to E01 format.
1. My next step is to extract out just "User-Generated" files from each of the seven forensic images; I have a defined list of "User-Generated" file extensions, which I need to export maintaining the original file/folder paths, including:
DOC
DOCX
PPT
PPTX
XLS
XLSX
PDF
ZIP
OST
PST
EML
MSG
MBOX
DWG
2. Once I have a discrete folder for each of the seven forensic image files, our practice will then index all of the "User-Generated" files for attorney review in Relativity.
So, the resulting folder of data to be indexed for Relativity review, using the example of John Smith's forensic image, would look like:
JOHN_SMITH\Desktop\Invoices.xlsx
JOHN_SMITH\Downloads\Report.docx
In future OSF releases, if it is not possible currently, it would be very, very helpful if there was a view in OSForensics which automatically organized files by file type in discrete folders, such as all Word files in a Word folder, all Email files in an email folder, all SQLite database files in a SQLite database folder, etc. Then, for example, if a user could just select the folders of data one wanted, and then with another mouse click export the folder(s) of "User-Generated" files either maintaining the original folder path, or simply loose in one top level folder, this would make OSForensics a fantastic staging tool for electronic discovery cases. Basically, it is best practice to segregate user generated files from system files before ingesting data into electronic discovery processing tools such as LAW or Nuix as the customer is traditionally charged for the GB count of files ingested into the electronic discovery processing tools; billing a customer for some forensic hours to segregate out user generated files typically saves the customer thousands of dollars and avoids the needless processing of system files.
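One way to script the extension-based export described in the post, as an added example that is not part of the original post and is not OSForensics functionality. It assumes the E01 image has already been mounted read-only as a directory tree; `export_user_files`, `sha256_of` and the manifest layout are hypothetical names chosen for illustration.

```python
import csv
import hashlib
import shutil
from pathlib import Path

# Extension list from the post (matched case-insensitively).
USER_EXTENSIONS = {"doc", "docx", "ppt", "pptx", "xls", "xlsx", "pdf", "zip",
                   "ost", "pst", "eml", "msg", "mbox", "dwg"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large PST/OST files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def export_user_files(mount_root, out_root, custodian, extensions=USER_EXTENSIONS):
    """Copy matching files to out_root/custodian/<original relative path>.

    Returns manifest rows (relative_path, size_bytes, sha256) and writes them
    to <custodian>_manifest.csv beside the export folder.
    """
    mount_root, dest_root = Path(mount_root), Path(out_root) / custodian
    dest_root.mkdir(parents=True, exist_ok=True)
    rows = []
    for src in sorted(mount_root.rglob("*")):
        if src.is_symlink() or not src.is_file():
            continue  # skip directories and links
        if src.suffix.lower().lstrip(".") not in extensions:
            continue  # system or other non-listed file type
        rel = src.relative_to(mount_root)
        dst = dest_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also carries over modified/accessed times
        src_hash = sha256_of(src)
        if sha256_of(dst) != src_hash:
            raise IOError(f"hash mismatch after copy: {rel}")
        rows.append((str(rel), src.stat().st_size, src_hash))
    with open(Path(out_root) / f"{custodian}_manifest.csv", "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["relative_path", "size_bytes", "sha256"])
        writer.writerows(rows)
    return rows
```

Matching is by file name extension only, so files with a renamed or missing extension are not picked up. The per-custodian manifest records a SHA-256 for each exported file so the review set can be tied back to the source image.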