
You can point to a single directory to automatically process all loose files and emails within the directory. The following rules apply:

• Clearwell allows a single discovery, scanning, and/or processing job to be active on an appliance at one time. All other discovery/scan/processing requests are queued up behind the currently-running request and are started in order when the previously scheduled job has completed.

• In order to process documents for multiple cases simultaneously, it is necessary to create those cases on different nodes of a Clearwell cluster. The node that a case is created on can be specified on the Configure Case page. This setting cannot be changed after the case is created; however, it is possible to move a case from one node to another through the backup/restore process.

• The file discovery scanning rate is approximately one million documents per 30 minutes.

You can use the Add Case Folder Source page to add the documents (email files and loose files) for a case.

Note: If you will be processing the same documents into multiple cases, you must create a separate physical copy of the files for each case and create a case folder.

To add sources to a case:

1. Under the Case Management tab, click on the Case menu and select a case.

2. Click Case > Sources to open the Manage Sources page.

3. Select Add Case Folder Source from the menu in the lower-left corner of the page, and click Go.

The settings on the Add Case Folder Source page depend upon whether the Pre-processing module is included in your system. If pre-processing is included, you can specify the document types to explicitly include in processing or exclude from processing.

Without pre-processing options:

4. Enter the following information. An asterisk (*) indicates a required field.

Table 4-10 Case Folder Information

Field Description

Source Name* Enter a name for this source (up to 255 characters). Use only letters, numbers, and underscores. The name should help identify the type of source, such as “Atlanta Collection.”

Source Directory* Click Browse and select the top level folder for the case on the Clearwell appliance or enter a remote directory name, click Go, and select the appropriate folder. Click OK. Your network access depends on the Windows name and password specified in the system settings under Indexing (refer to "Defining System Settings" in the System Administration Guide).

Alternatively, enter the full path of the source directory in Uniform Naming Convention (UNC) format (up to 256 characters). For

Folders Select the folder level appropriate for this source:

•Create a single folder. Add all documents to a single folder.

•Create a folder for every subfolder. Create a new folder for each subfolder in the original source tree. Include only the levels of interest.

Note: When you point to subfolders within a case folder directory, the system does not process any files that are found at higher levels. To check that your case folder setup is accurate, you can obtain the document count in Windows Explorer at the case folder level and make sure that the count matches the file count on the Case Status page.

Folder Custodian Custodians allow users to search for case documents according to the individual identified as responsible for the documents.

Select a default custodian associated with all files discovered in the source directory in one of the following ways:

•To use no custodian, select None.

•To define a new custodian, select New custodian, enter a custodian name, and click OK.

•To assign the custodian with the same name as a subfolder name, select Per subfolder name. This is a convenient way to assign custodians to folders. Use the custodian name as the folder name, and then select this option.

•To select a specific custodian, choose the custodian from the menu.

Example:

The directory structure is c:\my case documents, with the files ..\Custodian 1 and ..\Custodian 2. If you select a level of “1” and set the folder/email custodians to the folder name, all emails/files under “Custodian 1” will be assigned the custodian “Custodian 1.” To override the default custodian for specific files, refer to “Defining Case Custodians” on page 47.

Email Container Custodian Select a default custodian associated with all email containers discovered in the source directory in one of the following ways:

•To use no custodian, select None.

•To define a new custodian, select New custodian, enter a custodian name, and click OK.

•To assign the custodian with the same name as a subfolder name, select Per subfolder name. This is a convenient way to assign custodians to folders. Use the custodian name as the folder name, and then select this option.

•To select a specific custodian, choose the custodian from the menu.

To override the default custodian for specific files, refer to “Defining

5. Click Save to save the new source, or click Cancel to discard your changes.

Processing Physical Evidence Files (LEF and E01)

Note: To process any of Guidance's forensic imaging formats, load the file within EnCase and convert it to a logical evidence file (LEF) or an E01 file. If you create an E01 file, ensure that you create an MDM file as well.

Processing Options Specify the date and time range for indexing the source files. For loose files, the range applies to the last modified date/time and for email files it applies to the sent date/time.

•Click , enter the time in 24-hour format, and select a month and day.

or

•Enter the date and time directly as: MM/DD/YYYY HH:MM:SS.

Note: The date/time restrictions do not apply to new files that are added to directories that have already been indexed. To use the date/time restrictions, place new files to be indexed into new directories.

Document Types These settings are visible only if the pre-processing module is included.

Select check boxes for the document types that you want to include in processing. To select or deselect all of the document types, check or clear the check box at the top of the list.

File Extensions to Exclude Enter the file extensions of files to exclude from indexing, such as EXE and DLL files. Use a space or comma to separate multiple entries. These values apply to loose files only, not to email attachments. All email attachments are processed regardless of the file exclusion list.

Check integrity of newly added email files Select the check box to automatically verify the integrity of email files prior to indexing.

Process newly added folders/files Select the check box to automatically index all newly added folders and files.


LEF Files

Clearwell can process LEF files directly. To add an LEF file:

• Place the LEF in a folder and add the folder as a source. Clearwell will process it like any PST, NSF, or loose file.

E01 Files

A special process is required to prepare physical evidence files (E01s) for processing as part of a case folder source, because E01 files do not include readily accessible metadata. To extract the metadata that is required for processing in Clearwell, you must first process the E01s using the Clearwell E-Discovery Mapfile Generator. The MSI file for the generator (ClearwellE-DiscoveryMapfileGenerator.msi) is available from the 5.1 directory on the Clearwell customer FTP site.

Note: The Clearwell E-Discovery Mapfile Generator is only supported on the 32-bit version of EnCase.

To prepare E01 files for processing with Clearwell:

1. Download the EnScript installer file (MSI file) from the Clearwell FTP site and copy it to a machine that has EnCase installed.

2. Run the EnScript installer and follow the on-screen instructions.

This installs the Mapfile generator on the machine. The Mapfile generator is, in essence, an EnCase plugin.

3. Start EnCase and open the case that contains the evidence files.

4. Locate Clearwell E-Discovery Mapfile Generator in the EnScript tab of your EnCase application.

5. Right-click Clearwell E-Discovery Mapfile Generator and choose Run to open the Mapfile Generator dialog box.

Figure 4-11 Selecting Evidence Files

Note: It is recommended to always hash the file first. Otherwise, hashing must be done at the time of discovery to support the de-NIST of files, which could result in slower performance.

6. Select the evidence files, and click OK to create the MDM file.

Note: The MDM file must reside in the same folder as its associated evidence files (E01 files). As long as this is the case, Clearwell will automatically recognize the evidence files when processing the case folder.

7. Click Case > Sources, and add the case folder containing the evidence files and the corresponding MDM files.

Your case folder can contain any combination of loose files, emails, email container files, and L01/E01 files. For more information, refer to “Adding Case Folder Sources” on page 40.

Note: The E01/MDM file pairs created by the MapFile Generator are portable. However, be sure to note the timezone in which the data was collected and stored in the E01 files. The timezone needs to be set within Clearwell to ensure the dates associated with the loose files match the information in EnCase.
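The following pre-flight check is an added example, not part of the Clearwell guide or product. Before a case folder is added as a source, it counts files in total and per first-level subfolder (the custodian under "Per subfolder name"), for comparison with the Case Status page, and lists folders that hold E01 segments but no MDM file. The function names and sample layout are constructed for illustration, and the ".mdm" file extension is an assumption, since the guide does not state it.

```python
import re
from collections import Counter
from pathlib import Path

# EnCase evidence segments: .E01, .E02, ... (numeric segments only; a simplification)
E01_SEGMENT = re.compile(r"^\.e\d{2}$", re.IGNORECASE)
MDM_SUFFIX = ".mdm"  # assumption: the guide does not state the MDM file extension


def preflight_case_folder(case_folder):
    """Walk a case folder; return (total_files, per_custodian, folders_missing_mdm)."""
    root = Path(case_folder)
    per_custodian = Counter()   # first-level subfolder name -> file count
    evidence_dirs = set()       # folders holding at least one E01 segment
    mdm_dirs = set()            # folders holding at least one MDM file
    total = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        rel = path.relative_to(root)
        # "Per subfolder name": the first-level folder doubles as the custodian.
        # Files directly in the case folder have no subfolder, hence no custodian.
        per_custodian[rel.parts[0] if len(rel.parts) > 1 else "(none)"] += 1
        if E01_SEGMENT.match(path.suffix):
            evidence_dirs.add(path.parent)
        elif path.suffix.lower() == MDM_SUFFIX:
            mdm_dirs.add(path.parent)
    missing = sorted(str(d.relative_to(root)) for d in evidence_dirs - mdm_dirs)
    return total, dict(per_custodian), missing


def build_sample(root):
    """Create a small constructed case folder (placeholder files, not real evidence)."""
    layout = [
        "Custodian 1/mail.pst", "Custodian 1/notes.txt",
        "Custodian 2/disk.E01", "Custodian 2/disk.E02", "Custodian 2/disk.mdm",
        "Custodian 3/laptop.E01",   # no MDM beside it: should be reported
    ]
    for rel in layout:
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"placeholder")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        total, per_custodian, missing = preflight_case_folder(tmp)
        print("total files:", total)
        print("per custodian:", per_custodian)
        print("E01 folders without MDM:", missing)
```

The check only confirms that an MDM file sits in the same folder as the E01 segments; it does not verify that the MDM was generated from those particular evidence files.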