_to long paths

[garybrevans]

Scenario.

 

1. Index data from several data sources.
2. Review data.
3. Some files are indexed and the location is reported as '_to long paths'.

First, it should be '_too long paths' if anything.

 

My question is this.

 

It seems that once Intella decides that the path to the file is too long, it gives up completely and just reports exactly that. If that file is indexed and relevant to the case, how do you then work out from what original data source the file came from?

[Chris]

Hello Gary,

 

Your message puzzled me a bit as there is no "_to long paths" or "_too long paths" in Intella's source code, but I believe I have figured it out. Could it be that you are using the Intella EnScript to export items from a disk image to a folder? This script uses this folder (incl. the typo) for paths of a certain length. If I recall correctly, it applies rather strict rules on maximum path and file name lengths so that the exported files can still be manipulated with Windows Explorer, which has much stricter rules than the NTFS file system that it is usually working on.

 

Intella has no issues indexing and exporting the much longer path names that NTFS allows.

 

If the issue is indeed with the EnScript, please ensure that you are using the latest versions of the script (v0.5) and Intella: the latest script can export to logical evidence files, which can be indexed by Intella. This will be a lot faster and keeps the full path intact.

[garybrevans]

Thanks, we are using the v0.5 EnScript so we will give the logical evidence files a go.

[garybrevans]

So, we went ahead and started exporting from EnCase image files to LEF using the EnScript. This introduces a number of issues.

 

1. There is no apparent way of setting the LEF segment size.

2. There is no apparent way of selecting individual devices.

 

So in a multiple device case what you end up with is one huge LEF containing dozens (or hundreds) of segments containing the output from a number of devices.

 

When you then go to review material by 'Location' in Intella it becomes unresponsive for a bit whilst it refreshes all the relevant locations. Then it displays something like this::

 

This_is_my_evidence.L01\full path\

This_is_my_evidence.L02\full path\

This_is_my_evidence.L03\full path\

 

and so on for as many segments as you have. Of course, this is extremely unhelpful in determining the actual device where the data resides. As long as you have named the device something relevant, this name features much further down the path. One of the ways in which we use selective searching in Intella is to select the device in the Location view. Using this method, this can no longer be achieved this way.

 

It would be very useful if the Intella EnCase EnScript had options for 'LEF Segment Size' and 'Selected Files Only'.

 

If anyone has any other ideas or comments I would be glad to hear them.

 

Thanks.

[Chris]

Hello Gary,

 

Thank you for your feedback!

 

The Intella EnScript is a contribution from our user community. I will forward this information to the creator of the EnScript.

 

As for the Location facet, I will ask our developers what we can do to make this more usable.

[igor_r]

When you then go to review material by 'Location' in Intella it becomes unresponsive for a bit whilst it refreshes all the relevant locations. Then it displays something like this::

 

This_is_my_evidence.L01\full path\

This_is_my_evidence.L02\full path\

This_is_my_evidence.L03\full path\

 

and so on for as many segments as you have. Of course, this is extremely unhelpful in determining the actual device where the data resides. As long as you have named the device something relevant, this name features much further down the path. One of the ways in which we use selective searching in Intella is to select the device in the Location view. Using this method, this can no longer be achieved this way.

 

Hello Gary,

 

How did you add an evidence to Intella? Did you use "Folder" or "Disk Image" source type? Actually only the first part of a disk image should be expandable in the Location panel. The rest files (L02, L02 and so on) should not contain any folders.

 

Could it be that you added each L01 part as a separate source?

 

See the attached screenshot.

[garybrevans]

Thanks, I will check up on that but as you can see you still have a potentially long list of segments which is just 'noise'.

[garybrevans]

Add a .L01 to Intella for indexing and in every case, as well as the files within the .L01 you also get a load of chuff in the root when viewing 'Location'. What is it and how do you get rid of it?

 

Second question, is it possible to remove items from a case once indexed?

[ŁukaszBachman]

Hi Gary!

 

Would you be willing to give this a shot in Intella 1.8 (Beta version is available, official release is around the corner)? This version includes some improvements in the area of load file processing, so it would be good to verify if it behaves the same way.

 

To answer your second question: right now it's not possible to remove items from a case. In one of the future releases we will allow for removing single data sources from the index (we are already looking into that).