Preferred way of loading in large datasets

[dpmills]

I have been told that there is potentially going to be a very big set of data (all data, not just hard drive images) coming my way and that I can control how it is delivered, so I thought I would check and see if it makes a difference.

 

In terms of processing, would Intella be happier with a DD/E01/L01 of the files, or just folders filled with files? I usually load in data using folders, but I know that if there's large numbers of files in folders, sometimes it can slow down the loading speed of things like Windows Explorer. Is that an issue with how Intella loads in data? I don't want to choke the system if it could be avoided.

[jon.pearse]

Hi,

 

In general, we would recommend using a folder source because the speed will likely be better when using the official 1.9.1 release. That said, we have made some changes since the 1.9.1 release where the time to process forensic image files is similar to a folder source. If you want to try disk images then we can send the installer to you via our support portal (create a ticket and ask for this version).

 

There are some things that you may want to be aware of when processing folder and evidence file sources:

• An advantage of using L01 files is that they can handle long file paths. If you use a folder source and have long file paths, you may miss data because of the Windows file path length limitations.
• Another thing is that dates for files may change when copying data across drives etc. If the data was first imaged to a L01 file, the dates will be preserved.
• Also there are potential issues with file names that contain symbols illegal on Windows when using a folder source. For example: Your original data comes from Mac OS X system where it's possible to use a colon in a file name like "file:" If you export such data into a file system then those files won't be created and will be missing. But if you index it as a disk image, Intella will be able to index it fine.