Nuix3 Desktop User Guide
Version 3.2
April 2011
Document Number: 003-002-001
@Nuix Pty. Ltd. 2011. All rights reserved.
Nuix believes the information in this publication is accurate as of its publication date. The informationissubjecttochangewithoutnotice.
THEINFORMATIONINTHISPUBLICATIONISPROVIDED“ASIS.”NUIXMAKESNOREPRESENTATIONSORWARRANTIESOFANYKINDWITHRESPECTTOTHEINFORMATIONINTHISPUBLICATION,ANDSPECIFICALLYDISCLAIMSIMPLIEDWARRANTIESOFMERCHANTABILITYORFITNESSFORAPARTICULARPURPOSE.
Use,copying,anddistributionofanyNuixsoftwaredescribedinthispublicationrequiresanapplicablesoftwarelicense.
Audience
Preface
TheNuix3DesktopUserGuidedescribeshowtousetheproduct,andincludespracticaltipsandbestpracticesforusingNuixefficientlyandeffectively.
AudienceTheintendedaudienceforthisguide,andthetypeofeDiscoveryworkflowsandtaskssupportedbyNuix3Desktop,includes:
• LitigationsupportspecialistswhouseNuixforprocessing,searching,andexportingclients'data.Theseworkflowsfavorspeed,scale,andtheabilitytoworkwithlargedatasetsveryquickly.
• CorporateinvestigatorswhouseNuixtoexploreandanalyzetheirowncorporatedataaspartofinternalinvestigationsorasprecursorstolitigation.
• Attorney'swhoareinterestedinquicklyandeasilyassessingthefactsandmeritsofthecasetheyhavebeenpresented.
Preface iii
Organization
OrganizationTheguideisprimarilyorganisedintochaptersthatfollowanend‐to‐endeDiscoveryworkflow,andincludestask‐basedinstructionsforactivitiessuchasloadingthedata,searching,analysing,reviewing,andexporting.
IfyouneedmoregranulardetailsaboutaparticularoptionorcontrolinNuix,refertotheInterfaceOverview.
TheIntroductioncontainsanoverviewoffeaturesandsalientinformationaboutlicencing,productarchitecture,andenhancementsforVersion3.Supplementaltopicsaboutscripting,theAPI,supportedfiletypes,andtroubleshootingarelocatedintheAppendices.
Related DocumentationSeethecustomerportalforthefollowinginformationthatmightalsoberelevanttoyouruseofNuixDesktop:
• NuixScriptingSite• NuixKnowledgeBasearticles• NuixServerUserGuide
iv Preface
ContentsPreface ..........................................................................................................iii
Audience.................................................................................................................................iii
Organization ......................................................................................................................... iv
RelatedDocumentation................................................................................................... iv
Introduction ................................................................................................... 1
KeyCapabilities....................................................................................................................2
LicenceTypes........................................................................................................................3
Architecture...........................................................................................................................4
KeyEnhancementsinVersion3 ...................................................................................5
Interface Overview ........................................................................................ 7
Menus .......................................................................................................................................8FileMenu............................................................................................................................................9EditMenu........................................................................................................................................10GoMenu...........................................................................................................................................11WindowMenu...............................................................................................................................12ReportsMenu................................................................................................................................13ScriptsMenu..................................................................................................................................13HelpMenu ......................................................................................................................................14NetworksMenu............................................................................................................................15
Tabs ........................................................................................................................................ 17ProcessingTab .............................................................................................................................18WorkbenchTab............................................................................................................................19FastReviewTab...........................................................................................................................53StatisticsTab .................................................................................................................................54WordListTab ...............................................................................................................................56AddressesTab...............................................................................................................................58HistoryTab.....................................................................................................................................59FastReviewStatisticsTab .......................................................................................................60WorkbenchTabforaFastReviewJob ...............................................................................62
Contents i
DialogueBoxes ...................................................................................................................63AddTags/RemoveTagsDialogueBoxes .......................................................................... 63CasePropertiesDialogueBox................................................................................................ 65ExcludeItemsDialogueBox ................................................................................................... 66ExportCaseSubsetDialogueBox......................................................................................... 68ExportDigestListDialogueBox ........................................................................................... 70ExportItemsDialogueBox ..................................................................................................... 71LegalExportDialogueBox ...................................................................................................... 75NuixScriptConsoleDialogueBox........................................................................................ 97SystemDiagnosticsDialogue ................................................................................................. 98
CustomizingtheInterface ..........................................................................................100
KeyboardShortcuts ......................................................................................................102Keyboardshortcutsformenuitems ................................................................................ 102KeyboardshortcutsintheResultspane ........................................................................ 103
Install ......................................................................................................... 105
PrerequisiteHardwareandSoftware ...................................................................106Using32‐bit,64‐bit,orBoth................................................................................................ 106MinimumSystemRequirements ....................................................................................... 106HardwareSizingGuidelines ................................................................................................ 107SoftwareRequirements......................................................................................................... 108
InstallingNuixDesktop ...............................................................................................110
Configure ................................................................................................... 111
SettingGlobalOptions .................................................................................................113MetadataProfiles ..................................................................................................................... 113DigestLists.................................................................................................................................. 129WordLists ................................................................................................................................... 133DefaultTabs................................................................................................................................ 135SearchOptions .......................................................................................................................... 136LaunchOptions ......................................................................................................................... 137ViewerLimits............................................................................................................................. 138Memory ........................................................................................................................................ 139
SettingCaseProperties ...............................................................................................140
AllocatingMemory(RAM)forBetterPerformance ........................................141
DisablingRemoteDesktopClientPrinterRedirection ..................................143
ii Contents
SettingUpDistributedProcessinginNuix(Optional) ...................................144
TheDataWorkflowinaDistributedEnvironment .........................................145ConfiguringtheMasterandWorkerMachines ........................................................... 146CreatingtheSharedNetworkDrives ............................................................................... 148
Load Data .................................................................................................. 151
PreparingtoLoadCertainTypesofData.............................................................152ProcessingUnsupportedForensicImageFileFormats........................................... 152ProcessingEncryptedLotusNotesFiles ........................................................................ 153AccessingGroupwiseasaTrustedApplication .......................................................... 155
CreatingaCaseandLoadingData...........................................................................157CreatingaNewCase................................................................................................................ 157SettingAdvancedOptions .................................................................................................... 158AddingCaseEvidence ............................................................................................................ 163
InterruptingaProcessingJob ...................................................................................168
WorkingwithExistingCases.....................................................................................170
Search ........................................................................................................ 173
PerformingSimpleSearches .....................................................................................174SearchwithKeywordsandDates...................................................................................... 174SearchwithFilters ................................................................................................................... 175
PerformingAdvancedSearches ...............................................................................176
SavingandManagingSearchQueries....................................................................178SaveaSearchQuery ................................................................................................................ 178LoadaSearchQuery ............................................................................................................... 178DeleteaSearchQuery ............................................................................................................ 178
SearchQuerySyntax .....................................................................................................179SimpleQueries........................................................................................................................... 179WildcardQueries...................................................................................................................... 179FuzzyQueries............................................................................................................................. 181Logical(orBoolean)Operators.......................................................................................... 181PhraseQueries........................................................................................................................... 184RegularExpressionQueries ................................................................................................ 185RangeQueries ............................................................................................................................ 187IndexedFields............................................................................................................................ 188
Contents iii
Analyse ...................................................................................................... 209
ViewingThumbnailsofImages................................................................................211ReviewImages .......................................................................................................................... 212ApplyTagstoAllCopiesofanImage............................................................................... 212
ReviewingIndividualWords.....................................................................................213ReviewtheWordList ............................................................................................................. 214FiltertheResultswithanImportedWordList ........................................................... 214
ReviewingFileTypeStatistics..................................................................................215
ManagingIrregularFiles.............................................................................................217IrregularFileTypes................................................................................................................. 217SuggestedExceptionHandlingWorkflow ..................................................................... 223
ReviewingDomainandEmailAddresses ............................................................224
AnalysingCommunicationsOverTime ................................................................226
AnalysingPatternsofCommunication .................................................................228
Review and Tag ......................................................................................... 231
WorkingwithReviewJobs.........................................................................................233CreatingaReviewJob ............................................................................................................ 233JoiningaReviewJob ............................................................................................................... 239ManagingReviewJobs ........................................................................................................... 240DeletingaReviewJob............................................................................................................. 241
CreatingSubsetsofCasesforReview ...................................................................242
CreatingTags ...................................................................................................................246CreateTagsforaCase ............................................................................................................ 246AssignTagstoaReviewJob ................................................................................................ 247
ReviewingItems .............................................................................................................249ApplyingTagstoItemsfromtheReviewandTagPane.......................................... 251
Export Data ............................................................................................... 257
ExportingInformationfromaView.......................................................................258
ExportingItemsinNativeFormat ..........................................................................260
ExportingItemsintoaNewCase ............................................................................262ExportingSubsetsofItems .................................................................................................. 262ExportingAnnotations........................................................................................................... 262
iv Contents
CreatingaDigestList ....................................................................................................263
ExportingtoaLegalLoadFile ..................................................................................264OutputFilesforLegalExports ............................................................................................ 265AboutConcordanceLoadFiles ........................................................................................... 265AboutSummationLoadFiles .............................................................................................. 270
EnsuringExcludedContentisNotProduced .....................................................272
Audit .......................................................................................................... 275
EventsMonitored...........................................................................................................276
ViewingtheAuditHistoryforaCase.....................................................................277
AuditedInformationforExportOperations.......................................................278
Appendices ................................................................................................ 279
RunningNuixfromtheCommandLine ................................................................280‐Dname=value............................................................................................................................ 280‐Xparam ........................................................................................................................................ 283‐nologo .......................................................................................................................................... 283casefile........................................................................................................................................... 283‐scriptscriptfile ......................................................................................................................... 284
AboutSupportedFileTypes ......................................................................................285Processingforensicimages.................................................................................................. 285
SupportedFileTypes:OrganizedbyKind...........................................................287Containers ................................................................................................................................... 287Databases..................................................................................................................................... 290Drawings ...................................................................................................................................... 290Email .............................................................................................................................................. 291Images ........................................................................................................................................... 292MultimediaFiles ....................................................................................................................... 293OtherDocuments...................................................................................................................... 293Presentations ............................................................................................................................. 295Spreadsheets .............................................................................................................................. 296SystemFiles ................................................................................................................................ 296WordProcessorDocuments................................................................................................ 298
SupportedFileTypes:OrganizedbyCommonName.....................................300
SupportedFileTypes:OrganizedbyFileType..................................................314
Contents v
RenderingDocumentstoPDForTIFF ..................................................................326FileTypesExcludedfromImageConversion............................................................... 326FileTypesExcludedfromLegalExport.......................................................................... 327ImageTypesConvertedtoPDF/TIFF3.............................................................................. 28
vi Contents
CHAPTER 1 Introduction
ThecoreofNuixisanadvancedprocessingenginethatinterrogatesvirtuallyanydataset(emails,harddisks,diskimages,etc.),indexingtheresultsandmakingthemavailableforimmediateanalysis.Manytoolsallowyoutosearchforkeywords,butNuixallowsyoutoalsosearchforemails,documents,metadataandimages.
Thischaptercontainsthefollowingtopics:
• “KeyCapabilities”onpage 2• “LicenceTypes”onpage 3• “Architecture”onpage 4• “KeyEnhancementsinVersion3”onpage 5
Introduction 1
Key Capabilities
Key CapabilitiesSomekeycapabilitiesofNuixDesktopinclude:
• Allowsmultipleinvestigatorstocollaborateonasinglecase.• Auditsallinvestigatoractivitiesonacaseandfindsprevioussearches.• Processesvirtuallyanytypeof"datacontainer",whetheritisanemailserver(Microsoft,LotusNotes,
Groupwise,etc.),aharddiskoraforensicimageofaharddisk,ordocumentsonafileshare.• Testedtoterabytesofdata.• DecodesChinese,Japanese,Korean,ArabicandCyrillictextcorrectlyintoUnicodeandsupports
investigationofthetexttothesamelevelofcompletenessasEnglish,withtheexceptionofEnglishlanguagestemming.
• Directlyinterrogatesalldatasetsanddoesnotrelyondata‐conversiontoolsorMAPIto"see"data.MAPIisdesignedtoretrieveactivedata,butnotdeleteddata.However,NuixemploysitsownprocessesandretrievespermanentlydeletedemailsfromPST/OSTandEDB/STMfiles.
• Worksatthebinaryleveltohelpaccessdeletedandalteredemailsfrommailboxes.• Extractsitemsthatmightbe100+levelsdeep,makingthemavailableforsearch.Forexample,animage
inadocumentembeddedinawordfile,whichitselfisembeddedinanotherfile(100+times)whichisinaPSTfile,whichhasbeenexported,zippedandemailed.
• Providesinstantaneoussearchresults.• Identifieseverypersonassociatedwithanevidenceitem(whosentitintoacompany,whosentit
aroundtheorganisationandwhosentitout).• Identifieshiddenimages,evenapictureshrunkto1x1pixels,irrespectiveofthesizeoftheoffice
document.• Identifiespornographyandeverybodyassociatedwithsuchanimagewithinseconds.• Identifiesiftwodocumentsarethesame,eventhoughthesuffixandprefixofthefilenameshavebeen
changed.• Diagrammaticallyshowsthesocialandbusinessnetworksofpartiesofinterest.• Letsyouidentifyunauthoriseddocumentoremailmessagesthatarebeingsendtoexternaldomainsin
30secondsandleakedintellectualpropertyinthreeseconds.• Withauser‐friendlyinterface,Nuixisdesignedtobeusedbyanybody.
2 Introduction
Licence Types
Licence TypesThefollowinglicensesareavailablewithNuixDesktop.
Note:Scriptingisincludedwithalllicensingtypes.TheabovedetailscanandareoftenchangedandamendedbyNuix.
Refertoyouroriginalinvoicefordetailsonthelicencetypeyoupurchased.Foradviceonwhatisthemostappropriatelicenceforyourenvironment,contactNuix([email protected])oryourlocalReseller.OtherlicencestypesthatarenolongersoldbutareingeneraluseareNuixForensicDesktop(doesnotincludeeitherFastRevieworLegalExports)andNuixLegalDesktop(whichissimilartoNuixDesktop).
Licence Type Description Licence Restrictions
Forensic Desktop Provides processing, investigation and item level export functionality. Forensic Desktop is offered as an entry level option for forensic practitioners.
Does not include Case Evidence Pre‐Filter
Does not include Fast Review
Does not include Legal Exports
Does not include Sub‐Case Exports
Legal Desktop Provides processing, investigation and item level and legal export functionality. Legal Desktop is offered as an mid level option for organizations with light processing requirements but still have a need to create load files.
Does not include Case Evidence Pre‐Filter
Does not include Sub‐Case Exports
Enterprise Workstation
Provides processing, investigation and item level and legal export functionality. Legal Desktop is offered as an high‐level option for organizations with significant processing requirements.
No restrictions, all features are enabled.
Reviewer Provides review and analysis functionality. Reviewer licenses are offered in conjunction with the Nuix_Server and and Enterprise Workstation license to facilitate a multi‐user, concurrent, collaborative review within Nuix.
Does not include data ingestion.
Does not include item level, legal, or sub‐case exports.
ARX Provide Analysis, Review and eXport functionality. ARX licenses enable additional power users to perform full analysis and export operations.
Does not include data ingestion.
Standard ARX does not include Legal Export
Entrprise ARX has no export restric‐tions
Nuix Server Provides a mechanism for multiple users to interact with the same case simultaneously as well as distribute multi‐ple licenses from a single dongle.
Only used for case collaboration and license distribution. The Nuix_Server has no processing or export functionality.
Introduction 3
Architecture
ArchitectureNuixisdevelopedusingOpenSourcetechnologies:
• DevelopmentLanguage‐Java• RelationalDatabase‐ApacheDerby• TextIndexingEngine‐ApacheLucene• TextExtraction‐DevelopedbyNuix• DefaultScriptingAPI‐RubyscriptorECMAScript(JavaScript)
Nuixoperatesonboth32and64‐bitversionsofWindows‐withseamlessaccesstothesamecasefromeitherarchitecture.
4 Introduction
Key Enhancements in Version 3
Key Enhancements in Version 3Nuix3providesthesamefamiliarpowerandprecisionwithacompletelynewuserexperience.
Keyenhancementsinclude:
• Newuserinterfacethatenablesnewworkflowsandmoreefficientinvestigations.• Suppressingirrelevantcontentwithexclusionsets.• Viewingallemailaddressespresentinaspecificresultset.• Moreadvancedfiltering,includingfilteringonemailattachments.• IngestingOCRtextandassociatingitwithexistingitems.• Aquerybuildertohelpyoumoreeasilybuildadvancedsearchqueries.• Simplifieddatefiltering.• Filteringimmaterialitemstosuppressfolders,containers,embeddeditems,etc.• Fastreviewisnowperformedoverdocumentfamilies,ratherthanindividualitems,formoreeffective
andspeedyreviewing.• Creatingnestedsetsoftagsratherthanjustflatclassifications.• Scriptingisnowavailableforalllicencetypes.
Introduction 5
Key Enhancements in Version 3
6 Introduction
CHAPTER 2 Interface Overview
TheNuix3Desktopuserinterfaceissubstantiallydifferentfromthepriorversionofthesoftware.BorrowingonthemesfromMicrosoftOutlookandleveragingmoreefficientworkflows,existingandnewfeaturesaremorereadilydiscoverableandeasiertouse.
Thischaptercontainsthefollowingtopics:
• “Menus”onpage 8• “Tabs”onpage 17• “DialogueBoxes”onpage 63• “CustomizingtheInterface”onpage 100• “KeyboardShortcuts”onpage 102
Interface Overview 7
Menus
MenusNuix3Desktopcontainsasetofstandardmenustohelpyouruncommandsfromtheuserinterface.Manyofthecommandsonthesemenusarealsolocatedcloserincontextwiththetaskswithwhichtheyareassociated,suchasonright‐clickmenus.
Themenusare:
• File‐Commandsformanagingcases,printingfunctions,andexitingtheapplication.• Edit‐Commandsforediting,managing,andfindingitemsinthecase.• Go‐Commandsfornavigatingthroughitemsinacase,andformanagingsearchqueries.• Window‐Commandsformanagingtheuserinterface,suchasshowingandhidingelementsand
openingnewWorkbenchandFastReviewtabs.• Reports‐Commandsforopeningtabsthatreportonstatistics,wordlists,addresses,andaudithistory.• Scripts‐Commandsforlaunchingandmanagingscripts.• Help‐Commandsforviewingonlinehelpandtheproductversion,openingsystemlogsanddiagnostic
tools,anddownloadingupdates.• Networks‐CommandsforcustomizingthedisplayoftheNetworksview.Thismenushowsonthe
menubaronlywhenyouhaveselectedViewby:NetworksintheResultspane.
8 Interface Overview
Menus
FILE MENU
TheNuix3DesktopFilemenucontainscommandsformanagingcases,printfunctions,andexitingtheapplication.
TheFilecommandsperformthefollowingtasks.
File Command Function
New Case Creates a new case, including setting case metadata and options.
Open Case Opens an existing case by browsing existing cases on the system. Nuix opens to the location of the last case opened.
Recent Cases Opens an existing case by selecting from a list of of last ten recently opened cases, or clear the list of recent cases. These cases are also available from the default window that displays when you open Nuix.
Add Case Evidence Adds evidence to an existing case.
Close Case Closes the currently opened case, leaving Nuix open.
Import Imports annotations (tags and comments) in bulk from a CSV file into the opened case.
Export Exports a variety of data from the currently open case, including contents of a view, items in their native format, a subset of items into a new case, annotations, a digest list, or items and metadata to a legal load file.
Global Options Configures options and information for the case, including those for metadata profiles, digest lists, word lists, default tabs, search options, launch options, viewer limits, and memory.
Case Properties Edits the properties associated with the opened case, including name, description, and investigator information.
Interface Overview 9
Menus
EDIT MENU
TheNuix3DesktopEditmenucontainscommandsforediting,managing,andfindingitemsinthecase.
TheEditcommandsperformthefollowingtasks.
Print Prints from the Results pane, including result sets and views, as well as from tabs in the Preview pane. Includes page setup options and scaling settings that allow you to set the scaling mode and percentage when printing an object that supports scaling.
Exit Closes the opened case and exits the Nuix3 Desktop application.
Edit Command Function
Cut Cuts text from any text field or box in Nuix, including the Search and Comment text fields and the message preview. Works with text blocks that can be highlighted.
Copy Copies text from any view in Nuix, including the Results, History, Statistics views. Works with text blocks that can be highlighted.
Paste Pastes text into text fields in Nuix, such as Search and Comment fields, or to other text applications, such as Notepad.
Add Tags Adds a tag to the selected item(s), including to items in the associated family and/or duplicates.
Remove Tags Removes a tag from the selected item(s), including from items in the associated family and/or duplicates.
Add to Review Job Adds the selected items to an existing Fast Review job, including items in the associated family.
File Command Function
10 Interface Overview
Menus
GO MENU
TheNuix3DesktopGomenucontainscommandsfornavigatingthroughitemsinacase,andformanagingsearchqueries.
TheGocommandsperformthefollowingtasks.
Remove from Review Job
Removes the selected items from an existing Fast Review job, including items in the associated family.
Exclude Items Excludes items from being available for further case activity. This suppresses the items within the data set, including items in the associated family and /or duplicates, using a new or existing exclusion rule.
Select All Selects all displayed values in column and grids in the Results, Word List, Statistics, History, and Thumbnail views. It also selects the visible (expanded) nodes that in the Document Navigator; it does not select unseen nodes.
Select None Clears (deselects) all displayed values in column and grids in the Results, Word List, Statistics, History, and Thumbnail views. It also clears the selected nodes in the Document Navigator.
Find Searches the text within a selected view or within the selected text in the Preview pane.
Go Command Function
Next Item Displays the next item in the result set.
Previous Item Displays the previous item in the result set.
Next Batch Displays the first item in the next family of items during a Fast Review job.
Show All Descendants Finds and displays all child items for the selected item(s) in a new Workbench tab.
Edit Command Function
Interface Overview 11
Menus
WINDOW MENU
TheNuix3DesktopWindowmenucontainscommandsformanagingtheuserinterface,suchasshowingandhidingelementsorresettingthewindowpaneswithinthetabstotheirdefaultlayouts.YoucanalsoopenanewWorkbenchorFastReviewtabfromhere.
TheWindowcommandsperformthefollowingtasks.
Show All Top‐level Items Finds and displays the highest‐level parent item for the selected item(s) in a new Workbench tab.
Show All Families Finds and displays all items in the families of the selected items.
Load Search Opens a previously saved search query.
Delete Search Deletes a previously saved search query.
Save Search Saves the current search query in the Search bar for reuse.
Window Command Function
Show Document Navigator Shows or hides the Document Navigator.
Show Results Shows or hides the Results pane.
Show Preview Shows or hides the Preview pane.
Show Review & Tag Shows or hides the Review and Tag pane.
Reset Layout Returns the panes within the tabs to their original default layout.
New Workbench Tab Opens a new Workbench tab.
New Fast Review Tab Opens a new Fast Review tab.
Close Tab Closes the active (selected) tab.
12 Interface Overview
Menus
YoucanconfigurethedefaultsetoftabsshownwhenyouopenacasethroughGlobalOptions(File>GlobalOptions>DefaultTabs).Youmustcloseandreopenacaseforanychangestotakeeffect.
REPORTS MENU
TheNuix3DesktopReportsmenucontainscommandsforopeningtabsthatreportonstatistics,wordlists,addresses,andaudithistory.
TheReportscommandsperformthefollowingtasks.
YoucanconfigurethedefaultsetoftabsshownwhenyouopenacasethroughGlobalOptions(File>GlobalOptions>DefaultTabs).Youmustcloseandreopenacaseforanychangestotakeeffect.
SCRIPTS MENU
TheNuix3DesktopScriptsmenucontainscommandsforlaunchingandmanagingscripts.AllNuix3Desktoplicensetypessupportscripting.
NuixhasaScriptsdirectoryfororganizingscriptsthatcanberunfromthismenu.Scriptsinthisdirectorydisplayinthemenu,andscriptsthatyouplaceintosub‐foldersinthedirectoryaredisplayedbyfolderinthemenu.Intheimageshown,numerousscriptshavebeencollectedintologicalfolders,whichdisplayintheScriptsmenuandallowfororganizedaccesstothescripts.Ifnoscriptsexist,thismenudisplaysonlythelasttwocommands.
Window Command Function
New Statistics Tab Opens a new Statistics tab.
New Word List Tab Opens a new Word Count tab.
New Addresses Tab Opens a new Addresses tab.
New History Tab Opens a new History tab.
New Fast Review Statistics Tab Opens a new Fast Review Statistics tab.
Interface Overview 13
Menus
Note:Theabovescreenshotshowsafullypopulatedscriptingfolder.Thescriptingmenuitemwillonlyshowtheoptionsbelowafterdefaultinstallation.
TheScriptscommandsperformthefollowingtasks.
HELP MENU
TheNuix3DesktopHelpmenucontainscommandsforviewingonlinehelpandtheproductversion,openingsystemlogsanddiagnostictools,anddownloadingupdates.
Scripts Command Function
Script_Name Launches the specified script from the Nuix Scripts directory, if any exist.
Open Scripts Directory Opens the Nuix directory where you place scripts that can be accessed by Nuix3 Desktop.
Show Console Opens the Nuix Script Console that allows you to type or paste scripts and run them, and shows all programmatic output from the script, including informational updates and errors.
14 Interface Overview
Menus
TheHelpcommandsperformthefollowingtasks.
NETWORKS MENU
TheNuix3DesktopNetworksmenucontainscommandsforcustomizingthedisplayoftheNetworksview.ThismenuonlydisplayswhenyouselectViewby:NetworkintheResultspane.
TheNetworkstabdisplaysadynamicallyarrangeddiagramofallcommunicationswithintheresultsset.TheNetworksdiagramcanbeusedtodeterminecommunicationspatternsincludingfrequencyofcommunicationsaswellasanyunusualorone‐offcommunications.Thediagramdynamicallyupdatesasyouchangethefiltersandsearchcriteria.
TheNetworkscommandsperformthefollowingtasks.
Help Command Function
Help Topics Displays the local version of the Nuix Help that is installed with the product.
System Diagnostics
Reports a variety of information about the system on which Nuix3 Desktop is installed, including hardware, software, application dependencies, and system file and license properties. Also used as part of the customer support process. See “System Diagnostics Dialogue” on page 98.
Open Log Directory
Opens the Nuix directory where application log files are written, which help the Nuix Support staff troubleshoot Nuix errors or failures.
Download Updates
Opens the secure web page where you can download Nuix and dependent third‐party software.
About Nuix License_Type
Displays the name and version of your Nuix3 Desktop license type.
Networks Command Function
Centre Graph Centers the graphic within the Networks view.
Lock/Unlock All Nodes Locks the graphic in place or unlocks it. When you lock the graphic, you can pull the nodes apart manually to highlight specific communication threads.
Interface Overview 15
Menus
Node Display Options Sets a variety of display options for the text on the nodes, including truncating the text to less than 15 characters or showing no text, and options for displaying the addresses, such as showing only the personal name, only the address, either the personal name or address based on availability, or showing the fully formatted email address.
Edge Display Options Sets whether to show the number of communications between two nodes. You can choose Blank to hide the link count, or select Link Count to show it.
Colour Schemes Sets the colour or shades used in the Networks view. A different color is used when the communications between two people reach a certain value. Choose between Vivid, Classic, or Grayscale.
Networks Command Function
16 Interface Overview
Tabs
TabsNuix3Desktopcontainsseventabsthathostavarietyofworkflowsandcaseinformation.TheprimarytabistheWorkbenchtab,whichcontainsaholisticviewofthedatawithinthecaseandsupportsmostofthenecessaryeDiscoverytasks.Youcanopenmultipletabsofthesametypeasneededtomanageyourwork.TheProcessingtabdisplayswhenyoucreatethecase,afterthedataisingested,toshowyouinformationabouttheresultsoftheprocessingoperation,butnolongerdisplaysthenexttimethecaseisopened.
YoucancontrolwhichtabsdisplaybydefaultwhenyouopenacasebygoingtoFile>GlobalOptions>DefaultTabsandselectingtheonesyouwishtoseewhenyouopenthatcase.Tomaintainahighlevelofperformance,notalltabscanbeshownbydefault.
Theseventabsare:
• Processing‐Liststheprocessingoperationswithtimestamps,aswellasfiletypestatisticsandanoverallprocessingjobstatus.Thistabisonlyavailableimmediatelyaftertheprocessingoperationhascompleted.UsetheStaticsandHistorytabstoreviewthefiletypesandtotalprocessingtimeinformationaftertheProcessingtabisclosed.
• Workbench‐Hoststheprimarytasksofexcluding,filtering,andsearchingfordatawithinthecase.Youcanalsoanalyzedata,previewindividualitems,andtagfromthistab.Thistabissettodisplaybydefaultwhenyouopenacase.
• Statistics‐Displaysinformationabouttheprocessedandirregularfilesbyfiletype,includingnumberprocessed,corrupted,andencrypted,aswellasapercentageofeachfiletypeencountered.
• WordList‐Displaysalistofeverywordthatappearsinthedatasetorwordsmatchingacustomwordlist,andacountofthenumberofitemscontainingthatword.
• Addresses‐Displaysalistingofalldomainandemailaddressesinthecasealongwithacountofthenumberofitemsperdomainandaddress.
• History‐DisplaysinformationabouthowNuixDesktophasbeenused.Allcasesearchesandprimaryinteractionsarelogged,withtimestampsandtheuserthatperformedtheaction.
• FastReview‐Letsyoucreatejobsthatcanbebatchedupforreviewbyinvestigators.Foreachjob,youcanspecifytagsandwordstohighlight.Youcanthenassociateitemstoeachjob,andthoseitemsarepresentedindividuallyinalinearfashionfortagging.
Interface Overview 17
Tabs
PROCESSING TAB
TheProcessingtabdisplaysinformationaboutthejobthatisbeingprocessedinrealtime.Nuixdisplaystheprogressofthejob,filestatistics,andanoveralljobstatuswithatimetocompletion.Thistabonlydisplayswhenyouloaddataintoanewlycreatedcase,orwhenyouaddevidencetoacase.Onceclosed,itisnolongeravailableforviewing,buttheprocessingstatisticsarealwaysavailabletoviewintheResultspane,whenyouViewby:Statistics.
Thetabisdividedintothreemainareas:
• Progress‐Logstheprocessingevents,includingthedatabeingingestedandotherrelatedoperations,withatimestamp.
• Statistics‐Displaysthetypesoffilesprocessed,withthenumbercorrupted,encrypted,deleted,andrelatedjobpercentages.
• JobStatus‐Displaysthestatusoftheoveralljob
Atthebottomofthetab,youcanalsoviewtheelapsedtimesincethejobbegan,andastatusbarshowingpercentcomplete.
18 Interface Overview
Tabs
Fromthistab,youcanperformthefollowingtasks:
• Pauseajob,whichtemporarilyhaltstheprocessingjob,atwhichpointtheResumebuttonbecomesactive.PausingandthenpressingStopisthesameasjustpressingStop.
• Resumeajob,whichcontinuesprocessing.• Stopajob,whichdisplaysadialoguethatprovidestwooptionsforstoppingcaseprocessing,Stopand
Abort.
See“InterruptingaProcessingJob”onpage 168formoreinformation.
WORKBENCH TAB
TheWorkbenchtabhoststhemaintasksinvolvedwithinteractingwiththecollectionofevidenceyouhaveloadedintothecase.Itprovidesaviewofthesourcedatastructure,excludeditems,filters,searchtools,resultsets,andpreviewsofindividualitems.OpenanewWorkbenchtabbygoingtoWindow>NewWorkbenchTab.
TheWorkbenchtabisdividedintofivemainareas:
• DocumentNavigatorPane‐Displaystheevidenceinitsoriginalhierarchicalstructure,anyexcludeditems,thefiltermechanisms,andahistoryofsearchesperformedinthecase.
• SearchBar‐Containsasearchtextfieldwithadatefilter,andatoolforbuildingmorecomplexqueries.
• ResultsPane‐Displaysitemsthatmatchtheresultofanyexclusion,filterorsearchactions,andsupportforreviewingoranalysingtheresultsetinsevendifferentviews:listofitems,thumbnailsofimages,awordlist,itemsstatistics,amapofeventsovertime,andbycommunicationnetwork.
• PreviewPane‐Displaysafulltextpreviewoftheselecteditemalongwithmetadataabouttheitem,andofferssupportforviewingsimilarorrelateditems,addingcommentsandopeningthemessageinitsnativeapplication.
• ReviewandTagPane‐Providessupportfornavigatingthroughtheresultsetandtaggingdocumentsthroughsingleselectionsorhotkeys.
Document Navigator PaneTheDocumentNavigatorpane,locatedontheWorkbenchtab,iscomprisedoffourtoolsthatallowyoutoquicklysiftthroughtheevidence,includeandexcludeitems,filteritemsbasedonawidevarietyofmetadataproperties,andrerunpriorsearchqueries.
TheDocumentNavigatorislocatedbydefaulttotheleftsideoftheWorkbenchtab,andcanbepoppedoutofthewindowframeand/orresizedwithintheWorkbenchwindowasnecessary.Youcanalsoshow
Interface Overview 19
Tabs
orhidethesectionswithinit,oradjusttheirverticalsizetomeetyourviewingneeds.Whenyounarrowthenumberofitemsinthecasethatyouwishtoacton,eitherbyde‐selectingevidenceorfilteringonmetadata,theDocumentNavigatorhighlightstheassociatedareainyellowtoindicatethatyouhavereducedthescopeofthedataset.
ThefourtoolswithintheDocumentNavigatorpaneare:
• Evidence‐Displaysthecompleteoriginalsourcestructureoftheevidenceloadedintothecase.Youcanalsofilterthedatayouwishtoworkwithbyselectingorclearing(deselecting)theevidencefromthiscontrol.
• ExcludedItems‐Liststheitemsyouhaveexcludedfromconsideration,organisedbynameanddisplayingtheirlocationwithinthedataset.Afteryouexcludeitems,theyaresuppressedfromtheResultsviewandDocumentNavigator.Theywillstillappearaspartofthechildren/attachmenttabsinthePreviewpane.
• FilteredItems‐Displaysallthebuilt‐inNuixfiltersandoffersaquickwaytoscopedowntoasetofitemsbasedonitemmetadata,suchasitemtype,annotation,digestlist,wordlist,skintoneanalysis,irregularitems,language,orreviewjob.
20 Interface Overview
Tabs
• SearchHistory‐Liststhesearchesthathavebeenraninthecaseandthenumberofitemsfoundbyeach,organizedbytimeframe.Youcanrerunsearchesperformedminutes,hours,ordaysagobyselectingtheminthiscontrol,withouthavingtoretypethequery.
Evidence NavigatorTheEvidencenavigatorislocatedwithintheDocumentNavigatorpaneontheWorkbenchtab.Itdisplaysthedataloadedintothecaseinitsoriginalsourcefolderhierarchy,allowingyoutobrowsetheevidencebyfolder,orfilterthesetoffilestovieworanalyzebyselectingonlythenodesyouneed.
TheEvidencenavigatorshows:
• Withinthetitlebar,thenumberofitemsinthecasethatarenotpartoftheexcludeditems,andthenthetotalnumberofitemsinthecollection,followedbythepercentageofitemsthathavenotbeenexcluded.Forexample:(18491/18919;97.74%)
• Thenameyoucreatedforthesetofevidenceastherootfolder,withthetotalnumberofitemsinthatsetofevidencethathavenotbeenexcluded.Bydefault,alldataisselected.
• Childfoldersthatshowthesourcefoldersthatwereprocessed,withthetotalnumberofitemsineachfolderthathavenotbeenexcluded.
• Irregularfileicons,ifapplicable,whichNuixassignstoitemsuponingestioniftheitemsmeetthecriteria.Theirregularfileiconsare:
Non‐searchablePDFs
TextUpdated
Interface Overview 21
Tabs
• TheExcludedItemicon ,foritemsthathavebeenaddedtotheexcludeditemslist.
Inthenavigator,youcanalsoperformtheseactions:
• Filterthedatayouworkwithbyclearing(deselecting)nodesorfoldersinthetree.Whenyoudo,thenavigatorturnsyellowtoindicatethatthefullsetofdataisnotbeingusedforsearchandreviewtasks.
• Expandthenodesinthetreebyclickingontheplussign,andcollapsethembyclickingontheminussign.
• Atthetopofthetree,selectResettoclearanyfiltersandincludetheentiresetofevidenceoncemore.• Atthetopofthenavigator,showorhidethissectionbyclickingonthedouble‐arrowiconintheblue
titlebar.• Viewtheentiretreelefttorightbyusingthescrollbaratthebottom.
Excluded Items NavigatorTheExcludedItemsnavigatorislocatedwithintheDocumentNavigatorpaneontheWorkbenchtab.Itdisplaystheitemsthatyouhavechosentoexcludefromallfutureactionswithinthecase,suchassearching,reviewing,analyzing,andtagging.Excludeditemswillnotappearintheresultssetsyougenerate.Thisallowsyoutocullthedataandsuppressirrelevantitems,asneeded.
BadExtension
Unrecognised
UnsupportedItems
Empty
Encrypted
Deleted
Corrupted
TextStripped
22 Interface Overview
Tabs
TheExcludedItemsnavigatorshows:
• Withinthebluetitlebar,thetotalnumberofexcludeditemsinthecase,andthenthetotalnumberofitemsinthecollection,followedbythepercentageofitemsthathavebeenexcluded.Forexample:(428/18919;2.26%)
• Thenameyoucreatedfortheexclusionsetastherootfolder,withthetotalnumberofexcludeditemsdefinedbythatset.Bydefault,alldatayouhaveexcludedinthecaseisselected(checked).
• Childfoldersthatshowtheitemsbeingexcludedintheiroriginalsourcestructure,withthetotalnumberofitemsineachfolderthatareexcluded.
• TheExcludedItemicon ,to indicate an item is excluded.
Inthenavigator,youcanalsoperformtheseactions:
• Re‐includeitemsthatyouhaveexcludedbyclearing(deselecting)thefoldersornodesinthetree.• Expandthenodesinthetreebyclickingontheplussign,andcollapsethembyclickingontheminus
sign.• Atthetopofthenavigator,showorhidethissectionbyclickingonthedouble‐arrowiconintheblue
titlebar.• Viewtheentiretreelefttorightbyusingthescrollbaratthebottom.
Tofindallitemsthathavebeenexcluded,followthesesteps:
1. Clearallofthefilters.
2. UncheckalloftheExcludedItems.
3. Searchforhas‐exclusion:1
Tofindallitemsthatarepartofaspecificexclusionset,followthesesteps:
1. Clearallofthefilters.
2. UncheckalloftheExcludedItems.
Interface Overview 23
Tabs
3. Searchfor:exclusion:Exclusion.Set.Name
Filtered Items Navigator
TheFilteredItemsnavigatorislocatedwithintheDocumentNavigatorpaneontheWorkbenchtab.Itdisplaysthebuilt‐inNuixfilters,whicharebasedonmetadatagatheredfromingesteditems.Youcanviewabreakdownoftheitemsinthecollectionbasedonavarietyofmetadatacriteria,suchasitemtype,emailattachments,irregularitems,annotateditems,skintonedimages,taggeditems,reviewjobs,andmore.
Note:Thissectiondoesnotincludeanyexcludeditems.Itemscanappearinmultiplefilters(foldersinthenavigationtree)iftheymeetthemetadatacriteria.Eachfolderdisplaysacountofitemsincludedinthatfilter.
TheFilteredItemsnavigatorshowsalistingof:
• AllItems‐Itemsbyfiletype,organizedundertheparentfoldercalledAllItems.Thisfolderincludesallitemsinthecollection,exceptexcludeditems.
• EmailAttachments‐Itemsthatareattachedtotheemailsinthecollection.• EmailsandLooseFiles‐Acombinationoftheemailsandloosefiles,whichareitemsthatwerefound
inthesourcefoldersthatwerenotemailsoremailattachments.
24 Interface Overview
Tabs
• IrregularItems‐ItemsthatNuixhasdeterminedtobeirregular,listedbytypeofirregularfile:
• Commented‐Itemstowhichyouhaveappliedcomments.YoucansearchthroughcommenteditemsforaparticularwordorphrasebyusingthecommentsearchsyntaxintheSearchbarinadditiontoselectingthisfilter.Forexample:comment:"ethical"searchesallcommenteditemsforthatstring.
• SkinTonedImages‐Allimagecontentorganizedbyapercentageoffleshtones,listedbythecategoriesofSevere,High,Medium,andLow.YoucanusetheThumbnailviewinconjunctionwiththisfiltertolookforinappropriatecontentintheSevererangeofOCRcandidatesintheLowrange.
• Languages‐ItemsthathavespecificrangesofcharactersintheUnicodealphabet,whichenablesyoutoidentifyitemswithArabic,Chinese,Cyrillic,Hangul(Korean),JapaneseandNon‐Latincharacters.Itemswithmorethanonecharactersetdisplaymorethanonce.NuixdoesnotinterpretthetexttodeterminewhichlanguagenordoesitdifferentiateLatinbasedlanguages.
• ReviewJobs‐Itemsassignedtoreviewjobs,listedbyreviewjob.Toviewitemsthatareassignedtoaparticularreviewjob,selectjustthefilterforthereviewjobandthenselecttheappropriate"responsive"tagintheTaggedfilter.
• Tagged‐Itemsthataretagged,listedbytag.Toviewitemsthatareresponsivebutnotprivileged,selectthe"responsive"filterhereinthetreeandthenintheAdvancedSearchtooladdasearchcriteriaof"none"oftheprivilegedtags.
• DigestLists‐Itemsthatmatchdigestlists(MD5hashesofitems)definedinthecase.• WordLists‐Itemsthatmatchawordlistdefinedinthecase.
Non‐searchablePDFs
TextUpdated
BadExtension
Unrecognised
UnsupportedItems
Empty
Encrypted
Deleted
Corrupted
TextStripped
Interface Overview 25
Tabs
Inthenavigator,youcanalsoperformtheseactions:
• Filterthedatayouwanttoworkwithbyselectingthecheckboxesnexttothefoldersornodesinthetreeorbydouble‐clickingthefiltername.Whenyoudo,thenavigatorturnsyellowtoindicatethatthefullsetofdataisnotbeingusedforsearchandreviewtasks.Note:DoubleclickingonthefilternamewillshowthesearchsyntaxusedtofilterthedataintheSearchbar.
• Expandthenodesinthetreebyclickingontheplussign,andcollapsethembyclickingontheminussign.
• Atthetopofthetree,selectResettoclearanyfiltersandincludetheentiresetofevidenceoncemore.• Atthetopofthenavigator,showorhidethissectionbyclickingonthedouble‐arrowiconintheblue
titlebar.• Viewtheentiretreelefttorightbyusingthescrollbaratthebottom.
Filters by File Type
WithintheFilteredItemsnavigator,undertheAllItemsfilter,youcanfilterbyspecificfiletypes(theMIMEtypeoftheitem).Nuixdoesnotrelyontheitem’sfileextensiontodeterminesitsfiletype(whichcanbealtered),butinsteadonmetadatainitsheader.
YoucanperformequivalentfilteringactionsbyusingtheKindsearchsyntaxintheSearchbar,asdescribedbelow.
Kind Equivalent Query Description
Email kind:email Email items. This includes all email related item types.
Word Processor Documents
kind:document Word processor documents such as Microsoft Word documents and rich text format (RTF) files.
Spreadsheets kind:spreadsheet Spreadsheets such as Microsoft Excel.
Presentations kind:presentation Presentations, also known as slide shows.
Drawings kind:drawing Vector drawings and diagrams.
Other Documents kind:other‐document Other types of documents a user might create.
Images kind:image Bitmap (raster) images.
Multimedia kind:multimedia Audio and video files, and other types of multimedia.
Databases kind:database Structured database files, such as Microsoft Access.
Containers kind:container Data types that resemble directories, such as archives or mailboxes.
System Files kind:system System files, often uninteresting to the investigator.
Unrecognised kind:unrecognised Files of a type unknown by the software.
26 Interface Overview
Tabs
Filters by Languages
TheLanguagesfilterintheFilteredItemsnavigatorenablesyoutoidentifyitemswithArabic,Chinese,Cyrillic,Hangul(Korean),JapaneseandNon‐Latincharacters.NuixusestheUnicodecharactersetdefinitionstofilterthesedocuments.ThisallowsNuixtoidentifyadocumentthatcontainsasingleChineseorJapanesecharacter.
NuixisUnicodeenabledandhasmanycustomersworkinginalltheselanguages.Ifyouarenotabletoseecharacters–firstchecktoseeifyouhavealltheMScharactersetsonyourcomputer.Ifyouarestillunabletoseealloftheappropriatecharactersets,[email protected].
Nuixusesaregularexpressionsearchtofindthespecificcharacterrangesassociatedwitheachlanguage.See“RegularExpressionQueries”onpage 185foradditionaldetailonsearchingforcharactersetsnotincludedinthedropdownlist.ForacompletelistoftheUnicodecharacterranges,seethisUnicodeChart.
Arabic Unicode characters
TheArabicfilteroptionsearchesforthefollowingcharacterranges:
• Arabic(0600‐06FF)• ArabicSupplement(0750‐077F)• ArabicPresentationForms‐A(FB50‐FDFF)• ArabicPresentationForms‐B(FE70‐FEFF)
Chinese Unicode characters
TheChinesefilteroptionsearchesforthefollowingcharacterranges:
• KangxiRadicals(2F00‐2FDF)• Kanbun(3190‐319F)• CJKRadicalsSupplement(2E80‐2EFF)• CJKSymbolsandPunctuation(3000‐303F)• CJKStrokes(31C0‐31EF)• EnclosedCJKLettersandMonths(3200‐32FF)• CJKCompatibility(3300‐33FF)• CJKUnifiedIdeographsExtensionA(3400‐4DBF)• CJKUnifiedIdeographs(4E00‐9FFF)• CJKCompatibilityIdeographs(F900‐FAFF)• CJKCompatibilityForms(FE30‐FE4F)• CJKUnifiedIdeographsExtensionB(20000‐2A6DF)
Interface Overview 27
Tabs
• CJKCompatibilityIdeographsSupplement(2F800‐2FA1F)
Cyrillic Unicode characters
TheCyrillicfilteroptionsearchesforthefollowingcharacterranges:
• Cyrillic(0400‐04FF)0430isfirstlowercase• CyrillicSupplement(0500‐052F)
Japanese Unicode characters
TheJapanesefilteroptionsearchesforthefollowingcharacterranges:
• Hiragana(3040‐309F)3041isfirstlowercase.• Katakana(30A0‐30FF)• KatakanaPhoneticExtensions(31F0‐31FF)• Half‐widthKatakana(FF65‐FF9F)
Korean Unicode characters
TheKoreanfilteroptionsearchesforthefollowingcharacterranges:
• HangulJamo(1100‐11FF)• HangulCompatibilityJamo(3130‐318F)• HangulSyllables(AC00‐D7AF)• Half‐widthhangul(FFA0‐FFDC)
Non-latin Unicode characters
Thenon‐latinfilteroptionsearchesforthefollowingcharacterranges:
• BasicLatinNOT(0000‐007F)• Latin‐1SupplementNOT(0080‐00FF)• LatinExtended‐ANOT(0100‐017F)• LatinExtended‐BNOT(0180‐024F)• IPAExtensionsNOT(0250‐02AF)
Search History Navigator
TheSearchHistorynavigatorislocatedwithintheDocumentNavigatorpaneontheWorkbenchtab.Itdisplaysallsearchqueriesruninthecase,acrosstime.Thisallowsyoutore‐runaquerywithouthavingtorecreateit,aswellasgivesalogofthedifferenttypesofsearcheshavealreadybeenperformedtodate.
28 Interface Overview
Tabs
Nuixdoesnotsaveanyfiltersettingsyoumighthaveappliedwhenyouranasearch,sotheitemsdisplayedwhenyourerunasearchmayvary.
TheSearchHistorynavigatorshowssearchesperformed:
• Minutesago• Hoursago• Daysago
Searchesarenamedusingthecriteriayouusedinthequery,suchasraptor AND ethical orcomment:"research".Clickthesearchqueryinthetreetorerunit.
Inthenavigator,youcanalsoperformtheseactions:
• Expandthenodesinthetreebyclickingontheplussign,andcollapsethembyclickingontheminussign.
• Atthetopofthenavigator,showorhidethissectionbyclickingonthedouble‐arrowiconinthebluetitlebar.
• Viewtheentiretreelefttorightbyusingthescrollbaratthebottom.
Search BarTheSearchbar,locatedatthetopoftheWorkbenchtab,providesyouwithatoolforperformingbothsimpleandcomplexsearchesagainsttheevidenceset.Searcheswillrunagainstitemsthatmatchanyexistingfiltersanditemsthatarenotexcluded.
Interface Overview 29
Tabs
TheDatefilteroperatesintheinvestigationtimezonesetinFile>CasePropertiesinsteadoftheyoursystem’slocaltimezone.Thisallowsyoutoviewtheitemsinthetimezoneofthecustodian(s)beinginvestigated.Theleftdatecontrolwillsearchstartingfrom00:00:00HH:MM:SSandtherightdatecontrolwillsearchuntil23:59:59oftheselecteddate.
NotethattheDatefiltersearchesagainsttheNuixmetadatapropertycalledItemDate.TheItemDateisdefinedasfollows:
• Foremails,itistheNuixCommunicationsDate,whichcouldbetheMap‐Client‐Submit‐Time,SentDate,orDateoftheemailitem.
• Forfiles,itistheFileModifieddate,orifnotpresent,theFileCreateddate.• Foritemsthatdon'thaveadate,theyaregiventheitemdateoftheirparent.
TheSearchbariscomprisedofthefollowingcomponents.
Formoreinformation,see“PerformingSimpleSearches”onpage 174andfurtherdetailsaboutsearchingforitemsbydate.
Control Description
Previous and Next buttons
Advances backwards and forwards through the searches already performed in the currently open session of Nuix. Searches performed prior to the current session are not available. When you use these buttons, Nuix automatically runs the search and the items in the Results pane update.
Search text field Free text field into which you can type or paste a search query. The Search field can contain millions of characters.
Run button Runs the search in the Search field.
Date filter The date filter offers four options that you can use in conjunction with the calendar controls: Between, Not Between, After, and Before. By default, searches are set to the option No date filter.
Calendar controls
Two calendar controls allow you to specify one or two dates in time to use in conjunction with the Date filter, including year, month, and day. Click the drop‐down arrow to select a date using the visual calendar tool or type in the date you want to use in the field.
Clear button Clears the Search field and all filters, and sets all search criteria back to the default settings.
Advanced button
Shows the Advanced Query Builder tool for building more complex queries without needing to know specific Nuix or Lucene search syntax.
30 Interface Overview
Tabs
Advanced Query Builder
YoucanusetheAdvancedQueryBuildertoconstructcomplexsearchexpressionswithoutknowinganysearchsyntax.LocatedonthefarrightoftheSearch,clickAdvancedtoshowthetool.WhileyoucantypeorpastelargequeriesintotheSearchfield,thistoolallowsthosewithlimitedknowledgeofquerysyntaxtobuildthesametypesofqueries.
YoucanhideorshowtheAdvancedQueryBuilderbyclickingtheAdvancedbuttonatanytime.ThecorrespondingsearchsyntaxfortheexpressionsyouspecifiedinthetooldisplaysintheSearchbar.
Thetooliscomprisedofthefollowingcontrols.
Control Description
Search Criterion Filter Lets you type the first letters of the search criterion for which you are looking and finds it in the list box.
Search Criterion List Box Lists the types of criteria you can use to build a search expression. The associated options for each criterion display in step two, to the right. You can use as many of these criteria as you wish in your query by adding them to the search expression one at a time.
Keywords: All of these words Allows you to type in terms and phrases to use in the search in the associated free‐text field on the right. The search returns only items that match all of the terms listed.
Interface Overview 31
Tabs
Keywords: Any of these words
Allows you to type in terms and phrases to use in the search in the associated free‐text field on the right. The search returns items that match any of the terms listed.
Keywords: None of these words
Allows you to type in terms and phrases to use in the search in the associated free‐text field on the right. The search returns only items that do not include the terms listed.
Keywords: Exact phrase Allows you to type in an exact phrase to use in the search in the associated free‐text field on the right. The search returns items that match only the exact phrase.
File size Allows you to specify a minimum and maximum numerical file size to use in the search in the associated fields on the right. You must enter a value for both fields. File sizes are measured in bytes, and uses the Nuix Digest Input Size.
File type Allows you to specify one or more file type(s) to search for in the associated list box on the right. Type into the filter control to go directly to a particular file type or file extension, or browse through the list of file types to find and select file extensions to include in your search expression. The file types you can choose from include application, audio, filesystem, image, message, server, text, and video. The list only includes the file extensions registered on the local system. You can select as many file types as you wish.
Tags Allows you to select from the list of tags that exist in the case and match items that have the selected tag(s) applied to them. You can choose to match items with any, all, or none of the tags chosen with the drop‐down control at the top of the list box.
Comments Allows you to specify a text string in the associated free‐text field on the right. The search returns only those items that include the string in the Nuix Comment field.
Addresses Allows you to specify one or more addresses in the associated list box on the right. Type into the filter control to go directly to a particular web domain or email address, or browse through the list of domains to find and select specific email addresses to include in your search expression. You can select as many addresses as you want.
Add to Expression Button Adds the criteria you selected in steps one and two to the search expression, which displays in the Expression table. You must click this button each time you complete step two to add the expression to the query.
Expression Table Displays each rule, or expression, as you add them. This collection of rules makes up the search query. You can choose to match all of any of the rules in the table, via the drop‐down control at the top right of the table.
Edit button After selecting an expression in the table, allows you to edit that rule by loading the criteria you entered in steps one and two.
Remove button Removes the selected expression from the query.
Clear All Clears all of the expressions from the Expression table.
Search Runs the search.
Control Description
32 Interface Overview
Tabs
Results PaneTheResultspane,locatedwithintheWorkbenchtab,displaysalistoftheitemsthatmatchyourselectedcriteria,whetherfromfiltersintheDocumentNavigator,asearch,orotheroperations.Bydefault,theviewoftheitemsisinatabularlistformat,showingthemetadataincolumnsfromtheassociatedmetadataprofileappliedtothatview.See“MetadataProfiles”onpage 113formoreinformation.
Atthebottomoftheselectedview,Nuixtellsyouhowmanyitemsaredisplayedthatmatchthecriteria.Ifmoreitemsexistthancanbeshownintheview,itwillstatethat.Italsoshowshowmanyitemsareselected,ifany,andhowmanyitemsareremovedfromthelistbecausetheyareimmaterialorduplicates,ifyouusethoseoptions.
Interface Overview 33
Tabs
TheResultspaneiscomprisedofthefollowingcontrols.
Working with Results Views
Bydefault,theResultspaneontheWorkbenchtablistsallitemsreturnedbyagivenquery(search,filter,etc).EachrowwithintheResultsviewisanactivelinkanddouble‐clickingarowdisplaystheiteminthePreviewpane.Youcancustomizethecolumnsdisplayedintheresultsetwithametadataprofile.Theresultsetdefaultstodisplay1,000,000items.YoucanconfigurethisvaluefromFile>GlobalOptions>ViewerLimits.
YoucanchangetheviewintheResultspanetodisplayandinteractwiththedataindifferentways.Thefollowingtopicsexplainhowtointeractwiththevariousviewsusingtheavailablecontrols.
Control Description
View By Sets which view to use to show the items that match the selected criteria (i.e., the items currently in the result set). Views include: Results, Thumbnails, Word List, Statistics, Addresses, Event Map, and Network.
Hide immaterial items Suppresses items that are not included in a legal export. Immaterial items are those items that are extracted for forensic completeness, but do not necessarily have intrinsic value in a legal context. Additionally, these items will NOT be exported as part of a legal export and are not included in the total size calculation for audited licenses. These items include, folders (file system, email, etc.), embedded inline graphics (email signatures, itext items in PDF files, embedded objects without text, the zip container itself (not the contents), and mailbox files (PSTS, OST, NSF, MBOX, etc.)
Deduplicate results Filters the items in the result set by MD5 hash to show only one of an item if it has duplicates. Selecting this option increases the amount of time it takes to load a view.
View area Displays the items or data in the format of the view you selected in the View by control. The columns in the default Results view can be changed by right‐clicking on a column header and choosing from one of the available options.
Add Tags Opens the Add Tags dialogue so that you can apply tags to the selected items. This button is enabled when you select items in the result set in the Results, Thumbnails, and Addresses views.
Exclude Items Opens the Exclude Items dialogue so that you can exclude the selected items. This button sis enabled when you select items int he result set in the Results, Thumbnails, and Addresses views.
Export Allows you to select from a variety of export options and opens the corresponding dialogue. Export options include exporting by view, items, case subset, annotations, digest list, and legal export to a load file.
34 Interface Overview
Tabs
Interacting with the Results View: Columns
YoucancustomizetheResultsview'scolumnsinseveralwaysbyright‐clickingonthecolumnheaderandselectingacommand.
Note:Selectingthecolumnheaderwiththemouse(aleft‐buttonclick)sortstheresultset.Iftheresultsetisverylarge,thiscancausetheapplicationtoappearhung.RepeatedlyselectingthecolumncausesNuixtocyclethroughthetypesofsortingoptions,furtherdelayingaresponsiveinterface.
Thefollowingtableliststheright‐clickcommandsforcolumns.
Command Description
Choose Column Profile Lists the metadata profiles that you can use to change the metadata values that display in the Results table view. See “Metadata Profiles” on page 113.
Metadata Name Column: Sort Ascending
Sorts the items in the column, starting with items that start with special characters, followed by items that start with numbers beginning with zero, and lastly items in alphabetical order beginning with the letter A.
Metadata Name Column: Sort Descending
Sorts the items in the column, starting with items in reverse alphabetical order that start with the letter Z, followed by items that start with numbers beginning with the highest number first, and lastly items with special characters in reverse order.
Metadata Name Column: Compute Distinct Values
Finds and displays all of the unique values in a given column. Each row is a unique record, and no parsing is performed within any field. The results of the Distinct Values calculation can be copied and pasted as comma separated values.
Metadata Name Column: Compute Column Sum
Totals all of the numerical values in a given column. Primarily for use with metadata whose values range in size, such as Digest Input Size.
Reset Sort Order Resets the column to the Nuix default sort order, which is the order in which the documents were displayed when the search or filter operation was performed.
Interface Overview 35
Tabs
Interacting with the Results View: Rows
YoucancustomisethedataintheResultsview'srowsinseveralways,byselectingorclickingonitemsandwithright‐clickoperations.
IntheResultstable,youcanperformthesetheseactions:
• TohighlightasinglerowanddisplaytheiteminthePreviewpane,single‐clickontherowwiththemouseorusetheupordownarrowsonyourkeyboard.
• Toselectoneormorehighlighteditemsinthelist,pressthespacebar.• ToselectallvisiblerowsintheResultsview,selectthecheckboxatthetopofthetable,oruseCtrl+A
onthekeyboardtoselectallvisiblerowsintheResults,WordList,Statistics,History,andThumbnailviews.
• ToclearallvisiblerowsintheResultsview,clear(deselect)thecheckboxatthetopofthetable,oruseCtrl+Shift+AonthekeyboardtoclearallvisiblerowsintheResults,WordList,Statistics,History,andThumbnailviews.
• Tohighlightcontiguousrowsofitems,single‐clickanitemanddragthemousedownoruptoselectadditionalrowsorselectthefirstitemandpresstheShiftkeyandthenselectthelastitemtoselectallrowsinbetween.
• Tohighlightnon‐contiguousrows,selectthefirstitemandpresstheShift+Ctrlkeyswhileselectingadditionalrows.
Aright‐clickonanyroworrowsdisplaysacontext‐sensitivesetofcommands.Somecommandsareonlyavailableiftheitemisselected(thatis,thecheckboxonthatrowisselected).
36 Interface Overview
Tabs
Thefollowingtableliststheright‐clickcommandsforrows.
*Thisresultsetdoesnotincludetheitemsthemselves.Ifyouareaftertheentirefamily,applyatag,andchoosetheAlsoincludeallitemsinthesamefamilyoption,thenfilteronthenewtag.
Command Description
Copy Copies the selected rows to the clipboard. Includes just the metadata displayed by the current metadata profile.
Select All Selects all visible rows in the Results view.
Select None Clears all visible rows in the Results view.
Export Exports items in a variety of ways using the Export commands.
Add Tags Adds tags to selected items.
Remove Tags Removes tags from the selected items.
Add to Review Job Adds the selected items to an existing Fast Review job.
Remove from Review Job Removes the selected items from an existing Fast Review job.
Exclude Items Excludes items from being available for further case activity. This suppresses the items within the data set, including items in the associated family and /or duplicates.
Show All Descendants * Finds all child items for the selected items.
Show All Top‐level Items * Finds the highest‐level ancestors for the selected items.
Interface Overview 37
Tabs
Interacting with the Thumbnails View
IntheResultspane,youcanviewthumbnailsoftheimagesinthatresultsetbyselectingViewby:Thumbnails.IfyouusetheSkinTonedImagesfilterinconjunctionwiththisview,youcanreviewimagesbasedondegreesofskintone.
IntheThumbnailsview,youcanperformthefollowingoperations:
• Single‐clickonanitemtohighlighttheitemandhaveitdisplayedinthePreviewpane.• Aright‐clickonanythumbnailimagedisplaysacontext‐sensitivesetofcommands.
38 Interface Overview
Tabs
Thefollowingtableliststheright‐clickcommandsforitemsintheThumbnailsview.
Command Description
Copy Copies the selected item to the clipboard.
Select All Selects all items in the Thumbnails view.
Select None Clears all items in the Thumbnails view.
Export Exports items in a variety of ways using the Export commands.
Add Tags Adds tags to selected items.
Remove Tags Removes tags from the selected items.
Add to Review Job Adds the selected items to an existing Fast Review job.
Remove from Review Job Removes the selected items from an existing Fast Review job.
Exclude Items Excludes items from being available for further case activity. This suppresses the items within the data set, including items in the associated family and /or duplicates.
Show All Descendants a
a. Thisresultsetdoesnotincludetheitemsthemselves.Ifyouareaftertheentirefamily,applyatag,andchoosetheAlsoincludeallitemsinthesamefamilyoptionthenfilteronthenewtag.
Finds all child items for the selected items.
Show All Top‐level Items a Finds the highest‐level ancestors for the selected items.
Interface Overview 39
Tabs
Interacting with the Word List View
IntheResultspane,youcanviewalistofallthewordsfromtheitemsinthecurrentresultset,aswellastheirfrequency.Thewordlistincludesallwordsfromboththecontentandpropertiesoftheselecteditems.
Usingthefirstdrop‐downmenu,youcanfilterthewordlistbychoosingtoviewAllWordsfromtheresultsetoronlythewordsthatappearinacustomlistofwordsthatyouhaveimportedintoNuixusingFile>GlobalOptions>WordLists.
Theseconddrop‐downmenuletsyoufilterthelistofwordsbymetadatafield.YoucandisplaywordsfromallfieldswithSearchoverallfields,orconstrainthewordlisttoshowwordsfromthebodyofanitembyselectingSearchoveritemcontent,orlastlyshowwordsthatappearinmetadatapropertiesonlybyselectingSearchoverproperties.
Lastly,youcanquicklymovetoawordorsectionofthewordlistbytypinginthosecharactersintheFilterfield.
40 Interface Overview
Tabs
IntheWordListview,youcanperformthefollowingoperations:
• Tore‐sorttherows,togglingbetweenascendinganddescendingorder,single‐clickonacolumnheader.
• Toviewtheitemsthatincludeaspecificwordinthelist,double‐clickontherowtocreateanewWorkbenchtabdisplayingthoseitemsinanewresultset.
• Toexporttheview,selecttheExportbutton.Formoreinformationaboutexportingviews,see“ExportingInformationfromaView”onpage 258.
Interacting with the Statistics View
IntheResultspane,youcanviewthestatisticsrelatedtojusttheitemsinthatresultsetbyselectingViewby:Statistics.TheStatisticsviewprovidesinformationaboutthenumberofprocessedandirregularfilesbyfiletypewithinthecurrentresultset,asopposedtotheStatisticstabthatoffersalookatfiletypestatisticsfortheentirecase.
IntheStatisticsview,youcanperformthefollowingoperations:
• Tore‐sorttherows,togglingbetweenascendinganddescendingorder,single‐clickonacolumnheader.
• Toviewtheitemsassociatedwithoneofthefiletypes,double‐clickontherowtocreateanewWorkbenchtabdisplayingthoseitemsinanewresultset.
• Toexporttheview,selecttheExportbutton.Formoreinformationaboutexportingviews,see“ExportingInformationfromaView”onpage 258.
Interface Overview 41
Tabs
Interacting with the Addresses View
IntheResultspane,youcanviewtheemailaddresses,aswellastheInternetdomains,oftheitemsintheresultsetbyselectingViewby:Addresses.Thisviewalsodisplaysanitemcountforeachdomainandemailaddress,bydefault.
Youcanchoosetogroupemailbydomainname(thedefaultchoice),ordisplaytheemailsinaflatlistorderedalphabetically.Youcanalsofilterthelistbythecommunicationfields:From,To,Cc,andBcc.
IntheAddressesview,youcanperformthefollowingoperations:
• Tore‐sorttherows,togglingbetweenascendinganddescendingorder,single‐clickonacolumnheader.
• Toviewtheitemsassociatedwithadomainoremailaddress,double‐clickontherowtocreateanewWorkbenchtabdisplayingthoseitemsinanewresultset.
• Toexporttheview,selecttheExportbutton.Formoreinformationaboutexportingviews,see“ExportingInformationfromaView”onpage 258.
42 Interface Overview
Tabs
Interacting with the Event Map View
IntheResultspane,youcanviewitemsinaspecificthreadtolearnwhowasinvolvedandtofollowaconversationordocumentovertime,byselectingViewby:EventMap.TheEventMapviewprovidesastaticgraphicalviewofcommunicationsintheresultsetagainstatimeline,showingwhosentthemandhowtheyweresenttoothers.
IntheEventMapview,youcanchangehowtheaddresslabelsintheright‐handcolumnoftheEventMapdisplaybyselectingoptionsinthedrop‐downAddressmenu:
• None‐Suppressesthedisplayoftheemailaddress.• Personal‐Displaysonlythepersonalportionofeachemailaddress.Forexample,StephenStewart
wouldonlydisplay"StephenStewart".• Address‐Displaysonlytheaddressportionofeachemailaddress.Forexample,StephenStewart
wouldonlydisplay"[email protected]".• PersonalorAddress‐DisplayseitherthePersonalorAddressportionoftheemailaddressdepending
onitsavailability.• FormattedAddress‐Displaysthefullyformattedemailaddress.Forexample,StephenStewartwould
display"StephenStewart".
Interface Overview 43
Tabs
You can also exporttheEventMapview.See“ExportingInformationfromaView”onpage 258.
Note:Alldatesandtimearestoredassystemtime,whichessentiallythenumberoftickssince1970.Whentheitemsarethendisplayed,NuixappliestheappropriatetimezonedefinedintheCasePropertiesdialoguebox,andpresentstheappropriatetime.
Interacting with the Network View
IntheResultspane,youcananalysepatternsofcommunicationbetweenpersonsinasetofevidencebyselectingViewby:Network.TheNetworksviewprovidesadynamicviewofcommunicationpatterns,includingfrequencyofcommunicationandanyoutlyingcommunicationsinagraphicalformat.
YoucancontroltheformatoftheNetworkviewbyusingthecommandsintheNetworksmenu(seepage 15).
44 Interface Overview
Tabs
YoucanfiltertheitemsthatdisplayintheNetworksdiagrambyselectingthefollowingoptions:
• Direct(To)‐ShowsorhidesitemslistedinthecommunicationsTofield.• Indirect(Cc)‐ShowsorhidesitemslistedinthecommunicationsCcfield.• Hidden(Bcc)‐ShowsorhidesitemslistedinthecommunicationsBccfield.• Showlinkcount‐Setstheminimumnumberofcommunicationsthatmusthaveoccurredforitemsto
displayinthediagram.Ifthediagramisdenseandyouwanttoviewfeweritemsbasedonfrequencyofcommunications,raisethevalueinthisfield.
TheNetworksdiagramisadynamicviewofthecommunicationsinformationassociatedwiththespecificresultset,meaningthedisplaychangesasyoufilterorchangetheresultset.Youcanalsocustomizetheviewinthefollowingways:
• RunLayout‐Freezesorunfreezestheautomaticplacementofthenodesinthediagram.Whenselected,thediagramisactiveandworkstodisplaythenodesinthemostreadablelayoutforviewing.Thenodeswillcontinuetopulseastheapplicationcontinuallyoptimizestheview.Whenyouclearthisoption,thediagramislockedinplace(althoughyoucanstillmanuallymovethenodes).
• Scrollandpan‐Holddowntheleftmousebuttononthebackground(white)areaoftheviewtoscrollthediagramup,down,left,orright.Thisdoesnotchangetherotationorproximityofthenodes.
• Zoom‐HolddowntherightmousebuttononthebackgroundandmovethecursorupordownontheYaxisofthescreentozoominoroutonthediagram.
• Rotate‐HolddowntherightmousebuttononthebackgroundandmovethecursorleftorrightalongtheXaxisofthescreentorotatethediagramclockwiseorcounter‐clockwise.
• Highlightallcommunicationspartners‐Movethemouseoveranaddressorleft‐clickonanaddresstohighlightallofthepartnersintheviewwhohavecommunicatedwiththatspecificaddress.
• Highlighttwocommunicationspartners‐Movethemouseoveralineorleft‐clickonalinebetweentwoaddressestohighlightthetwoaddressesassociatedwiththatcommunication.
• Viewitemssentbetweentwoaddresses‐Double‐clickonacommunicationslinetodisplaythoseitemsinanewresultsetview.
YoucanalsoexporttheNetworkview.See“ExportingInformationfromaView”onpage 258.
Hide Immaterial Items Option
Nuixaccountsforallitemsthatitencountersduringprocessing.Thisincludedsystemfolders,foldersinsideanPST,viewsinanNSF,embeddedobjectsinOfficedocuments,inlinegraphicsinemails,andembeddeditemsinsideaPDF.Nuixdoesnotprovideameansofcontrollinghowdeeptheextractiongoes—Nuixwillextracteverythingthatitcanfind—always.
Nuixextractsandtracksallitems,sothatacompleteandaccurateaccountingisperformed,includingmaintainingarecordofthetheentireevidenceancestryandallparent‐childrelationships.
Interface Overview 45
Tabs
However,inmanycontexts,youmightconsidertheadditionalitemsthatNuixextractsasnoiseorimmaterialtoyourgoals.YoucansuppresstheseitemsbyselectingtheHideImmaterialItemscheckboxintheResultspane.
Immaterialitemsarethoseitemsthatareextractedforforensiccompleteness,butdonotnecessarilyhaveintrinsicvalueinalegalcontext.Additionally,theseitemsarenotexportedaspartofalegalexportandarenotincludedinthetotalsizecalculationforauditedlicenses.
Immaterialitemsinclude:
• folders(filesystem,email,etc.)• embeddedinlinegraphics(emailsignatures,embeddeditemsinPDFfiles)• embeddedobjectswithouttext• thezipcontaineritself(notthecontents)• mailboxfileslikePST,OST,NSF,MBOX,EDB,STM,etc.
Thebestwaytoseeexactlywhathasbeendeterminedanimmaterialitemistodirectlyqueryforthem.FromtheSearchfield,type:
-flag:audited
Youcanaddalloftheimmaterialitemstoanexclusionset,andthenviewallthefilesthatNuixconsidersimmaterial:
1. Acrosstheentirecase,searchfor–flag:audited.Thisreturnsalloftheimmaterialitems.
2. SelectallitemsintheresultsetandthenaddthemtoanExcludedItemssetcalled“ImmaterialItems”.See“ExcludeItemsDialogueBox”onpage 66.
3. Clearthesearchresults.
4. Runasearchforexclusion:Immaterial.Items.Thisshouldreturn0hits.
5. FromtheDocumentNavigator,ExcludedItemspane,cleartheboxnexttothe"Immaterial.Items"exclusionset.
YoucannowreportonthisatthestatisticslevelaswellastheresultlevelbyusingacustommetadataprofiletoreviewtheexactlistofitemsthatNuixconsidersimmaterialforagivencollectionofitems.See“MetadataProfiles”onpage 113.
46 Interface Overview
Tabs
YoucandeterminepreciselywhichitemswillbeexportedaspartofaLegalExport,andwhichitemsareconsideredimmaterial,byrunningamockLegalExport.YoucanrunamockLegalExportusingthefollowingsteps:
1. Selectalloftheitemsthatyouwanttoexportandaddatagthatisappliedtotheentirefamily.
2. ConfiguretheLegalExportparametersusingalloftheappropriatesettings.
3. OntheExportTypetaboftheLegalExportdialoguebox,selecttheShowpre‐exportsummaryoption.
4. SelectOKtoruntheexport.
5. Oncethepre‐exportsummaryreportdisplays,scrolltothebottomofthelist,andselecttheTagtheseitemsbutton.Addatagthatclearlymarkstheseitemsasthedocumentsassociatedwiththisspecificexport.
6. Next,Canceltheexport.Youareonlyinterestedintaggingtheitemsthatwillbeexported.
7. FromtheDocumentNavigator,FilteredItemspane,opentheTaggedfolderandselectthetagyouappliedduringstep1toopenaresultthatwiththosehitsandallfamilyitems.
8. Searchfor-tag:export,whereexportisthenameoftheexporttagappliedinstep5.Thisprovidesalistingofalltheimmaterialitemsthatarenotincludedaspartofthelegalexport.
Deduplicate Results Option
InthePreviewpane,runningasearchwiththeDepuplicateresultsoptionselectedonlyreturnsuniquerecordstotheresultset.
RemovalofduplicatesisbasedontheMD5digestandisessentiallyperformedbyfilteringontheMD5digestfield.
Notes:• Startingwithversion2.20,thecopythatappearsintheresultset(the"original"),istheearliestitemin
theevidencetreeasseeninthebrowserview.Thisensuresthateachtimeaduplicateisremovedtheexactsameitemisalwaysdisplayed/exportedaspartoftheresultset.Priortoversion2.20,preferencewasgiventoitemsthatcontainedcommentsorclassifications.
• SHA‐1andSHA‐256hashesareonlycalculatedforreferencepurposes.Theyarenotusedaspartoftheduplicatedetermination.
Foradditionaldetailonhowduplicatesareremovedduringtheexportprocess,seetheLegalExportoption,“Exportitems”onpage 82.
Interface Overview 47
Tabs
Preview Pane
ThePreviewpane,locatedontheWorkbenchtab,iscomprisedofinformationandtoolsthatallowyoutoviewtheitemitself,themetadataassociatedwiththeitemandadditionalinformationtohelpanalysethecontextoftheitem.
Bydefault,thePreviewpaneislocatedontheright‐handsideoftheWorkbenchtab,andcanbepoppedoutofthewindowframeand/orresizedwithintheWorkbenchwindowasnecessary.
ThePreviewpaneiscomprisedofthreemainareas:
• Atoolbaratthetopofthepaneallowsyoutonavigatebetweenitems,applyoreditcomments,andviewtheitemnatively.
• Anareawithcontextualinformationabouttheitem,suchasitssourcepathandsimilarorrelateditems.
• Asetoftabsthatpresentdetailsabouttheitem,suchastheitem'stextualorimagecontentandassociatedmetadata.
48 Interface Overview
Tabs
Preview Toolbar
AtoolbaratthetopofthePreviewpaneallowsyoutonavigatebetweenitems,applyoreditcomments,andviewtheitemnatively.
Thetoolbariscomprisedofthefollowingcontrols:
• PreviousItem‐Selecttheleftarrowtopreviewthepreviousitemintheresultset.• NextItem‐Selecttherightarrowicontopreviewthenextitemintheresultset.• ItemName‐DisplaystheSubjectlineofanemailorthefilenameforallotheritemtypes.• Comment‐OpenstheEditCommentdialogue,allowingyoutoenteroreditacommentassociated
withtheitembeingpreviewed.Youcansearchforthetextenteredinacommentfield.• Launch‐Openstheiteminitsnativeapplicationiftheapplicationisinstalledonyoursystem.When
youcreateacase,selectingtheoptionStorebinaryofdataitemswilldecreasetheamountoftimeittakestoopenanitemnatively.See“ProcessingSettings”onpage 158.
Preview Item Context
BelowthePreviewpanetoolbarisanareathatprovidescontextualinformationabouttheitem,suchasthepathtowhereitexistedinitssourcelocation,andotheritemssimilarorrelatedtotheitem.
Youcanreviewthefollowinginformationinthisarea:
• Path‐Thecomplete,hierarchicalpaththatshowsallparentitemsfortheitembeingpreviewed.Youcanviewtheitemswithinthepathbyclickinganyfolderlink,whichopensanewresultsset.
• Similaritems‐Showsitemsthatareliketheitembeingpreviewed.DuplicatesareitemswiththesameMD5Hashvalueastheitembeingpreviewed,thusanitemthatdoesnothaveanyduplicateswillshowavalueofzero(0).TheHigh(90%+similar),Medium(70%+similar),andLow(50%+similar)categoriesgrouplikeitemsbylookingatthenameoftheitem,theMD5Hashvalue,andallwordsoversixletterslongthatarethesame.
• Relateditems‐Showstheitemsthatareapartofthesameconversationthreadastheitembeingpreviewed.Anemailthreadisaseriesofemailsthathavebeensent,forwarded,copied,andreceived,beginningwiththefirstrelatedcommunication.YoucanusetheEventMapview(seepage 226)toseewhowasinvolvedwithanemailthreadovertime.
Interface Overview 49
Tabs
Preview Item Detail Tabs
ThePreviewpaneincludesuptofiveItemDetailtabs.
Thesetabspresentdifferentviewsoftheitem'scontentandassociatedmetadata:
• Email/Image/Text‐Displaystheextractedtextoftheitemanddetailsabouttheitem,andisselectedbydefault.ClickDetailstoshoworhideasubsetofthemetadataprocessedfortheitem,basedonMIMEtype.Searchwordsarehighlightedwithinthepreview.
• Attachments/Children‐Displaysallattachmentsorchilditemsassociatedwiththeitembeingpreviewed.Double‐clickinganiteminthistabopensapreviewoftheiteminanewWorkbenchtab.
• Metadata‐Displaysthemetadataassociatedwiththeprevieweditem,includingpropertiesandNuix‐definedmetadata.Youcandefinethelistofmetadatathatshowsonthistabusingametadataprofile(seepage 113);bydefaultallmetadataisshown.Clickthedrop‐downmenuandselectadifferentprofiletochangethemetadatashown.
• PDF‐RendersaPDFviewoftheitem.YoucanrenderPDFswhileyouarereviewingitems,orincorporateitaspartofthepre‐reviewprocess.ThePDFrenderingisthesamethatwillbeproducedaspartofthelegalexport,andcanthereforebeusedforimage‐levelQCaswellasarichtextviewoftheitem.ClickDetailstoshoworhideasubsetofthePDFmetadata.ClickImporttoreplacetheexistingPDFoftheiteminthePDFstorewithaPDFgeneratedoutsideofNuix.ClickLaunchtoviewthePDFinthenativePDFviewer,ifinstalled.ClickZoomtochangetheviewingsizeofthePDF.AtthebottomofthePDFview,arepagecontrolsthatallowyoutonavigatemulti‐pagePDFitems.
• WordList‐Displaysalistofthewordsintheprevieweditem,alongwithhowfrequentlyeachwordappearsintheitem.YoucanbegintypingintheFiltertextfieldtogodirectlytoawordorwordsmatchingthoseletters.
EachtabinthePreviewpanepresentshorizontalorverticalscrollbarsifthecontentdoesnotfitintheviewingarea.
50 Interface Overview
Tabs
Review and Tag Pane
TheReviewandTagpane,locatedontheWorkbenchtab,allowsyoutocreateandapplytagstotheitemsyoureviewinthePreviewpane.Youcanassignnumericalvaluesforuptoninetagstosupportefficienttaggingoflargeresultsetsfromthekeyboard.Youcanalsoapplytagsinbulktofamilymembersorduplicates,whenreviewingandtagginganitem.
Bydefault,theReviewandTagpaneislocatedbelowthePreviewpane,andcanbepoppedoutofthewindowframeand/orresizedwithintheWorkbenchwindowasnecessary.
TheReviewandTagpaneiscomprisedofthreemainareas:
• Atoolbaratthetopofthepaneallowsyoutonavigatebetweenitemsandeditthetagsforthecase(add,remove,orrename).
• Atagginggridthatdisplaysthetagsthathavebeenassignedtonumericalvaluesonthekeyboard,aswellastaggingoptions.
• Atreeviewofalltagsinthecase,showinganyhierarchicalrelationships(nestedtags).
Youcanadjustthewidthofthetagginggridorthetagtreeareabyright‐clickingthehorizontaldottedlinebetweenthetwoareasandmovingthedividertotheleftorright.
Note:TagsareonlyappliedtotheitemthatisactivelyselectedanddisplayedaspartoftheReviewandTagpaneheader.YoucannotusetheReviewandTagpanetobulktagmultipleselecteditems.
Review and Tag Toolbar
AtoolbaratthetopoftheReviewandTagpaneallowsyoutonavigatebetweenitemsintheresultset,viewthenameoftheitemcurrentlybeingpreviewed,andopentheEditCaseTagsdialogueboxtomanagecasetags.
Interface Overview 51
Tabs
Thetoolbariscomprisedofthefollowingcontrols:
• PreviousItem‐Selecttheleftarrowtotagthepreviousitemintheresultset.• NextItem‐Selecttherightarrowicontotagthenextitemintheresultset.• ItemName‐DisplaystheSubjectlineofanemailorthefilenameforallotheritemtypes.• EditTags‐Allowsyoutoadd,remove,orrenamecasetags.Youmustcreateandmanagealltagsfrom
thisdialoguebox.Ahierarchicalstructureallowsfororganizingtagsintogroups.
Tagging Grid
BelowtheReviewandTagpanetoolbarisatagginggridwhereyoucanassigntagsyouhavecreatedforthecasetonumericalkeyboardvalues.Thisallowsyoutotagquicklyfromthekeyboardwithoutusingyourhandsonthemouse.
Aftercreatingtagsforthecase(seepage 246),draganddropatagfromthetagtreetoanemptypositiononthetagginggrid.Thegriddisplaysthenameofthetagandthenumericalvaluetousetoapplythattagtoitems.Forexample,ifyoudragatagnamedResponsivetothetopleftpositiononthetagginggrid,thenumericalhotkeyforthattagbecomesseven(7).Onceanitemisselectedinaresultset,pressing7onyourkeyboardtagsthatitemasResponsive.Pressingthenumber7againremovesthetag.
Thetagginggridprovidestwooptionstousewhiletaggingitemsthatallowyoutoapplytagstoallitemsinthesamefamilyortoduplicateitems.Forthisfeaturetowork,eitheroptionmustbeselectedpriortoapplyingthetag(s)totheitem.Tagsappliedtoitemspriortoselectingtheseoptionsarenotpropagatedtofamilyorduplicateitems.
• Applysametagstoallfamilyitems(#)‐Appliesthetag(s)youselecttothecurrentitemaswellasallitemsinthefamily,includingduplicateitems.Whenselected,thePreviousandNextarrowsinthetoolbaradvancebyfamilyinsteadofbyindividualitem.
• Applysametagstoallduplicateitems(#)‐Appliesthetag(s)youselecttothecurrentitemaswellasanyduplicateitems.
Thefollowingoperationscanbeperformedfromthekeyboardtoreviewandtagitemsinaresultset:
• Tomoveverticallythrougharesultset,withtheResultspaneinfocususetheUpandDownarrowkeys.
52 Interface Overview
Tabs
• Pressthehotkeynumbersassignedtoyourcasetastoapplytagitems.Youcanapplymultipletagsbypressingmultiplenumbersinsuccession.
Note:Tagsareonlyappliedtotheitemthatisactivelyselected.YoucannotusetheReviewandTagpanetobulktagitems.
Tag Tree
ThetagtreeintheReviewandTagpaneisavisualrepresentationofthetagsinthecase,whichyoucanusetoapplytagsorpopulatethetagginggrid(seepage 252).Ifyouhavemorethanninetagstouseinthecaseandallthehotkeysinthetagginggridhavebeenassigned,youcanapplytagsbyselectingtheminthetree.
Fromthetagtree,youcan:
• Dragatagontoanemptypositiononthetagginggridtoassignitanumericalhotkey.• Selectoneormoreitemsintheresultsetandtagthembyclickingthebluecheckboxforataginthe
tree.Youcanselectmultipletagsinthetreetoapplytagstotheselecteditems.
FAST REVIEW TAB
TheFastReview:JobListtabiswhereyoumanagestructuredreviewjobs(asopposedtoadhocreviews).Thefastreviewfunctionprovidesaworkflowforperforminglinearreviewsoftheitemswithinacase.OpenanewFastReview:JobListtabbygoingtoWindow>NewFastReviewTab.
OnthistabNuixdisplaysthestatusofeachjobinthecase(statisticsforeachreviewer(user)andthetagsareontheFastReviewStatisticstab).Thesearethereviewjobsthatalreadyexistinthecase,andthelistdisplaysthejobname,whocreatedthejob,andthestatusofthejob(numberofitemstaggedovertotalnumberofitems,andapercentagecomplete.)Asreviewersreviewandtagtheitems,orasyouaddmoreitemstothereviewjobs,thestatusinformationupdatesdynamically.
Interface Overview 53
Tabs
Otheractionsavailablefromthisareainclude:
• Newjob‐Createanewreviewjob,includingwhichtagstouseandwordstoautomaticallyhighlightintheitems.See“CreatingaReviewJob”onpage 233.
• Editjob‐Modifypropertiesofthereviewjob,includingitsname,orderofitemassignment,associatedtags,andhighlightedwords.See“EditingaReviewJob”onpage 238.
• Deletejob‐Deleteareviewjob.See“DeletingaReviewJob”onpage 241.• Joinjob‐Joinareviewjobtoreviewandtagtheitemsinthejob.See“JoiningaReviewJob”on
page 239.
Onceareviewerjoinsareviewjob,NuixpresentstheitemsfortaggingviaanewWorkbenchtab.Nuixalwaysgroupsitemsbyfamilyintheresultset.
STATISTICS TAB
TheStatisticstaboffersanitemisedlistingofallfiletypesprocessedinthecaseandtheirrespectivefrequencywithinthedataset,includingalistingofirregularfiles.TheStatisticstaboffersagoodoverviewoftheitemsinthecaseandshouldbecarefullyreviewedafteryouloaddataintoanewcaseandsubsequentlyeachtimeyouaddevidencetoacase.OpenanewStatisticstabbygoingtoReports>NewStatisticsTab.
Thetabisdividedintotwomainareas:
• ProcessedFiles‐Showsstatistics(processed,corrupted,encrypted,anddeleted)byfiletype,includingpercentageofthatfiletypewithinallitemsprocessed.TheProcessedFilessectionincludesthefilesmarkedasirregularfiles.
• IrregularFiles‐Showshowmanyoftheprocesseditemsweremarkedirregular,andthepercentageofofeachirregularfiletypewithinallitemsmarkedasirregular.FileslistedasIrregulararestillrepresentedintheProcessedFilessection,theIrregularFilesdesignationissimplyanadditionalattributeassociatedwiththeitem.
54 Interface Overview
Tabs
Notes:• Nuixdoesnotrelyontheitem'sextensiontodetermineitsfiletype.Nuixchecksthecontentsofthefile
toensureitaccuratelyassociatesthefiletype.Thiseliminatesthechancetohideevidencesimplybychangingthefileextension.
• TheStatisticstabdiffersfromtheViewby:StatisticsfeatureintheResultspane.WhiletheStatisticstabshowsinformationaboutallcaseevidence,thelatterviewonlyshowsinformationabouttheitemsinagivenresultset.
Statisticsforprocessedfilesinclude:
• FileType‐Listsallofthefiletypesencounteredduringtheingestionprocess.• Processed‐Liststhetotalnumberofitemsprocessedforthespecificfiletype.• Corrupted‐ListsthetotalnumberofitemsthatNuixwasunabletoprocess,orfoundtobecorrupted
foraspecificfiletype.• Encrypted‐ListsthetotalnumberofitemsthatNuixdetectedasencrypted.• Deleted‐ListsthetotalnumberofpermanentlydeleteditemsfoundinMicrosoftmailcontainer
formatsforaspecificfiletype.• PercentageEncountered‐Liststhepercentage,byitemcount,ofthetotaldatasetconsumedbythe
specificfiletype.
Interface Overview 55
Tabs
Typesofirregularfilesinclude:
• TextStripped‐ItemswhereNuixrecognizedthefiletype,butdoeshavearoutinetocleanlyextractalltextandmetadatainaccordancewiththefiletypesAPI.Theresultsinaitemthatissearchable,butthetextmaybegarbledornotbeproperlyformatted.
• Unrecognised‐ItemswhereNuixdidnotrecognisetheheaderandwasthereforeunabletoassignamime‐type.
• BadExtension‐Itemswhosefiletype(MIMEtype)isnotconsistentwithitsfileextension.• Corrupted‐ItemsthatNuixhasbeenunabletoprocess.• Deleted‐ItemsthatNuixextractedfromtheslackspaceofMicrosoftemailboxesorareflaggedas
deletedwithinanEncaseLogicalEvidenceFiles(LEF).• Encrypted‐ItemsthatNuixhasdeterminedtocontainencryptedcontent.Nuixstillextractsmetadata,
andasmuchinformationaspossiblefromanencryptedfile,butNuixisunabletoindexallofthecontent.
• UnsupportedItems‐ItemsforwhichNuixwasunabletoextractanycontentortext.• Non‐SearchablePDFs‐ItemsthataredeterminedtobeaPDFthroughheaderrecognitionbutdonot
containindexabletext.• Empty‐Itemsthatarezero(0)bytesinsize.
Formoreinformation,see“ManagingIrregularFiles”onpage 217.
YoucanperformthefollowingoperationswithintheStatisticstab:
• Openaresultsetcontainingitemsforaspecificfiletypebydouble‐clickingonanyrowintheStatisticstab.
• Sortacolumninascendingordescendingorderbysingle‐clickinginthecolumnheader.Thedefaultisascending.
• ExporttheStatisticsviewbyusingFile>Export>ExportView.
Note:TheStatisticsTabisfortheentirecase,anddoesnothonorExcludedItemsfilters.
WORD LIST TAB
TheWordListtabprovidesalistingofeverywordthatappearsinthecontentandpropertiesofthedatasetoracustomwordlist(seepage 133),andacountofthenumberofitemscontainingthatword.OpenanewWordListtabbygoingtoReports>NewWordListTab.
Usingthefirstdrop‐downmenu,youcanfilterthewordlistbychoosingtoviewAllWordsfromtheresultsetoronlythewordsthatappearinacustomlistofwordsthatyouhaveimportedintoNuixusingFile>GlobalOptions>WordLists.
56 Interface Overview
Tabs
Theseconddrop‐downmenuletsyoufilterthelistofwordsbymetadatafield.YoucandisplaywordsfromallfieldswithSearchoverallfields,orconstrainthewordlisttoshowwordsfromthebodyofanitembyselectingSearchoveritemcontent,orlastlyshowwordsthatappearinmetadatapropertiesonlybyselectingSearchoverproperties.
Lastly,youcanquicklymovetoawordorsectionofthewordlistbytypinginthosecharactersintheFilterfield.Thisfilterisbasedonananchoratthebeginningoftheword,so"ranteed"willnotshow"guaranteed".Thefiltersupportsnumbers,lettersandsymbols.
Notes:• Nuixviewsawordasanyitemthatissurroundedbywhitespaceso24014isconsideredaword.From
apracticalperspectivethiscouldbegibberishoritcouldacriticalzipcode.• Allwordsarelisted,includingallcharactersetsandsymbols.• AscriptisavailablewithintheKnowledgeBasethatcanbeusedtoremoveallalphanumericentries
fromandexportedlist.• TheWordListtabisfortheentirecase,anddoesnothonorExcludedItems.
Interface Overview 57
Tabs
ADDRESSES TAB
TheAddressestabprovidesalistingofalldomainandemailaddressesinthecase(asopposedtotheAddressesviewintheResultspane,whichshowsonlytheaddressesfromthecurrentresultset).Thisviewalsodisplaysanitemcountforeachdomainandemailaddress,bydefault.OpenanewAddressestabbygoingtoReports>NewAddressesTab.
Youcanchoosetogroupemailbydomainname(thedefaultchoice),ordisplaytheemailsinaflatlistorderedalphabetically.Youcanalsofilterthelistbythecommunicationfields:From,To,Cc,andBcc.
YoucanperformthefollowingoperationswithintheAddressestab:
• Openaresultsetcontainingitemsforaspecificemailaddressordomainbydouble‐clickingonanyrowintheAddressestab.
• Sortacolumninascendingordescendingorderbysingle‐clickinginthecolumnheader.Thedefaultisascending.
• ExporttheAddressesviewbyusingFile>Export>ExportView.
58 Interface Overview
Tabs
HISTORY TAB
TheHistoryListtabprovidesalogofavarietyofeventsanduseractionsinthecase,suchaswhenthecasewasopened,searchesthatwereperformed,whenandwhoannotateditems,andthelike.Timestampsarerecordedforeachevent,alongwithwhoperformedtheevent,thetypeofevent,thestatusoftheevent,andeventdetails.OpenanewHistorytabbygoingtoReports>NewHistoryTab.
Nuixmonitorsthefollowingtypesofevents:
• CaseOpened‐RecordstheversionoftheNuixapplicationthatopenedthecaseintheDetailsofEvent.• CaseClosed‐RecordstheversionoftheNuixapplicationthatopenedthecaseintheDetailsofEvent.• LoadData‐RecordsthatdatawasloadedintheDetailsoftheEvent.• Search‐Recordsthesearchparametersthatwereusedandthenumberofresultsthatwerereturned.• Annotation‐Recordsthatanannotationwasapplied,includingthespecificannotation.• Import‐RecordsthataPDFwasimported.• Export‐Recordsthatanexportwasperformed.See“AuditedInformationforExportOperations”on
page 278.• ScriptRun‐Recordsthatascriptwasrun.
Foreachevent,thefollowinginformationislogged:
• Started‐Timetheeventstarted.• Ended‐Timetheeventended.• PerformedBy‐Userwhoperformedtheoperation,basedonthelogged‐inusername.• TypeofEvent‐Thetypeofeventperformed.
Interface Overview 59
Tabs
• Status‐Successorfailureoftheevent.• DetailsofEvent‐Specificdetailsoftheactionsperformed.
Actionsyoucanperformfromthistabinclude:
• Re‐runaspecificsearchquerybydouble‐clickingonaSearchevent.AnewWorkbenchtabdisplaysshowingtheresultsofthequeryagainstthecurrentdataset.Thisisnotamemorializedresultset,soifnewevidenceisaddedtoacase,thenumberofresultswillreflectthenewevidence.
• Sortthecolumnsinascendingordescendingorderbysingle‐clickingonacolumnheader.Thedefaultorderisascending.
• ExportthecontentsoftheHistorytabbyusingFile>Export>ExportView.
FAST REVIEW STATISTICS TAB
TheFastReviewStatisticstabliststhereviewerandtagstatisticsperreviewjob.ThisinformationisalsoavailableviathescriptingAPIforusewithcustomreports.OpenanewFastReviewStatisticstabbygoingtoReports>NewFastReviewStatisticsTab.
TheUserStatisticstabprovidesadetailedbreakdownofeachreviewers’activity,including:
• numberofitemstheuserhascompleted(tagged)• totalnumbertagged,bytag• numberofitemsassigned• totalnumberofitemsinthereviewjob
60 Interface Overview
Tabs
Youcandouble‐clickonanyoftherowsandanewWorkbenchtabopenswiththeresultsfromthecorrespondingquery.Forexample,ifyoudouble‐clickonauser'sname,theitemsthatusertaggedaredisplayed.Ifyoudouble‐clickonatagthathasbeenapplied,theitemswiththattagaredisplayed.
TheTagstabliststhetotalnumberoftagsappliedinthecaseacrossallreviewers(users),bytag,includinganycombinationsoftagsthathavebeenappliedtotheitems.
Interface Overview 61
Tabs
WORKBENCH TAB FOR A FAST REVIEW JOB
AfterselectingJoinjobontheFastReview:JobListtab,NuixopensanewWorkbenchtabmodifiedforthefastreviewworkflow.
ThePreviewpaneoffersallofthetypicalitemcontext,metadata,anddetailsforanitem(seepage 48).SelecttheHideimmaterialitemsoptiontosuppressanyoftheembeddedgraphics,allowingyoutoreviewonlythoseitemsthatwouldbeincludedinalegalexport.However,ifitemsareaddedtoareviewjobbyfamily,allitemsinthefamilymustbetagged,includinganysuppresseditems.YoucanselecttheApplysametagstoallfamilyitemsoptiontoensureallitemsaretagged.
TheReviewandTagpanedisplaysthetaggingpaletteforapplyingtags.Inthisworkflow,onlyoneitemorfamilycanbetaggedatatime.Youmusttagallitemsinonefamilybeforeyoucanadvancetothenextfamilyofitems.ThegreenNextFamilyarrowdisplaysintheReviewandTagtoolbarafterallitemsinafamilyaretagged.TheyellowPreviousandNextarrowsnavigatebetweenitemswithinasinglefamily.
62 Interface Overview
Dialogue Boxes
Dialogue Boxes
Nuix3Desktopmanagesawidearrayoftaskswithdialogueboxes.Notalldialogueboxesaredocumentedinthissection.Somearecoveredthoroughlyinthetopicscoveringthetasksthedialoguessupport,andsomeareundocumentedastheyareconsistentwithcommonlyusedMicrosoftdialogues(suchasSave,Open,andPrint).
ADD TAGS/REMOVE TAGS DIALOGUE BOXES
TheAddTagsdialogueboxprovidesameansofaddingtagstotheselecteditems,bydisplayingthelistofexistingtagsinthecase.Conversely,theRemoveTagsdialogueboxletsyouremovetagsfromtheselecteditems.Thelatterdialogueboxappearsandworksexactlythesamewhenremovingtags,exceptthattagsareremovedinsteadofadded.Thistopicusesthetaskofaddingtagsastheexample.
Afterselectingitems,youcanaddtagsusingoneofthefollowingmethods:
• Fromthemenu,Edit>AddTags• FromtheDocumentNavigator,ortheResultspaneusingtheResultsorThumbnailsview,byright‐
clickingovertheselecteditems.• FromtheResultspane,clicktheAddTagsbutton.
Whenyouaddtags,youcanalsochoosetoaddtheminbulkbyselectingoneofthefollowingoptions:
• Alsoincludeallitemsinthesamefamily(#)‐Appliesthetag(s)youselecttothecurrentitemaswellasallitemsinthefamily,includingduplicateitems.
• Alsoincludeallduplicateitems(#)‐Appliesthetag(s)youselecttothecurrentitemaswellasanyduplicateitems.
Interface Overview 63
Dialogue Boxes
Youcanperformthefollowingoperationsinthisdialoguebox:
• Highlightasingletagbyclickingonit.• HighlightmultiplecontiguoustagsbyholdingdowntheShiftkeywhileyouselectthemwiththemouse
orarrowkeys.• Highlightmultiplenon‐contiguoustagsbyholdingdowntheCtrlkeywhileyouselectthemthemouse.• Deselectatagbyclickingonitagain,onceitishighlighted.• Createnewtagsbyright‐clickinginthewhiteboxandselectingNewTagorNewSubtag.• Editexistingtagsbyright‐clickinginthewhiteboxandselectingRenameorDelete.
YoucansetupthetagsthatdisplayinthislistfromtheEditTagslinkintheReviewandTagpaneontheWorkbenchtab(see“ReviewandTagToolbar”onpage 51),oryoucancreatethemfromthisdialoguewhileworkingwiththedata.
64 Interface Overview
Dialogue Boxes
CASE PROPERTIES DIALOGUE BOX
TheCasePropertiesdialogueboxletsyouedittheinformationaboutthecasethatwasspecifiedwhenthecasewascreated(see“CreatingaCaseandLoadingData”onpage 157).Thesesettingsareglobalandremainthesame,regardlessofhowmanypeopleareworkingonthecase.
Casemetadataincludes:• Name‐Nameofthecase.• Investigator‐NameorIDofthepersoninvestigatingthecase.• Description‐Descriptionofthecasetofurtheridentifyit.
InvestigationsettingsincludetheInvestigationtimezone,whichsetsthebasetimezoneusedforinvestigations.YoucansearchandreviewEventMapsinthedesiredtimezone.Nuixstoredalltimestampdatatosystemtime,butdisplaysdatesandtimesaccordingtothetimezonesetinthisfield.Thisensuresalleventmapsprogresslinearlythroughtime,andeliminatesthecomplexityofmanagingcommunicationsfromdifferenttimezones.
Interface Overview 65
Dialogue Boxes
EXCLUDE ITEMS DIALOGUE BOX
TheExcludeItemsdialogueboxletsyoucreateanexclusionruleforsuppressingitemsfromthedataset.Anumbershowshowmanyitemsyouhaveselectedforexclusion.
Youcaneitheraddtheselecteditemstoanewexclusionrule,orchoosetouseanexistingexclusionrulebyselectingitfromadrop‐downlist.Bydefault,Createanewexclusionisselected.
Eachexclusionruleismadeupofthefollowing:
• Exclusionname‐Uniquenameoftheexclusionrule.• Exclusiondescription‐Adescriptionoftheruleorwhytheitemsarebeingexcluded.
Youcanalsochoosetoexcludeitemsinbulkbyselectingoneofthefollowingoptions:
• Alsoexcludeallitemsinthesamefamily(#)‐Excludestheitem(s)youselectaswellasallitemsinthefamily,includingduplicateitems.
• Alsoexcludeallduplicateitems(#)‐Excludestheitem(s)youselectaswellasanyduplicateitems.
Afterselectingitems,useoneofthefollowingmethodstoopenthisdialoguebox:
• Fromthemenu,Edit>ExcludeItems.• FromtheResultspane,clickExcludeItems.
66 Interface Overview
Dialogue Boxes
• FromtheResultspane,right‐clickontheitemsandselectExcludeItems.
Interface Overview 67
Dialogue Boxes
EXPORT CASE SUBSET DIALOGUE BOX
TheExportCaseSubsetdialogueboxprovidesameansofexportingaresultsetintoanewcase,containingonlythoseitems.Thisnewcaseisafullyinteractivecase,andincludesallsearch,reviewandanalysisfunctions,onlyscopedtotheexporteddataset.Settingshereallowyoutodefinethecasesubsetsimilarlytohowyouwoulddefineanewcase(minustheprocessingsettings).
Fromanexistingcase,youcanuseoneofthefollowingmethodstoopenthisdialoguebox:
• Fromthemenu,File>Export>ExportCaseSubset.• FromtheResultspane,clicktheExportbuttonandselectExportCaseSubsetandtheloadfileformat.• Onceitemsareselected,right‐clickoverthemandselectExport>ExportCaseSubset.
Note:Nuixonlyexportstheselecteditemsandanyofthenecessaryparentdocumentrecordstocompletetheevidencehierarchy.Nuixdoesnotgatherfamiliesandexportthose.ToincludeentirefamiliesintheCaseSubset,youwouldneedtofindthemandensurethattheypartofyourselecteditems.
Exported Case Settings
TheExportedcasesettingsincludebasicinformationaboutthecasesubset.
• Name‐Nameofthecasesubset.Thevaluedefaultstothenameoftheparentcaseappendedwith"‐Export#".
• Directory‐DirectorywhereyouwantNuixtoexportthecase.Thevaluedefaultstotherootfolderofthelastexport.
• Investigator‐Theactivelyloggedinuser.• Description‐Descriptionofthecasesubsetusedsolelyforinformationalpurposes.
68 Interface Overview
Dialogue Boxes
Note:Thecasesubsetadoptsalloftheparentcase'singestionprocessingsettings.ThemostimportantsettingtonoteistheStorebinaryofitemsoption.Ifthestorebinaryoptionwasnotselectedwhenthecasewasprocessedoriginally,thecasesubsetwillnotcontainthebinary.Ifitwasselected,thenthecasesubsetwillcontainthebinary.Thisisimportantifthecasesubsetistobetransported,asthepathtotheoriginalsourcewillmostlikelynotbeavailableaftertransport.
Text Processing Settings
TheTextprocessingsettingsintheExportCaseSubsetdialogueboxcontrolhowtheitemswillbetextindexed.ThesesettingsarethesameasintheNewCase‐AdvancedSettingsdialogue.See“ProcessingSettings”onpage 158fordetailsontheseoptions.
Note:Nuixdoesnotreprocessthesourcedatawhenitcreatesacasesubset,insteaditonlyre‐indexesthepreviouslyextractedtext.
Annotation Settings
TheAnnotationsettingsintheExportCaseSubsetdialogueboxdetermineifuser‐definedcommentsandtagsfromtheparentcasearetobeincludedinthecasesubset.Bydefault,bothoptionsareselected.
Output Progress
TheExportingCaseSubsetdialogueboxdisplaysafteryouselectOKontheExportCaseSubsetdialogue,showingyoutwoexportprogressindicators.
• Item‐Showstheprogressatanindividualitemlevel.Someitemsarecompounditemsandcantakeaconsiderableamountoftime.
• Total‐Showstheprogressoftheentireexport.• FailedItems‐Numberofitemsthatfailedtoexport.
Interface Overview 69
Dialogue Boxes
Note:Creatingcaseexportsfromcaseswithoutthestoredbinaryisveryfast.Caseswithstoredbinarycantakeconsiderablylongerbecauseallofthebinarydataneedstobecopied.
Anotherdialoguebox,ExportResults,followsthisoneindicatingthenumberofitemsthatweresuccessfullyexported.
EXPORT DIGEST LIST DIALOGUE BOX
TheExportDigestListdialogueboxenablesyoutoproduceanMD5digestlistoftheselecteditemsoraddthemtoanexistinglist(see“DigestLists”onpage 129).Notethattheselectionisnotexportedtoalocation,butidentifiedandusedwithintheGlobalOptionsDigestListfeatureforMD5selections.IfyouneedtoexporttheactuallistofMD5s,youcandosowiththeExportViewcommand(see“ExportingInformationfromaView”onpage 258)inconjunctionwithanappropriatemetadataprofile.
Optionsinclude:
• Createnewlistnamed‐CreatesanewlistandsavesitasabinaryfileintheNuix\Digestsdirectory.• Mergewithexistinglist‐Appendsthecurrenthighlightedresultstoanexistingdigestlist.
Digestslistsarestoredlocallyandwesupportthembeingmoved/copiedtootherworkstationsviathedigestimportfeature(seepage 130).
Youcanuseoneofthefollowingmethodstoopenthisdialoguebox:
• Fromthemenu,File>Export>ExportDigestList.• FromtheResultspane,clicktheExportbuttonandselectExportDigestListandtheloadfileformat.• Onceitemsareselected,right‐clickoverthemandselectExport>ExportDigestList.
70 Interface Overview
Dialogue Boxes
EXPORT ITEMS DIALOGUE BOX
TheExportItemsdialogueboxallowsyoutoexportitemsinnativeformatfromNuix.Itdoesnotcreatealoadfileormaintainparent‐childrelationshipsfordocuments;rather,itexportsonlytheitemsyouselectedintheresultset.Therefore,ifasearchonlyhitsontheattachment,onlytheattachmentisexported.
Note:TheExportingItemsfeatureisavailabletoallexportenabledlicences.
Toexportcompletedocumentfamilies,youmustfirstusetheShowallTop‐LevelItemscommandtoshowthehighestlevelancestor.Afterselectingitems,youcanuseGo>ShowAllTop‐levelItems,orintheResultspane,thecommandisavailableontheright‐clickmenu.
ThefollowingtopicsdescribeeachsettingoroptionintheExportItemsdialoguebox.
Export directory
ExportdirectorydefinestherootpathtowhereyouwantNuixtoexportthedata.TheSavedialogueboxdefaultstothepreviouslydefinedlocation.
Notes:• Priortoperformingalegalexport,ensurethatthetargetfilesystemhassufficientdiskspaceforthe
export.
Interface Overview 71
Dialogue Boxes
• Nuixstronglyrecommendsthatallexportsbeperformedtolocaldisk.Nuixdoesnotrecommendexportingtoamappeddrive,aUNCshareoranexternallyattachedharddriveastheseallpresentseverperformancelimitations.
Export copies of original data
Exportcopiesoforiginaldatacontrolswhethertheactualitemsareexported,orifonlyreportsarecreated.Byclearingthischeckbox,onlythereportsarecreated.Thisoptionisselectedbydefault.
Retain directory structure of original data
RetaindirectorystructureoforiginaldatasetswhetherNuixrecreatestheentirefolderstructureofthesourceevidencewhenexportingtheitems.Thisoperationisappliedtobothemailcontainers(PST,MBOX)andloosefiles.NuixusesthefolderstructurecontainedintheNuixPathnamefieldtorecreatethefolderstructure.Thisoptionisoffbydefault,andtheitemsarethereforeexportedtotherootoftheemailcontainerortargetedfilesystemexportfolder.
Thefollowingimageshowstheresultswiththisoptionselected.
Thefollowingimageshowsthedefaultresult,withtheoptionleftoff.
Notes:• ThisoptiondoesnotrecreatethePSTexactlyasitexistedpriortoingestion.Thedirectorystructure
willberelativetothenameoftheemailcontainerthatwasingested.ThisallowsemailfrommultipleemailcontainerstobeexportedintoasinglePST/NSF/MBOXfile.Additionally,NuixlimitsthedefaultPSTsizeto10,000messagesperarchiveaslargersizesaresusceptibletocorruptionissues.Ifyouwish
72 Interface Overview
Dialogue Boxes
increasethenumberofitemsstoredperPST,youcanlaunchNuixwiththe-Dnuix.export.pst.maximumMessagesPerPst=500000 commandlineswitch.
• ThisoptionisnotsupportedforNSFfiles.
Export messages as
Exportmessagesassetswhatformattousewhenexportingtheemailitems.
TheNative,EML,andMSGandoptionswillexportindividualitemstotheexportfolder.TheMBOX,PST,NSFoptionswillexportasingleemailcontainerwithalloftheitems.
Individualfileoptions:
• Native‐Exportmessagesintheiroriginalformat.• EML‐ExportmessagesinMimemessageformat.• MSG‐ExportmessageinMicrosoftOutlookMSGFormat.
Aggregatedemailcontaineroptions:
• MBOX‐ExportMessagesinMBOXFormat• PST‐ExportmessagesasaMicrosoftOutlookPSTfile• NSF‐ExportmessagesasaLotusNotesNSFfile
Notes:• AsingleemailcontainerfileiscreatedattherootoftheExport_Dir\FilesfoldercalledExport.xxx.This
filecontainsalloftheselectedemails.• LotusNotesdataisclassifiedasamessage/RFC822andisexportedasEMLifNativeisselected.• IfNativeisselected,mostdatafromMicrosoftExchangeEDBfilesisexportedasEML.IfallMicrosoft
dataisexpectedtobeMSG,selecttheMSGoption.
Metadata for summary report
Metadataforsummaryreportallowsyoutoselectasetofcustommetadatafieldstoincludeinthesummaryreportdescribingtheexportjob.TheExportSummaryreportprovidesatableofcontentsforalloftheindividualitemreports.Thesummaryreportlistsasummaryofeachitem,includingtheitem'snameandallmetadatafromtheselectedmetadataprofile.
Thedrop‐downlistontheleftcontainsallofthemetadataprofilesdefinedinNuix.Thedefaultsettingisblank(noprofile),whichmeansnometadataisusedinthereport.
Interface Overview 73
Dialogue Boxes
TheManageMetadataProfilesbuttonlaunchestheMetadataProfilepageintheGlobalOptionsdialoguebox.See“MetadataProfiles”onpage 113.
Anexamplesummaryreportisreferencedbelow.
Item report formats
Itemreportformatssethowyouwantthetextualitemreportformatted.Theitemreportcontainsallofthemetadataandtextualcontentoftheitem.ThereportscanbegeneratedinXHTML,PDF,andTIFF.Ifyoudonotwishtogenerateanyitemreports,clearallselectedformatoptions.
Theitemreportspecificallycontains:
• Caseinformation,includingname,timeandthedatethecasewasopened,andwhenthereportwasgenerated.
• Allthemetadataretrievedfromtheitem.• Detailsofthecommunicationsactivitiesaboutthatfile,suchaswhosenttheitemandtowhomitwas
sent.• Thetextofthedocumentitself.
Seethesampleitemreportisreferencedbelow.
Summary report formats
Summaryreportformatssetshowyouwantthetextualsummaryreportformatted.TheExportSummaryreportprovidesatableofcontentsforalloftheindividualitemreports.Thesummaryreportlistsasummaryofeachitem,includingtheitem'snameandallmetadatafromtheselectedmetadataprofile.
ThereportscanbegeneratedinXHTML,PDF,TIFF,andCSV.Ifyoudonotwishtogenerateanysummaryreports,clearallselectedformatoptions.
Note:Itemreporthyperlinkswillfailifyoudonotselecttheappropriateemailcontainerexportformats(PST,NSF,MBOX)intheExportmessagesasfield.
Attachment Size
Docs_Case (Summary Report).pdf 95.74 KB
Attachment Size
Docs_Case (Item Report).pdf 108.22 KB
74 Interface Overview
Dialogue Boxes
Seethesamplesummaryreportreferencedbelow.
Description of export
Descriptionofexportisafree‐textfieldthatprovidesyouwithaplacetocommentaboutyourexportactivity.Thisinformationisincludedaspartofheaderofboththeitemandsummaryreports.
Copyright notice
Copyrightnoticeisafree‐textfieldthatprovidesaplacetoaddaCopyrightnotice.ThistextisstampedatthebottomofallPDFandTIFFreports.
Output Folder Structure
TheExportItemcommandcreatesfour(4)foldersattherootofthetargetedexportdirectory,andifselected,thesummaryreport.
Foldersinclude:
• Assets‐Containsthecommon.cssfilethatisusedtorendertheHTMLreports.• Files‐ContainsallofthenativefilesifyouselecttheExportcopiesoforiginaldataoption.• Report‐ContainsalloftheitemlevelreportsiftheItemlevelreportsoptionisselected.• Thumbnails‐ContainsthumbnailsofitemsiftheThumbnailsoptionwasusedduringingestion.
Note:IftheRetaindirectorystructureoforiginaldataoptionwasselected,afoldertreematchingthatofthesourceiscreatedunderneaththeFilesfolder.OtherwiseallitemsareexportedtotherootoftheFilesdirectory.Ifnamingcollisionsoccur,allduplicatenameswillhavetheirnamemodifiedwithanincrementalcounter.
LEGAL EXPORT DIALOGUE BOX
TheNuixLegalExportfunctionprovidesthenecessarytoolstocreatelogicallegalloadfiles.Nuixofferslegalexportstothefollowingloadfileformats:
• Concordance• DiscoveryRadar• EDRMXML
Attachment Size
Docs_Case (Summary Report).pdf 95.74 KB
Interface Overview 75
Dialogue Boxes
• IPRO• Relativity• Ringtail• Summation
TheLegalExportdialogueboxhasthefollowingtabsofsettings:
• ExportType‐Settingstoestablishhowyouwanttoexporttheitems.• RelativitySettings‐SettingsforexportingtoRelativityonly;thistabdoesnotdisplayforotherlegal
loadformats.• NumberingandFiles‐Settingstoconfiguredocumentnumberingandfilenames.• ParallelProcessing‐SettingsforadjustingthenumberofNuixworkermachinesandassociated
memoryfortuningtheperformanceoftheexportoperations.
ForeachlegalexportNuixcreatesseveralstandardfiles:
• Summary‐Report.txt/xml‐Thesummaryreportprovidesacompletereportforthelegalexport.• Top‐level‐MD5‐digests.txt‐TheTop‐level‐MD5‐digests.txtfilecontainsalistallthetop‐levelMD5
digestsincludedinthelegalexport.
Youcanuseanyofthefollowingmethodstoopenthisdialoguebox:
• Fromthemenu,File>Export>LegalExportto.• FromtheResultspane,clicktheExportbuttonandselectLegalExporttoandtheloadfileformat.• Onceitemsareselected,right‐clickoverthemandselectExport>LegalExportto>Loadfileformat.
Export Type TabIntheLegalExportdialoguebox,theExportTypetabofferssettingsforcontrollinghowthedataisexported.
Thesettingsforthedifferentloadfileformatsaregenerallythesame,withafewexceptions.ConcordanceEDRMXML,andRingtailhaveoneormoreadditionalsettingsonthistab,ashighlightedbelow.
76 Interface Overview
Dialogue Boxes
Concordance
Interface Overview 77
Dialogue Boxes
EDRM XML
78 Interface Overview
Dialogue Boxes
Ringtail
Interface Overview 79
Dialogue Boxes
Discovery Radar, IPRO, Relativity, Summation
ThefollowingtopicsdescribeeachsettingoroptionontheExportTypetab.
Export to - EDRM XML
ExporttoisanEDRMXMLsettingthatallowsyoutocreateanXMLloadfilepertheElectronicDiscoveryReferenceModel(EDRM)’sgenerallyacceptedXMLschemas.ChoosefromoneofthetwopublishedEDRMstandards(schemas),dependingonyourdownstreamapplicationrequirements:v1.0orv1.1.TheXMLincludesallfieldselectionsfromthemetadataprofileandreferencestoallitemsthataregenerated.
Export to - Ringtail
ExporttoisaRingtailsettingthatcreatesthefullRingtaildatabaseaswellasanumberofotherdocuments/items.ChoosefromoneoftwotypesofMicrosoftAccessdatabases:RingtailCaseBook6orRingtailLegal2005.Casebook6isthedefaultsetting.
Thisoptiongeneratesafolderwiththenative,multi‐pagePDF;multiplesingle‐pagetiffs;ortextfilesasrequested.Italsoincludes:
• Theexport.mdb.
80 Interface Overview
Dialogue Boxes
• SummaryReportdetailinginformationabouttheProduction/Exportingrunitself.(summary‐report.txtandsummary‐report.xml).NotethattheXMLisprovidedtohelpyoucreatemoreuserfriendlyreportsbycombiningitwithacustomcascadingstylesheet.
• AtextfilecontainingthetoplevelMD5digests(top‐level‐MD5‐digests.txt)• Acustomfolderforeachtypeofexporteddata(Native,TIFF,PDF,Text).Thesearedefinedaspartof
thefilenamingsection.
ThedetailsoftheExport.mdbdatabaseExporttableareasfollows:
TheExport_extrastablecontainsalloftheinformationthatisincludedaspartoftheNuixMetadataProfile.Thedetailsofthetableareasfollows:
Field Definition
ID Ringtail internal cross reference.
Document_ID Document ID assigned by Nuix during the Legal Export.
End_Page Last Page of a PDF production.
No_Pages Total Number of pages in the PDF.
Host_Reference Parent Document_ID.
Document_Date This is the document date assigned for sorting purposes. This will be the Item Date for the document, unless the “Inherit document dates” option is selected. If the “Inherit document dates” is selected then, the item will Document_Date will be populated with the Item Date of the document families top‐level item.
Estimated NA
Document_Type Contains the type of document. This is based on the Nuix defined metadata – Item Category.
Title The items Name. This will be either the subject of an email, or the name of a file/attachment.
Level_1 – Level_10 Level’s 1 through 3 will be populated with the breakdown of the file naming structure.
Document DateValue
The Item date of the item. This is the actual system time for the item and will be visually presented using the local systems default date settings.
Description The item’s name. This will be either the subject of an email, or the name of a file/attachment.
Field Definition
ID Unique, system generated ID for each record.
Document_id Document ID assigned by Nuix during the Legal Export.
theCategory Category is MEMO.
theLabel Field name from Nuix metadata profile.
theValue The data for the specific field in the Nuix metadata profile.
Interface Overview 81
Dialogue Boxes
Export items
Exportitemscontrolswhatitemsareexportedandwhethertode‐duplicatethem.
Optionsinclude:
• Top‐levelitems(de‐duplicated)anddescendants‐Nuixfirstidentifiesthetoplevelitemforeachitemintheresultset.Nuixthendeduplicatesacrossallofthetoplevelitemsbeforeexportingtheresults.Thisensuresthatasinglecopyofeachlogical,top‐levelisexportedalongwithallofitsdescendant(child)items.
• Top‐levelitems(de‐duplicated)only‐Nuixfirstidentifiesthetoplevelitemforeachitemintheresultset.Nuixthendeduplicatesacrossallofthetoplevelitemsbeforeexportingtheresults.Thisensuresthatasinglecopyofeachlogical,top‐levelitemisexported.
• Toplevelitemsanddescendants‐Nuixidentifiesthetoplevelitemforeachitemintheresultset,andthenexportsthoseitemsplustheirdescendants.Ifduplicatetop‐levelitemsarepresenttheywillbeexportedasseparatefamilies.
• Top‐levelitemsonly‐Nuixidentifiesthetoplevelitemforeachitemintheresultset,andthenexportsthoseitems.Ifduplicatetop‐levelitemsarepresenttheywillbeexportedasseparateitems.
• Selecteditemsanddescendants‐Nuixexportsonlytheselecteditemsandanydescendantitems.Thisoptionismostfrequentlyusedwhenyoumanuallyfindthetoplevelitemsandspecificallytailortheexactcontentsoftheresult.
• Selecteditemsonly‐Nuixexportsonlytheselecteditems.Thiswillnotdeduplicateorexporttheentirefamily.So,ifanattachmenttoanemailispartoftheresultset,onlytheattachmentisexported.Theparentemailisnotexported.
numbValue NA
textValue NA
memoValue The data for the specific field in the Nuix metadata profile
dateValue NA
boolValue NA
82 Interface Overview
Dialogue Boxes
Notes:• TheTop‐levelitems(de‐duplicated)anddescendantsoptionwillstillresultinduplicatechild
items.IftheMD5Digestisincludedaspartofthemetadataprofile,duplicatechildrencanbedeterminedpostexport.
• Top‐leveloptionscanandwillresultintheexportreportingadifferentnumberofitemsexportedthanthanareselectedintheresultset.ThisoccursbecauseNuixistakingtheresultset,findingallofthetop‐levelitems,thenoptionallydeduplicatingtheexportedset.ReviewthePre‐exportsummaryreportaswellasthepost‐exportsummaryreporttoassistinreconcilingtheresultcounts.
Export messages as
Exportmessagesassetswhatformattousewhenexportingtheemailitems.
TheNative,EML,andMSGandoptionswillexportindividualitemstotheexportfolder.TheMBOX,PST,NSFoptionswillexportasingleemailcontainerwithalloftheitems.
Individualfileoptions:
• Native‐Exportmessagesintheiroriginalformat.• EML‐ExportmessagesinMimemessageformat.• MSG‐ExportmessageinMicrosoftOutlookMSGFormat.
Aggregatedemailcontaineroptions:
• MBOX‐ExportMessagesinMBOXFormat• PST‐ExportmessagesasaMicrosoftOutlookPSTfile• NSF‐ExportmessagesasaLotusNotesNSFfile
Notes:• AsingleemailcontainerfileiscreatedattherootoftheExport_Dir\FilesfoldercalledExport.xxx.This
filecontainsalloftheselectedemails.• LotusNotesdataisclassifiedasamessage/RFC822andisexportedasEMLifNativeisselected.• IfNativeisselected,mostdatafromMicrosoftExchangeEDBfilesisexportedasEML.IfallMicrosoft
dataisexpectedtobeMSG,selecttheMSGoption.
Export scheme
Exportschemeprovidescontroloverhowthenativeemailswillbeexported.Optionsinclude:
• Leaveattachmentsonemails‐Nuixexportstheparentemailwithalloftheattachmentsassinglefile.Italsoexportseachoftheattachmentsasseparatefiles.Thisallowstheentiremessagetobevieweda
Interface Overview 83
Dialogue Boxes
singleentity,whilestillmaintainingtheparent‐childrelationshipoftheentirefamilywithintheLegalExportnumberingscheme.
• Separateattachmentsfromemails‐Nuixexportstheemailandallofitsattachmentsasseparatefiles.Thisensuresthatwhenperforminganativereview,thateachitemcanbeviewedasauniqueitem.TheLegalExportnumberingschememaintainstheparent‐childrelationshipfortheentirefamilyofdocuments.
Load file sorting
Loadfilesortingdeterminestheorderinwhichtheitemsareexported.Optionsinclude:
• Defaultsortorder(fastest)–ExportstheselecteditemsbasedontheirinternalID.Thisisthesameorderinwhichtheyarereturnedtotheresultset.Thismethodisthefastest,becauseitdoesnotrequireanyadditionalsorting.Thisoptionisthedefaultsetting,andistherecommendedoptionifyouareimportingthisdataintoanotherreviewtoolthathasitsownsortingcapabilities.
• Top‐leveldocumentdate(ascending)–Exportstheselecteditemsbasedonthetop‐leveldocument’sdate,withtheoldestdocumentappearingfirstintheloadfile.
• Top‐leveldocumentdate(descending)–Exportstheselecteditemsbasedonthetop‐leveldocument’sdate,withthemostrecentdocumentappearingfirstintheloadfile.
Load file encoding - Concordance
LoadfileencodingsetsthedocumentencodingthatisusedwhencreatingtheConcordanceloadfile(*.dat).OlderversionsofConcordancearenotUnicodecompliantandonlysupportsASCIIcharacters.ThedefaultsettingisISO‐8859‐1(8‐bitsingle‐bytecodedgraphiccharactersets‐=Part1:Latinalphabet).NuixisfullyUnicodecompliantandallowsyoutoexportthe*.datwithanyencoding.ThemostcommonlyusedencodingafterISO‐8859‐1willbeUTF‐8.UTF‐8allowsUnicodecharacterstobeexportedaspartoftheloadfile.
Export directory
ExportdirectorydefinestherootpathtowhereyouwantNuixtoexportthedata.TheSavedialogueboxdefaultstothepreviouslydefinedlocation.
Notes:• Priortoperformingalegalexport,ensurethatthetargetfilesystemhassufficientdiskspaceforthe
export.• Nuixstronglyrecommendsthatallexportsbeperformedtolocaldisk.Nuixdoesnotrecommend
exportingtoamappeddrive,aUNCshareoranexternallyattachedharddriveastheseallpresentseverperformancelimitations.
84 Interface Overview
Dialogue Boxes
Metadata profile
Metadataprofilesallowsyoutoselectasetofcustommetadatafieldstoincludeinthelegalexportloadfile.Thedrop‐downlistontheleftcontainsallofthemetadataprofilesdefinedinNuix.Thedefaultsettingisblank(noprofile),whichmeansnometadataisexported.
TheManageMetadataProfilesbuttonlaunchestheMetadataProfilepageintheGlobalOptionsdialoguebox.
Headers & footers
Headers&footersprovidescontroloverwhatmetadatafieldsareappliedtoPDFandTIFFrenderingsduringthelegalexport.PressConfiguretosettheseoptions.
Optionsinclude:
• ShowDividerLine‐Showsorhidesablackrulebeneaththeheaderorfootertext.Thisoptionisselectedbydefault.
Interface Overview 85
Dialogue Boxes
• Name‐Anidentifierfortheitemlocatedintheupperleftcorneroftheheader.BydefaultthisissettoName,whichisthesubjectofanemailofthenameofafile.ChangethevalueandfontbyclickingEdit.
• Labelinmiddleofheader‐Optionally,anotherplacetoplaceinformationintheheader,suchasanItemIDordigestnumber.Bydefault,thisisleftblank.
• GUID‐Anidentifierfortheitemlocatedintheupperrightcorneroftheheader.BydefaultthisissettoGUID,whichistheGloballyUniqueIdentifierusedbyNuixtoreferencetheindividualitem.ThisIDisuniquetoeveryitem,butnoteverypage.ChangethevalueandfontbyclickingEdit.
• Producedby‐Anidentifierfortheitemlocatedinthelowerleftcornerofthefooter.BydefaultthisissettoProducedby,whichisthenameoftheuserperformingtheexportoperation.ChangethevalueandfontbyclickingEdit.
• Labelinmiddleoffooter‐Optionally,anotherplacetoplaceinformationinthefooter,suchasanItemIDordigestnumber.Bydefault,thisisleftblank.
• BatesNumber‐Anidentifierfortheitemlocatedinthelowerrightcornerofthefooter.BydefaultthisissettoBatesNumber,theDocumentIDassignedtothefile/pageduringthePDF/TIFFprocess.Thisnumberisuniquetoeverypageofanimageddocument.ChangethevalueandfontbyclickingEdit.
Image Excel spreadsheets
ImageExcelSpreadsheetsprovidesameansofconvertingExceldocumentstoimageformat.Thisoptionisoffbydefault.
Note:ItisgenerallyrecommendedthatExcelfilesbeproducedinnativeformat.ThenatureofanExceldocumentdoesnotlenditselftotheflatnatureofaprintedpage.IfExceldocumentsmustbeconvertedtoimages,youshouldfirstpreviewthePDFrenderingintheitemlevelviewbeforeusingthisExportoptiontoensureitmeetsyourexpectations.
Regenerate natives
RegeneratenativespopulatestheNuixbinarystorewiththenativefileoftheselecteditemsduringtheexport.Thisoptioncanbeusedtoreloadthebinarystoreifitwaspopulatedwhenthecasewascreated,oritcanbeusedtocachefilesthatwilllikelybelaunchedinnativeformatduringareview(Excels,PowerPoints,etc.).Thisoptionisoffbydefault.
Additionally,thisoptionisonlyavailablewhentheExportmessagesasoptionissetto“Native–Exportmessagesintheiroriginalformat”andtheExportSchemeoptionissetto“Leaveattachmentsonemails”.
Regenerate PDFs
RegeneratePDFsforcesallofthePDFsintheNuixPDFprintstoretobereplacedwithnewPDFsgeneratedbyNuix.Thisoptionisoffbydefault.
Note:IfyouhaveimportedcustomPDFsintothecase,usingthisoptionwillreplacethem.
86 Interface Overview
Dialogue Boxes
Generate slip-sheets for container items
Generateslip‐sheetsforcontaineritemsinsertsaPDFslipsheetforallcontaineritemsthatareencounteredaspartofthedocumentfamiliesduringlegalexports.Thisisusedwhenyouwantaplaceholderfilepresentinadocumentfamilythatrepresentstheactualzipfile.Thecontentsoftheziparestillexportedandthefamilyrelationshipisstillmaintained.Thisoptionisoffbydefault.
ThetextofthePDFslipsheetcontainsthefollowingtext:
Containeritemintentionallyexcludedfromtheexport.
Per-page text files
Per‐pagetextfilescreatesatextfileforeachpageofadocument.Thisoptionisoffbydefault.
Note:OnlyusethisoptionwithdocumentsthatarebeingrenderedtoTIFF.Otherwise,itwillforceNuixtocreateaPDFforeachdocument,thenextractthetextfromeachpagetocreateaseparatetextfile.ThisoperationdramaticallyincreasestheexporttimeandshouldonlybeusedwhenexportingitemstoTIFF.
Wrap lines in text files
Wraplinesintextfilesforcesatextstringtowrapatacertainnumberofcharacters,ensuringthatallofthetextforagivendocumentiseasilyviewable.Thisoptionisoffbydefault.
Text file encoding
TextfileencodingsetsthemultibytecharacterencodingforUnicode.ThisoptionissettoUTF‐8forEDRMexports,bydefault.
Inherit document dates - Ringtail
Inheritdocumentdatesappliestheemailcommunicationsdatetoalldescendant(child)items.ThisoptionisavailableandselectedbydefaultwhenexportingtotheRingtailloadfileformat.
Use MEMO for all extra values - Ringtail
UseMEMOforallextravaluesconfiguresallNuixmetadatafieldsastypeMEMOintheRingtail(MSAccess)database.AvailableonlyfortheRingtailloadfileformat,thisoptionisoffbydefault.
Name: File Name
GUID: Item GUID
MIME Type: MIME type of the item
Interface Overview 87
Dialogue Boxes
Relativity Settings TabIntheLegalExportdialoguebox,theRelativitySettingstabofferssettingsforexportingitemstotheRelativityloadfileformat.Thisloadfileincludesanumberofstaticcolumnsthatarealwaysexported,followedbycolumnsforeachFileNamingtypeyouspecifyontheNumberingandFilestab,andfinallythemetadatacolumnsfromyourmetadataprofile.
NuixusesaKWEmappingfiletomapthedatafromtheNuixloadfiletotheRelativityworkspace.YoumustensurethatallvaluesinacolumnoftheloadfilearevalidvaluesfortheRelativityfieldstowhichtheyaremapped.Thatis,itisnotpossibletomaptheNuixGUIDtoanumericalRelativityWorkspaceFieldasitcontainsnon‐numericcharacters.
YouwillalsoneedtoensurethatyouuseacustomNuixmetadataprofilethatcorrectlyformatsdatesto“EEEE,MMMMdd,yyyyHH:mm:ss”usingderivedmetadata.Seepage 123forinformationonhowtoaddderivedmetadata.ThemetadataprofilethatyouusetoexportitemstoRelativityshouldalsoincludethePathNamefield,fromtheNuix‐definedmetadata.
ThefollowingtopicsdescribeeachsettingoroptionontheRelativitySettingstab.
88 Interface Overview
Dialogue Boxes
Select Version
SelectVersionsetstheRelativityversionyouwanttousewiththeexportedloadfile.
Optionsinclude:
• Version6.6‐IfyouareusingRelativityversion6.6ornewer,selectthisoption.• Version6.5• LegacyVersions(pre6.5)
Native Export
Nativeexportspecifiesthedirectorywheretheitemsaretobeexported.Optionsinclude:
• MainExportDirectory‐ExportsthenativeitemstothedirectoryspecifiedontheExportTypetab,Exportdirectoryfield.
• RelativityAccessibleDirectory‐ExportsthenativeitemstoboththeExportdirectoryandthedirectoryspecifiedonaRelativityserver.Clicktheassociatedbuttontospecifythedirectoryortypeitinmanually.
KWE Mapping File
KWEMappingFilespecifiesthelocationofthefileyouwanttousetomapthedatafromtheNuixloadfiletotheRelativityworkspace.
Relativity URL
RelativityURLdisplaysthelocationoftheRelativityserver.YoumustruntheRelativityclientandspecifytheWebServerURLwithinthatapplication.NuixreadstheURLfromtheWindowsregistryandusesitfortheexportoperation.IfyouhavenotsetupthiswebserverURL,youcannotexportitems.
User Name
UserNameisthenameusedtogainaccesstotheRelativityserver.
Password
PasswordisthepasswordusedinconjunctionwiththeusernametoaccesstheRelativityserver.
Workspaces
TheWorkspacelistbuttongeneratesalistoftheRelativityworkspacesthatareavailabletotheaccount(user)specifiedintheWorkspacesfield.Ifyouareusingversion6.5orlater,youcanseeboththeworkspacesandthesubfolderswithineachworkspace.
Interface Overview 89
Dialogue Boxes
Numbering and Files Tab
IntheLegalExportdialoguebox,theNumberingandFilestabofferssettingsfornamingfilesandnumberingdocuments.Thefilenamingsettingsarethesameacrossallloadfiletypes.However,Nuixprovidestwobasicnumberingoptions:
• simplesequentialnumberingfortheConcordance,Summation,IPRO,andDiscoveryRadarloadfilesloadfileformats
• amoregranularschemefortheRingtailformatwithspecificbox,folder,andpagenumbering
Concordance, Summation, IPRO, Discovery Radar
90 Interface Overview
Dialogue Boxes
Ringtail
ThefollowingtopicsdescribeeachsettingoroptionontheNumberingandFilestab.
Numbering
Numberingprovidessixbasicschemesfornumberingdocuments.
Interface Overview 91
Dialogue Boxes
Concordance,Summation,IPRO,andRingtailsettingsinclude:
• Box,Folder,Page‐Assignsaninedigit,sequentiallyassignednumbertoeachdocument.Thiseffectivelyprovidesforalegalexportupto999,999,999items.
• Folder,Page‐Thiswillassignasixdigit,sequentiallyassignednumbertoeachdocument.Thiseffectivelyprovidesforalegalexportupto999,999items.
• Prefix,Box,Folder,Page‐Sameasthe"Box,Folder,Page"optiononlythetextstringintheprefixfieldisincludedatthebeginningofdocumentnumber.
• Prefix,Folder,Page‐Sameasthe"Box,Folder,Page"optiononlythetextstringintheprefixfieldisincludedatthebeginningofdocumentnumber.Thisisthedefaultsetting.
AdditionalsettingsonlyavailableinRingtailinclude:
• Page‐Assignsa3digit,sequentiallyassignednumbertoeachdocument.Thiseffectivelyprovidesforalegalexportupto999items.
• Prefix,Page‐Sameasthe"Page"optiononlythetextstringintheprefixfieldisincludedatthebeginningofdocumentnumber.
UsethePreviewfieldtopreviewthenumberingscheme.
Prefix
Prefix allows for an alphanumeric/special character ("_", ".", "‐") prefix to be included on each document ID. The default value is CASE.
UsethePreviewfieldtopreviewthenumberingscheme.
Note:Spacesarenotpermitted.Ifaspaceisrequired,Nuixrecommendsusingan"_"or".".
Start at
Start at provides a way to start the numbering sequence at a specific digit. The default value is 1.
UsethePreviewfieldtopreviewthenumberingscheme.
Box, Folder, Page - Ringtail
Box,Folder,andPagearefieldsthatallowyoutomoregranularlydefineeachnumericalsegment,andisavailableonlyintheRingtailloadfileformat.
ThevalueyouchoosefortheNumberingsettingdriveswhichBox,Folder,andPagefieldsareactive.Inthisscreenshot,theFolder,Pageoptionisselected,whichleadstoanumberingschemelike001001,
92 Interface Overview
Dialogue Boxes
wherethefirst001representthefoldernumberingschemethatbeginswith1,andthe001presentsthepagenumberingschemethatbeginswith1.
ThesethreefieldsintheLegalExportdialogueboxallowzeropaddingupto7digitswide.Youcansetthepagerollovervalueexplicitly,whileBoxandFolderrollovervaluesaredeterminedbyhavinga9foreverydigitintherespectivenumbering(e.g.,afieldvalueof‘0001’resultsinarolloverof‘9999’.)
Family docs - Ringtail
Familydocssetswhetherdocumentfamiliesarebrokenupacrossconcurrentfolders.
Optionsinclude:
• Canexistinmultiplefolders‐Ifadocumentfamilyconsistsofmultipledocumentsormultiplepagesofdocuments,thisoptionenforcesthenumberingscheme,andsimplyspansasinglefamilyordocumentacrossafolderboundary.
• Mustexistinsamefolder‐Ifadocumentfamilyconsistsofmultipledocumentsormultiplepagesofdocuments,thisoptionforcestheentiredocumentfamilyintoasinglefolder.Thismeansthatthatthenumberoffiles/pagesperfoldercanbeexceeded.
Delimiter - Ringtail
Delimiterallowsyoutoaddaseparatorbetweenthebox,folder,andpagenumbers.Thedefaultsettingistodelimitthesevalueswithaperiod(.).Theotheroptionisblank,meaningnodelimiterisused.
File Naming
FileNamingdisplaysthevariousformatsoftheexports(native,text,TIFF,andPDF),thesub‐folderpathwithintheexportdirectorywheretheywillbewritten,andhowtheitemswillbenumbered.Youcanonlydefinethepropertiesforthegeneratedfileonceforeachfiletype.
UsetheAdd,Edit,andRemovebuttonstomanagethecontentsofthistable.
Add/Edit
AddandEditopentheGeneratedFilesdialog,whichallowsyoutodefinethedifferentexportfiletypes.ClickAddtodefineanewfiletype.ClickEdittochangeanexistingone.Bydefault,NuixprovidesadefinitionfortheNativefiletype.
Interface Overview 93
Dialogue Boxes
IntheGeneratedFiledialoguebox,youcandefinethreeproperties.
Thefiletypesyoucandefineinclude:
• Native‐Thedocumentsareexportedasindividualitemsthatcanbeopenedintheirnativeapplication.• Text‐Theextractedtextofthedocumentisexported.Thisdoesnotincludealloftheextracted
metadata.• PDF‐ThisisaPDFrenderingofthedocument.Asingle"SearchablePDF"iscreatedforeachitem.• TIFF‐TIFFsarecreatedfromthePDFrenderingofthedocumentusingGhostscript.TheTIFFsare
singlepageTIFFs.
Thepagenamingoptionsareshownbelow.Inmostcasesyouwillwanttoensurethatthepagenameisconsistentacrossallexportfiletypes.Additionally,the"Full"optionwillhonorthesettingsmadeontheNumberingandFilestab.
Thesub‐folderpathallowsthenameoftheexportsub‐directorytobedefined.Thisisusedwhennatives,text,imagesallneedtobestoredinseparatefoldersundertherootexportdirectory.
Remove
RemovedeletesthefiletypedefinitionthatiscurrentlyhighlightedintheFileNamingtable.Besuretohighlightthefileyoutypeyouwishtodeletepriortoclickingthebutton.
94 Interface Overview
Dialogue Boxes
Preview
Previewshowsanexampleofthenumberingschemeusingthedocumentnumberingvaluesyouhavespecified.Usethisfieldtoensureyournumberingschemeiscorrect.
Parallel Processing Tab
IntheLegalExportdialoguebox,theParallelProcessingtabofferssettingsthatallowyoutocontrolhowtheNuixworkersoperatewhileexportingthedata.
Note:Thesesettingsonlyapplytotheexportoperation,andareseparatefromtheparallelprocessingsettingsassociatedwithingestingdata.
Nuixoffersthefollowingsettings:
• Numberofworkers‐Setsthenumberofnuix_single_worker.exeinstancestouseduringanexportjob.Inthemajorityofcases,youshouldalwayssetthistothemaximumavailablebasedonyourlicence.However,therearesomecaseswhenthenumberofworkersneedstobereducedandtheamountofRAMincreasedtosuccessfullyexportadataset.Bydefault,thevalueissettotothemaximumallowedbyyourlicense.
Interface Overview 95
Dialogue Boxes
• Memoryper‐worker(MB)‐SetstheamountofRAMthateachnuix_single_worker.exehasavailableduringanexportjob.Nuixdoesnotimmediatelyconsumetheallocatedmemory,butrathersetsthisathethresholdfortheJavaVirtualMachine.Bydefault,thevalueissetto1,000.Note:Thesumof("NumberofWorkers"×"Memoryper‐worker")+"SystemOptions>ApplicationMemory"shouldbeatleast2GBlessthanthetotalavailableRAMonthesystem.Foradditionalinformationonallocatingapplicationmemory,see“AllocatingMemory(RAM)forBetterPerformance”onpage 141.
• Workertempdirectory‐SpecifiesthetemporarylocationusedbytheNuixduringexporting.Nuixwillusethisdirectoryascacheforanyfilesthatitneedstowritetodisk.
Note:WhenexportingLotusNotesdata,NuixwillcreateonecopyoftheactiveNSFfileforeachnuix_single_worker.exe.Forexample:Ifyouareexportingone10GBNSFfile,witha4‐corelicense,NuixcreatesfourcopiesoftheNSFfileintheWorkertempdirectory.
Show pre-export summary report
Showpre‐exportsummaryreportdisplaysacompletelistofallitemstobeexported.Thisincludestop‐levelanddescendant(child)itemsandshouldbeusedasaguidewhendeterminingtheoverallexportsize.Bydefaultthisoptionisoff.
TheExportSummarysectionatthetopofthereportprovidesthetotalnativefilecountsthatwillbeexported:
• Itemsselectedforexport‐Thetotalnumberofitemshighlightedintheresultset.
96 Interface Overview
Dialogue Boxes
• Top‐levelitemsfoundfromselecteditems‐Thetotalnumberoftop‐levelitemsfound.Thisnumberincludesduplicates.
• Deduplicatedtop‐levelitemsfoundfromselecteditems‐Thetotalnumberoftoplevelitemsthatwillbeexported.
• Duplicatetop‐levelitemsnotexported‐Thenumberoftop‐levelitemsthatwillnotbeexportedbecausetheyareduplicates.
• Totalitems,includingchilditems,discoveredforexport‐Thetotalnumberofitemsthatwillbeexported.Thisnumbermatchesthetotalnumberofnativefilesexported.
ClickOKtoexporttheitems,orclickCanceltocanceltheexportoperation.
NUIX SCRIPT CONSOLE DIALOGUE BOX
TheNuixScriptConsoledialogueboxprovidesameansofwritinganddirectlyexecutingscriptcodeagainstaNuixcaseaswellasdisplayinganyconsoleoutputfromthatscript.Youcanalsousetheconsoleverifythestatusofarunningscript,asinformationalmessagescanbewrittentotheconsoleaswellasanyerrors.
Thefollowingoptionsandcontrolsareavailable:
• Language‐Setsthescriptinglanguagetooneoftwo,eitherECMAScriptorRuby,thedefaultsetting.• Script‐Afree‐textboxintowhichyourscriptistypedorpasted.
Interface Overview 97
Dialogue Boxes
• Console‐Aread‐onlyboxthatdisplaystheresultsofthescriptaswellasastatusmessageandanyerrors.
• Clear‐ClearstheresultsintheConsolebox.• Execute‐RunsthescriptthathasbeenpastedintotheScripttextbox.• Cancel‐Cancelsacurrentlyrunningscript.
Toclosethedialoguebox,clicktheCloseiconintheupperrightcorner.
SYSTEM DIAGNOSTICS DIALOGUE
TheSystemDiagnosticsdialogueboxprovidesyouwithinformationaboutthemachineonwhichNuixisinstalled.EachtimeNuixDesktopisopened,itrunsasystemcheck.Ifatanypointthesoftwareconfigurationchanges,theSystemDiagnosticsdialoguedisplays.
TherearefivetabsintheSystemDiagnosticsdialoguebox:
• Dependencies–Identifiesallrequired/recommendedsoftware.DependenciesnotinstalledarenotedintheStatuscolumn.Highlightarowtoviewdetailsofthedependencyintheboxbelow.NuixregularlyreceivessupportquestionsaboutthesoftwareNuixrequirestoperformitstasks.Toreducetheserequests,NuixnowrequiresyoutoindicatethatyouunderstandtheserequirementsbyselectingtheIunderstandtheconsequencesoflackingthisdependencycheckbox.
98 Interface Overview
Dialogue Boxes
• SummaryReport–Reportsproductversionandotherinformationaboutyourhardwareandsoftware.
• Environment–Detailsavarietyofvariablesandvaluesaboutyourhardware.• Systemproperties–DetailsanumberofNuixsystemfilepropertiesandvaluesusefulfor
troubleshootingproblems.• Licenceproperties–Detailspropertiesandvaluesaboutthesoftwarelicenceonthelicencedongle.
Note:IF AN ERROR OCCURS DURING THE OPERATION OF THE NUIX APPLICATION, GO TO Help > System Diagnostics TO OPEN THIS DIALOGUE BOX AND CLICK Save to file. SEND THE OUTPUT TO [email protected] WITH A DESCRIPTION OF WHAT WAS BEING DONE WHEN THE ERROR OCCURRED.
Interface Overview 99
Customizing the Interface
Customizing the Interface
Nuix3Desktopsupportscustomizingtheapplicationinterfaceinacoupleofdifferentwaystobettersupportyourpersonalworkflowandtopromoteefficiencyinmousingoperations:
FromanyWorkbenchtab,youcan:
• Resizepanes.• Rearrangethelocationofpanes.• Un‐dock(pop‐out)thepanes,distributingthemacrossmultiplemonitorsorfloatingthemoutsidethe
applicationwindowonasinglemonitor.• Hidethepanes.
Atanytime,youcanresetallthepanesintheWorkbenchtabtotheirdefaultlocationsbyselectingWindow>ResetLayout.
Toresizepanes:
1. Selectaninsideedgeofapane.Aresizecursordisplayswitharrowpointinginthetwodirectionsthatyoucandragthepane.
2. Whileholdingdowntheleft‐mousekey,dragthepanetothedesiredwidthorheight.Theotherpanesresizetoaccommodatewithintheremainingspace.
Torearrangepanes:
1. Selecttheyellowtitlebarofapaneanddragittoanotherlocationwithinthetabwindow.Nuixdisplaysanoutlinedepictingwherethepanecanbeplaced.
2. Releasethemousewhenthepaneisinthedesiredlocation.
3. Resizethepanestoachieveaparticularresult.
Toundockandreplacepanes:
1. On the Workbench tab, in the pane you wish to undock, select the icon.ThepanepopsoutoftheNuixwindow.
2. Selecttheyellowtitlebarofthepaneanddragitontoanothermonitor,ortoanotherpositiononyourcurrentmonitor.
3. Toreplacethepane,dragitbacktothedesiredlocationwithintheWorkbenchtaborclickthesameiconinthetitlebaragaintoreturnittoitsoriginallocation.
100 Interface Overview
Customizing the Interface
Tohideandshowpanes:
1. Tohideapane,selecttheWindowmenuandthenselecttheShowPaneNamecommandforthepaneyouwishtohide.ThepaneishiddenfromtheWorkbenchtab.
2. Toshowthepaneagain,selectthesamecommandagainintheWindowmenu.Thepanereturns.
Interface Overview 101
Keyboard Shortcuts
Keyboard Shortcuts
Nuix3Desktopprovidesavarietyofkeyboardshortcutstoenablegreaterefficiencyforthetasksyouperformfrequently.Shortcutkeysarekeyboardcharactersthatyouholddowntoactivateacommandortriggeranactivity.Lettersarenotcasesensitive.Usingthekeyboardinsteadofthemousemightalsoreducetheriskofrepetitivestressinjuries.
KEYBOARD SHORTCUTS FOR MENU ITEMS
Youcanusethefollowingkeycombinationsonyourkeyboardtoaccessfunctionsintheapplication.
Command Shortcut
New Case Ctrl + N
Open Case Ctrl + O
Print Ctrl + P
Cut Ctrl + X
Copy Ctrl + C
Paste Ctrl + V
Select All Ctrl + A
Select None Ctrl + Shift + A
Find Ctrl + F
Next Item in Family Alt + Right Arrow
Previous Item in Family Alt + Left Arrow
Next Batch (Family) ‐ Only active while in Fast Review.
Shift + Right Arrow
Show All Descendants Ctrl + Shift + D
Show All Top‐level Items Ctrl + Shift + T
New Workbench Tab Ctrl + T
New History Tab Ctrl + H
Close Tab Ctrl + W
Help Shift + F1
102 Interface Overview
Keyboard Shortcuts
KEYBOARD SHORTCUTS IN THE RESULTS PANE
OntheWorkbenchtab,youcanusethefollowingkeyboardshortcutstoperformactionsintheResultspane.
Command Shortcut
Select highlighted item(s) Spacebar
Highlight item above Up arrow
Highlight item below Down arrow
Apply same tags to all family items Alt + Shift + F
Apply same tags to all duplicate items Alt + Shift + D
Apply tag from tag grid 0‐9
Interface Overview 103
Keyboard Shortcuts
104 Interface Overview
CHAPTER 3 Install
NuixprovidestwobasicDesktopinstallerpackages,whichincludesallprocessingandreviewlicencetypes,fromEnterpriseWorkstationstoForensicDesktop:
• 32‐BitinstallerforWindowsx86Architecture(32‐bitWindowsOS)• 64‐BitinstallerforWindowsamd64Architecture(64‐bitWindowsOS)
Notes:Thisincludesall64‐bitbasedarchitecturesandisnotlimitedtotheAMDchipset.
Thischaptercontainsthefollowingtopics:
• “PrerequisiteHardwareandSoftware”onpage 106• “InstallingNuixDesktop”onpage 110
Install 105
Prerequisite Hardware and Software
Prerequisite Hardware and SoftwareRunningNuixrequiresacertainminimumhardwareconfiguration,andadditionalsoftwaretosupportreviewandexporttasks.Beyondthat,youcanoptimizeperformanceandfunctionalitybyaddingfurtherhardwareandsoftwaretoyourenvironment.
ToensurethatyouarereadytoinstallNuix,reviewandestablishthefollowing:
• whetheryouneedtoinstallthe32‐bit,64‐bit,orbothversionsofNuixDesktop• theproperhardwareforyourprocessingneeds• thepropersoftwareforthetasksyouperform• theminimumrequirementsforNuixtooperate
USING 32-BIT, 64-BIT, OR BOTH
Nuixprovidessupportforboth32‐and64‐bitenvironments.Nuixrecommendsalwaysusinga64‐bitOSforimprovedperformanceandmemorymanagement.
WiththereleaseofOffice2010(MSAccess64‐bit),itispossibletorunNuixina100%64‐bitenvironment.Runninginpure64‐bitconfigurationprovidesthebestresourceutilizationandoverallperformance.
AllNuixcasescansimultaneouslybeaccessedfromboth32‐bitand64‐bitversions.
Whenusingboththe32‐bitand64‐bitversionofNuixonthesame64‐bitOS,notethefollowing:
• Nuixinstallsthe32‐bitsoftwareintoC:\ProgramFiles(x86)\Nuix\NuixDesktop3andthe64‐bitsoftwareintoC:\ProgramFiles\Nuix\NuixDesktop3
• Nuixcreatestwodesktopicons.TheNuixDesktop3iconlaunchesthe64‐bitapplicationandtheNuixDesktop3(32‐bit)launchesthe32‐bitapplication.
MINIMUM SYSTEM REQUIREMENTS
Dataprocessing,indexingandsearchareresource‐intensiveoperations,requiringtheproperbalanceofprocessingspeeed,RAM,anddiskI/O.Ifanyoftheseisnotproperlybalanced,thenabottleneckexistsandthesystemcannotoperateatoptimalperformance.
106 Install
Prerequisite Hardware and Software
TofollowaretheminimumsystemrequirementsforoperatingNuix.See“HardwareSizingGuidelines”onpage 107foroptimumperformance.
Hardware
• CPU–DualCore(2.4GhzorGreater)• RAM–4GB• HardDrive–2x7200RPMdrives+adequatecapacityforsourceandcasedata• VideoCard–1280X1020ScreenResolution(RequiredforNetworkVisualizations)• Network–10/100EthernetController
OperatingSystem
• 32‐bit:WindowsXP,Vista,Server2003,Server2008,Windows7orlater• 64‐bit:WindowsXP,Vista,Server2003,Server2008,Windows7orlater
AdditionalSoftwareRequiredforProcessing
• LotusNotes(8.5.2)
AdditionalSoftwareRequiredforLegalExport
• Office2010• Ghostscript
HARDWARE SIZING GUIDELINES
Nuix’sarchitectureallowsittomaximisetheutilisationofagivenpieceofhardware(server,workstation,desktop).WhenevaluatingthebestpieceofhardwaretorunNuix,considerthefollowingthreefactors:
• Cores/CPUs/Processors–forthesakeofthisdiscussion,thenumberofcoresequalsthenumberofCPUsdisplayedinTaskManager.
Inthisexample,thismachinehastwocores.
Install 107
Prerequisite Hardware and Software
• RAM–RandomAccessMemory• DiskI/O–regardingthenumberofphysicaldrives/spindles
Theobjectiveofanyhardwaresizingexerciseistoensurethatallcomponentsarebalancedtoeliminatebottlenecks.ProperlybalancingthesecomponentsensuresthatyouareabletakefulladvantageofNuix’sdataprocessingandexportrates.ItthereforedoesnotmakesensetoinstallNuixonamachinewith8cores,butwithonlyaccesstolimitedmemoryortoasinglephysicaldrive.Ifthisisthecase,yourprocessorswillbeunderutilisedbecauseneithertheRAMorthediskI/Ocankeepupwiththeprocessors.
Note:Throughputratesvarydependingonthetypeofdataprocessed.Ouraverageingestionrateisbasedonamixedcollectionof50%PSTsand50%loosebusinessdocuments.ProcessingallEDBfilesoralltextfilesresultsinlowerorhigherthroughput.
Thefollowingisalistingofsomesampleconfigurations:
*7200RPMdisksareaminimum,withNuixrealizingimprovedperformancewith10Kor15RPMdrives.
SOFTWARE REQUIREMENTS
ThissectiondescribesthesoftwarerequirementsforNuix3Desktop.
ProcessingRequirements
• LotusNotesClient‐TheLotusNotes(version8.5.2)clientisrequiredtoprocessLotusfiles(NSFdatabases.)Theproductonlyneedstoinstalled,anddoesnotactuallyneedtobeactivatedforNuixtooperatecorrectly.
• LotusDomino64‐bitServer‐NuixsupportstheLotus64‐bitversionoftheDominoserverwiththe64‐bitversionofNuix.However,IBMLotusdoesnotprovidethesamedownloadaccessforthisversion.ToobtainacopyoftheLotusDomino64‐bitserver,youwillneedtocontactIBMorandIBMLotusreseller.Note:LotusDomino64‐bitServerisstronglyrecommendedforallprocessingandexportoperationsasitallowsyoutorunin100%64‐bitmode,whichprovidesaccesstosignificantlymoresystemresources.
Description # of Cores RAM (GB) Physical Disks* Operating System
2x Core 2 8 2 Displays the next item in the result set.
4x Core 4 24 4 Displays the previous item in the result set.
8x Core 8 72 8 Displays the first item in the next family of items during a Fast Review job.
108 Install
Prerequisite Hardware and Software
ProcessingRecommendations
• MicrosoftOffice2007/2010isstronglyrecommendedforallprocessingsystems.NuixwillattempttoopenOffice95andOfficeworksfileswithOffice2007/2010,otherwiseNuixwillbydefaultextractonlytextforthesefileformats.
ExportRequirements
• MicrosoftOffice2007/2010‐Office2007/2010isrequiredtoexportPSTfiles,createRingtaildatabases(MSAccessMDB),andisusedaspartofourPDFrenderingprocess.Office2010includesa64‐bitversionofAccess,whichallowsyoutoexportouttoRingtailandDiscoveryRadaronthe64‐bitversionofNuix.Ifyoudonothavethe201064‐bitversionofAccess,youcanonlyrunyourRingtailandDiscoveryRaderexportsfromthe32‐bitversionofNuix.Office2010hasin‐builtPDFcapabilities.
• MicrosoftOffice2007PDFPlug‐In‐TheOffice2007PDFplug‐insareusedaspartofthelegalexporttocreatePDFrenderingsofnativeelectronicdocuments.
Note:Office2007SP2nowincludesthePDFPlug‐inbydefault.IfyouhaveOffice2007installedandareuncertainwhetherthecorrectPDFplug‐insareinstalled,openaworddocumentandsaveitasaPDF.Iftheoptionisnotpresent,anotherSaveoptiondisplaystosaveasanalternativeformincludingPDF.
• Ghostscript‐GhostscriptisusedtoconvertPDFimagestoTIFFfiles.
ReviewOnlyOptions
• DocumentViewer‐Dependingontheindividualrevieweroranalystdesktopconfigurations,theymaynothaveaccesstoallofthenecessarysoftwaretolaunchtheitemsintherenativeapplication.Thereareseveralapplicationsavailable,notablyOutside‐InfromOracleandQuickViewPlusfromAvantStar.TheseapplicationscanbeinstalledonthereviewerdesktopandwillreplacetheOSfileassociationstoopenthemajorityoffiletypes.
• Office2010Viewers‐MicrosofthasmadefreeviewersavailableformanyoftheOffice2010suite.ThesefreeviewerseliminatetherequirementforinstallingafullcopyofOffice2007oneachreviewerclient.ExcelViewerWordViewerPowerPointViewerVisioViewer
Note:UsingtheMicrosoftOfficeviewersdoesnotallowforanaccuratePDFrenderingoftheitem.NuixwillstillgenerateaPDFview,butitwillsimplybeaPDFrenderingoftheextractedtext,asopposedtoaformatted,truetoliferepresentation.
Install 109
Installing Nuix Desktop
Installing Nuix DesktopOnceyouhaveconfiguredyourhardwareandinstalledanyprerequisitesoftware,youcaninstalltheNuix3Desktopapplication.
ToinstallNuix3Desktop:
1. DownloadandopentheNuixinstallerpackage.
TheSetupWizarddisplays.
2. OntheWelcomescreen,selectNext.
3. SpecifywhereyouwanttoinstallNuix.YoucanclickBrowsetonavigatetoalocationonyoursystem.Thislocationshouldbelocaltoyourmachine.Ifyouareinstallingboththe32‐bitandthe64‐bitversionsofNuix,see“Using32‐bit,64‐bit,orBoth”onpage 106”toreviewthatscenario.
4. ClickNexttocontinue.
5. OntheReadytoInstallscreen,clickInstall.Ascreendisplaysindicatingthattheapplicationisbeinginstalled.Optionally,youcanclickCanceltocanceltheinstallation.
6. Whentheinstalliscomplete,thefinalscreendisplays.ClickFinishtocompletetheinstallation.
YoucannowopenNuix.ThefirsttimethatNuixopens,theSystemDiagnosticswindowdisplays.TheDependenciestabshowswhethertheprerequisitesareinstalled.Reviewthislistcarefullytoensurethatalloftheexpectedprerequisiteshavebeeninstalled.Foranydependenciesthatarenotfound,youmustconfirmthatyou"Understandtheconsequencesoflackingthisdependency",foreachmissingitem.
Commonissuesinclude:
• LotusNotesorMicrosoftAccessareshownas"NotFound".Iftheprerequisiteshavebeeninstalled,thisisusuallyseenwhenrunningthe64‐bitversionofNuix.
• Office2007isinstalled,butnotthePDFextensions.
Foradditionaldetailoninstallingthedependencies,see“SoftwareRequirements”onpage 108.
110 Install
CHAPTER 4 Configure
NuixDesktoprequiresthatyouconfigureyourenvironmenttosupportcertaintasks,andalsooffersyouavarietyofoptionswithintheproductitselfthatwillhelpyoumaximizeitsvalue.
ConfiguringNuixDesktopincludes:
• Settingglobaloptions‐Globaloptionsapplytoallcasesaccessedfromthisuserprofile.Theyarenotglobalinthesensethattheyapplytoallusers.
• Settingcaseoptions‐Caseoptionsapplytothecasethatiscurrentlyopen.
Configuringyourenvironmentincludes:
• Allocatingmemory(RAM)forbetterperformance• DisablingRemoteDesktopprinterredirection(requiredifrunningNuixoveraremotedesktop
connection)• SettingupdistributedprocessinginNuix(optional)
Thischaptercontainsthefollowingtopics:
• “SettingGlobalOptions”onpage 113• “SettingCaseProperties”onpage 140• “AllocatingMemory(RAM)forBetterPerformance”onpage 141• “DisablingRemoteDesktopClientPrinterRedirection”onpage 143• “SettingUpDistributedProcessinginNuix(Optional)”onpage 144
Configure 111
• “TheDataWorkflowinaDistributedEnvironment”onpage 145
112 Configure
Setting Global Options
Setting Global OptionsNuixoffersavarietyofglobaloptionsandsettingsthatyoucanapplytocasesmanagedwithNuixDesktop.ClickFile>GlobalOptionstosettheseoptions.
METADATA PROFILES
MetadataProfilesprovideameanstomanagethepresentationandexportofmetadatainNuix.Nuixhasthreetypesofmetadata:
• NuixDefined‐MetadatapropertiesdefinedbytheNuixapplication(seepage 123),suchasGUID,MD5Digest,Name,etc.Thesepropertiesarespecificallyextractedorcreatedforinternalpurposes.
• ItemProperties‐Nuixtakesanopportunisticapproachtometadataextraction.Essentially,Nuixjustenumeratesallofthemetadatapropertiesthatweencounterforeachitem,andinsertthekey/valuepairsintotheLucenefulltextindex.Nuixdoesnotmaporbuildanytypeofrelationshipbehindthescenes.Soforeachitem,Nuixtargetsthenon‐binarymetadataandaddsitintoitsfulltextindex.Thesevalueasgroupedcollectivelyasproperties,sothatyoucansearchonasinglemetadataproperty(properties:”key:value”)oragainstallproperties(properties:value).
Configure 113
Setting Global Options
• UserDefined‐Custommetadatapropertiesyoucancreatewhenyouloadacase(seepage 166),whichareappliedtoallitemsintheevidenceset.
Youcancreatemetadataprofilesforspecificitemtypes(email/files),specificpurposes(exceptionhandling),orthespecificloadfileformatsrequiredbyyourclients.TheDefaultMetadataProfileistheonlyprofileprovidedwiththeapplication.YoucanviewacollectionofsamplemetadataprofilesintheNuixKnowledgeBase.
Nuixmakesuseofmetadataprofilesinseveralplacessothatyoucancustomisewhatmetadatainformationtoview:
• ResultSetView‐Definesthemetadatacolumnstodisplay.• ItemLevelView‐DefinesthemetadatatodisplayintheMetadataarea.• ItemExport‐DefinewhichmetadataisincludedintheSummaryReport.• LegalExport‐Definewhichadditionalmetadataisincludedintheloadfile.
Changetheprofileassociatedwithaviewbyright‐clickingonacolumnheaderandselectingChooseColumnProfile>profilename.
114 Configure
Setting Global Options
Details on Nuix Metadata and Item PropertiesReviewthefollowingdetailsaboutthemetadatathatNuixaddstoingesteditems,aswellasinformationaboutthird‐partyitemproperties.
Nuix-defined Metadata
Nuix‐definedmetadataincludes:
• AuditedSize‐AuditedSizeisthesizeoftheitemasitexistsondisk.TheAuditedSizeiscalculatedonlyforcasescreatedwhilerunningwithanAuditedlicencetype.Note:Foremails,thisisthesizeoftheemailitself,withoutanyattachments.TheAuditedSizediffersfromtheDigestInputSizeinthatforemailstheAuditedSizerepresentsthesizeofallproperties,notjustthosethatareusedinthecreationofthedigest.
• Bcc‐Bccaretheblindcarboncopyaddressesextractedfromanemail.ThecontentsoftheBccfieldaresearchedbythebcc:communicationssearchfield.
• Cc‐CCarethecarboncopyaddressesextractedfromanemail.Thecontentsofthecc:fieldaresearchedbythecccommunicationssearchfield.
• ChildNames‐Childnamesarethenamesallofthechilditemsforagivendocument.Thiscanbeusedwhenbuildinganexportprofilethatneedstoshowthenamesofallembeddeddocumentsorattachments.Note:UsecautionwhenincludingtheChildNamespropertyinyourdefaultmetadataprofile,asitcanincreasetheamountoftimerequiredtorendertheresultsetordisplayitems.
• Comment‐Commentsaretheclientcreatedandappliedcomments.• CommunicationDate‐Anemailssentdate.• Deleted‐DeletedsignifiesthattheitemwasfoundinaMicrosoftmailstorewhileextracting
permanentlydeleteditems.Foradditionalinformationonprocessingdeleteditems,seetheExtractfromslackspaceofemailboxesoptionin“ProcessingSettings”onpage 158.
• DigestInputSize‐DigestInputSizeisthenumberofbytesassociatedfromthefileusedtogeneratethevariousdigests.Thiswillbethefilesizeforloosefilesandaroughapproximationofthesizeofanemail.
• DuplicateCount‐Showsthenumberofduplicatesanitemhasinthecase.• DuplicateGUIDs‐DuplicateGUIDsliststheGUIDsofallduplicateitems.
Note:UsecautionwhenincludingtheDuplicateGUIDspropertyinyourdefaultmetadataprofile,asitcanincreasetheamountoftimerequiredtorendertheresultsetordisplayitems.
• DuplicatePaths‐DuplicatePathsliststhePathsforallduplicateitems.Note:UsecautionwhenincludingtheDuplicatePathspropertyinyourdefaultmetadataprofile,asitcanincreasetheamountoftimerequiredtorendertheresultsetordisplayitems.
• Encrypted‐Encryptedsignifiesthatthefileisencrypted.• Exclusion‐Listofallexclusionsetsappliedtoaspecificitem.
Configure 115
Setting Global Options
• FileExtension(Corrected)‐FileExtension(Corrected)istheextensionbasedontheheadersignature.The"Corrected"versionoftheextensioniswhatwillbeappendedtothefilenamewhenperforminganativefileexport.
• FileExtension(Original)‐FileExtension(Original)istheextensionlistedonthesourcefile.• FileType‐FileTypeisthetypeofthedocumentbasedonNuix'sheaderanalysis.• From‐Fromisthesenderaddressextractedfromanemail.Thecontentsofthefromfieldaresearched
bythefrom:communicationssearchfield.• GUID‐GUIDistheGloballyUniqueIdentifierassignedtotheitemduringingestion.• ItemCategory‐ItemCategoryisdefinedasEmail,Attachment,ElectronicFile(loosefilefromfile
system),ElectronicDirectory.• ItemDate‐Foremails,theNuixCommunicationsDate(Map‐Client‐Submit‐Time,SentDate,Date).For
files,itistheFileModifiedorifnotpresent,theFileCreateddate.• ItemID‐ItemIDisahumanfriendlynumberassignedtoeachitemduringingestion.Thisisa
sequentiallyassignedIDthatcanbeusedtouniquelyreferenceanitemwithoutthehavingtoreferencetheGUID.Note:Theitemidisthereforconvenienceandshouldnotberelieduponasthesolereferenceofadocumentasitisupdatedwhensimplecasesareaggregatedintocompoundcases.Forexample,asportofasimplecase,eachitemisassignedannumericalitem‐id(12345).Whenthatsimplecaseiscombinedintoacompoundcase,theItem‐idisprefixedwiththerelativepositionofthesimplecasewithinthecompoundcase.Ifthesimplecasecontainingitem12345wasthesecondsimplecaseaddedtothecompoundcase,thenewitem‐idwouldbe1‐12345."1‐"representsthelocationofthesimplecasewithinthecompoundcaseand12345representstheitemwithintheoriginalsimplecase.TheNuixGUIDistheonlyabsolutereferenceforanitem.
• MD5Digest‐MD5DigestisastandardMD5hashoftheitem.• Name‐NameistheNuixassigneddocumentname.ForfilestheNameisthefilenameandforemails
thenameisthesubject.• ParentGUID‐ParentGUIDistheGUIDoftheitem'sparent.ThecombinationoftheGUIDandthe
ParentGUIDallowsNuixtomaintaintheentiredocument'sancestry.• PathName‐PathNameisthecompletepathtothesourceevidence.• PDFGenerationMethod‐ShowsthemethodbywhichthePDFintheprintstorewaspopulated.• PDFPageCount‐NumberofpagesinaPDFthatisstoredintheprintstore(locationthatNuixstores
thePDFaspartofexportoperation).• SHA‐1Digest‐Additionaldigest.Notusedforsingleinstancing.• SHA‐256Digest‐Additionaldigest.Notusedforsingleinstancing.• Tags‐Classificationsthatyoucreateandapplytoitems,suchasResponsive.• ThreadGUIDs‐ThreadGUIDslistsalloftheitemGUIDsforeachoftheemailsdeterminedbyNuixto
beapartofthethread.
116 Configure
Setting Global Options
Note:UsecautionwhenincludingtheThreadGUIDspropertyinyourdefaultmetadataprofile,asitcanincreasetheamountoftimerequiredtorendertheresultsetordisplayitems.
• ThreadPaths‐ThreadPathslistsalloftheitemPathsforeachoftheemailsdeterminedbyNuixtobeapartofthethread.
• To‐Toisthecollectionorprimaryrecipientaddressesextractedfromanemail.ThecontentsoftheTofieldaresearchedbytheto:communicationssearchfield.
• Top‐LevelGUID‐Top‐LevelGUIDistheitemstop‐levelGUID.Bystoringtheitem'stop‐levelGUIDasapropertyofthechilditem,thetimetofindalltoplevelitemsissignificantlyreduced.
Item Properties
Itempropertiesconsistofmetadataextractedfromthethird‐partyapplicationsfromwhichitemsaresourced.Nuixtakesanopportunisticapproachtometadataextraction.Essentially,Nuixjustenumeratesallofthemetadatapropertiesthatitencountersforeachitem,andinsertsthekey/valuepairsintotheLucenefulltextindex.Nuixdoesnotmaporbuildanytypeofrelationshipbehindthescenes.Foreachitem,Nuixaddsthenon‐binarymetadataintoitsfulltextindex.Thesevalueasgroupedcollectivelyasproperties,sothatyoucansearchonasinglemetadataproperty(properties:"key:value")oragainstallproperties(properties:value).
Nuixperformssomeadditionaloperationstoextractthefollowingitempropertiesdocumentedinthissection. Theseadditionaloperationsincludeprefixingcertainpropertyvaluesforclarityaswellasspecialextractionoperationstoprovideadditionaldetailsaboutthedocument(e.g.,hiddencontentinofficefiles).
EvidenceProperties
Thefollowingpropertiesaresupportedonfileswhenyoucreatecustommetadatawhenloadingevidenceintoacase.
FileSafeProperties
Evidence Properties Notes
Source Charset Default character set to use for legacy files that have character data but no encoding information. Used with older PST files, for example.
Source Time Zone Default time zone applied to items that have a date field, but no time zone information.
Configure 117
Setting Global Options
FileSafeitemshavemetadataassociatedwiththeactualfiles;propertiesarenotmadeavailabletoNuixatthearchiveorvolumelevel.
FileProperties
Thefollowingfilepropertiesaresupportedonitemsfromthirdpartyapplicationsthatmakethismetadataavailable.
LotusNotesProperties
ThefollowingdatepropertiesinIBMLotusNotesitemsaremanagedasdescribed.
FileSafe Properties Notes
FileSafe ACL XML
FileSafe Annotation
FileSafe Auxiliary ID
FileSafe File Number
FileSafe Original Container
FileSafe Original Hash
FileSafe Owner Domain For example, NT Domain.
FileSafe Owner Name Such as NT user name.
FileSafe Owner SID Such as NT SID.
FileSafe Property AccessDate
FileSafe Property File Size In bytes.
FileSafe Property ModificationDate
File Properties Notes
File Created Created date taken from the file sytem metadata.
File Modified Last date modified taken from file system metadata.
File Accessed Last date accessed taken from the file system metadata.
File Size Size of file taken from the file system metadata.
Lotus Notes Properties Notes
Notes Accessed Date the Notes document was last accessed.
Notes Created Date the Notes document was created.
118 Configure
Setting Global Options
MAPIProperties
MostdatastoredinsidetheMicrosoftOutlookandExchangefiles(MSG,TNEF,PSTandEDB)iscomposedofproperty/valuepairs.ThesepropertypairsareknownasMAPIproperties.Theyarealsostoredwithadatatypetohelpworkwiththestoredvalue.Belowisapartiallistofthepossibletypes:
UnknownpropertieswillsometimesappearonMAPImessages.Theytakethefollowingform:
Mapi-97-2002-String8-16376: Data
Where"String8"isthepropertytypeand"16376"isthepropertyvalueasadecimalnumber;thisexamplecorrespondstoMAPIproperty0x3ff8.
MicrosoftmaintainsalistofpublishedpropertyIDsforyourreference.ForadditionaldetailrelatedtometadatapropertiesextractedfromMAPImessages,seetheNuixKnowledgeBasearticle“TranslatingNuixextractedMAPIpropertiestoMAPIcanonicalnames”.
Notes Modified Date the Notes document was last modified.
Notes Reviseda Date the Notes document was last revised.
a. It is unclear how IBM defines the difference between Notes Modified and Notes Revised. This information does not appear to be documented.
Type Description
I2 16‐bit integer
I4 32‐bit integer
I8 64‐bit integer
Boolean A true/false value
Binary A binary block of data
String8 An ASCII string
Unicode A Unicode string
AppTime Application time
SysTime System time
Configure 119
Setting Global Options
MicrosoftOfficeProperties
NuixmanagesMicrosoftOfficepropertiesasnotedbelow.
MS Office Applications Properties Notes
Word (.doc and .docx) Contains Comments True of False value, whether item contains comments.
Word (.docx only) Contains Track Changes True or False value, whether insertions or deletions were found in the Track Changes history.
Contains Hidden Text True or False value, whether item contains hidden text.
Contains White Text True or False value, whether item contains text colored white.
Word (.doc only) Save History Annotates the save history stored in t he .doc file.
Excel (.xls and .xlsx) Excel Hidden Columns True or False value, whether item contains hidden columns.
Excel Hidden Rows True or False value, whether item contains hidden rows.
Excel Hidden Sheets True or False value, whether item contains sheets hidden though the graphical interface.
Excel Hidden Sheet Count Number of sheets found hidden through the graphical interface.
Excel Hidden Workbook True or False value, whether item contains a hidden workbook.
Excel Protected Sheets True or False value, whether item contains sheets with protection settings applied.
Excel Very Hidden Sheets True or False value, whether item contains sheets hidden with a VBA script.
Excel Very Hidden Sheets Count
Number of sheets found hidden with a VBA script.
Excel (.xlsx only) Contains Comments True of False value, whether item contains comments.
Contains Hidden Text True or False value, whether item contains hidden text.
Excel (.xls only) Excel Workbook Write Protected
True or False value, whether the item’s workbook has write protection applied.
PowerPoint 2007+a
a. In PowerPoint 2007+, speaker Notes are not managed as an item property. They are embedded as part of the body text of the item.
Contains Comments True of False value, whether item contains comments.
Contains Hidden Text True or False value, whether item contains hidden text.
Hidden Slides True or False value, whether item contains hidden slides.
120 Configure
Setting Global Options
PSTProperties
NuixprocessesthefollowingPSTpropertiesasdescribed.
Inaddition,NuixtrackstheMAPIattributenamedMapi‐EntryID,whichisacomputedpropertybasedonseveralfieldsinaPSTfile.
Managing Metadata ProfilesFromMetadataProfiles,youcancreateandmodifynewmetadataprofiles.
Add a Profile
Toaddaprofile,selectGlobalOptions>MetadataProfiles,andclickAdd.
TheCreateMetadataProfiledialogdisplays,allowingyoutoaddanunlimitednumberofmetadatavalues.TypesofvaluescanincludeNuix‐derivedmetadata,User‐definedEvidenceMetadata,Properties,andDerivedMetadatafields.YoucanorderthevaluesbyusingMoveUpandMoveDown.
PST Properties Notes
PST Encryption Values can be None (no encryption), Compressible (a simple scrambling algorithm), and High (high encryption).
PST Name Name of the PST as it appears in Outlook.
PST Slackspace Item True or False value. If True, it indicates the item was extracted from PST slackspace, meaning it was a deleted item.
PST Type Value of either “97‐2002” or “2003”, representing one of two PST versions.
Configure 121
Setting Global Options
Thefollowingimageshowsasample"EmailProfile"thatincludesavarietyofdifferentmetadatatypescombinedintoasingleprofile.
Edit a Profile
Toeditanexistingprofile,selectitinthelistofmetadataprofilesandclickEdit.TheEditMetadataProfiledialogdisplays,allowingyoutomanagethemetadataforthatprofile.
Remove a Profile
Toremoveanexistingprofile,selectitandclickRemove.Onceaprofileisappliedtoaview,thatsetofmetadatawillbeassignedtothecolumnsinthatviewevenifyoudeletetheprofile.
Adding Metadata to a Profile
OntheCreateMetadataProfiledialog,clickAddtobrowseandselectfromtheavailablelistofmetadata.
122 Configure
Setting Global Options
Nuixmetadataisgroupedintothreecategories:
• NuixDefined‐MetadatapropertiesdefinedbytheNuixapplication(seepage 123),suchasGUID,MD5Digest,Name,etc.Thesepropertiesarespecificallyextractedorcreatedforinternalpurposes.
• UserDefined‐Custommetadatapropertiesyoucancreatewhenyouloadacase(seepage 166),whichareappliedtoallitemsintheevidenceset.
• ItemProperties‐Nuixtakesanopportunisticapproachtometadataextraction.Essentially,Nuixjustenumeratesallofthemetadatapropertiesthatweencounterforeachitem,andinsertthekey/valuepairsintotheLucenefulltextindex.Wearenotmappingorbuildinganytypeofrelationshipbehindthescenes.Soforeachitemwetargetthenon‐binarymetadata,andputitintoourfulltextindex.Thesevalueasgroupedcollectivelyasproperties,sothatyoucansearchonasinglemetadataproperty(properties:”key:value”)oragainstallproperties(properties:value).
Itemsineachlistarepresentedinalphabeticalorder.YoucanalsotypetextintotheFilterfieldtofindnamesthatmatchthetextyouenter.
Adding Derived Metadata
Youcanusederivedmetadatatocreatecustomviewsofoneormultiplepiecesofmetadata.Thisisusefulwhenmetadataneedstobenormalisedacrossadiversesetofmetadata.
Note:Metadataprofilesarenotsearchable.IfyoucreateanewDerivedMetadatafield,youcannotsearchitscontentsusingtheproperties:valuesearchsyntax.Metadataprofilesarepopulatedatthepointintimethattheyarebeingused,andarenotstoredintheindex.
Configure 123
Setting Global Options
Anexampleshowinghowtoaddderivedmetadata:
1. Createanewderivedmetadatavaluecalled‐MessageID
2. Ensurethatthetopnodeinthetreeisthe"Firstnon‐blankvalue"
3. Rightclick,selectAddchildexpression>Metadatavalueandselectaseriesoffields.Theoneslistedbelowarejustexamplesandmaynotexistinyourdataset. Field1‐Mapi‐Smtp‐Message‐Id Field2‐Message‐id Field3‐Message‐Id Field4‐Message‐ID Field5‐Notes‐Universal‐ID
TheMessageID(User‐derived)metadatawillstartwithField1andgodownthelistlookingforanavailablepieceofmetadata.The"Firstnon‐blankvalue"willbepopulatedintothederivedMessageIDfield.Inthisexample,ifthedatasetcontainedamixtureofMicrosoftOutlook,MBOX,orLotusNotesemails,theMessage‐IDfieldwillalwaysbepopulatedwiththeappropriatemessageID.
124 Configure
Setting Global Options
Derived Metadata Options
Youcanusethefollowingoptionswhenworkingwithderivedmetadata.
NodeTypes:
• Addchildexpression‐Addsanewchildexpressiontothehierarchy.• Replacewith‐Replacesanodeinthehierarchy.
Operators:
• Metadatavalue‐Definesthechildexpressionasaspecificmetadataproperty.• Firstnon‐blankvalue‐Populatesthevalueofthenodewiththefirstnon‐blankvalue.Thisiterates
thoughthelistofmetadatavalues,andpopulatesthevaluewiththefirstnon‐blankorpopulatedvalue.Thisisusedwhenavarietyofoptionsexistforthedesiredderivedmetadatavalue.
• Concatenatenon‐blankvalues‐Combinesmultiplenon‐blankmetadatapropertiesintoasinglefield.Eachmetadatapropertyisincludedasis,andisseparatedbya";".
• Highestvalue‐Populatesthevalueofthenodewiththehighestvalue.Highestwillfindthelargestnumberorthemostrecentdate.
• Lowestvalue‐Populatesthevalueofthenodewiththelowestvalue.Lowestwillfindthelowestnumberortheoldestdate.
Customizing the Date Format
OntheEditDerivedMetadatadialog,theUsecustomdateformatoptionletsyouconvertvariousdatefieldsintodifferentformats.Thisisusefulwhenaspecificloadfileformatonlysupportsaspecifictime/dateformat(e.g.,ConcordanceMM/DD/YYYY).
Configure 125
Setting Global Options
ClickAddFieldtobuildtherequiredformats.Ifanyspecialcharacters(/)arerequiredbetweeneachdatesegment,youmustinsertthemintothetextbox.Apreviewhelpsyouseeifthedateiscorrectlyformatted.
Note:Theseformattingoptionsonlyfunctionontruedatefields.Ifthedateinthefieldlookslikeadate,butisactuallystoredasasimplestringoftextbythenativeapplication,Nuixcannotapplythecustomdateformat.ValuesforPDF‐Creation‐Dateoftenexhibitthisbehavior.
CommonDatefieldsinclude:
CommonTimefieldsinclude:
126 Configure
Setting Global Options
TimeZoneandEraFieldsinclude:
AllOtherFieldsinclude:
Creating Derived Metadata Fields
Usethefollowingexampletobuildacustom,orderived,metadatafieldfortheLastModifiedDateofanitem.Thisfieldshowsthemostrecentdate,ifmultiplefieldsexist.
Tocreateaderivedmetadatafield:
1. Exploretheavailablemetadatatodeterminewhichfieldsarerelevant.
Notallitemsusethesamemetadata.Forexamplethe"LastModified"timeonafiledoesnotexistforaMAPImessage.Itisthereforenecessarytounderstandtheavailablemetadata.ThiscanbedoneeitherthroughtheMetadataProfilebuilderorbysearchingthedatasetforsomethinglikeproper-ties:modif*,thensortingbyFiletypeandexploringthehighlightedresults.ThiscanalsobedoneintheMetadataProfilebuilderbyfilteringonmodif.
2. Onceyoudeterminethelistoftargetedmetadataforthedifferentitemtypes,selecttheAddDerivedMetadatabutton.
TheEditMetadataProfiledialogdisplays.
3. IntheNamefield,typeLast Modified Date.
4. SelectFirstnon‐blankvalueandright‐clicktoselectReplacewith>HighestValue.
5. SelectHighestvalueandright‐clicktoselectAddchildexpression>MetadataValue.
Configure 127
Setting Global Options
6. ChangethedropdownlistboxfromNuix‐definedMetadatatoProperties.
7. InFilter,typemodif.
8. Fromthelist,selectFileModifiedandMapi‐Last‐Modification‐TimeandclickOK.UseCtrlandCtrl+Shifttosingleselectormulti‐selectvalues.
9. SelectUsecustomdateformattodefineastandarddateformat.
10. SelecttheellipsestodisplaytheEditDateFormatdialog.
11. SetthedesireddateformatbyclickingAddFieldandchoosingtheformatfromthemenu.ThisexampleshowstheMM/dd/yyyyformatwhichequals‐Monthofyear(paddedto2digits)/Dayofmonth(paddedto2digits)/Year(4‐digit).Note:Previouscustomdataformatsarelistedinthedrop‐downlist.
12. SelectOK.
TheLastModifiedDate(User‐derived)metadatafieldisaddedtothemetadataprofile.
128 Configure
Setting Global Options
Using Derived Metadata Fields to Create Summation DII Tokens
TheSummationDIIloadfileformatmakesuseofacollectionofcustomtokensasameansofautomaticallyloadingmetadataintospecificfields.
NuixautomaticallycreatesspecifictokensaspartofitsdefaultSummationloadfile.See“SummationLoadFileFormat”onpage 270foracompletelistofthetokensusesaspartofitsstandardSummationloadfile.
TopopulateadditionalSummationfields,usingadditionaltokens,createaNuixDerivedMetadataFieldnamedforthespecificDIItoken.Forexample:@DATECREATED‐CreateanewDerivedMetadataFieldnamed@DATECREATED,thenaddtheappropriateproperties(Created,DateCreated,Mapi‐Creation‐Date,Notes‐Created,etc.)
Importing and Exporting Metadata Profiles
Youcansave,store,andsharemetadataprofilesusingtheimportandexportfunctions.
Examplesofwhenyoumightwanttodothisinclude:
• ReusingprofilesacrossallNuixmachines,forexampledisplayingmetadataforFastReviewjobs• Facilitateconsistentviewsforspecificfiletypes(emails,files,internetcaches,etc...)• Alignwithspecificclientmetadatarequirements(LegalExport/SummaryReports)• Toprovidecase‐specificdocumentation,whenincludedasaclientdeliverabletodemonstrateprocess
Metadataprofilesarestoredinthefollowingdirectories:
• WindowsVista:%AppData%\Nuix\MetadateProfiles• Windows2000/XP:%UserProfile%\ApplicationData\Nuix\MetadataProfiles
Eachmetadataprofileisstoredasan*.xmlfile.ThesefilesareportableandcanbeusedonanysystemrunningNuix.ViewtheNuixKnowledgeBasetoseeacollectionofsamplemetadataprofilesthatyoucandownload.
DIGEST LISTS
NuixallowsyoutoimportdigestlistsfromthirdpartysourcesaswellasdirectlycreatethemfromwithinNuix.AdigestlistisalistofMD5digests(hashes)foracollectionoffiles.
Youcanusedigestliststoassistwiththefollowingoperations:
• Toeliminatesystemfilesorotherapplicationfilesthathaveknownsignaturesandlittleornovaluetotheinvestigation.Thisprocessisoftencalled"De‐NISTing".
Configure 129
Setting Global Options
• Toeliminatepreviouslyproducedcontent.Thisisdonebyimportingthetop‐leveldigestlistreportincludedaspartofthelegalexport.See“OutputFilesforLegalExports”onpage 265.
• Toeliminateorsuppressinappropriatecontent.Ifinappropriatecontentisdetected,youcanimport/generateahashlistofknowinappropriatecontent,andpassthatalongaspartoftheexportprocesstoallowthiscontenttosuppresseddownstream.
Nuixsupportsstandarddigestlists,includingNSRL,iLook,Hashkeeper,aswellasplaintext.
Theplaintextformatincludesasingledigestperline.Whencreatingplaintexthashes,ensurethatthereisnotrailingpunctuationorwhitespace.
Importing Digest ListsYoucanimportdigestlists,andremove(delete)them.
Toimportadigestlist,selectGlobalOptions>DigestLists,andthenclickAdd.TheAddDigestListdialogdisplays.
130 Configure
Setting Global Options
TheDigestListisstoredasa*.hashfileinthefollowingdirectories:
• WindowsVista/2008:%AppData%\Nuix\DigestLists• Windows2000/2003/XP:%UserProfile%\ApplicationData\Nuix\DigestLists
Toremoveadigestlist,selectaspecificdigestinthelistandclickRemove.
Importing NSRL Digest ListsNuixcandirectlyimporttheNSRLDigestLists(HashSets).However,thehashlistscontainasignificantamountofextraneousinformation.ThisinformationcausesNuixtoperformadditional,unnecessarywork.
CombineddigestlistsfortheNSRLDigestListscanbedownloadedfrom:https://www.box.net/shared/xeagha25hf.
Ifyouthelatestversionisnotavailable,oryouwishtodoityourself,youcanstreamlinetheNSRLHashlistsbyfollowingthesesteps:
1. DownloadtheNSRLhashlistsfromhttp://www.nsrl.nist.gov/Downloads.htm#isos.Youwillwanttodownloadalldisks(Disc1‐4).
Fullyextractthecontentsofeach*.isoimage.TheNSRLFile.txtistheultimatetarget.TheNSRLFile.txtforeachdiscneedstobestreamlinedandloaded.
2. Tostreamlinethefiles,usethefollowingcommand:# The syntax is actually '"' or Single Quote Double Quote Single Quote
cat NSRLFile.txt | cut -d '"' -f 4 | sort | uniq > NSRLFile.sorted
Youcanprocessthesefilesonalinux/unixmachineorbydownloadingcygwinfromhttp://www.cygwin.com.Onceitisinstalled,youneedtonavigatetothelocationoftheunzippedNSRLFile.txtfiles,andexecutethecatcommand.Afteryourunthecommand,youwillneedtoopenthefileinatexteditorandcleanupthelastfewlinesastheycontainsomeresidue.
Configure 131
Setting Global Options
Ifyouarenotfamiliarwiththesyntaxnecessarytonavigatethroughcygwin,thefollowingcommandsletyounavigatetothedesiredfilelocation.Thisassumesthatthefilesexistinamappeddrive.
Fromthe$prompt,typethefollowingsequence:
1. Movetotherootdirectory:cd /
2. Showallavailablefolders:ls
3. Moveintotherootdirectoryforallthemappeddrives:cd cygdrive
4. Moveintothespecificfolder(typeforinstance"d"insteadof"driveletter"):cd drive letter/folder name
5. OnceallfouroftheNSRLFile.txtfileshavebeensorted,combinealloftheNSRLFile.sortedfilesintoasinglefile.ThiswillallowthemtobeusedasasingleDigestListfilter.
6. ToloadthedigestlistsintoNuix,selectFile>GlobalOptions>DigestList>Add.
Performingthisstepssignificantlydecreasesthetimeittakestoloadthedigestlistsaswellassearchwiththem.
About MD5 DigestsDigestvaluesarecreatedusingthefollowingparameters:
Documents (non‐email items):Thedocument’sentirebinarystream.
Email:Sincenotallemailtypesactuallyhaveabinarystreamandtwocopiesofthesamemessagecanhavecompletelydifferentheaderinformation,wecomputeanemail'sMD5digestbytakingthefollowingdataencodedusingUTF‐8asinput:
1. Subjectheader
2. Fromheader
3. Toheader
4. Ccheader
5. Emailbodytexttokenisedsowhitespaceandirrelevantcharactersareremoved
6. Binarystreamsofallattachments.
132 Configure
Setting Global Options
Foraddressheadersthepersonalpartisdiscardedandonlytheaddresspartisused.Theemailbodyistokenisedtoignorewhite‐spacedifferences,whichcanbeafactorwhencomparingHTMLandplaintextmessages.
WORD LISTS
WithNuixDesktop,youcanimporta.txtfilecontainingalistofkeywordsthatyoucanuseasafilteragainstthedataset.YoucanselectoneormorewordlistsintheFilteredItemspanetoproducealistofitemsthatincludethewordsyouhavecompiled.
Eachnewwordinthetextfilemustbeplacedonaseparateline.Thereisnolimittothenumberofwordsthatyoucanincludeinthewordlist,butthegreaterthenumberofwordsinalist,thegreaterthenumberofmatchingdocumentsyouwillreceiveintheResultslist.SelectFile>GlobalOptions>WordListstoview,add,orremovewordlists.
Notes:• Multiplewordsonasinglerowaretreatedasanexactphrase.(e.g.DogCatMouse,aretreatedlikea
searchfor"dogcatmouse").Quotesareunnecessary,andwillbestripped.• Booleanorothersearchesarenotsupportedwithinawordlist,so"(classificationORmaxim)"isnot
valid.ToperformaseriesofBooleanorcomplexsearchesagainstaNuixdataset,thescriptinginterface
Configure 133
Setting Global Options
providesyouwithameansofautomaticallyexecutingqueries,andapplyingclassificationstotheresultset.Ifcomplexqueriesorreportingisrequired,seetheNuixScriptingGuideforadditionaldetail.
Importing a Word ListFromFile>GlobalOptions>WordLists,clickAddtoimportawordlistintoNuix.
Nuixstoresthewordlistasa*.words fileinthefollowingdirectories:
• WindowsVista/2008:%AppData%\Nuix\WordLists• Windows2000/2003/XP:%UserProfile%\ApplicationData\Nuix\WordLists
TheWordListfileshouldconsistofasinglerowperwordorphrase.
Note:TextfileencodingmustbeintheUTF‐8characterset,whichisparticularlyimportantfornon‐latinbasedlanguages.
134 Configure
Setting Global Options
DEFAULT TABS
DefaultTabsletsyousetwhichtabsyouwanttoviewbydefaultinNuix3Desktopwhenopeninganewcase.
• Workbench‐Thistabhoststheprimarytasksofexcluding,filtering,andsearchingfordatawithinthecase.Youcanalsoanalyzedata,previewindividualitems,andtagfromthistab.Thistabissettodisplaybydefaultwhenyouopenacase.
• Statistics‐Thistabdisplaysinformationabouttheprocessedandirregularfilesbyfiletype,includingnumberprocessed,corrupted,andencrypted,aswellasapercentageofeachfiletypeencountered.
• FastReview‐Thistabletsyoucreatejobsthatcanbebatchedupforreviewbyinvestigators.Foreachjob,youcanspecifytagsandwordstohighlight.Youcanthenassociateitemstoeachjob,andthoseitemsarepresentedinalinearfashionfortagging.
Configure 135
Setting Global Options
SEARCH OPTIONS
SearchOptionsletsyouconstrainthesetoffieldsthatNuixsearches.Onceyouconstrainthesearchbyclearinganyofthefieldslisted,Nuixskipsoverthosefieldswhensearchingforthecriteriayouspecify.ThesesettingsapplytoallcasesopenedbythisinstallationofNuix3Desktop,notjustthecasethatisopenedwhenyouapplythesettings.Bydefault,allsearchfieldsareincludedinsearchoperations.
Fieldsavailabletoconstrainsearchoperationstoinclude:
• SearchContent‐Searcheswithintheemailbodyorthetextportionofadocument.• SearchProperties‐Searchesthepropertynamesandvaluesassociatedwitheveryitem.• SearchNames‐Searchesthefilenamesofitems,orinthesubjectofemailmessages.• SearchPathNames‐Searchestheoriginalsourcepathnameoftheitems.• SearchEvidenceMetadata‐Searchesanycustommetadatathatwasaddedtothecasewhenthe
evidencewasloaded.
136 Configure
Setting Global Options
LAUNCH OPTIONS
LaunchOptionsletsyousetthedefaultapplicationNuixusestoopenemailmessages.Regardlessofthesourceformatoftheemailmessage,Nuixopensthemessageintheapplicationyouspecifyhere.
• EML‐Standardmessageformat(RFC822).OnmostWindowssystemsthissettingdefaultstousingOutlookExpress.IfyouhavenotconfiguredOutlookExpress,youwillbepromptedtoconfigureit.YoucanclosetheconfigurationscreensandOutlookExpresswillstilldisplaymessages.
• MSG‐MicrosoftOutlook• NSF‐LotusNotes
Configure 137
Setting Global Options
VIEWER LIMITS
ViewerLimitsletsyoumanagehowNuixpresentslargedatasetswhenviewingitemsbyResultsorNetworkintheResultspane.Youcansetthemaximumnumberofitemsinthelistorviewtomakereviewandanalysistasksmoremanageable.
Youcansetthefollowingmaximumvalues:
• Resulttablerowlimit‐SetsthemaximumnumberofitemsthatdisplayintheResultslist.Thedefaultvalueissetto1,000,000items.Ifyouareworkingwithverylargedatasetsyoumightneedtoincreasethisnumbertoseealloftheitems.Iftherearemoreitemstolistthanthemaximumviewinglimityouselect,astatusmessageisprovidedatthebottomoftheResultslistintheformof"DisplayingXitems,truncatedfromY".Theminimumvalueyoucansetis10,000.
• Networknodelimits‐SetsthemaximumnumberofnodesthatdisplayintheNetworksviewbydefault.Thedefaultvalueissetto500items.Afterthegraphdisplays,youcanadjustittoshowmoreorfewernodes.Increaseordecreasethisvaluebasedonthespeedofyoursystem,asneeded.Theminimumvalueyoucansetis15.
138 Configure
Setting Global Options
MEMORY
MemoryletsyouconfiguretheamountofRAMmadeavailabletoNuixDesktop.TheamountofRAMallocatedtotheNuixdesktopcanbeadjustedupanddownbasedonthecircumstanceandcurrentusecase.Ingeneral4GBofRAMshouldbesufficientformostoperations.However,ifyouareworkingwithverylargedatasets,andperformingoperationslikefindingtop‐levelitems,ordeduplicatinglargecollections,thenitisnotuncommontosetyouMemoryto30+GB.
The30GBisnotreservedwhentheapplicationislaunched,butinsteadsetasamaximumthresholdoftheJavavirtualmachineusedbytheNuixDesktop.Ifthisvalueissetdisproportionatelyhigh,itisimportanttoresetittoalowervaluepriortoloadingorexportingdata.YoumustbalancethememorythatcouldbeusedbytheNuixDesktopandtheNuixsingleworkersusedforprocessingandexportoperations.Foradditionalinformationonallocatingapplicationmemory,see“AllocatingMemory(RAM)forBetterPerformance”onpage 141.
Notes:• Themaximummemorythatcanbeallocatedona32‐bitOSis1300MB.Ifyouareunabletosetthe
valuehigher,confirmthatyouareusinga64‐bitOS.• Thisoptioneliminatestheneedforusingthecommandlineswitch.• YoumustcloseandreopentheNuixDesktopforthissettingtotakeeffect.
Configure 139
Setting Case Properties
Setting Case PropertiesYoucaneditsomeofthedescriptiveinformationthatwasdefinedwhenthecasewascreatedbygoingtoFile>CaseProperties.Thecasepropertiesincludethecasename,caseinvestigator,andcasedescription.
Thisdialoguealsoallowsyoutosettheinvestigationtimezone(thetimezoneassociatedwiththesourcedata),whichcontrolsallofthedate/timespresentedinNuix.ThisallowsinvestigatorstoviewtheresultsetsandEventMapsbasedonthegeography/timezoneofthecustodian(s).Nuixalsoappliesthistimezonetotheexportedmetadataduringallexports.
Nuixstoresalldate/timevaluesinabsolutetimeorsystemtime.Absolutetimeorsystemtimeisrecordedasthenumberoftickssinceepoch.Foreachdate/time,Nuixcalculatestheoffsetbasedonthetimezone,thenstoresthesystemtime.
140 Configure
Allocating Memory (RAM) for Better Performance
Allocating Memory (RAM) for Better PerformanceForbothprocessingandexportpurposes,Nuixrequiresanabsoluteminimumof2gigabytesofRAMpercore(thatis,perinstanceofnuix_single_worker.exerunningonthesystemasdefinedbytheNuixlicence).Bydefault,thesoftwareusesamaximumof1gigabyteofmemoryforthe32‐bitversion,and1.8gigabytesforthe64‐bitversion.However,largerratiosofRAM,forinstance4GBor8GBofRAMpercore,willdramaticallyimproveperformanceandpreventJava'sOutofMemoryerrorswhenprocessingcomplexdatasetsorexportinglargenumbersofitems.
Examples
Hereareexamplesforworkingwithprocessingandexportingoperations.
• Processing:Whileprocessinga15GBPSTfilewiththedefaultsettingsona64‐bitmachine,NuixencounteredanOutofMemoryerrorwhiletryingtoprocesstheInboxfolder.AfterlookingatthePST,itwasnoticedthattheInboxfoldercontained120,000itemsand100+folders.Thenuix_single_worker.exeprocesswassimplyrunningoutofmemorywhiletryingtoenumeratethatfolder.Nuixwasrestartedwiththeappropriateparameterstoallocate4GBofRAMpernuix_single_worker.exeinstanceandthefileprocessedwithoutissue.
• Exporting:Whileattemptingtoexport2millionitemswiththedefaultsettingsona64‐machine,NuixencounteredanOutofMemoryerrorwhiletryingtofindallofthetop‐levelitems.Thenuix_desktop.exewassimplyrunningofmemorywhiletryingtobuildthatlist.Nuixwasrestartedwiththeappropriateparameterstoallocate8GBofRAMtothenuix_desktop.exeprocessandtheexportproceededwithoutissue.
32‐Bit Operating System Configuration
Forthe32‐bitversionoftheproduct,themaximumamountofmemorythatcanusuallybeallocatedis1.3gigabytes,althoughthiscanvarydependingonothersoftwarepresentonthesystem.VirusscannersandsimilarsoftwarecanmaptheirDLLsforallprocessesonthesystematcertainspecificvirtualaddresses,whichcanpreventJavaallocatingmorethanitshould.
64‐bit Operating System Configuration
Fora64‐bitversionoftheproduct,significantlymorememorycanbeallocatedtotheprogram.
Recommendationsforconfiguringa64‐bitOS:
• 4GBofRAMavailablepercore:Allocate3GBofRAMtoeachnuix_single_worker.exeAllocate(0.5GB*Numberofcores)+2ofRAMtotheNuixDesktop
• 8GBofRAMavailablepercore
Configure 141
Allocating Memory (RAM) for Better Performance
Allocate4GBofRAMtoeachnuix_single_worker.exeAllocate((1GB*Numberofcores)+1GB))ofRAMtotheNuixDesktop
Formorespecificinformation:
• NuixImportWorkers‐ToallocateadditionalRAMtotheNuixworkersduringingestionprocessing,see“ParallelProcessingSettings”onpage 161forloadingdata.
• NuixExportWorkers‐ToallocateadditionalRAMtotheNuixworkersduringexportoperations,see“ParallelProcessingTab”onpage 95forexportingdata.
142 Configure
Disabling Remote Desktop Client Printer Redirection
Disabling Remote Desktop Client Printer RedirectionWhenrunningNuixdesktopviaaremotedesktopconnection(RDP),the"clientprinterredirection"mustbedisabledforNuixtorenderitemstoPDForTIFF.Ifthisoptionisdisabledornotconfigured,thequalityoftheitems'renderingisaffected.
Symptomsofthisprobleminclude:
• Failuretoproducehighquality,accuratePDFrepresentationsofExcelfiles.• Possiblefailurestoproducehighquality,accuratePDFrepresentationsofotherOfficedocuments.
Disablingthisoptionalleviatestheseissues.
Todisableclientprinterredirection:
1. IntheRunboxoratthethecommandline,typegpedit.msctoopentheLocalGroupPolicyEditor.
2. NavigatetoComputerConfiguration>AdministrativeTemplates>WindowsComponents>TerminalServices>TerminalServer>PrinterRedirectionorComputerConfiguration>AdministrativeTemplates>WindowsComponents>RemoteDesktopServices>RemoteDesktopSessionHost>PrinterRedirection.
3. Set Do not allow client printer redirection to Enabled.
Detailsaboutthissetting:
• ThispolicysettingallowsyoutospecifywhethertopreventthemappingofclientprintersinTerminalServicessessions.
• Youcanusethispolicysettingtopreventusersfromredirectingprintjobsfromtheremotecomputertoaprinterattachedtotheirlocal(client)computer.Bydefault,TerminalServicesallowsthisclientprintermapping.
• Ifyouenablethispolicysetting,userscannotredirectprintjobsfromtheremotecomputertoalocalclientprinterinTerminalServicessessions.
• Ifyoudisablethispolicysetting,userscanredirectprintjobswithclientprintermapping.• Ifyoudonotconfigurethispolicysetting,clientprintermappingisnotspecifiedattheGroupPolicy
level.However,anadministratorcanstilldisableclientprintermappingbyusingtheTerminalServicesConfigurationtool.
Configure 143
Setting Up Distributed Processing in Nuix (Optional)
Setting Up Distributed Processing in Nuix (Optional)YoucanconnectmultipleNuixprocessingsystemstogethertoformasingledistributedprocessingengine.Whenoperatinginadistributedprocessingconfiguration,Nuixmanagesaccesstoasinglecopyoftheevidence,andconsolidatesalloftheindividualworkers'casefilesattheendoftheprocessingjob.
Notes:• Runningtwodual‐corelicencesondifferentmachinesisnotasfastasasinglequad‐corelicence.
Runninginadistributedfashionincreasestheoverallnetworktrafficandrequiresthecompletedindexestobecopiedbacktotheprimaryserver.
• Runninginadistributedenvironmentrequiresthatyouhavealicenseforthemasterserveraswellasalloftheworkerservers.Thesecanbelicensedusingaseparatedonglepluggedintoeachmachine,orusingtheNuixServerasasharedlicensingserver.
144 Configure
The Data Workflow in a Distributed Environment
The Data Workflow in a Distributed EnvironmentNuixmovesthedatadifferentlywhenyouconfigureitforusewithdistributedprocessing.Themastermachineadministerstheworkermachines,asdescribedbelow.
Master Machine Functions
TheNuixMastermachinemaintainsthedataprocessingqueuesandmanagestheoverallworkflow.
Whenthecasebeginsprocessing,anddirectorystructureiscreatedwiththeAnalysisDatabase,Evidence,andPersistentQueuedirectories.Oncetheworkersstart,eachworkercreatesanewfolderthatcontainsitsindividualindexes.Intheexamplebelow,onlyremoteworkersarefunctioning.(Remote‐99087…Folder)Thesedirectoriesaresimplyplaceholders.
Oncetheprocessingjobcompletes,theindexesfromtheremoteworkerarecopiedintotheseplaceholderdirectories,andarerenamedComplete‐99087….
Worker Machine Functions
TheNuixWorkermachinecreatesatemporaryindexinthelocalworkingdirectory.
Whentheremoteworkerstarts,itcreatestheRemote—99087c…directoriesontheMasterasaplaceholder,thencreatesPartial‐99087cfoldersinthelocalworkingdirectory.
Configure 145
The Data Workflow in a Distributed Environment
Oncethedataisprocessed,thedirectoriesarerenamedComplete,andcopiedtotheMaster.Note:Thereisnogarbagecollectiononthesedirectories,soyouwillneedtocleanthemoutmanuallyafterthecaseisfinalized.
CONFIGURING THE MASTER AND WORKER MACHINES
ToemploydistributedprocessingwithNuix,youneedtoproperlyconfigureboththemastermachineandworkersmachineswhenyoucreateanewcaseinNuix.
Configure the Master MachineToconfigurethemastermachine:
1. CreateanewcaseontheNuixMastermachine.Ensurethatthecasedirectoryiscreatedinasharethatisaccessiblebyallworker(processing)machines.
Note:Thecasedirectoryshouldbelocaltothemastermachine.Creatingthecasedirectoryonanet‐worksharewillsignificantlyreduceNuixperformance.
2. FromtheNewCasedialogue,clickAdvanced>ParallelProcessing.
3. EnsurethattheRunLocalWorkersoptionisselected.
Notes:Whenrunningthisforthefirsttime,werecommendthatRunlocalworkersisdisabled.Thisallowsyoutoensurethattheworkermachinesareconnectingcorrectly.
146 Configure
The Data Workflow in a Distributed Environment
TheonlyreasontodisabletheRunlocalworkersoptioninaproductionenvironmentiswhenyourcaseserverisjustusedforcaseaccessandyouhaveapoolofprocessingmachinesthatsharedamongstacollectionofcaseservers.Inthiscase,itmightbeadvantageousjusttousetheprocessingresourcesfromthepool.
4. Selectthedesiredevidence,ensuringthattheevidencedefinitionreferencesauniversallyaccessiblepoolorsourceevidence.
5. Starttheprocessingjob.
Note:Ifyouaredoingthisforthefirsttime,andhavedeselectedthe“Runlocalworkers”,thentheprocessingwindowwillappearandsitidle.
Configure the Worker MachineToconfigureeachworkermachine:
1. OpentheNuixWorkerbygoingtoStart>Programs>Nuix>NuixWorker3.Selecttheappropriate32or64‐bitversion.
2. IntheNuixWorkerdialogue,definethemastermachinewherethecasehasbeenconfigured:
a.MasterHostname:TheDNSnameortheIPaddressofthemastermachine.
b.Directory:Thelocalworkingdirectory.
c.Numberofworkers:Thenumberofnuix_single_worker.exeinstancestoberunontheworkermachine.
d.Memoryper‐worker(MB):TheamountofRAMtoallocatetoeachoftheindividualnuix_single_worker.exeprocesses.
Configure 147
The Data Workflow in a Distributed Environment
3. ClickStart.TheNuixworkerbeginsprocessing,andupdatesarepostedtotheNuixProcessingwindowonthemaster.
CREATING THE SHARED NETWORK DRIVES
Whenrunninginadistributedfashion,alloftheNuixresourcesneedaccesstoboththesourceevidenceandthemastercasedirectory.
Create Shared Network DrivesYouneedtocreatedrivesforboththesourceevidenceandthecasedirectory,bothofwhichcanbeaccessibleviaacommondrivemapping(allresourcesmustaccessusingexactsamedrivemapping)orviaaUNCpath.
1. Createtheshareddriveforholdingyoursourceevidence.
ThesourceevidenceyouloadintoNuixmustbelocatedonacommonnetwork‐baseddiskresourcethatcontainsalloftheevidence.WhendeclaringtheUNCpath,entertheentireUNCpathintheFileNamefield,orbrowsetoitusingtheLookincontrol.
2. Createashareddriveforholdingthecasedirectory.
Acommondiskresourcemustbeavailableforthecasedirectory.Thecasedirectoryistypicallyastor‐agepoollocaltotheMasterprocessingserver,presentedasasharetotheotherserversrunningintheteam.WhendeclaringtheUNCpath,entertheentireUNCpathintheFileNamefield,orbrowsetoitusingtheLookincontrol.
148 Configure
The Data Workflow in a Distributed Environment
Create Local Working FoldersEachNuixworkermachinerequiresitsowntemporaryworkingdirectory.Nuixusesthisdirectorytocreateitslocalsetofindexes.Oncetheindexingprocessiscomplete,thesetemp/localindexesarecopiedfromtheworkerserverstothecasedirectoryonthemastermachine.
Configure 149
The Data Workflow in a Distributed Environment
150 Configure
CHAPTER 5 Load Data
WithNuix3Desktopyoucancreatecasesandaddevidencetoexistingcases.Duringthisprocess,youspecifythefiles,directories,ormailstoresyouwanttoaddtothecase.Youcanadduptotwomillionitemsintoasinglecase.Nuixtheningeststheitemsandprocessesthem,addingNuixmetadataandindexingthemforsearch,analysis,review,andexporttasks.
Thischaptercontainsthefollowingtopics:
• “PreparingtoLoadCertainTypesofData”onpage 152• “CreatingaCaseandLoadingData”onpage 157• “InterruptingaProcessingJob”onpage 168• “WorkingwithExistingCases”onpage 170
Load Data 151
Preparing to Load Certain Types of Data
Preparing to Load Certain Types of DataSometypesofdataneedspecialhandlingbeforeNuixcaningestandprocessit.BeforeyouloaddataintoNuix,ensurethatyoureviewtheinformationinthissectionspecifictothefollowingdatatypes:
• Unsupportedforensicimages(seethelistofNuix'ssupportedforensicimageformatsonpage 285)• EncryptedLotusNotesfiles• Groupwiseemail
PROCESSING UNSUPPORTED FORENSIC IMAGE FILE FORMATS
Nuixdirectlyprocessesforensicimageformats(E01,L01,DD)takenfromNTFS,FAT32,EXT2,andEXT3volumes.See“Processingforensicimages”onpage 285formoredetailsonthesupportedforensicimagefiles.
Youcanuseoneoftwomethodstoprocessitemsfromunsupportedforensicimagefileformats:extractingfromtheforensicimageormountingtheforensicimage.Eachoffersitsownadvantagesanddisadvantages.
Extract from the forensic imageUsingaforensicapplication,suchasGuidanceSoftwareEnCaseorAccessDataForensicToolKit:
1. Locatethefilesanddirectoriesofinterest.
2. Exportthedatafromtheforensicimage.
3. ImportintoNuixDesktopviatheAdd>AddDirectoriescommandwhencreatingacaseoraddingnewevidence.
Theadvantagesofusingthismethodare:
• AllowsyoutoextractrecoveredfilesfoundviaEnCaseorFTK• Bypassesdirectoryandfilesecurity
Thedisadvantagesinclude:
• Onceyouexportthefiles/directories,thereisachanceofthefilesbeingalteredpriortobeingingestedintoNuixDesktop
• Requiresadditionaldiskspaceforexportingthefiles
152 Load Data
Preparing to Load Certain Types of Data
Mount the forensic imageUseanapplication,suchasGetData’sMountImagePro:
1. MounttheEnCase(E01),Raw,Smart,ISOorDDimageasavirtualdriveonyourNuixworkstation.
2. Oncetheimageismounted,addevidencetoNuixDesktopusingAdd>AddDirectoriesorAddFilescommands.
Theadvantagesofusingthismethodare:
• Youareexaminingfiles/directorieswithinasealed,read‐onlyenvironment• Nodate/timestampsarealteredasaresultofingestingintoNuix• Noneedtoexportfiles• NoneedforEnCaseorFTK• Iftheimagecontainsmultiplepartitions,thenyoucanvirtuallymountallpartitionstoexaminethem
Thedisadvantagesinclude:
• Noexaminationofdeletedfiles• Maynotbeabletoaccessfiles/directorieswhichhavesecurityprivilegesforanon‐commonuseror
group
PROCESSING ENCRYPTED LOTUS NOTES FILES
NuixenablesyoutoprocessencryptedLotusNotesmailfilesifyouhavetheassociatedIDfilesandpasswords,andhavecreatedaCSVCredentialsMappingfile.
LotusNotesrequiresaccesstotheLotusNotsClientbinaries(API)toprocessLotusNotesemailandotherNotesapplicationdata.Wheninstalling,youonlyneedtoinstalltheNotesClientforNuixtoloaditems.UncheckanyoftheotherapplicationsontheCustomSetuppage,iftheyareselected.DonotstartorconfiguretheNotesclientafteritisinstalled.
Create the CSV FileYouwillneedtocreateaCSVfilethatmapstheNOtesfiletoitsIDandpassword,usingthreecolumns:
• Inrow1,labelColumnAasNsfFile,andputthenameofeachNotesfileinthesubsequentrows.• Inrow1,labelColumnBasIdFile,andputtheabsolutepathtotheIDfileforeachNotesfileinthe
subsequentrows.• Inrow1,labelColumnCasPassword,andincludethepasswordforeachNotesfileinthesubsequent
rows.
Load Data 153
Preparing to Load Certain Types of Data
Process Encrypted FilesProcesstheencryptedNotesfilesbyopeningNuixfroma.batfile,asshownbelow.
Check whether Nuix can Process the FilesInNuix,whenaddingtheencryptedNotesfileintoacase,usethePre‐FilteroptiontoviewwhetherNuixcanprocesstheitems.Fileswithoutapadlockiconareprocessed;thosewithapadlockiconwillbemarkedasanirregularfile(Encrypted).
Note:EvenifyouhaveanNotesmailfilethatshowsasunencrypted,theremightstillbeindividualemailfilesthatareencrypted.YocanusetheCSVcredentialmappingfiletodecryptthem.InthePre‐FilterEvidencedialogue,expandtheNSFfilestocheckwhetheranyindividualfilesareencrypted,or,searchforproperties:"encrypt:1",whichwillsearchtheNotesmetadatafieldcalledEncryptforavalueof1(true).
154 Load Data
Preparing to Load Certain Types of Data
ACCESSING GROUPWISE AS A TRUSTED APPLICATION
NuixindexesGroupWiseemailthroughthetrustedsourceapplicationthatisbuiltintoGroupWise.Nuixregularlyupgradesandsimplifiesthisprocess.Followtheprocessdescribedbelowtoindexthistypeofmailstore.
Creating a Trusted Application KeyThefirststepistocreatea"trustedapplicationkey"fortheNuixsoftware.ThiskeyiswhatauthenticatesourproducttotheGroupWiseserverasbeingatrustedapplication.Tocreateatrustedapplicationkey,followthesesteps:
1. InstalltheNuixsoftwareonthemachinewheretheauditingprocesswilloccur.WehighlyrecommendthatthisbeadifferentmachinethantheactualGroupWiseserver.
2. GotothebindirectoryintheNuixinstallationpath.Thedefaultlocationofthebindirectorywillbe:C:\Program Files\Nuix\Nuix Desktop\bin.
CopytheGroupWiseTrustedAppInstaller.exeandGWTApp.dllfilestoatemporarydirectoryontotheGroupWiseserver.
3. StartanewCommandPromptontheGroupWiseserver,andchangedirectories(cd)tothetemporarydirectorycontainingtheabovefiles.
4. RunthecommandGroupWiseTrustedAppInstaller.exewiththefollowingparameters,wherethefirstargumentisthelocationoftheGroupWisedomaindirectory(shouldcontainthewpdomain.dbfile),andthesecondargumentistheapplicationname,inthiscase,nuix.Anexampleinvocationmightbe:
GroupWiseTrustedAppInstaller.exe c:\groupwise-data\domain-data nuix
5. Savetheoutputofthiscommand,asthisistheNuixsoftware'strustedapplicationkey.Youwillneedtoputthisvalueintothemailstoreconfigurationdialogontheauditingmachine.
NotethatfurtherpropertiesofthetrustedapplicationcanbemodifiedfromConsoleOne,viaTools>GroupWiseSystemOperations>TrustedApplications.AnexamplepropertyyoucanchangeistoindicatewhatIPaddressesthetrustedapplicationispermittedtorunfrom.
YoucanrunGroupWiseTrustedAppInstaller.exeagainifanewtrustedapplicationkeyisrequired.Thiswilloverwritetheexistingkey,makingitobsolete.
Further ConfigurationEnsurethatyouhaveenabledtheIMAPprotocolonyourGroupWiseserver.YoucanedittheIMAPsettingsinthestartupfileforyourassociatedGroupWisepostoffice.Ifthepostofficeprogramisrunning
Load Data 155
Preparing to Load Certain Types of Data
interactively,youcanaccessthisviatheConfiguration>EditStartupFileoption.Anychangesrequirethepostofficeprogramtoberestarted.
Itisalsoimportanttosetthe/imapreadlimitoptioninthepostofficestartupfile.FortheNuixsoftwaretoreadallthemessagesfromafolder,werecommendtospecifythevalue/imapreadlimit-50inthisfile.Thismeansupto50,000messagescanbedownloadedfromasinglefolder.SeetheNovellDocumentationformoredetails.
Loading Messages in NuixAftersettinguptheapplicationasatrustedapplication,NuixcannowconnecttotheGroupWiseserveranddownloadmessagesfromalluseraccounts,withoutrequiringapasswordtobeentered.Todoso,followthesesteps:
1. OpenNuixandcreateanewcase.
2. CompletethenecessaryinformationandthenclickOKtoaddevidencetothecase.
3. IntheAdd/EditEvidencedialoguebox,selectAdd>AddMailStore.
4. SelecttheGroupWiseTrustedApplicationprotocol,andenterthetrustedapplicationnameandthekeyyouobtainedintheprevioussteps.
5. Oncethenewcaseiscreated,thesoftwarewillconnecttotheGroupWiseserveranddownloadmessagedataforeveryuseraccountonthatserver.
156 Load Data
Creating a Case and Loading Data
Creating a Case and Loading DataThefirststepingettingdataintoNuixistocreateacase,whichisthecontainerforacollectionofdatathatholdsevidenceforaparticularinvestigation.
Hereyoucandescribeandsetoptionsforthecase,aswellassethowyouwantNuixtoprocessthedata.Includeasmuchdetailasnecessarytoensureacompleteandaccuratechainofcustody.YoucaneditthesedetailslaterviaFile>CaseOptions.Theinformationyouspecifyhereissavedasapartofthecaseproperties,alongwiththedatathatyouselectforprocessing.
CREATING A NEW CASE
Tocreateacase:
1. FromtheFilemenu,selectNewCase.
TheNewCasedialoguedisplays.
2. Specifyacasename.
3. SelectthedirectorywhereyouwantNuixtosavethecase.
4. Specifytheinvestigator(nameorID)forthecase.
5. Brieflydescribethecasesothatitiseasilyidentifiable.
6. ForCasetype,chooseeitherSimpleorCompound.
Whenyoucreateasimplecase,youcanaddtoitanycollectionofitems(emails,documents,images,etc.),whicharetheningestedandindexed.Acompoundcaseisonethattiestogethermultiplesimplecasesthathavealreadybeenprocessed;youcannotaddindividualitemstothecollectionduringthis
Load Data 157
Creating a Case and Loading Data
stepwhenyoucreateacompoundcase.Youcanalsocombinemultiplecompoundcasestogetheraswell,whichallowsyoutorollalldatarelatedtoaninvestigationintoasinglesearchablerepository.
7. Optionally,setotherprocessingoptionsforsimplecases,byclickingAdvanced.
8. ClickOK.
Nuixcreatesthecaseandbeginsprocessingthedata.
SETTING ADVANCED OPTIONS
Whenyoucreateasimplecase,youshouldspecifywhattypeofprocessingyouwishNuixtoperformonthedata.FromtheNewCasedialogue,clickAdvanced.
Thetypesofsettingsavailableare:
• Processing‐TheProcessingtabletsyousetvariousoptionsforhowthedatawillbeprocessed.• ParallelProcessing‐TheParallelProcessingtabletsyousethowindividualworkermachineswill
operateinadistributedprocessingenvironment.• AuditFiltering‐TheAuditFilteringtabisonlyvisiblefor"audited"licencetypes,andletsyoudefinea
digestlisttoexcludeitemsfromtheauditreport.
Processing SettingsWhenyoucreateanewcase,theProcessingtabvarietyofoptionsforprocessingdata.Reviewandselecttheonesthatmeettheneedsforyourparticularcase.Someoftheseoptionscanincreaseprocessingtimeorstoragerequirements.
158 Load Data
Creating a Case and Loading Data
Nuixoffersthefollowingoptionsforprocessingtext:
• Storeandindextextofdataitems‐SelectingthisoptionconfiguresNuixtoextractthecontentfromallitemsaswellasitsmetadata.Ifyouclearthisoption,Nuixonlyextractsitemmetadata.Evenwhenthisitemisnotselected,Nuixstillextractsallembeddeditems,andtheirmetadata.Thisoptionisselectedbydefault.Notes:Notselectingthisoptionprovidesanominalperformanceboostaswellasareductionintheoverallsizeofthecase.Notselectingthisitemresultsinblanktextviewsforalldocuments.
• UseStopWords‐TheEnglishlanguagestopwordsare:a,an,and,are,as,at,be,but,by,for,if,in,into,is,it,no,not,of,on,or,such,that,the,their,then,there,these,they,this,to,was,willandwith.WhenthisoptionissettoNone,Nuixindexesallwordsinthesourcedata.WhensettoEnglish,NuixdoesnotindexEnglishstopwords.ThisoptionissettoNonebydefault.Notes:Nuixrecommendsleavingthissetto"none"toensurethatallphrasesearchescanbeaccuratelysearched.DTSearchexcludesstopwordsfromitsindexbydefault.ThiscanresultindifferentsearchcountsbeingreturnedwhencomparingtheresultsofNuixandDTSearchbasedproximityqueries.
• UseStemming‐SelectingtheEnglishlanguagestemmingoptionmeansthatNuixstemsallwordsduringprocessing.Nuixdoesnotstoreboththestemmedandunstemmedvariantsofthewordsintheindex.Itisthereforeveryimportanttounderstandhowstemmingimpactsadataset.WhenthisoptionissettoEnglish,Nuixsearchesforpluralsandotherwordvariantswhenyousearchforagivenword.Forexample,ifthesearchwordis"control",havingthisoptionenabledreturnsdocumentscontaining"control","controlling","controller","controls",etc.WhensettoNone,thesearchreturnsonlydocumentscontainingtheword"control".ThisoptionissettoNonebydefault.Ifdesired,reviewmoreinformationonstemming.Notes:Unlessthereisaveryspecificreasontoenablethesefeatures,Nuixrecommendsthatyouusethedefaultsettings.Forexample:Acollectionofdocumentswasindexedwithstemmingenabled.Thecasepertainedtoahumanresourcesrelatedinvestigation.Oneofthekeywordstheinvestigatorwastryingtofindwas"PMS".Withstemmingenabled,"PMS"wasindexesas"PM".ThismeanttheeverysearchforPMS,foundallhitsthatcontainedanyafternoontimestamp(PM).Dataisindexedwithstemmingorwithout.Thefulltextindexdoesnotcontainbothastemmedandun‐stemmedcollection.So,ifyouprocesswithstemmingenabled,andfindsometermsimpossibletofind,youmustreprocesstheentirecollection.Nuixrecommendsusing*insteadofstemmingforsim‐plicityandtransparency.
Load Data 159
Creating a Case and Loading Data
Inaddition,Nuixalsooffersavarietyofothergeneralprocessingoptions:
• Storebinaryofdataitems‐SelectingthisoptioncopiesthebinaryequivalentoftheitemintotheNuixdatabase.Thisallowsyoutoopendocumentsintheirnativeapplicationmorequicklyandalsoincreasesthespeedofexportingitemsbyeliminatingtheneedtore‐extractthedatafromthesource.
Note:Selectingthisoptioncanreduceindexingspeedby15‐20%aswellasincreasetheamountofstoragerequiredforevidencefromabout20‐50%oftheoriginaldatasetto220‐250%.Bydefault,thisoptionisnotselected.
• Extractfromslackspaceofemailboxes‐SelectingthisoptionallowsNuixtorecoverpermanentlydeletede‐mailsinMicrosoftformats,includingPSTs,OSTs,DBXandEDB/STMfiles.Nuixdoesnotsupporttheextractionofdatafromdeleted,swap,orslackspaceonfilesystemsorinforensicimages.Bydefault,thisoptionisnotselected.
• Createthumbnailsforimagedataitems‐Selectingthisoptionpresentsaviewofextractedimagesasthumbnailsforquickreview.TheThumbnailviewalsoshowsyouthenumberofcopiesofeachimage,andworkswellinconjunctionwiththeskintonefilter.Thisoptionisselectedbydefault.
• Skintoneanalysis‐Selectingthisoptionappliesaskin‐tonedetectionalgorithmonallimages.Thisanalysiscategorizesimagesintofourgroupsbasedonthepercentageofskintonepresent(pixelanalysis):Severe(over50%)High(between20%and50%)Medium(between5%and20%)Low(below5%).Nuixidentifiestheimagesmostlikelytocontainlargequantitiesofskinorfleshtones(highlikelihoodofpornographiccontent).Youcanthenperformavisualreviewoftheimagestoanalyzethemforrelevancy.Thisoptionisselectedbydefault.
• SHA‐1Digests‐SelectingthisoptioncreatesSHA‐1digestofthefile.Thisdigestisforinformationalpurposesonlyandisnotusedinthededuplicationprocess.Bydefault,thisoptionisnotselected.
• SHA‐256Digests‐SelectingthisoptioncreatesSHA‐256digestofthefile.Thisdigestisforinformationalpurposesonlyandisnotusedinthededuplicationprocess.Bydefault,thisoptionisnotselected.
Note:NuixcreatesanMD5digestforallitemsthatdonotexceedtheMaximumDigestSize.TheMD5Digestofafileiscalculatedfromitsbinaryandanemail'sdigestiscalculatedbasedontheTo,From,Cc,Subject,tokenizedbody,andthebinarystreamsofitsattachments.
• MaximumDigestSize(MB)‐SetsthemaximumfilesizeforwhichNuixwillcreateadigest(hash);Nuixdoesnotcreateadigestforanyfilesizegreaterthanthevaluespecified.SettingthisoptionartificiallyhighwillerodeNuix'sperformanceascreatingdigestsforextremelylargefilesistimeconsuming.NotethatpriortoNuix2.16.x,fileslargerthan256MBwerenotdigested.Thedefaultvalueis256,andthereisnomaximumvalue.
• MaximumBinarySize(MB)‐SetsthemaximumfilesizeforwhichNuixwillcachethebinary;Nuixdoesnotcachethebinaryofanitemifitgreaterthanthevaluespecified.Settingthisartificiallyhigh
160 Load Data
Creating a Case and Loading Data
willerodeNuix'sperformanceascopyinglargefilesistimeconsuming;thesetypesoffilestypicallyarecompoundfiles(PST,ZIP,etc...)wherethecontentsofthefilewillbeindividuallyextractedandcachedinthecase.NotethatpriortoNuix2.16.x,fileslargerthan256MBwerenotcachedinthebinarystore.Thedefaultvalueis256,andthemaximumdigestsizecanbesetto1000MB.
Parallel Processing SettingsTheParallelProcessingtabofferssettingsthatallowyoutocontrolhowtheNuixworkersoperatewhileprocessing(ingesting)thedata.IfyouareusingNuixinaparallelprocessingenvironment,reviewtheinformationaboutdistributedprocessingonpage 144.
Nuixoffersthefollowingsettings:
• Runlocalworkers‐Selectingthisoptionallowsworkerstorunonthelocalmachine,inadditiontotheremoteserver.Itispossibletorunbothlocalandremoteworkersonthesamejob,butthesuccess/speedofprocessingisdirectlydependentonyourhardware.Iftherearealargenumberofremoteworkersonthejob,itisoftenmoreefficienttodisablelocalworkerssothatthemastergetsmoretimetocoordinatewiththeworkers.YoushoulddiscusstheoptimalconfigurationsettingswithNuixsupport@nuix.comoryourreseller.Thisoptionisselectedbydefault,andunlessyouareprocessinginadistributedconfiguration,theoptionshouldalwaysbeselected.
• Numberofworkers‐Setsthenumberofnuix_single_worker.exeinstancestouseduringaprocessingjob.Inthemajorityofcases,youshouldalwayssetthistothemaximumavailablebasedonyourlicence.However,therearesomecaseswhenthenumberofworkersneedstobereducedandtheamountofRAMincreasedtosuccessfullyprocessadataset.Bydefault,thevalueissettotothemaximumallowedbyyourlicense.
Load Data 161
Creating a Case and Loading Data
• Memoryper‐worker(MB)‐SetstheamountofRAMthateachnuix_single_worker.exehasavailableduringaprocessingjob.Nuixdoesnotimmediatelyconsumetheallocatedmemory,butrathersetsthisathethresholdfortheJavaVirtualMachine.Bydefault,thevalueissetto1,000.
Note:Thesumof("NumberofWorkers"×"Memoryper‐worker")+"SystemOptions|ApplicationMemory"shouldbeatleast2GBlessthanthetotalavailableRAMonthesystem.Foradditionalinfor‐mationonallocatingapplicationmemory,see“AllocatingMemory(RAM)forBetterPerformance”onpage 141.
• Workertempdirectory‐SpecifiesthetemporarylocationusedbytheNuixduringprocessing.Nuixwillusethisdirectoryascacheforanyfilesthatitneedstowritetodisk.
Note:WhenprocessingLotusNotesdata,NuixwillcreateonecopyoftheactiveNSFfileforeachnuix_single_worker.exe.Forexample:Ifyouareprocessingone10GBNSFfile,witha4‐corelicense,NuixcreatesfourcopiesoftheNSFfileintheWorkertempdirectory.
Audit Report Filtering SettingsTheAuditFilteringtabdisplaysifyouareusinganauditedlicencetype.Fromhere,youcanselectadigestlistofsystemfiles(NSRL,or"NIST"files)toexcludefromtheauditreportforthiscase.Thiseffectivelyallowsyoutocontrolwhichitemswillbecountedtowardtheper‐processedGBtotalforeachcase.
Thesettingsare:
• Filteroutitemsmatchingthefollowingdigestlist‐Selectthisoptiontoremoveaspecificlistoffilesfromtheauditreport.
• Digestlist‐SpecifythedigestlisttoexcludefromauditingfromthesetofdigestlistsimportedintoNuix.
162 Load Data
Creating a Case and Loading Data
Foradditionaldetailoncreatingdigestlists,see“ImportingDigestLists”onpage 130and“CreatingaDigestList”onpage 263.
ADDING CASE EVIDENCE
Afteryoudescribethecaseandsetitsoptions,younextadddatatothecase.ForinformationontheNuixsupportedfiletypes,see“AboutSupportedFileTypes”onpage 285.
TheAddCaseEvidencedialogueallowsyoutoadd,removeandeditthemetadataofcaseevidencebeforeNuixretrievesandprocessesit.
• Thedatathatyouaddasevidenceshouldbelogicallyorganised,suchasbycustodianorotherrelevantfactor.
• Eachpieceofevidencecancontainmultiplefiles,directoriesormailstores.• Theevidencenameswithincasesshouldbeunique,incaseyouevercombinethesimplecaseintoa
compoundcase.
Note:Youcannotremoveevidencefromacaseonceitisprocessed(indexedinNuix).Ifyoudoincorrectlyadddatatoacase,youcanfilteritoutduringthereview/search/analysisprocessusinganexclusionfilter,atag,oradigestlist.Iftheevidenceneedstoberemoved,youcancreateacasesubsetwithouttheundesirabledata.
Load Data 163
Creating a Case and Loading Data
Selecting the Data SourcesThefirststeptoaddingthecaseevidenceistoselectthedatasources.Eachsimplecasecanhandleamaximumoftwobillionitems(2,000,000,000).Asagauge,aTBofdatamightcontainupwardsof20million(20,000,000)items.Thismeansthatyoucouldeffectivelyadd100TBofsourcedatatoasinglesimplecase.
FromtheAddCaseEvidencedialogue,selectAddtodisplaytheAdd/EditEvidencedialogue.
WhenyouselectAdd,fouroptionsareavailable:
• AddFiles–Selectfilesfromacomputer,networkorexternaldrive(e.g.PST,EDB,NSF,MBOXetc…)• AddSplit“DD”Files‐Selectfilesthathavebeensplitintomultipleparts,suchas“DD”imagefiles.
UsingthisoptionallowsNuixtoproperlyidentifyandmanagethesegmentsofasplitfile.• AddDirectories–Selectadirectorythatincludesallfilestobeadded.Thisisthesuggestedwayto
importanEnCase,CompressedEnCaseorddimage.Nuixdoesnotsupportsegmentedddfiles,onlywholeddimages.
• AddMailStore–SelectsanindividualmailstoreviaPOPorIMAP.UsethismethodtoconnecttoNovellGroupWiseorforcorporatemailserversthatsupportPOPandIMAPconnections,aswellasloadingGmail,Hotmailandotherinternet‐storedemaildata.
164 Load Data
Creating a Case and Loading Data
TocollectinformationfromanyofthesesourcestheappropriatecredentialsmustbeprovidedtoNuix:Mailstoretype‐POP,POP/SSL,IMAP,IMAP/SSLandGroupwiseServerhostname‐DNSnameorIPaddressofthetargetedmailserverServerport‐WillupdatebasedonMailStoretype.Ifacustomportisrequired,pleasemaketheappropriatechange.UsernamePassword
Note:Connectingtocorporatemailserverscanresultinexportinglargevolumesofdata,whichcanputaheavystrainontheserver.
Describing the EvidenceIntheAdd/EditEvidencedialogue,youwillneedtodescribethesettheevidencethatyouareadding,includingcertainmetadataproperties.
Thefollowingfieldsareavailable:
• Evidencename‐Describestheevidence.Youshoulduseuniqueevidencenames,asyoucanbothsearchforthesenamesandviewthemintheDocumentNavigator.Ifalloftheevidenceappearsasthedefault“Evidence1”,thevalueofthesecapabilitiesisdiminished.
• Comments‐Furtherinformationabouttheevidenceyouareaddingtothecaseorthatyourbusinesspolicydictatesshouldbeassociatedwiththeevidence.
• Sourcetimezone‐Nuixstoresalldate/timevaluesinabsolutetimeorsystemtime.Absolutetimeorsystemtimeisrecordedasthenumberoftickssinceepoch.Foreachdate/time,Nuixcalculatestheoffsetbasedonthetimezone,thenstoresthesystemtime.
TheSourceTimeZonesetsthedefaulttimezonethatisusedforprocessingtheevidencecollection.Thisprovidesameansofcontrollingthetimezonevalueforthosedatatypesthatdon'texplicitlydeclaretheirtimezone.Thisisusefulforwhenagroupofdocumentshavebeencollectedfromonegeography/timezone(e.g.,NewYork,EasternStandardTime,orEST),butarebeingprocessinginadif‐ferentgeography/timezone(e.g.,London,GreenwichMeanTime,orGMT).Thisensuresthatalldateswithoutatimezonearecorrectlyprocessedusingthecorrectcollectiongeographiestimezone(EST).
Examplesofdocumenttypesthatdonotstoretimezoneinformation:Yahoo,Hotmail,andGmailHTMLfilesSomeEncaseheadersectionsPSTpropertyblockinfoTNEF,CAB,RAR,ZIP,PDF,andDBXfilesImagefilesMicrosoftProjectfiles(Internalprojectdates)
Load Data 165
Creating a Case and Loading Data
DatepropertiesforOLE2‐baseddocuments(includesOffice97‐2003formats)• Sourceencoding‐SetstheWindowssourcefileencodingformat.Anumberoflegacy/badlydesigned
filetypeswhichcontaincharacterdatainbinarydon'tstorewhatcharacterencodingwasusedtocreateit.Examplesincludeold‐stylePSTfiles.Typically,oldChinesePSTfilesneedtouseGBKasthesourceencoding,andJapaneseusewindows‐31j.Newer‐stylePSTfilesarebetterdesignedinthattheyuseUTF16‐LEforencoding.
Adding Custom MetadataIntheAdd/EditEvidencedialogue,youcanalsoaddthecustommetadatatoeveryitemwithinagivensetofevidence,eithermanuallyorbyimportingit.
Note:Youcanonlyaddcustommetadatatoitemswhenyoucreateacase.OnceNuixloadsthedata,youcanonlyaddtagsandcommentstoitems.
BelowtheCustommetadatatable,clickAddtoaddmetadataoneatatime.TheAddMetadatadialogueboxdisplays.Provideanameandavalueforeachcustommetadatafield.Youcanaddasmanyasyoulike.Thesemetadatavalueswillbeaddedtoeveryitemthatisimportedaspartofthiscollectionofevidence.Examplesincludecustodianname,clientcase#,internaljob#,etc.
YoucanalsoimportaCSVfilewithalistofthedesirednameandvaluepairs,byclickingImport.Anexamplefilewouldlooklike:
name, valueCustodian, John Smithid, 000001
Toremovecustommetadata,selecttheitem(s)inthetableandclickRemove.
Note:Fordetailsonhowtosearchforcustommetadata,see“evidence‐metadata”onpage 190.
Pre-Filtering the Evidence (Enterprise Workstation Licenses Only)IfyouhavetheEnterpriseWorkstationlicense,thePre‐FilterEvidencedialogdisplayswhenyouaddevidenceintheAdd/EditEvidencedialogue.Thisfunctionletsyouselectivelychoosespecificfilesorfolderstoaddasevidencefromwithincompoundfiles.Someexamplesinclude:
• ExchangeDatabaseFiles(*.EDB)‐ProcessonlyspecificcustodianmailboxesfromwithinanEDBoralternativelyselectonlyasinglecustodian'sInboxorCalendarforprocessing.
• ForensicImages(E01,L01,DD)‐Processonlyspecificfoldersfromwithinanimage(DocumentsandSettingsorUsers).
166 Load Data
Creating a Case and Loading Data
• NSFfiles‐SelectivelyprocessspecificviewsfromwithinaLotusNSFfile,insteadofextractingalldocuments.SeetheKnowledgeBasearticleonhowtoextractfromallviewspresentinanNSFfile.
Load Data 167
Interrupting a Processing Job
Interrupting a Processing JobDuringthetimeNuixisprocessingthedata(ingestingandindexing),youcanpauseorcanceltheoperation.
FromtheProcessingtab,selectoneofthefollowingoptionstointerrupttheprocessingofcaseevidence:
• Pause‐Temporarilyhaltstheprocessingjob,atwhichpointtheResumebuttonbecomesactive.• Resume‐Continuestheprocessing.PausingandthenpressingStopisthesameasjustpressingStop.• Stop‐Displaysadialoguethatprovidestwooptionsforstoppingcaseprocessing,StopandAbort.
Note:Pausingisaverytemporarystate.YoucannotpauseNuix,thenrebootthemachineorcloseNuix,andopenitbackupandresumeprocessing.IfyouarelookingtoexitoutofNuixcompletely,usetheStoporAbortoption.
168 Load Data
Interrupting a Processing Job
FromtheStopProcessingdialogue,youcanselectoneofthefollowingoptionstostopprocessingcaseevidence:
• Stop‐Quitsprocessingandcleansupthecase,makingthedatathathasbeenprocessedavailableforsearch.Insomeinstancesthiscantakeawhile.Theunprocessedportionofthedatacannotbereprocessed.Youmustreloaditintothecase.
• Abort‐Quitsprocessingandexitsthecase;whenyoureopenthecase,Nuixwillcontinueprocessingevidencefromthebeginningofallpartiallyprocessedfiles.Forexample,ifyouareprocessingasinglelargeEDBfileandyouAbort,Nuixwillrestartatthebegnningofthepartiallyprocessedfile,whichinthiscaseistheEDBfile.Ifyouareprocessingadirectoryof1GBPSTs,andNuixhascompleted50,haspartiallyprocessed4,andhad46remaining‐Nuixwillresumeprocessingbyrestartingatthebeginningofthe4partiallyprocessedPSTfiles.Thisleadstosomeduplication,butnodataisomitted.
• Cancel‐Cancelsthedialogueboxandresumestheprocessingoperation.
Load Data 169
Working with Existing Cases
Working with Existing CasesOnceacaseitselfiscreated,otherrelatedactionsareopeningthecase,editingpropertiesofthecase,addingnewevidencetothecase,andclosingthecase.
Toopenacase,youcanuseoneofseveralmethods:
• ClickacasefromthelistofrecentlyopenedcasesthatdisplayintheNuixDesktopwindow.• ClickOpenCasefromtheNuixDesktopwindow.• Fromthemenu,selectFile>OpenCase.
Toeditthepropertiesofacase,openthecaseandselectFile>CaseProperties.Youcaneditthename,investigator,anddescriptionofthecase,aswellassetthetimezoneassociatedwiththeinvestigativeworkonthecase.The"InvestigationTimeZone"controlsthetimezoneoffsetusedforalldate/timespresentedintheresultset,theMetadatatabofthePreviewpane,andlegalexports.
170 Load Data
Working with Existing Cases
Toaddmorecaseevidenceafteryouhavecreatedthecase,openthecaseandselectFile>AddCaseEvidence.See“AddingCaseEvidence”onpage 163formoreinformation.Tocloseacaseyouhaveopened,selectFile>CloseCase.
Load Data 171
Working with Existing Cases
172 Load Data
CHAPTER 6 Search
ThissectionexplainshowtosearchforevidenceinNuix,including:
• searchingwiththeSearchfieldandAdvancedQueryBuilder,whichletsyoubuildmorecomplexsearcheswithoutknowingsearchsyntax
• savingandrerunningqueries• learningthesearchsyntaxavailableforqueries
Thischaptercontainsthefollowingtopics:
• “PerformingSimpleSearches”onpage 174• “PerformingAdvancedSearches”onpage 176• “SavingandManagingSearchQueries”onpage 178• “SearchQuerySyntax”onpage 179
Search 173
Performing Simple Searches
Performing Simple SearchesNuixoffersacoupleofdifferentwaystoquicklysearchthroughthebodyofevidence:
• UsingtheSearchbaratthetopoftheWorkbenchtabtosearchusingsimplekeywordqueriesand/ordates.
• UsingthepredefinedFilteredItemscategorieswithinthesearchquerytorefinetheevidencebasedonmetadatatype.
SEARCH WITH KEYWORDS AND DATES
LocatedatthetopoftheWorkbench,theSearchbargivesyouquickaccesstokeywordsearchesandsearchingbydate.
ToperformasearchfromtheSearchbar:
1. TypedirectlyintotheSearchtextfieldorcutandpasteapredefinedqueryintothefield.
TheSearchfieldcanholdanunlimitednumberofcharacters,soqueriescanbeaslongasnecessary.YoucanuseBooleanoperatorssuchasAND,OR,andNOTbetweensearchterms,andquotesaroundphrases.Formoreinformationonthesupportedsearchsyntax,see“SearchQuerySyntax”onpage 179.
2. Ifneeded,usethedatefiltertosearchBetween,After,orBeforecertaindates,orusetheNotbetweenoptiontoexcludeaspecificdaterange.
Notes:TheDatefilteroperatesintheinvestigationtimezonesetinFile>CasePropertiesinsteadoftheyoursystem’slocaltimezone.Thisallowsyoutoviewtheitemsinthetimezoneofthecustodian(s)beinginvestigated.ThedatefiltersearchesontheNuixItemDate.Foremails,itusestheNuixCommunicationsDatewhichistheMap‐Client‐Submit‐Time,SentDate,orDatemetadataproperty.Forfiles,itistheFileModi‐fiedor,ifnotpresentthentheFileCreated.Iftheitemdoesn'thaveanyofthesedatefields,thentheitemdateoftheparentitemisused.Theleftdatecontrolwillsearchstartingfrom00:00:00HH:MM:SSandtherightdatecontrolwillsearchuntil23:59:59oftheselecteddate.
3. ClicktheSearchbutton orpresstheEnterkeytorunthesearch.
174 Search
Performing Simple Searches
Otheractionsyoucanperformare:
• ViewandreusepriorsearchstringsusingtheBackwardsandForwardsarrowbuttons infrontoftheSearchfield.
• ClearthesearchkeywordsanddatefilterbyclickingtheClearbutton.Whenyouclearasearch,anyselectednodesintheFilteredItemspaneareclearedaswell.
• BuildamorecomplexsearchquerybyclickingAdvanced.
SEARCH WITH FILTERS
IntheDocumentNavigatortotheleftontheWorkbench,youcannarrowyoursearchby:
• includingonlytheevidenceyouwanttosearchbyclearingthenodesinthetreeyoudonotwishtosearch,intheEvidencepane.
• includingonlythetypesofitemsyouwanttosearchforbyselectingtheappropriatemetadatafiltersintheFilteredItemspane.
WhenyouthenusetheSearchbar,evidenceandfiltereditemsthatareunselectedintheDocumentNavigatorwillbeexcludedfromthesearch.
Search 175
Performing Advanced Searches
Performing Advanced SearchesNuixoffersahelpfulgraphicaltoolforbuildingmorecomplexsearches.Insteadofmanuallycreatingasearchquery,youcanselectthetypesofmetadatayouneedandaddkeywords,values,orothercritieriaasprompted.Thetoolbuildsthesearchsyntaxforyou,andallowsyoutoeditorremovepartsoftheexpressionasyouwork.
TocreateasearchqueryusingtheAdvancedSearchtool:
1. OntheWorkbenchtab,intheSearchbar,clickAdvanced.
2. Selectacriterion(typeofmetadata)forwhichyouwanttosearch.
Theavailabletypesarekeywords,filesize,filetype,tags,comments,andaddresses.
3. Enterthevaluesforthecriterionselected.
Forexample,ifyouselectedFilesize,specifytheminimumandmaximumrangeinbytesizestomatchagainst.
4. ClickAddtoExpression.
Thisaddsthepropersearchsyntax,calledrules,tothequeryanddisplaysintheExpressiontable.
5. Repeatsteps2‐4asneededuntilyourquerycontainsallthecriteriayouneedforyoursearch.
6. Selectwhethertomatchalloftherulesoranyoftherules.
176 Search
Performing Advanced Searches
7. ClickSearchtorunthesearch.
OtheractionsthatyoucanperformintheAdvancedSearchtoolinclude:
• EditapieceofsyntaxbyselectingitintheExpressiontableandclickingEdit.• DeleteapieceofsyntaxfromtheexpressionbyselectingitandclickingRemove.• CleartheentiresearchexpressionbyclickingClearAll.• ClosetheAdvancedSearchtoolbyclickingtheAdvancedbuttonintheSearchbar.Thesearchcriteria
specifiedinthefieldsissaved.
JustlikequeriesthatyoutypeintotheSearchbar,youcansavethesearchqueriesbuiltinthistool(see“SavingandManagingSearchQueries”onpage 178).Fordetailedinformationontheavailableoptions,see“AdvancedQueryBuilder”onpage 31.
Search 177
Saving and Managing Search Queries
Saving and Managing Search QueriesAfteryoucreateasearchquery,youcansaveitforreuse.Managingsearchqueriesinvolvessaving,loading,deleting,andreusingthem.
SAVE A SEARCH QUERY
Tosaveasearchquery:
1. UsetheSearchbarorAdvancedsearchwindowtocreateasearchquery.
2. FromtheGomenu,selectSaveSearch.TheSearchNamedialoguedisplays.
3. GiveyoursearchqueryauniquenameandclickOK.
Thissearchisnowavailableforreuse.
Note:Whenyousaveasearchquery,NuixsavesitintheWindowsregistryundertheHKEY_CURRENT_USER\Software\JavaSoft\Prefs\com\nuix\investigator\search\savedkey,incaseyouneedtouseacommonsetofsearchqueriesacrossmultiplemachines.
LOAD A SEARCH QUERY
Toloadasavedsearchquery:
1. FromtheGomenu,selectLoadSearch.
2. Fromthelist,choosethequeryyouwishtorerun.
Nuixautomaticallyrunsthesearchagainwhenyouloadit.AnymatchingitemsdisplayintheResultslist.
DELETE A SEARCH QUERY
Todeleteasavedsearchquery:
1. FromtheGomenu,selectDeleteSearch.
2. Fromthelist,choosethequeryyouwishtodelete.
ThesearchqueryisremovedfromtheWindowsregistryandisnolongeravailabletoload.However,itwillremaininthecase'sSearchHistorylistintheDocumentNavigator.
NuixalsosavesallsearchqueriesthatyouperformwithinacaseintheSearchHistorypaneoftheDocumentNavigator.TheSearchHistorylistsallsearchesperformed,categorizedbyhowlongagointimethesearcheswereperformed.Thislistservesasbothanaudittrailofthesearchesrunwithinthecase,butalsoallowsyoutofindanrerunasearchthatyouhavenotsaved.
178 Search
Search Query Syntax
Search Query SyntaxNuixoffersawidevarietyofsearchsyntaxtorefinethesearchresults,including:
• Simplequeries• Wildcardqueries• Fuzzyqueries• LogicalorBoolean• Phrasequeries• Regularexpressionqueries• Rangequeries• Indexedfields
SIMPLE QUERIES
ThesimplestNuixsearchqueryisasingleword.WhenyouenterasinglewordintotheSearchfielditlocatesalloccurrencesoftheword,foundintheproperties,thename,thepathand/ortextcontentofitems.
Thesearchtermsarenotcasesensitive;thequeries"joe","Joe"or"JOE"willreturnidenticalresults.
Example:
Note:Nuixbydefaultsearchesthepathnameoftheitem.ForExample,ifthefilesIamlookingforarelocatedin\Evidence 1\Email\Joe's Email\Important stuff,adefaultqueryforJoefindsallitemsfrom"Joe'sEmail"andbelow.Toexcludethepathnamefromthesearch,searchineachfield:name:joe OR content:joe OR properties:joe.
WILDCARD QUERIES
Youcanusewildcardstosearchformultiplewordsthatsharesomeofthesamecharacters.Youcanusemorethanonewildcardinasearchterm.
Query String Results
joe Matches all items with the word "joe" somewhere in the properties, name, path or the text content.
Search 179
Search Query Syntax
Single Character WildcardsTosearchwithasinglecharacterwildcard,usethe"?"symbol.Youcanusethe"?"characterinanypositionexceptasaleading(first)character.Thequery"J?e"isvalid,howeverthequery"?oe"isnot.
Nuixreturnswordswithanycharacterinthepositionofthe"?"symbol,includinganemptycharacter,aslongastherestofthecharactersinthetermmatchaswell.
Examples:
Multiple Character WildcardsTosearchusingmultiplecharacterwildcards,usethe"*"symbol.The"*"symbolcanbeusedinanyposition,howeverwhenusedatthefrontofatermthesearchcantakelonger.
Aquerywillmatchzeroormorecharacterstothepositionofthe"*"symbol.
Examples:
Mixing WildcardsYoucanuseboththesingleandmultiplecharacterwildcardsinasinglequery.
Example:
Query String Results
nu? Matches "nuv" and "num"
n??e Matches "nice" and "nate"
Query String Results
nu* Matches "nunawading", "nuix", "nu" and "numpages".
*work Matches "work", "network" and "patchwork".
Query String Results
n?u* Matches strings that start with the character "n", are followed by zero or exactly one more character, followed by "u", followed by any number of characters. Thus, it will match "nsummary", "neutral", "noun" and "nuix".
180 Search
Search Query Syntax
FUZZY QUERIES
NuixsupportsfuzzysearchesbasedontheLevenshteindistanceor“Editdistance”algorithm.TheLevenshteindistancebetweentwostringsisdefinedastheminimumnumberofeditsneededtotransformonestringintotheother,withtheallowableeditoperationsbeinginsertion,deletion,orsubstitutionofasinglecharacter.
Tofindwordsthataresimilartooneanotherinasfarasthecharacterstheycontain,addthetilde(~)symbolattheendofasearchterm.
Youcanaddanoptionalparameterafterthetildetospecifytherequiredsimilarity.Thevaluecanbebetween0.0and1.0,wherehighervaluesrequireamoresimilarmatch(using1.0isthesameasnotusingafuzzysearch)andlowervaluesallowmoreletterstobedifferent.
Thedefaultvalueintheabsenceofthisparameteris0.5.
Examples:
LOGICAL (OR BOOLEAN) OPERATORS
YoucanuseBooleanoperatorsinyourqueriestohelprefineyoursearchtasks.NuixsupportsthefollowingBooleanoperators:AND,OR,NOT.WhileyoucanchaintogetheranynumberoflogicalANDs(oranynumberoflogicalORs)withoutambiguity,combiningthevariousoperatorstogethercanleadtoambiguity.Insuchcases,youcanuseparenthesestoclarifytheorderofoperations.Asalways,theoperationswithintheinnermostpairisperformedfirst,followedbythenextpairout,etc.,untilalloperationswithinparenthesesarecomplete.Thenanyoperationsoutsidetheparenthesesareperformed.Reviewthefollowingsectionsfordetailsonhowtousethelogicaloperators.
AND OperatorAsearchcombiningtwoormoresearchtermsusingtheANDoperatormatchesonlythoseitemsthatincludealloftheindividualterms.
Query String Results
hot~ Matches the words "hot", "lot", "hut", "hoc", "how", "shot", "got", "pot", ...
cold~ Matches the words "cold", "clod", "mold", "bold", "coil", "mould", ...
cold~0.75 Matches the words "cold", "mold", "bold", ... but not "clod", "mould", ...
Search 181
Search Query Syntax
TheANDoperatoriscasesensitiveandmustbewritteninuppercase.Ifyousearchusing"and"instead,youwillgetitemsthatcontaintheword"and".
YoucancombinetheANDoperatorwithothertypesofsearchsyntax.Forexample,youcanuseANDinbetweentermsthatuseawildcardandafuzzysearch.
If you use two single terms in the query, by default Nuix combines the terms using the AND operator. Another syntax for the AND operator is to add the plus (+) symbol to additional terms you want to include in the search; therefore insider AND trading AND options is the same as insider +trading +options.
Examples:
OR OperatorAsearchcombiningtwoormoresearchtermsusingtheORoperatormatchesitemsthatincludeeitherofthewordsinthem.
TheORoperatorbehavesmuchliketheANDoperatorwithrespecttomixingwithotherqueries.
Example:
NOT OperatorAsearchcombiningtwoormoresearchtermsusingtheNOToperatormatchesthoseitemsthatincludethefirstterm,butdonotincludethesecondterm.
TheNOToperatorbehavesmuchliketheANDoperatorwithrespecttomixingwithotherqueries.
Query String Results
Joe AND Bloggs Matches items that contain both "Joe" and "Bloggs".
Joe Bloggs Matches the same items as the previous query, because AND is the default operator.
Joe +Bloggs Matches the same items as the previous two queries (alternative syntax).
J* AND Bloggs Matches items that contain both text starting with "J" and the full word "Bloggs".
Joe~ AND Bloggs Matches items that match the fuzzy search results for "Joe" and the full word "Bloggs".
Query String Results
Joe OR Bloggs Matches items that contain either "Joe" or "Bloggs" (or both).
182 Search
Search Query Syntax
AnothersyntaxfortheNOToperatoristoaddtheminus(‐)symboltoadditionaltermsyouwanttoexcludefromthesearch.
Examples:
Operator GroupingIfANDandORoperatorsaremixedinasingleexpression,useparenthesestogrouptheexpressiontoproducethedesiredquery.
Examples:
XOR (Exclusive OR) Operator
NuixdoesnotsupportanexplicitXORoperand.However,becauseitdoessupporttheuseofparentheses,youcanconstructequivalentqueries.
Example:
Query String Results
Joe NOT Bloggs Matches items that contain "Joe", but not "Bloggs".
Joe ‐Bloggs Matches the same items as the previous query (alternative syntax).
Query String Results
(Joe AND Bloggs) OR Smith Matches all items that contain either both Joe and Bloggs, or Smith (so it would match an item that contains the phrase "Keith Smith".)
Joe AND (Bloggs OR Smith) Matches all items that contain both Joe, and either Bloggs or Smith (so it would not match "Keith Smith", but it would match "Joe Bloggs".)
Query String Results
(Joe NOT Bloggs) OR (Bloggs NOT Joe)
Matches items that contain either "Joe" or "Bloggs", but not both. That is, it could return matches containing Joe Smith or Karen Bloggs.
Search 183
Search Query Syntax
PHRASE QUERIES
Tosearchforasequenceofwordsinaspecificorder(aphrase),adddoublequotemarks(")atthestartandtheendofthephrase.
Example:
Punctuationisremovedfromthesearchstringautomatically,andtreatedaswhitespace.Ifapunctuationmarkisconvertedtowhitespace,theentiretermisautomaticallyconvertedtoaphrase.
Examples:
Tosearchforwordswithinacertaindistanceofeachother,usethetilde(~)symbolattheendofthequeryalongwithanumericalvalue.Thisisreferredtoasthe"slop"ofaphrasequery.
Examples:
Note:Thebehaviourofphrasequerieswithslopappliedisnotimmediatelyobvious.Thenumberinputastheslopvalueisappliedrelativetothetermbeingsearchedfor,whereassomeusersexpectittobeappliedrelativetothepreviousterm.
Takethephrase,"Thequickbrownfoxjumpsoverthelazydog."Ifwewanttosearchfor"foxquick"~2.Nuixwillfirstfind"fox",andthensetaboutlookingfor"quick"immediatelyafterfox,allowingittofall2wordseitherside.
Query String Results
"Joe Bloggs" Matches items that contain "Joe Bloggs", in that order.
Query String Results
"P&L" Matches items that contain "P L", in that order.
[email protected] Matches items that contain "joe bloggs nuix com", in that order.
"[email protected]" Matches items that contain "joe bloggs nuix com", in that order. This is the same result as without quotes.
Query String Results
"Joe Bloggs"~2 Matches items that contain "Joe Bloggs", as well as items that contain "Joe John Bloggs".
"Joe* Blog*"~2 Matches items containing "Joe Bloggs", Joe's Blog" or other combinations that match the provided wildcards, with up to two unrelated words in between them.
184 Search
Search Query Syntax
Visuallythiscanberepresentedasfollows:
Thenumbersbelowthewordsindicatetheslopvaluerequiredtomatcheachterm,from‐2upto2.Therefore,thefollowingqueriesshould(anddo)resultinamatch(thisassumesthatstopwordsarenotinuse):
• "foxjumps"~2• "foxover"~2• "foxthe"~2• "foxbrown"~2
Thefollowingqueriesdonotresultinamatch:
• "foxquick"~2• "foxlazy"~2
Additionally,"foxfox"~2doesnotreturnamatchasphrasequeriescanonlymatcheachtermonceforeachpositioninthephrase.
SeetheJavaToday‐QueryParserRulesandsearchfor"slop"foradditionaldetails.
REGULAR EXPRESSION QUERIES
Aregularexpressionisapowerfulmethodfordescribingasearchpattern,providingameansformatchingstringsoftext,suchasparticularcharacters,words,orpatternsofcharacters.
Toperformaregularexpressionsearchaddtheforwardslashcharacter(/)tothestartandendoftheregularexpression.Forthosefamiliarwithregularexpressions,thepatternismatchedagainsteach
Search 185
Search Query Syntax
individualword,sousingexpressionssuchasthecaret(^)tofindthestartofalineinthetextisnotpossible.
Youcanformcomplexphrasequeriesbyusingspaceswithintheregularexpressions.
Note:Regularexpressionscanslowsearchperformancedependingontheircomplexity.
Someavailablepatterns:
Examples:
Syntax Result
\d A digit (0‐9).
\D A non‐digit.
| Matches either the left or right side.
[] One of the characters within the brackets.
. Any character.
.* The same as a multiple character wildcard search.
\b A word boundary. Hyphenated words are broken up by word boundaries. This matches hyphen boundaries and the end of a word.
^ Start of a word. Will not match hyphen boundaries.
$ The end of a word. Will not match hyphen boundaries.
Query Syntax Description
/apple|orange/ Matches all items that contain either apple or orange.
/gr[eao]y/ Matches all items that contain either grey, gray or groy.
/gr[^eao]y/ Matches all items that contain at least one word starting with gr followed by a character that is not e, a or o, followed by y. This query would match griy and gr3y.
/.oe.* not/ An example of a phrase query. Matches all items that have a word starting with any letter followed by oe, optionally followed by any other characters then the word not. This query would match "does not", "joe not" and "ioexception not".
/\d{4}‐.*/ Matches all hyphenated terms starting with 4 digits. This query would match 0404‐, 8823‐4524 and 8823‐4524‐6754‐2345.
/0\d{1,3}/ Matches all items that start with 0 followed by 1 to 3 digits. This query would match 02, 0404, 00 and 080.
186 Search
Search Query Syntax
RANGE QUERIES
Rangequeriesallowyoutosearchforarangeofresultsbasedonstartandendpoint.Thisismostcommonlyusedwhensearchingfordates,butcanalsobeusedfornumbersanddictionarybasedsearches.Tosearchforwordsoritemswithinarange,usinganupperandlowerboundary,usesquarebrackets([])andcurlybraces({}).Usesquarebracketswhenyouwanttoincludethetermsoneithersideintherangeoftermsyouareseekingtomatch,andusecurlybraceswhenyouwanttomatchonlythetermswithintherangebutnotincludingthetermsoneitherside.
Daterangesareaspecialcase,asyouneedtoenterthedateintheshortformatappropriateforthesystemlocale.
Examples:
Note:Rangesearchesforwordssearchingreturnanyitemsthatwouldappearbetweenthetwotermsinthealphabet.Forexample,ifthewords"Jet","Joe","Joseph","Joey","John","Johnathan"and"Jordan"arealphabetized,youget"Jet","Joe","Joey","Joeseph","John","Johnathan",and"Jordan".Arangesearchfor[JoeTOJohnathan]returnstheitemsthatfallbetweenthosetermsinthealphabeticorder‐"Joe","Joey",
/0\d{1,3} \d{3,4} \d{3,4}/ OR /0\d{1,3} \d{6,8}/
Matches all items that may contain local phone number patterns. The first part of this query would match 02 2328 1929, 043 232 192 and 0404 0233 2333. The second part would match 02 23281929, 043 23221923 and 0404 023323. There are different conventions for how phone numbers are grouped, so you will probably need to adjust this query for different cases.
/[\u0400‐\u052f]*/ Matches all unicode Cyrillic and Cyrillic Supplement family of alphabets. Note: adding the asterisk (*) will highlight whole words for some languages.
/[\p{InCyrillic}\p{InCyrillic_Supplementary}]*/
Matches all unicode Cyrillic and Cyrillic Supplement family of alphabets using the Unicode block names.
Query String Results
[Joe TO Johnathan] Matches items that contain "Joe", "John" or "Johnathan" somewhere in the properties, name, path or the text content.
{Joe TO Johnathan} Matches items that contain "John" somewhere in the properties or the text content, but does not match "Joe" nor "Johnathan".
digest‐input‐size:[0 TO 1000] Matches items whose digest input size is between 0 and 1000 bytes.
item‐date:[1/1/2007 TO 31/1/2007]item‐date:[1/1/2007 TO 1/31/2007]
Matches items with an item date within 2007. Examples given are for UK/Australia and US format respectively; the actual format you use depends on your system configuration.
Search 187
Search Query Syntax
"Joseph","John","Johnathan".Both"Jet"and"Jordan"areexcludedbecausetheydon'tfallbetweentherange.
INDEXED FIELDS
Nuixprovidesavarietyofdifferentindexedfieldstohelpyousearchbythemetadataassociatedwithanitem,insteadofjustsearchingthefulltextofanitem.Revieweachtypeofindexedfieldtounderstandthefullrangeofsearchtasksyoucanperform.
Forexample,usingasinglesearchtermsuchas"Joe"returnsitemswhereinthatwordwasinthetextcontentsorproperties.However,youcanalsorestrictthesearchtospecificpropertiesoftheitembyusingthefieldsNuixhasindexedinyourquery.Torestrictasearchtoaspecificindexedfield,prefixthetermforwhichyouaresearchingwiththefieldnamefollowedbyacolon(:).Forexample,thesearchexpressionname:wowlocatestheitemswhosenamecontaintheterm"wow",butitwillnotlocateitemsthatonlycontaintheterm"wow"inthetextcontent.
Whenusingfields,notethatthefieldsearchonlyworksagainstthewordthatdirectlyfollowsthecolon.Ifyouwanttosearchforthephrase"Optionstosell"inthesubjectofanemailorinthenameofanitem,youwouldusename:"Options to sell";otherwise,onlyitemsmatchingtheword"options"inthesubjectortitlearefound.
Common FieldsYoucanusetheNuixCommonfieldstosearchforadditionalattributesabouttheitem,thataren'tnecessarilypartofthecontenttheitemitself.Forexample,youcansearchforallitemsthathaveextractedtextandareemailsbyusingthequery:contains-text:1 AND kind:email
Youcansearchwithincommonfieldsbytypingthefieldnamefollowedbyacolon(:)andthenthetermyouarelookingfor.Youcanalsosearchagainstmorethanonefieldatatimeinaquery.
Forexample,youwanttofindonlydocumentsthathavethename"JoeBloggs"astheauthor.Todoso,intheSearchfieldtype: kind:document properties:"Author:Joe Bloggs"
content
Searcheswithintheemailbodyorthetextportionofadocument.
Example:
content:wow
188 Search
Search Query Syntax
Matchesallitemsthatcontaintheterm"wow"intheemailbodyortextportionofadocument,essentiallytheTexttabofthePreviewpane.
name
Searchesonthefilenameoftheitem,orinthesubjectofemailmessages.
Example:
name:"Check this out"
Matchesitemswiththephrase"Checkthisout"somewhereinthefilename,includingemailitemswiththephrasesomewhereinthesubject.
kind
Youcanusethisfieldtosearchforitemsbasedonthekindofdatatheycontain.Thisissimilartousingthemime‐typefield,butsimplertouse.
Thesupportedkindsofitemsare:
Examples:
kind:emailMatchesallemailmessages.
Kind Explanation
email Email messages
document Word processor documents
spreadsheet Spreadsheets
presentation Presentations, also known as slide shows
drawing Vector drawings and diagrams
other‐document Other types of document a user might create
image Images (raster)
multimedia Audio and video files
database Structured database files, such as Microsoft Access
container Data types that resemble directories, such as archives or mailboxes
system System files, often uninteresting to the investigator
unrecognised Files of a type not detected by the software
Search 189
Search Query Syntax
-kind:systemExcludesallsystemfiles.
mime-type
SearchesontheMIMEtypeoftheitem.Thisfieldisthemoreadvancedalternativetothekindfield,andallowsyoutoselectmorespecifictypesofitemsinyourquery.
Examples:
properties
Searchesthepropertynamesandvaluesassociatedwitheveryitem.
Examples:
evidence-metadata
Searchesthecustommetadatathattheinvestigatoraddedtothecasewhentheevidencewasloaded.Intheseexamples,"site"isapieceofcustommetadata.
Query String Results
mime‐type:message/rfc822 Matches all RFC 822 email messages.
mime‐type:application/vnd.ms‐outlook‐note
Matches all Outlook email messages.
mime‐type:application/vnd.ms‐outlook*
Matches all Outlook data items.
mime‐type:application/vnd.ms* Matches all Microsoft Office documents (and potentially documents from a few other Microsoft applications).
mime‐type:image* Matches all images (some image types, however, may have different MIME types, for instance Adobe Illustrator does not fall into this category).
Query String Results
properties:Bloggs Matches data items with the name Bloggs in any property name or property value.
properties:"Author: Joe Bloggs"
Matches data items that contain the value "Joe Bloggs" for the "Author" property. This actually matches some other things, such as "Author Joe Bloggs" all in the value, since the colon character and other punctuation are ignored in the query.
190 Search
Search Query Syntax
Examples:
file-extension
Youcanusethisfieldtosearchacrossthefileextensionsdetectedforallitems.Notethatitispossibleforuserstochangefileextensionsonitemstomasktheoriginalfiletypes,sousingthemime‐typeandkindfieldscanbemorereliable.
Examples:
has-binary
Youcanusethisfieldtosearchforitemsthateitherhaveordonothavebinarydata.Veryfewtypesofitemslackbinarydata,suchasfilesystemdirectories,mailfoldersorfoldersinsidecompressedzipfiles.
Thisfieldcontainseither0or1.Usea1tofinditemsthatcontainbinarydata.Usea0tofinditemsthatdonotcontainbinarydata.
Examples:
contains-text
Youcanusethisfieldtosearchforitemsthateitherhaveordonothavetextdata.Thisfieldonlyappliestoitemsthatarereturnedbyhas-text:1,thereforeimages,videos,etc.,arenevermatched.
Query String Results
evidence‐metadata:site Matches items whose top‐level evidence folder has the word "site" in the name or value.
evidence‐metadata:"site: 23 Dickson Street, Canberra"
Matches items whose top‐level evidence folder contains the value "23 Dickson Street, Canberra" for the "site" metadata field. This actually matches some other things, such as "site 23 Dickson Street Canberra" all in the value, since the colon character and other punctuation are ignored in the query.
Query String Results
file‐extension:doc Matches items in which the original file extension was .doc.
file‐extension:* Matches all items that had a file extension when originally processed.
Query String Results
has‐binary:1 Matches all items with binary data.
has‐binary:0 Matches all items without binary data.
Search 191
Search Query Syntax
Thisfieldcontainseither0or1.Usea1tofinditemsthatcontaintextdata.Usea0tofinditemsthatdonotcontaintextdata.
Examples:
has-text
Youcanusethisfieldtosearchforitemsthateithercanorcannotcontaintextdata.Thistypeofsearchdoesnotimplythedocumenthastext,butratherjustthattheitemtypecouldcontaintext.
Thisfieldcontainseither0or1.Usea1tofinditemsthatcouldcontaintextdata.Usea0tofinditemsthatcannotcontaintextdata.
Examples:
has-image
Youcanusethisfieldtosearchforitemsthatcouldcontainimagedata.
Thisfieldcontainseither0or1.Usea1tofinditemsthatcouldcontainimages.Usea0tofinditemsthatdocannotcontainimages.
Examples:
Query String Results
contains‐text:1 Matches all items with text.
mime‐type:application/pdf AND contains‐text:0 Matches all pdf documents that do not contain text.
Query String Results
has‐text:1 Matches all items that could contain text.
has‐text:0 Matches all items that cannot contain text.
Query String Results
has‐image:1 Matches all items that could contain images.
has‐image:0 Matches all items that cannot contain images.
192 Search
Search Query Syntax
has-communication
Youcanusethisfieldtosearchforitemsthathavecommunicationdata.Thissearchmatchesitemsthatarecommunicationsintheirownright,butnottheitemsthatareattachedto,orassociatedwith,acommunication.Tosearchforattachments,reviewthecommunicationsfields(seepage 201).
Thisfieldcontainseither0or1.Usea1tofinditemsthatcontaincommunicationsfields.Usea0tofinditemsthatdonotcontaincommunicationsfields.
Examples:
has-embedded-data
Youcanusethisfieldtosearchforitemsthatcouldcontainembeddeddata.Usingthissearchmatchesitemsthathavetheabilitytocontainembeddeddata.Forinstance,itwillmatchalldirectoriesevenifadirectorycontainsnofiles.
Thisfieldcontainseither0or1.Usea1tofinditemsthatcouldcontainembeddeddata.Usea0tofinditemsthatcannotcontainembeddeddata.
Examples:
digest-input-size
Searchesforitemsofthesamesize.
Examples:
Query String Results
has‐communication:1 Matches all items that contain communications fields (To, Cc, Bcc, From fields).
has‐communication:0 Matches all items that do not contain communication fields (To, Cc, Bcc, From fields).
Query String Results
has‐embedded‐data:1 Matches all items that could contain embedded items. This does not mean that the item DOES contain embedded items.
has‐embedded‐data:0 Matches all items that cannot contain embedded items.
Query String Results
digest‐input‐size:789 Matches all data items with a size of 789.
digest‐input‐size:[400 TO 789]
Matches all data items with a size from 400 to 789.
Search 193
Search Query Syntax
digests
Searchesonthedigestsoftheitems.See“AboutMD5Digests”onpage 132foralistingofthecomponentsusedtocreateadigest.
Youcanusethisfieldtofinddataitemswithcontentsidenticaltootheritemsinthesamedataset,andalsoitemsoutsidethedataset.Duetothenatureofdigests,queriesonthisfieldmay(althoughitisextremelyunlikely)returndataitemsthatarenotactuallyidenticaltothedataitemyouarelookingfor.
Note:Thesoftwarewillonlycomputedigestsonfileslessthan256MBinsize,forthesakeoffasterprocessing.
DigestssupportedbyNuixhavelengthsasdetailedinthefollowingtable.Thenumberofhexadecimaldigitsrepresentshowmanydigitswillcomeafterthecolonwhenusingthisfieldinasearchquery.
Examples:
digest‐input‐size:* Matches all data items with a computed size.
‐digest‐input‐size:* Matches all data items without a computed size, which includes directories and evidence folders.
Digest Bits Hexadecimal Digits
MD5 128 32
SHA‐1 160 40
SHA‐256 256 64
Query String Results
md5:678467f81cf6275822396e8fab08df31 Matches all items with the MD5 digest "678467f81cf6275822396e8fab08df31".
sha‐1:354d8b33aa51aed2a7fcb8ad5476a5d5ede8bb2a
Matches all items with the SHA‐1 digest "354d8b33aa51aed2a7fcb8ad5476a5d5ede8bb2a".
sha‐256:59836db73f6bc16f524050b1ca5b77f51305f63fe68b3918916b1b9cd4b8f347
Matches all items with the SHA‐256 digest "59836db73f6bc16f524050b1ca5b77f51305f63fe68b3918916b1b9cd4b8f347".
194 Search
Search Query Syntax
flag
SearchesforitemsthatwereflaggedbyNuixasbeingofaparticulartype,suchasirregular,textstripped,toplevel,etc.
Youcanusethisfieldtofinditemsthatwereidentifiedasaparticulartypeduringprocessing.
Examples:
item-id
SearchesfortheshortIDthatisuniquetoeachiteminthiscase.
Examples:
Query String Results
flag:irregular_file_extension Matches all data items that were marked as having an irregular file extension.
flag:inline Matches all data items that were marked as being displayed as a part of the parent item. An example is an image inside an RTF document or a embedded graphic in an email signature.
flag:partially_processed Indicates the item's children were only partially processed. Some children were explicitly skipped at the direction of the user.
flag:poison Matches all data items that caused a critical error during processing on several attempts.
flag:text_stripped Matches all data items whose text was determined via text stripping.
flag:audited Matches all data items that were marked to be audited for calculating the total size calculation for audited licences. These items would be exported in a legal export.
flag:top_level Matches all data items that were marked as being top‐level items.
flag:not_top_level Matches all data items that were not marked as top‐level items.
flag:loose_file Matches all data items that were marked as loose files, which are the files you would see, for example, in Windows Explorer when browsing a directory. Loose files within a disk image are also flagged.
flag:not_loose_file Matches all data items that were not marked as loose files.
Query String Results
item‐id:11234 Matches the data item with the given ID.
item‐id:1‐1234 Matches the data item, contained in a compound case, with the given ID. In this case the item 1234 is part of the first case added to a compound case.
Search 195
Search Query Syntax
Note:Theitem‐idisthereforconvenienceandshouldnotberelieduponasthesolereferenceofadocument,asitisupdatedwhensimplecasesareaggregatedintocompoundcases.Forexample,aspartofasimplecase,eachitemisassignedanumericalitem‐id(12345).Whenthatsimplecaseiscombinedintoacompoundcase,theitem‐idisprefixedwiththerelativepositionofthesimplecasewithinthecompoundcase.Ifthesimplecasecontainingitem12345wasthesecondsimplecaseaddedtothecompoundcase,thenewitem‐idwouldbe1‐12345."1‐"representsthelocationofthesimplecasewithinthecompoundcaseand12345representstheitemwithintheoriginalsimplecase.TheNuixGUIDistheonlyabsolutereferenceforanitem.
item-date
Searchesforanitembythedateoftheitem.Thedateoftheitemwillgenerallybethesameasthecommunicationdateforitemsthatrepresentacommunication,andthemodifieddateforothertypesofitem.Itemswithoutadateinheritthedateoftheirparent.
Thisfieldisonlyusefulinconjunctionwitharangequery(seepage 187).
Examples:
path-kind
Matchesitemswhereoneoftheancestorsoftheitemcontainsthespecifiedkindofdata.Thisissimilartousingthepath‐mime‐typefield,butsimplertouse.
Thiscanbeusedifyouknowwhatyou’researchingforwasinsideacertainkindofdata.
Example:
path-kind:document
Matchesallitemsthatareinsidewordprocessordocuments.
path-name
Matchesitemswhereoneoftheancestorsoftheitemhastheprovidedname.
Query String Results
item‐date:[1/1/2007 TO 31/1/2007] Matches items with date of January 2007. This example is using the date format for the UK/Australia.
item‐date:[1/1/2007 TO 1/31/2007] Matches items with date of January 2007. This example is using the date format for the United States.
196 Search
Search Query Syntax
Thiscanbeusedifyouknowwhatyou'researchingforwasinsideacertainkindofdata.
Examples:
print-method
SearchesforitemsthatarestoredasPDF,basedonhowthePDFwascreated.
Youcanusethistoidentifyitemsthathavebeenprintedinalessthanidealfashion,sothatcustomPDFscanbesubstitutedfortheseitems.
Examples:
skintone
Searchesforitemswithaskintonescoreinthespecifiedrange.Thissearchonlyworksifskintoneanalysiswasselectedwhenyoucreatedthecase.
Youcanusethistomatchallimagesthathavesetlevelsofskin‐tone.Theskintonefilterusesthefollowingranges.
Query String Result
path‐name:"Documents and Settings/username"
Loosely matches files underneath a specific Windows user's Documents and Settings directory.
path‐name:deleted.pst Loosely matches emails within a PST file called deleted.pst.
path‐name:doc Loosely matches items that were inside Word documents.
Query String Results
print‐method:printed Matches items that were properly printed to PDF.
print‐method:text_converted Matches items that had their text converted to PDF without formatting it.
print‐method:imported_by_user Matches items that had their PDF imported by a user, or a script run by a user.
Level Lower Range Upper Range
Severe 0.50 1.01
High 0.20 0.50
Medium 0.05 0.20
Low 0.00 0.05
Search 197
Search Query Syntax
Examples:
path-mime-type
SearchesforitemswhereoneoftheancestorsoftheitemhastheprovidedMIMEtype.
Youcanusethisfieldifyouknowwhatyou'researchingforwasinsideacertaintypeofdata.
Examples:
encrypted
Searchesforitemsthathavebeenencrypted.YoucanusethisfieldtoreturnallencryptedofficeandPSTfiles.
Thisfieldcontainseither0or1.Usea1tofinditemsthatareencrypted.Usea0tofinditemsthatarenotencrypted.
Examples:
Query String Results
skintone:[0.00 TO 0.05] Matches all data items with Low skin tone values.
skintone:[0.20 TO 1.01] Matches all data items with Severe or High skin tone values.
Query String Results
path‐mime‐type:message/rfc822 Matches all email attachments as well as files contained in those attachments. Also matches emails sent as attachments of another email.
path‐mime‐type:application/vnd.ms‐*
Matches all items (chiefly images) contained within Microsoft documents.
Query String Results
encrypted:1 Matches all data items that are encrypted.
encrypted:0 Matches all data items that are not encrypted.
198 Search
Search Query Syntax
characters
Searchesforitemsthatcontainthespecifiedcharacters.
Youcanusethistoreturnallitemsthatcontaincharactersfromparticularwritingsystems.Thefollowingtypesaresupported.
Examples:
deleted
Searchesforitemsthatweredeleted,andthosethatwererecoveredfromslackspace.Youcanusethistofinditemsflaggedasdeletedduringprocessing,suchasEnCasefilesthatweremarkedasdeleted,ortofinddeletedemailmessagesandtheirattachmentsfromtheslackspaceofMicrosoftemailcontainers.
Thisfieldcontainseither0or1.Usea1tofinddeleteditems.Usea0tofinditemsthatwerenotdeleted.
Examples:
Type Explanation
arabic Includes Arabic characters.
chinese Includes Chinese characters that are shared with other languages such as Japanese and Korean.
cyrillic Includes many East and South Slavic languages, and almost all languages in the former Soviet Union.
hangul Includes characters from the native alphabet of the Korean language.
japanese Includes the Japanese Hiragana and Katakana alphabets.
non‐latin Includes any characters not found in common Latin (English, Spanish, German, etc.) text.
Query String Results
characters:japanese Matches all items containing hiragana or katakana characters.
characters:non‐latin Matches all items that contain non‐latin characters.
Query String Results
deleted:1 Matches all data items that were marked as deleted.
deleted:0 Matches all data items that were not marked as deleted.
Search 199
Search Query Syntax
Foradditionaldetails,readaboutdeleteditemsonpage 220.Forinformationabouthowtoensurethatpermanentlydeleteditemsarebeingprocessed,reviewtheoptiontoExtractfromslackspaceofemailboxes(see“ProcessingSettings”onpage 158).
audited-size
Searchesforauditeditemsofthesamesize.Auditeditemshavebeenmarkedforauditingandwillalsobematchedwithflag:audited.
Examples:
previous-version-docid
SearchesthedocIDofthepreviousversion,presentonitemswhosecontentreplacesotheritems.
Example:
previous-version-docid:*
Findsallitemsthathavehadtheirtextupdated.
has-stored
Searchesforitemswiththestoreddatatypespecifiedbythequery.
Examples:
Query String Results
audited‐size:789 Matches all audited data items with a size of 789.
audited‐size:[400 TO 789] Matches all audited data items with a size from 400 to 789.
audited‐size:* Matches all data items with an audited size, although flag:audited will run quicker.
‐audited‐size:* Matches all data items without an audited size, although -flag:audited will run quicker.
Query String Results
has‐stored:binary Matches all items that have stored binaries.
has‐stored:pdf Matches all items that have stored PDFs.
has‐stored:text Matches all items that have stored text.
has‐stored:thumbnail Matches all items that have stored thumbnails.
200 Search
Search Query Syntax
exclusion
Searchesforitemsthatwereexcludedbyanamedexclusionrule.
Example:
exclusion:"my exclusion"
Findsallitemsthathavebeenexcludedwiththerulelabeled"myexclusion".
has-exclusion
Searchesfortheexistenceorabsenceofanyexclusionsmadebyinvestigators.
Thisfieldcontainseither0or1.Usea1tofindexcludeditems.Usea0tofinditemsthatwerenotexcluded.
Examples:
Communications FieldsTo,Cc,Bcc,andFromareNuix‐derivedcommunicationfields.ThisallowsNuixtonormaliseavarietyofdifferenttypesofemail(Microsoft,Lotus,SMTP)intoastandardisedsetoffields.Thedatainthesefieldscanbeexportedanddirectlysearchedwiththecommunicationsfields.
EachofthefieldsTo,Cc,Bcc,andFromaredistinct,andthereforemustbesearchedindependently.Forexample,[email protected],youmustusethefollowingquery:to:[email protected] OR cc:[email protected] OR bcc:[email protected]
Note:TheTo,Cc,Bcc,andFromfieldsinNuixareextractedfromthemessagetransportheaders,andthereforedonothaveadirectitemlevelmetadatapropertycorrelation.
Whenindexingemailaddresses,Nuixignoresallpunctuation(e.g."@",".","_").Byignoringpunctuation,Nuixprovidesameansofperformingexactemailaddresssearchesaswellpartialordomainsearches.
Forexample:[email protected]"janedoenuixcom".Thisallowsallofthefollowingquerystringstomatchtheemailaddress:
Query String Results
has‐exclusion:1 Matches all items that have an exclusion. (You must uncheck the exclusions to see them in the Results view.)
has‐exclusion:0 Matches all items that do not have an exclusion.
Search 201
Search Query Syntax
to:"jane doe" cc:doe bcc:nuix.com from:[email protected]
from
Searchesforitemscontainedinsideacommunicationsentfromapartythatmatchesthepattern.Thestringheremaybeapartialaddress.
Examples:
Note:ThefromfieldisaNuix‐derivedmetadatafieldthatispopulatedeitherfromthetransportheaders,orifnotpresentthere,acombinationofthePR_SENDER_EMAIL_ADDRESS/PR_SENDER_NAME.
to, cc, bcc
Searchesforitemscontainedinsideacommunicationsenttoapartythatmatchesthepattern.Thestringheremaybeapartialaddress.
Thefieldsmaintainameaningconsistentwithhowtheyareusedinemail:
• to:directrecipient• cc:carboncopy• bcc:blindcarboncopy(copied,butunknowntoallrecipients)
Examples:
GUID FieldsNuixDesktopassignsauniqueIDtoeachitemthatitprocesses.TheGUID(gloaballyuniqueidentifier)isuniqueacrossallcases.TheGUIDshouldnotbeconfusedwiththedigestidentifier(MD5,SHA‐1,SHA‐
Query String Result
from:example Matches all messages sent from [email protected], or [email protected].
from:"[email protected]" Matches all messages sent from [email protected], or addresses like [email protected].
Query String Results
to:example Matches all messages sent to [email protected], or [email protected].
cc:"[email protected]" Matches all messages carbon copied to [email protected], or addresses like [email protected].
202 Search
Search Query Syntax
256),asthesearebasedontheitemcontentandaredesignedtoshowauthenticityandtofindduplicatecontent.
ExampleGUID:debfa9a5‐4fdb‐47d1‐b1ea‐0cc105a626fa
Note:NuixsupportswildcardswithalloftheGUIDfieldssearches,sosearchingforguid:da056718*matchesallitemswiththisstringofcharactersinitsGUID.
guid
SearchesforanitemwithaspecificGUID.AGUIDisa100%uniqueIDassignedtoeachitemofdatathatisprocessedbyNuixDesktop.
Bydefinition,thiswillalwaysreturneitheroneorzerosearchresults.
Example:
Note:Anitem'sGUIDis32characterslongandlookslike:d05307e6‐0402‐4042‐a75e‐a6d24a1235b1.
parent-guid
SearchesforallofthechilditemsthatareembeddedoneleveldeepforaspecificGUID.
Query String Results
guid:5000 Matches the item whose GUID is 5000.
Search 203
Search Query Syntax
Theparent‐guidisdifferentfromthepath‐guidinthatitsearchesforonlydirectlyembeddeditems,notallitems.Inthefollowingimage,theparent‐guidsearchonlyfindsthoseitemsthatareonelevelbeneaththeparentitem.
Example:
Forexample,searchingforparent-guid:3aad2ab02fb04feea7f45077fc0e75deshowsallofofthesubfolders(onelayerdeep)forthe"ToporPersonalFolders"folder,whichhasthatGUID.ItreturnsfivematchesintheResultspane,forthefivefoldersthatarethedirectchildrenofthatparentitem.
path-guid
SearchesforallofthechilditemsforaspecificGUID.ThisisusefulwhenyouneedtosearchforallitemsassociatedwithapieceofNuixevidence.
Thepath‐guidisdifferentfromtheparent‐guidinthatitsearchesforallembeddeditems,notjustthoseoneleveldeep.Inthefollowingimage,thepath‐guidsearchfindsallitems,includingthoseinthatarewithintheInbox.
Example:
Searchingforpath-guid:3aad2ab02fb04feea7f45077fc0e75dedisplaysallofthesubfoldersforthe"ToporPersonalFolders"folder.Inthisexample,itmatchesover10,000items.
Query String Results
parent‐guid:5000 Matches all items whose parent GUID is 5000.
Query String Results
path‐guid:5000 Matches items whose parent's or any other ancestor's GUID is 5000.
204 Search
Search Query Syntax
comm-guid
SearchesforitemsthatwerecontainedinacommunicationwithagivenGUID.Forthistomakesense,theGUIDprovidedneedstobeacommunication;thatis,thequeryhas-communication:1shouldshowtheiteminquestion.
Example:
Annotation FieldsAnnotationfieldsarethosethatcontaininformationaddedbyinvestigators.Thetwotypesofannotationsforwhichyoucansearcharetagsandcomments.
tag
Searchesforaspecifictagcreatedbyaninvestigator.Youmustspecifythefullnameofthetag.Iftheclassificationnamehasanyspaces,suchasNotRelevant,theclassificationnamemustbeenclosedin
Query String Results
comm‐guid:5000 Matches items contained as attachments of the communication with GUID 5000, or contained as attachments of another message that was in turn an attachment of GUID 5000 (and so on.)
Search 205
Search Query Syntax
doublequotes.Youcanalsouseaminussign(‐)infrontofthetagfieldtoexcludeatagfromasearch.Alltagsthatexistaspartofanestedstructure,shouldbeseparatedbythe"|".
Examples:
has-tag
Searchesforitemsthateitherhaveordonothavetags.
Thisfieldcontainseither0or1.Usea1tofinditemsthatareassociatedwithatag.Usea0tofinditemsthathavenotbeentagged.
Examples:
comment
Searchesfortextincommentsmadebyinvestigators.Textenteredinthisfieldisautomaticallytreatedasawildcard.
Example:
Query String Results
tag:Pornography Matches items that have been tagged as pornography.
tag:"Not Relevant" Matches items that have been tagged as not relevant.
(tag:"Top Secret" AND tag:Classified) NOT tag:Relevant
Matches items tagged both "Top Secret" and "Classified" but excludes all items tagged "Relevant".
tag:"Case Tag|Privileged|Attorney Work Product"
Matches items tagged "Attorney Work Product" where the tag is nested three levels deep.
Query String Results
has‐tag:1 Matches items that have been tagged.
has‐tag:0 Matches items that are not tagged.
Query String Results
comment:bank Matches items containing the word "bank" in the investigator's comments, but also items containing the words "banking" and "embank".
206 Search
Search Query Syntax
has-comment
Searchesfortheexistenceorabsenseofanycommentsmadebyinvestigators.
Thisfieldcontainseither0or1.Usea1tofinditemsthatcontaincomments.Usea0tofinditemsthatdonotcontaincomments.
Examples:
List-based FieldsList‐basedsearchfieldsallowyoutoleverageimportedwordordigestliststofind....
Seemoreinformationaboutimportingandworkingwithwordlists(seepage 133)anddigestlists(seepage 129).
digest-list
Searchesforitemswhosedigestmatchesadigestinthenamedlist,effectivelyequivalenttousingadigestlistfilter.
Digestlistsarefrequentlyusedtoeliminateduplicatedatafrompreviouslyprocessedorreviewedevidence.ThisistypicallydonebycreatingadigestlistforasetofevidenceandthenusingtheNOToptiontoensurethatonlyuniquecontentisreturned.
Example:
Note:Thenameofthelistiscasesensitive.
Query String Results
has‐comment:1 Matches items that have an associated comment.
has‐comment:0 Matches items that do not contain a comment.
Query String Results
‐digest‐list:"Known Software Files"
Matches items whose hashes are not present in the digest list named "Known Software Files".
Search 207
Search Query Syntax
word-list
Searchesforitemscontainingthewordsandphrasesinthegivenwordlistfile,effectivelyequivalenttousingawordlistfilter.
Example:
Note:Thenameofthelistiscasesensitive.
Query String Results
word‐list:Fraud Matches items whose words are present in the word list named "Fraud".
208 Search
CHAPTER 7 Analyse
Nuixsupportsavarietyofanalysistasks,fromanalyzingthefiletypesthatwereprocessedinacasetolookingforthemesorpatternsofcommunicationbetweenkeycustodians.Thefollowingworkflowsaretypicalforanalysingcases:
• Providingameansforseniorinvestigatorsandattorneystosiftthroughthedataanddevelopthecasestrategy,followedbycreatingreviewjobsthatwillguidetheactualdocument‐levelreviewandtaggingbythemselvesorothers.
• ProvidingcasedatatoLitigationSupportVendors,withlistsofsearchstrings,keywords,dateranges,custodians,andsimilarcriteria,whichtheycanusetoanalysethedataandbatchtheitemsintoreviewjobsfortheclient.
Afteryouhaveselectedtheevidencetoanalyze,youcanevaluatetheitemsintheResultslistinmanyways,suchas:
• Reviewingwordsinasetofevidencetofindthosethatmatchrelevantkeywordsorthatmightseemoutofcontextwiththerestofthedataset.
• Viewingimagestofindinappropriatecontent,includingthosewithhighskintonestodetectpornography.
• Analysingthefrequencyofvariousfilestypesinasetofevidencetofindspreadsheet,containers,multimediafilesorothercontenttypesthatmighthelptheinvestigation.
• Analysingtheemailaddressesinasetofevidencetoseeifcustodiansareemailingcompetitors,theirpersonalemailaddresses,etc.
Analyse 209
• Analysingcommunicationsovertimetoseehowaspecificspreadsheetcontainingtheprojectedsalesfiguresmovesfromemployeetoemployee,changingnames,andultimatelyissenttoacompetitor.
• Analysingpatternsofcommunicationstoseewhoistalkingtowhoandhowfrequently.
Thischaptercontainsthefollowingtopics:
• “ViewingThumbnailsofImages”onpage 211• “ReviewingIndividualWords”onpage 213• “ReviewingFileTypeStatistics”onpage 215• “ManagingIrregularFiles”onpage 217• “ReviewingDomainandEmailAddresses”onpage 224• “AnalysingCommunicationsOverTime”onpage 226• “AnalysingPatternsofCommunication”onpage 228
210 Analyse
Viewing Thumbnails of Images
Viewing Thumbnails of ImagesAftersearchingorfilteringtheevidence,youcanviewanyimagesintheresultsetbythumbnail.TheThumbnailviewisonlyavailableiftheoptiontocreatethumbnailsforimagesdataitemswasselectedwhenthecasewascreated.
Viewingtheresultsbythumbnailallowsyoutosearchforinappropriatecontentinanimageformat.Ifyouarelookingforpornography,andtheskintoneanalysisoptionwasselectedduringcasesetup,youcanusetheskintonefiltertoreducethesetoffilesdowntothosewithjusthighlevelsofskintone.Morecomplexscenariosmightinvolvesearchingforinformationhiddeninimages.
Foreachitemoftypeimage,athumbnailrenderingofthedocumentdisplays.Inaddition,thetotalnumberofcopiesofthatimagebasedonitsMD5digestislisted.
Formoreinformationonsettingtheseoptionswhenyoucreateacase,see“ProcessingSettings”onpage 158.
Analyse 211
Viewing Thumbnails of Images
REVIEW IMAGES
Nuixdisplaysathumbnailforeachitem,showingthenumberofcopiesinparenthesesifany.WerecommendedthatwhenworkingwiththeThumbnailsviewthatyouselecttheDeduplicateresultsoption(seepage 47)whenconductingasearch.Thiswilleliminateseeingthesameimagetwiceintheview.
1. Searchforthesetofitemsyouwishtoanalyze,optionallyremovingduplicatesifyouwanttotagimagesanddonotwanttoseemultiplesofthesameitemsintheview.
2. Optionally,intheFilteredItemspane,selecttheSkinTonedImagesfilterstofurthernarrowtheset.
3. IntheResultspane,selectViewby:Thumbnails.
Theimagesmatchingyoursearchandfiltercriteriadisplay.
APPLY TAGS TO ALL COPIES OF AN IMAGE
Applyingtagsthroughthethumbnailviewdoesnotpropagatethetagtoallcopiesoftheitem.Totagalloftheimages’duplicates,usethefollowingsteps:
1. IntheResultspane,double‐clickthedesireditem.
2. InthePreviewpane,selecttheDuplicateslinkatthetopoftheitemlevelview.TheDuplicateslinkshowsthetotalnumberofduplicatesthatexistwithinthedatasetbasedontheMD5digestofthedocument.AnewWorkbenchtabdisplayswiththeduplicateitems.
3. Selectallofthecopiesoftheitem(Ctrl+A).
4. ClickAddTags.
Youcannowapplyatagtoallcopiesoftheitematonce.
212 Analyse
Reviewing Individual Words
Reviewing Individual WordsAftersearchingandfilteringtofindthesetofevidenceyouwishtoanalyze,youcanviewalistoftheindividualwordsfromallitemsintheresultset,alongwithacountofthenumberofdocumentscontainingthatword.EachrowwithintheWordListviewisanactivelinkanddouble‐clickingarowopensanewWorkbenchtabwitharesultsetcontainingalloftheitemsthatcontainthatword.
Notes:• Nuixviewsawordasanyitemthatissurroundedbywhitespaceso24014isconsideredaword.From
apracticalperspective,thiscouldbegibberishoritcouldacriticalzipcode.• Bydefault,allwordsarelisted,includingallcharactersetsandsymbols.Tonarrowthewords
displayedtoonlythosematchingacustomwordlistyouhaveimportedintoNuix,selectthewordlistfromthefirstdrop‐downmenu.
• AscriptisavailablewithintheKnowledgeBasethatcanbeusedtoremoveallalphanumericentriesfromthelist.
ViewingtheresultsbyWordListcanbememoryintensiveonlargedatasets.YoumaywishtoincreaseyourmemoryallotmentinFile>GlobalSettings>Memorypriortoreviewingthelistofindividualwordsintheresultsset.
Analyse 213
Reviewing Individual Words
REVIEW THE WORD LIST
Nuixitemizesallthewordsintheresultssetinthewordlist.
1. Selectforthesetofitemsyouwishtoanalyze,optionallyselectingtheHideimmaterialitemsoptionintheResultspane,ifdesired.
2. IntheResultspane,selectViewby:WordList.
3. Optionally,selectacustomwordlistfromthefirstdrop‐downmenutoonlyshowwordsintheresultsetthatmatchspecificwordsfromthewordlist.
4. Optionally,selectanoptionfromtheseconddrop‐downmenutoconstrainthewordlisttodisplayonlywordsfrommetadatapropertiesorthatonlyappearintheitemcontent
5. Scrollthroughthelist,ormovedirectlytoaspecifickeywordbytypingitintheFilterfield.
Thisfilterisbasedonananchoratthebeginningoftheword,sotyping"ranteed"willnotshow"guar‐anteed".Thefiltersupportsnumbers,lettersandsymbols.
FILTER THE RESULTS WITH AN IMPORTED WORD LIST
Insteadofviewingallthewordsfromalltheitemsinaresultset,youcanchoosetofilteronjustthespecifickeywordsthatyouhaveimportedintoNuixinawordlist(see“WordLists”onpage 133).Thisallowsyoutobypassafullwordlistandviewresultsthatstrictlymatchthegivenkeywords.
1. Selectthesetofitemsyouwishtoanalyze,optionallyselectingtheHideimmaterialitemsoptionintheResultspane,ifdesired.
2. IntheFilteredItemspane,selecttheWordListfiltersyouwishtouse.
Theresultssetchangestoincludeonlythoseitemsthatincludeoneormoreofthewordsfromthewordlist(s)chosen.
3. IntheResultspane,selectViewby:WordList.Youcanreviewthenumberofitemsforeachword,anddouble‐clickarowtoopenanewWorkbenchtabtopreviewthoseitemsinthePreviewpane.
214 Analyse
Reviewing File Type Statistics
Reviewing File Type StatisticsAfterprocessingtheevidenceinthecase,youcanviewstatisticsaboutallfiletypesandtheirfrequencywithinthedataset.YoucangetanideaofhowmanyfilesNuixencounteredthatwereencrypted,corruptedordeleted,orthenumberoffilesconsideredirregular(see“IrregularFileTypes”onpage 217).
Nuixdoesnotrelyontheitem'sextensiontodetermineitsfiletype.Nuixcheckstheheaderblockofthefiletoensureitaccuratelyassociatesthefiletype.Thiseliminatestheabilityforapersontohideevidencesimplybychangingthefile'sextension.
TheStatisticsviewoffersagoodoverviewofthecontentsofthecaseandshouldbecarefullyreviewedafteryouloaddataintoacase.EachrowwithintheStatisticsviewisanactivelinkanddouble‐clickinganyrowopensanewWorkbenchtabdisplayingaresultsetcontainingalloftheitemsforaspecificfiletype.
Toreviewthefilestatistics:
1. Selecttheevidenceforwhichyouwishtoviewstatistics.
TheStatisticsviewshowsonlythestatisticsforthesetofitemsyouhavesearchedorfilteredonandareincludedintheresultset.
2. IntheResultspane,selectViewby:Statistics.
Analyse 215
Reviewing File Type Statistics
Thefilesarecategorizedintotwosections,IrregularFilesandProcessedFiles.Notethatthestatis‐ticsintheProcessedFilessectionincludetheirregularfiles.
3. Examinethetypesofstatistics:FileType‐Listsallofthefiletypesencounteredduringtheingestionprocess.Processed‐Liststhetotalnumberofitemsprocessedforthespecificfiletype.Corrupted‐ListsthetotalnumberofitemsthatNuixwasunabletoprocess,orfoundtobecorruptedforaspecificfiletype.*Encrypted‐ListsthetotalnumberofitemsthatNuixdetectedasencrypted.Deleted‐ListsthetotalnumberofpermanentlydeleteditemsfoundinMicrosoftmailcontainerformatsforaspecificfiletype.PercentageEncountered‐Liststhepercentage,byitemcount,ofthetotaldatasetconsumedbythespecificfiletype.
216 Analyse
Managing Irregular Files
Managing Irregular FilesAfteryouloaddataintoNuix,youmustreviewtheirregularfilesforthatspecificcollectionofevidence.Thisworkflowshouldbefollowedafterbothofthesesteps:
• CreatingaNewCase‐Immediatelyafterprocessing,Nuixdisplaysthefullcasestatistics.Thelowerportionofthescreenlistsalloftheirregularfiles.
• AddingCaseEvidence‐Immediatelyafterprocessing,Nuixdisplaysthefullcasestatistics.Toseetheevidence‐specificirregularfiles,intheEvidencepanefilterbytheevidencename,andthenintheResultspane,selectViewby:Statistics.
Youwillwanttofamiliarizeyourselfwiththetypesofirregularfiles,aswellasdevelopaconsistentexceptionhandlingprocess.
IRREGULAR FILE TYPES
Duringtheingestionprocess,NuixflagsanyirregularfilesandpresentsthemaspartoftheStatisticsview.EachrowcanbeaccessedfromtheStatisticsvieworthroughaquery.
Eachtimedataisprocessed,youmustreviewtheirregularfilestoensurethatallofthedatawasproperlyprocessed.Nuixrecordsanitemfailurethesamewayfora*.txtfileasaPSTfile.Youshouldreviewanyquestionableitemsandpotentiallyreprocessifnecessary.
NotethatNuixonlypresentsthosetypesofirregularfilesthatarepresentinthecase,sothislistcanvarybycase.
Text StrippedTextStrippeditemsareitemswhereNuixrecognizedthefiletype,butdoeshavearoutinetocleanlyextractalltextandmetadatainaccordancewiththefiletypesAPI.Theresultsinaitemthatissearchable,butthetextmaybegarbledornotbeproperlyformated
Analyse 217
Managing Irregular Files
Note:NuixonlystripsoutUS‐ASCIIcharacters(punctuation,0‐9,A‐z).NuixusestheUTF‐16LEencoding(aunicodeencodingusedbyMicrosoft)topotentiallygetoutmoretextualdata.
Textstrippedfiletypesincludethefollowing(listissubjecttochange):
• image/vnd.corel‐draw• image/vnd.micrografx‐designer• image/x‐pict• image/vnd.micrografx‐designer• application/vnd.adobe‐photoshop• application/vnd.ms‐shortcut• application/vnd.lotus‐freelance• application/vnd.lotus‐wordpro• application/vnd.borland‐paradox• image/vnd.autocad‐dwg• image/cgm• application/vnd.myob• application/x‐js‐taro• application/vnd.lotus‐123• application/vnd.ms‐works‐ss• application/vnd.ms‐works‐wp• application/vnd.corel‐slideshow• application/vnd.ms‐works‐wp• application/vnd.ms‐visio• application/vnd.corel‐quattro• application/vnd.corel‐wordperfect• application/vnd.stardivision.calc• application/vnd.stardivision.draw• application/vnd.stardivision.impress• application/vnd.stardivision.math• application/vnd.stardivision.writer• application/x‐hwp• application/octet‐stream
Tosearchfortextstrippedfile,usethefollowingsearchsyntax:
flag:text_stripped
218 Analyse
Managing Irregular Files
UnrecognisedUnrecogniseditemsareitemswhereNuixdidnotrecognisetheheaderandwasthereforeunabletoassignamime‐type.ForitemswhereNuixisunabletorecognisetheheader,wetagtheitemasapplication/octet‐streamandtextstriptheitem.InadditiontoextractingtheASCIItext,Nuixextractsallrecognisablesystemmetadata.
Note:NuixonlystripsoutUS‐ASCIIcharacters(punctuation,0‐9,A‐z).NuixusestheUTF‐16LEencoding(aunicodeencodingusedbyMicrosoft)topotentiallyextractmoretextualdata.
Tosearchforunrecognisedfiles,usethefollowingsearchsyntax:
mime-type:application/octet-stream
Bad ExtensionBadExtensionindicatesitemswhosefiletype(MIMEtype)isnotconsistentwithitsfileextension.
Inthisexample,theFamily.jpegfileisnotanimage,butisactuallyaMicrosoftWorddocument.
Tosearchforfileswithimproperextensions,usethefollowingsearchsyntax:
flag:irregular_file_extension
Note:Nuixwillsetannativefile'sextensiontothe"FileExtension(Corrected)"duringanexport.Nuixrecordstheexporteditem'sdefinitivemetadataintheexportitemsummary,per‐itemXHTMLreportfiles,orloadfile.
CorruptedCorrupteditemsarethosethatNuixhasbeenunabletoprocess.Nuixwillmarkadocumentcorruptifitisunabletoopenthefile,whenopeningthefileexperiencessometypeoffailure,orisotherwiseunabletoprocessthefile.
Analyse 219
Managing Irregular Files
ForitemsthatarelistedasCorrupted,theFileTypepropertydisplaysthetypeofcorruption.Additionally,twopiecesofmetadatamightberecorded:FailureDetailandFailureMessage.Byreviewingtheseitemsoroptionallybuildingaspecificmetadataprofilethatcontainsthesefields,youcangaininsightintothenatureofthefailures.Attimes,areasoncouldbesomethingassimpleasafilebeinglockedbyanexternalprocess.HoldingthemouseovertheFailureDetailvaluedisplaysahovermessagewiththecompletedetailsforyoutoreview.
Tosearchforcorrupteditems,usethefollowingsearchsyntax:
properties:FailureDetail
DeletedDeleteditemsarethoseitemsthatNuixextractedfromtheslackspaceofMicrosoftemailboxesorareflaggedasdeletedwithinanEncaseLogicalEvidenceFiles(LEF).
• Deletedemailsarenotitemsfromthe"DeletedItems"folder,butratheritemsthathavebeen"permanentlydeleted"fromwithinOutlookorOutlookExpress.Whileprocessing,Nuixattemptstoextractasmanyfragmentsaspossible,andreconstitutecompletemessages.However,ifonlyaportionofthemessagestillexists,Nuixwillextracttheportionthatisavailable.
• DeletedfilesareitemswithinEncaseLogicalEvidenceFilesthathavebeenrecoveredfromdeleted,swap,orslackspace,andhavebeenflaggedasdeletedwithintheLEFbyEncase.
220 Analyse
Managing Irregular Files
Tosearchfordeleteditems,usethefollowingsearchsyntax:
deleted:1
Notes about Deleted Email Items
Reviewthefollowingnotestounderstandmoreaboutdeleteditems:
• Deleteditemsarerarelypresentinapplication‐createdPSTs.TheyaretypicallyfoundonlyinPSTscreatedbyendusers.
• Nuixdoesnotfindeverymessagethatwaseverdeleted.ThroughtheregularuseofaMicrosoftemailclient,permanentlydeleteditemswillbeoverwritten.Asthesemessagesorattachmentsareoverwritten,theyceasetoberecoverable.
• CompressingPSTsandOSTsremovesdeleteditems.
Understanding PST Property Blocks and PST Blocks
Whenscanningfordeletedinformation,wherepossibleNuixDesktopattemptstoreconstitutethecompletePSTitem.EachPSThasanassociatedpropertyblockthatcontainsallthebasicmetadataassociatedwiththeitem.Fortypesofmetadatathathavelargevaluesassociatedwiththem,suchasthemaintextoftheitem,theinternetheaders(ifany)orattachmentsarelocatedviaadditionalfilepointers.
Withdeleteditems,oftenthesepointersarenolongervalid,somanyofthedeleteditemsfoundarethese"orphaned"propertyblockitems,whichrepresentoldPSTitemsthatcannolongerlinktotheirlargermetadatavalues,butmaystillcontainusefulinformation.
PSTblocksarethechunksofdatathatarenolongerreferenced.Forexample,alargePDFattachmentwillbebrokenupinto4kBblocks.Whentheitemassociatedwiththeattachmentisdeletedtheblocksofdataareeffectivelyputonafreelist,butwilloftenstillcontaintheolddatathatwasresidentintheblockandmaystillcontainvaluableinformation.
Allextractedmetadatapropertiesareincludedinthetext(body)ofthedocumenttoensurethatthisinformationcanbeexportedinausableformat.
EncryptedEncrypteditemsarethosethatNuixhasdeterminedtocontainencryptedcontent.Nuixstillextractsmetadata,andasmuchinformationaspossiblefromanencryptedfile,butNuixisunabletoindexallofthecontent.
Analyse 221
Managing Irregular Files
Tosearchforencryptedfiles,usethefollowingsearchsyntax:
encrypted:1
Unsupported ItemsUnsupportedItemsareitemsforwhichNuixwasunabletoextractanycontentortext.
Tosearchforunsupporteditems,usethefollowingsearchsyntax:
( has-embedded-data:0 AND has-text:0 AND has-image:0 AND NOT kind:multimedia ) OR ( mime-type:application/vnd.lotus-notes AND has-embedded-data:0 )
See“AboutSupportedFileTypes”onpage 285intheAppendixforalistingofNuix'ssupportedfilestypes.
Non-Searchable PDFsNon‐SearchablePDFsareitemsthataredeterminedtobeaPDFthroughheaderrecognitionbutdonotcontainindexabletext.Theseitemsaremostfrequentlyimage‐onlyPDFsandwarrantfurtherinvestigation,asthecontentinthesePDFsisnottextindexed,andthereforeunsearchablebyNuix.
Tosearchfornon‐searchablePDFs,usethefollowingsearchsyntax:
mime-type:application/pdf AND contains-text:0
SeetheKnowledgeBasearticleOCRProcessingwithNuixforadditionaldetailsonexportingtheseitemsoutusingathirdpartytooltoOCRthem,andimportingthembackintoNuix.
Empty Emptyitemsareitemsthatarezero(0)bytesinsize.
Tosearchforemptyitems,usethefollowingsearchsyntax:
mime-type:application/x-empty
222 Analyse
Managing Irregular Files
SUGGESTED EXCEPTION HANDLING WORKFLOW
Whenprocessingdiversecollectionsofdatatypes,Nuixcanrecordlargenumbersofirregularfiletypes.Nuixgroupsallirregularfilestogether.IfafileappearsintheIrregularFileslisting,thatdoesn'tautomaticallyimplythatthereisaproblemwiththefile.Inmanycases,theheaderwassimplyunrecognisedanditwassubsequentlytextstripped.However,thisisnotalwaysthecase,andproperduediligenceinreviewingirregularfilesisrequired.Therigoranddepthofthereviewshouldbedeterminedbyeachorganisation'sownbusinesspoliciesandspecificrequirementsofthecase.
NuixsuggeststhefollowingworkflowtoanalysealloftheirregularfilesthatweredetectedbyNuixduringtheevidenceingestionprocess:
Identifythefilesthataremostlikelyofinterest:
1. SelecttheUnsupported,Empty,Encrypted,andCorruptedrowsfromtheFilteredItemslist.Theseoptionsrepresenttheitemswhereissuesarelikelytooccur.TheotherIrregularItemsareforinforma‐tionalpurposes,anddon’tnecessarilyrepresentfileswithissues.
2. Selectthe“DeduplicateResults”optiontoremoveanyduplicateitems.
Withtheabovefiltersapplied,usevarioussearchestolookforfilesofinterest:
1. Searchbyfilesizetofindfilesoveracertainsize.
Theideaistolookforlargerfiles,inthattheyarelikelycandidatestocontainunprocessedchilditems.Forexample,digest-input-size:[1000 TO 10000000000000000]searchesforfilesthatarelargerthan1kB.
2. Filterorsearchforcontainerfiles.
TheideaistolookforanyfilethatisconsideredacontainerwithinNuix,astheyarelikelytocontainunprocessedchilditems.Forexample:
a.Usekind:containertosearchforallfilesthatareofkindcontainer.
b.SelectAllItems>Containers.
3. Eliminatesystemfromtheresults.Theideaistoeliminateanythingthatmightbeasystemfilefromtheresultset.
Forexample,usingNOT kind:systemsearchesforallitemsthatarenotconsideredsystemfiles.
Typicalworkflowstouseforreviewinclude:
• ItemLevelReview‐Systematicallyworkthrougheachirregularfiletypelookingforanomalies.ThemostthoroughmethodologyistocreateaFastReviewJobforeachtypeofirregularfileandapplyatagacknowledgingthatthisirregularfileisaccepted.See“CreatingaReviewJob”onpage 233.
• GroupReview‐Usetheresultsetviewtogroupandslowlyexcludeitemsfromtheresultsetbybuildingquerieslike-name:picture* AND -name:object.
Analyse 223
Reviewing Domain and Email Addresses
Reviewing Domain and Email AddressesAftersearchingandfilteringtofindthesetofevidenceyouwishtoanalyze,youcanviewalistofthewebdomainsandemailaddressesassociatedwiththatresultset,alongwithacountofthenumberofitemsfromeach.Inthisview,youcangrouptheemailaddressedbydomain(thedefaultview)andfilterthelistbytheFrom,To,Cc,andBccfields.
IntheFilteredItemspane,werecommendfilteringtheresultsettoshowonlyEmail,asallattachmentsandparentcommunicationdataareincludedintheset.Youcanselectindividualaddresses,orallitemsfromaparticulardomain,andtagorexcludethem.
Toreviewwebdomainsandemailaddresses:
1. Selecttheevidenceforwhichyouwishtoviewwebdomainsandemailaddresses.
2. IntheFilteredItemspane,filtertoshowonlyEmail.
3. IntheResultspane,selectViewby:Addresses.
224 Analyse
Reviewing Domain and Email Addresses
AseparateWorkbenchtabopenstodisplaybyaddresses,withanitemcountforeachdomainandemailaddress.
4. Optionally,clearanyofthecommunicationfieldstonarrowthelist.
5. Optionally,cleartheGroupbydomainoptiontoviewaflatlistofemailaddresses,notgroupedbydomain.
Analyse 225
Analysing Communications Over Time
Analysing Communications Over TimeWhenyouwanttorevieworfollowaconversationthreadorotheritemovertime,theEventMapprovidesagraphicalviewofcommunicationsintheresultsetagainstatimeline,showingwhosentthemandhowtheyweresenttoothers.TheEventMapcanbeusefulindeterminingwhen,where,whom,andhowoftenaspecificpieceofevidencewastransmitted.Thisviewismostusefulwhenyoufirstnarrowyourresultsettoaspecificconversationthreadorcollectionofdocuments.
Specifically,theEventMapdisplays:
• Anycommunicationsintheresultslistand/ortheancestoremailsoftheitemsintheresultslist.Thismeansthatiftheresultsethitisanattachment,thecommunicationsdateoftheparentisusedforeventmapping.Soevenifthesearchisonlyfor*.zipfiles,theeventmapwillprovidevalue.
• Eachmessageisrepresentedbyalinefromthesendertotherecipient.Thetimeanddateofthemessagesdisplayonthetimelineabovethemap.
Note:NuixnormalisesalldatesandtimestoUTCwhenprocessed,andthendisplaysthemusingthetimezonedefinedintheCasePropertiesdialoguebox(seepage 65).
226 Analyse
Analysing Communications Over Time
Severalworkflowsexisttoperformthistypeofanalysis.Herewedescribeonetypicalworkflow.
Toreviewacommunicationovertime:
1. IntheFilteredItemspane,filtertojustEmailunlessyouarealsointerestedinanalysingothertypesofitems(documents,zipfiles,etc.).
2. Searchtheevidenceusingthedesiredcriteria.
3. Reviewtheitemsintheresultssettofindacommunicationyouwishtofurtherunderstand.
4. InthePreviewpane,selecttheThreadlinktonarrowtheresultsettojustthatconversation.YoucanalsoviewconversationsbySimilarItems.
5. IntheResultspane,selectViewby:EventMap.
Displayedisadiagramshowingthecommunicationsintheresultsetovertime,withwhosentwhattowhom,aswellaswhenandhow.Thisviewcanmakeiteasytoseewhoisemailingdirectlytooutsideaddresses,aswell.
6. Displayemailaddressesasyouprefer,choosingfromoneofthefollowingoptions:None‐Suppressesthedisplayoftheemailaddress.Personal‐Displaysonlythepersonalportionofeachemailaddress.Forexample,StephenStewart<[email protected]>wouldonlydisplay"StephenStewart".Address‐Displaysonlytheaddressportionofeachemailaddress.Forexample,StephenStewart<[email protected]>wouldonlydisplay"[email protected]".PersonalorAddress‐DisplayseitherthePersonalorAddressportionoftheemailaddressdependingonitsavailability.FormattedAddress‐Displaysthefullyformattedemailaddress.Forexample,StephenStewart<[email protected]>woulddisplay"StephenStewart<[email protected]>".
7. SelectanodeinthediagramtoviewaspecificemailfromtheconversationthreadinthePreviewpane.
Ifdesired,youcanexporttheEventMapdiagramasanimage.See“ExportingInformationfromaView”onpage 258formoreinformation.
Analyse 227
Analysing Patterns of Communication
Analysing Patterns of CommunicationWhenyouwanttoanalysepatternsofcommunicationbetweenpersonsinasetofevidence,theNetworkviewprovidesadynamicimageofcommunicationpatterns,highlightingthefrequencyordensityofcommunicationsbetweentheparties.Anarrowshowsthedirectionofcommunication,indicatingthatpersonAsentemailtopersonB,alongwithanumberindicatinghowmanyemailswherereceivedbypersonBfrompersonA.Arrowsarebi‐directional,andthegraphicdisplaystwoarrowsandemailcountsiftwopeoplecommunicatedtoeachotherwithintheresultset.
228 Analyse
Analysing Patterns of Communication
YoucanincreasetheefficiencyofthisworkflowbyclickingthearrowinthefarrightoftheResultspanetoundocktheNetworkviewandmoveittoanothermonitor,whichallowsmoreroomforviewingtheresultingitemsthatdisplaywhenyouclickonalinkintheview.See“InteractingwiththeNetworkView”onpage 44forinformationonhowtocustomizeandmanipulatethisview.
Toreviewpatternsofcommunication:
1. Searchorfiltertonarrowdowntothedesiredresultset.
YoucanusetheEvidenceandFilteredItemspanetofiltertheresultsetandviewwhoiscommunicat‐ingtowhom,andwhoissendingspecifictypesofitems,suchasemailsorzipfiles.
2. IntheResultspane,selectViewby:Network.
3. SelectDeduplicateresults.
4. AdjustthevalueintheShowlinkcount>fieldtoreduceorincreasethenumberofcommunicationsyouareviewing.
Bydefault,thevalueis1000,sonocommunicationscouldbeshown.Forexample,settingthisvalueto40showsonlythosepersonsintheresultsetwhohavesentatleastthatmanyemails(butnofewer).
5. Filtertheviewbyclearingorselectingthecommunicationsfields,suchasDirect(To)orHidden(Bcc),toshowonlythosetypesofcommunications,asneeded.
6. Optionally,cleartheRunLayoutoptiontohaltthedynamicmovementofnodesintheview.
WhenRunLayoutisselected,Nuixtriestopositionthenodesinareadableposition.Youcanstilldragthenodesintodifferentpositions,whetherthisoptionisselectedornot.
7. ReviewemailssentfrompersonAtopersonBbydouble‐clickingthelinkbetweenthetwo.
AnewWorkbenchtabopenstodisplaytheitems.
Ifdesired,youcanexporttheNetworkdiagramasanimage.Formoreinformation,see“ExportingInformationfromaView”onpage 258.
Analyse 229
Analysing Patterns of Communication
230 Analyse
CHAPTER 8 Review and Tag
NuixDesktopsupportsavarietyofworkflowsforreviewingandtaggingevidenceinacase.
Youcanperformadhocinvestigativereviews,searchingforinappropriatecontentoritemsrelevanttoapossiblelegalactionwithoutbeingconstrainedtoalinearreviewofeachiteminorder.Ormoreformally,youcanconstructreviewjobsandworklinearlytorevieweachandeveryiteminacase,taggingorcommentingthemasneeded.Inthesecondworkflow,youcanchoosetorevieweachiteminordersothatitemscannotbeskippedduringtherevieworyoucanviewallitemsthatbelongtoyouinasingleresultset.
Whentagging,youcanapplyoneormoretagstoindividualitemsofinterestasyoureviewthem,oryoucanapplytagsinbulktoanentireresultsetinoneoperation.
Formoreformalreviews,atypicalworkflowisasfollows:
1. Createreviewjobs,whichcanbeseparatedbyanylogicalgrouping,suchasissue,keyword,custodian,investigator,etc.
2. Createtagsforusewiththecase,suchasSPAM,Relevant,Privileged,Responsive,etc.
3. Previewitems,eitherinthePreviewpane,nativelyinthesourceapplication,orinPDF.
4. Applytagsand/oraddcommentstotheitems.
Review and Tag 231
Optionally,youcanalsocreatesubsetsofcasesforreviewtosupportareviewthatisbeingperformedbysomeonethatdoesnothavepermissiontoseetheentirecase.Thisworkflowmightbeasfollows:
1. Intheparent(original)case,searchforallinformationthatisnottobeviewedbythereviewer,suchasPrivilegedcontent.
2. Tagthatinformationaccordingly.
3. Excludetheinformationbytag,sothatitisculledfromtheresultset.
4. Whenyouhavejusttheitemsintheresultsetremainingthatneedtobereviewedseparatelyfromtherestofthecollection,exportittoacasesubset.
5. Havethereviewersannotate(tag/comment)theitemsasneeded.
6. Importtheannotationsfromthecasesubsetbackintotheparentcase,wherethetagsand/orcommentsareautomaticallyappliedtothesameitems(exceptforduplicates).
Thischaptercontainsthefollowingtopics:
• “WorkingwithReviewJobs”onpage 233• “CreatingSubsetsofCasesforReview”onpage 242• “CreatingTags”onpage 246• “ReviewingItems”onpage 249
232 Review and Tag
Working with Review Jobs
Working with Review JobsIfyouneedtosystematicallyrevieweachiteminaresultsetorcase,renderingadecisionaboutitsrelevanceandapplyingatag,youshouldcreateFastReviewjobstomanagethisprocess.Theactualitem‐levelreviewcanbedoneeitherbyin‐housestafforcontractedout.IfyouhavetheNuixServersoftware,multiplereviewerscanreviewitemssimultaneouslyinasinglecase,supportingacollaborativereviewworkflow.
Thetasksassociatedwithreviewjobsinclude:
• Creatingreviewjobstomanageitemreviewandclassification.• Addingitemstoorremovingitemsfromreviewjobs.• Editingreviewjobstochangetheassociatedtagsorkeywordhighlighting.• Joiningreviewjobs.• Managingreviewjobstoassesscurrentstatusofjobs,reviewerstatistics,andtypeandnumberoftags
applied.
CREATING A REVIEW JOB
Creatingareviewjobisusefulforwhenyouneedtoperformamorestructuredreviewofitemsinacase.Nuixsupportsbothofthefollowingworkflows:
• Addingitemstoareviewjobthatcanbeseenbyanyreviewer.Inthiscase,anyreviewercanviewtheitemslinearlybyfamilies,ensuringthattaggingorcommentingisperformedonitemsineachfamilybeforeprogressingtothenext.
• Addingitemstoareviewjobandassigningthoseitemstoaspecificreviewer.Thisallowsthereviewerassignedtothoseitemstoseeallitemsinthejobinonelist,insteadofhavingthemdisplayedfamilybyfamily.Notethatonceyouassignitemstoaspecificreviewer,theycannotbeun‐assignedorre‐assignedtosomeoneelsewithinthatreviewjob.
Youcanassigneachreviewjobaspecificsetofdocuments,withtagsandkeywordhighlightingspecificforthatreviewjob.ThetextyouspecifyforhighlightingwithinthereviewjobareseparatefromthosespecifiedinkeywordsearchesfromtheWorkbenchtab;onlywordscanbehighlighted,aswildcardsorotherformsorquerysyntaxarenotaccepted.
Theitemsaddedtoareviewjobaregroupedandmustbereviewedasanentirefamilyofdocuments.Youcanadddifferenttagstoeachmemberofthefamily,butinordertoadvancetothenextbatch,theentirefamilymustbetagged.Reviewjobsaredesignedthiswaytoallowforanacceleratedreview,inthatifone
Review and Tag 233
Working with Review Jobs
iteminthefamilyisresponseorprivileged,thenwithacoupleofkeystrokestheentirefamilycanbetaggedandthereviewerisabletomoveontothenextfamily.
WithinNuixDesktopyoucantracktheoverallstatusofareviewjob,aswellasthetagsthatareviewerhasappliedandhowmany.
Tocreateareviewjob:
1. FromtheWindowmenu,selectNewFastReviewTab.
2. FromtheFastReview:Joblisttab,selectNewjob.
TheNewJobdialoguedisplays.
3. Specifythenameofthereviewjob.
Namestypicallyrepresentalogicalgrouping,suchasissuetype(fraud,harassment,bribery),asearchquery,akeyword,adaterange,acustodian,areviewer/investigator,andthelike.
4. Selecthowyouwouldliketoordertheitemsinthejob:byorderitemswereaddedtothereviewjob,byearlieritemsfirst,orbymorerecentitemsfirst.
Ifyouselecttheearlierormorerecentsortoptions,Nuixwillsorttheitemsbasedontheitemdateofthefamily'stop‐levelitem.
5. Addtagsforthereviewertousewiththisreviewjob:
a.ClickAdd.
b.Selectexistingtagsorright‐clickinthelistboxandselectNewTagtocreateanewone.
234 Review and Tag
Working with Review Jobs
Review and Tag 235
c.ClickOKtoaddthetagstothereviewjob.
6. Ifdesired,addkeywordstohighlightintheitemswithinthisreviewjob:
a.Toaddanindividualwordorphrase,clickAddandspecifyitinthetextfield.
b.TopastealistofwordsfromtheclipboardorimportalistofwordsfromaNuixwordlist,clickMore.
7. SelectOKtocreatethereviewjob.ThenewreviewjobdisplaysinthelistofavailablereviewjobsontheFastReview:JobListtab.
8. Additemstothereviewjob.
Adding Items to a Review JobAftercreatingoneormorereviewjobs,youcanthenadditemsfromthecasetothejob(s).YoucanadditemsfromeithertheResultsorThumbnailsviewoftheResultspane.Youcanadditemstoareviewjobindividually,orinbulk.
Itemsaddedtoareviewjobcanbegroupedforreviewasanentirefamilyofdocuments,bynotassigningtheitemstospecificreviewers.Youcanadddifferenttagstoeachmemberofthefamily,buttoadvancetothenextbatch,theentirefamilymustbetagged.
Youcanalsoassignitemstoaspecificreviewer,whocanthenviewallitemsassignedtotheminonelist.
Whenyouadditemstoareviewjob,youhavetheoptiontoalsoincludetheirentirefamily.Includingthefamilyintothereviewjoballowsyoutoreviewandapplytagstoanentirefamilygroupinafewsteps.
Toadditemstoareviewjobsothatanyreviewerwhojoinsthejobcanlinearlyreviewtheitemsonefamilyatatime:
1. OnetheWorkbenchtab,selecttheitem(s)fromtheResultsorThumbnailview.
2. Right‐clickintheResultspaneandselectAddtoReviewJob(orselectEdit>AddtoReviewJob).
3. IntheSelectReviewJobdialogue,selectthereviewjobthatyouwishtoaddtheitemsto.
Note: Unassigned is selected by default, so that items can be reviewed by anyone who joins the job.
Working with Review Jobs
4. Optionally,selectAlsoapplytoallitemsinthesamefamilytoaddallitemsfromthesamefamilytothereviewjob.
5. ClickOK.
Nuixaddstheitemstotheselectedreviewjob,andtheprogressofthetaskisshownontheFastReview:JobListtab.
Toadditemstoareviewjobandassignthemtoaspecificreviewer,whocanthenseeallitemsinthejob:
1. OnetheWorkbenchtab,selecttheitem(s)fromtheResultsorThumbnailview.
2. Right‐clickintheResultspaneandselectAddtoReviewJob(orselectEdit>AddtoReviewJob).
3. IntheSelectReviewJobdialogue,selectthereviewjobthatyouwishtoaddtheitemsto.
4. SelectAssigntoandthenclicktheassociatedbuttontoviewthelistofreviewersthatareknownonthecomputer.
236 Review and Tag
Working with Review Jobs
5. IntheChoosetheappropriatereviewerdialoguebox,dooneofthefollowing:SelecteitheranExistinguserfromthedrop‐downmenuEntertheWindowsloginnameofaNewuser(reviewer).Note:Newusernamesmustbethereviewer’sWindowsloginname.Thenamemustmatchexactlyforthereviewertoseetheitemsbeingassigned.
6. ClickOKtoreturntotheSelectReviewJobdialoguebox.
7. Optionally,selectAlsoapplytoallitemsinthesamefamilytoaddallitemsfromthesamefamilytothereviewjob.
8. ClickOK.
Nuixaddstheitemstotheselectedreviewjobandassignsthemtothespecificreviewer,andtheprogressofthetaskisshownontheFastReview:JobListtab.
Removing Items from a Review JobYoumaycomeacrossaninstancewhereyouneedtoremoveitemsfromareviewjob,forexampleifsomeitemswereprocessedbymistakeoraddedtotheincorrectreviewjob.Whenyouremoveitemsfromareviewjob,anytagsthatmighthavebeenaddedtotheitemsduringthereviewprocessremainassociatedwiththeitems.
Toremoveitemsfromareviewjob:
1. OntheWorkbenchtab,selecttheitem(s)intheResultsorThumbnailsviewthatyouwishtoremove.
Review and Tag 237
Working with Review Jobs
2. Right‐clickintheResultspaneandselectRemovefromReviewJob(orselectEdit>RemovefromReviewJob).
3. IntheSelectReviewJobdialogue,selectthereviewjobfromwhichyouwishtoremovetheitem(s).
4. Optionally,selectwhethertoalsoremoveitemsfromthesamefamily.
5. ClickOK.
Nuixremovestheitemfromthereviewjob.ThestatisticsontheFastReviewStatisticstabupdatetoreflectthechanges.
Editing a Review JobYoucaneditareviewjobtochange:
• Thenameofthereviewjob• Theorderinwhichtheitemsdisplayinthereviewjob• Thelistofhighlightedwordsorphrasesassociatedwiththereviewjob• Thelistoftagsassociatedwithareviewjob
Ifyouremovetagsfromthereviewjob,itonlyremovesthemfromthetaggingpaletteofthereviewjobandnotfromtheitemsthemselves.
Note:Onceyouassignitemstoareviewjob,youcannotun‐assignorre‐assignthemviatheEditJobdialoguebox.Youmustaddtheitemstoanewreviewjobinstead.
238 Review and Tag
Working with Review Jobs
Toeditareviewjob:
1. OpenorclicktheFastReview:JobListtab.
2. Selectthereviewjobyouwishtoedit.
3. ClickEditjob.
TheEditJobdialoguedisplays.
4. Makechangestothename,order,tags,orhighlightedwords,asneeded.
5. ClickOKtosaveyourchanges.
JOINING A REVIEW JOB
Investigatorsassignedtoareviewjobmustlogintothejobbeforetheycanbeginreviewingtheitemsassociatedwiththatjob.Onceyoujoinareviewjob,youcanstepthrougheachiteminthejobbytagginganitemandmovingontothenextone.
Youcanjoinmorethanonereviewjobatatime,butyouwillnotbeabletojoinanemptyreviewjob(thatis,onewithoutitemsinit).
Tojoinareviewjob:
1. OpenorclicktheFastReview:JobListtab.
2. Selectthejobyouwishtojoin.
3. ClickJoinJob.
Younowhaveaccesstothereviewjob,andanewWorkbenchtabopensdisplayingapreviewofthefirstiteminthelistandthetaggingpalette.
4. Beginreviewingandtaggingtheitems.See“ReviewingItems”onpage 249.
Review and Tag 239
Working with Review Jobs
MANAGING REVIEW JOBS
TheFastReview:JobListtaboffersafewdifferentwaystomanagereviewjobsbyallowingyouto:
• Viewthelistofreviewjobsassociatedwiththecaseandaprogress(status)foreach.• Editajob,includingitsname,tags,andhighlightedwords.• Statisticsabouteachuser(reviewer)workingonaselectedreviewjob,includinghowmanyitemshave
beenreviewedperuser,andhowmanyofeachtagtheuserhasappliedtodate.• Thetagsassignedtotheselectedreviewjob,andhowmanyofeachtaghasbeenassignedtothereview
job(acrossallusers).
Thisinformationaffordsyoutheopportunitytounderstandhowthecase,thereviewjobs,andindividualreviewersareprogressing.
Tomanagereviewjobs:
1. OpenorclicktheFastReview:JobListtab.
2. Perusethelistofreviewjobs,theuserstatistics,andthestatisticsfortags.
240 Review and Tag
Working with Review Jobs
DELETING A REVIEW JOB
Casesmightexistwhereyoufindyouwanttodeleteareviewjob.Scenariosmightinclude:
• Areviewjobwascreatedbymistakeorwascategorizederroneously• Thereviewjobisnolongerpertinent,asthecasehastakenadifferentdirection• Toalleviateanoteddecreaseinperformance,ifalargenumberofin‐progressreviewjobsexistwithin
thecase
Whenyoudeleteareviewjobfromacase,youremovethereviewjobbuttheitemsandanytagsorcommentsappliedtotheitemsremaininthecase.
Todeleteareviewjob:
1. OpenorclicktheFastReview:JobListtab.
2. Selectthejobyouwishtodelete.
3. ClickDeletejob.
Nuixremovesthejobfromthelistofavailablereviewjobs.
Review and Tag 241
Creating Subsets of Cases for Review
Creating Subsets of Cases for ReviewUnlikeacompoundcase,whichaggregatesmultiplesimplescasestogether,acasesubsetisusedtocopyitemsfromacaseandcreateanewcasewiththoseitems.Inthiscase,theitemsarenotremovedfromtheoriginalcase.Thisallowsyoutolaterimportintotheparentcaseanyannotationsthatareappliedtothoseitemsexportedtothecasesubset.
Scenariosthatsupportcreatingcasesubsetsinclude:
• Tag‐basedworkflowsthatsearchforspecifictermstofinditems,andthentagsetsofitemsintogroupssuchas"Privileged"and"Responsive",andthensubsetjusttheitemstaggedResponsiveintoseparatecasesforreview.
• Exclusion‐basedworkflowsthatculltheevidencebyexcludingitemssuchasSPAMorotherirrelevantitemsfirst,andthenwiththeremainderoftheevidencecreatesubsetsoftheitemsforreview.
• Performance‐basedworkflowsthataggregatemultiplesimplecases,withnumerousdatabasesintoasingledatabase.
Thereviewworkflowisasfollows:
1. Exportingasetofitemsfromonecaseintoanewcase,knownasthecasesubset.
2. Reviewthoseitems,whicharenowseeninisolationfromtheitemsintheparentcase.
3. Whenthereviewiscomplete,exporttheannotations(tagsandcomments)fromthechildcasetoaCSVfile.
4. Importthoseannotationsbackintotheparentcase.Notethatthehistoryandanyothercasemetadatafromthechildcaseisnotbroughtbackovertotheparentcase.
Exporting a Subset of Items to a New CaseToisolateasetofitemsfromacollectionofevidencesothattheycanbereviewedseparatelyfromtherestofthecase,youcancreateacasesubset.
Note:Whenyouexporttoacasesubsetfromaresultset,theparentitemsoftheselecteditemsintheresultsetarealsoexported.Ifyouexport1000items,youwillhaveagreaternumberinthenewcaseastheadditionalparentitemsareincluded.Nuixdeduplicatestheparentitemsforselecteditemshavingthesameparent(s).
242 Review and Tag
Creating Subsets of Cases for Review
Toexportasubsetofitemstoanewcase:
1. FromtheResultspane,toexporttheentireresultset,clickthecheckboxinthecolumnheadertoselectalltheitems.
Or,youcanmanuallyselectindividualitemsfromaresultsettoexport.
2. ClickExport>ExportCaseSubset.
TheExportCaseSubsetdialoguedisplays.
3. Completethedialoguebyspecifyingcaseoptions(see“ExportCaseSubsetDialogueBox”onpage 68):Casesettings,suchasname,directorylocation,investigator,anddescription.Textprocessingsettings,suchaswhethertousestopwordsandstemming.Annotationsettings,suchaswhethertoincludeanyexistingcommentsandtags.
4. ClickOKtoexporttheitemstoanewcase.
AnExportingCaseSubsetdialogueremainsopenwhilethetaskisinprogress,andanExportResultsdialoguedisplaystoletyouknowthetaskisfinishedandhowmanyitemsweresucessfullyexported.
5. IntheExportResultsdialogue,clickOK.
Awindowopensdisplayingthefolderviewofthenewcasedirectory.
Exporting Annotations to a FileYoucanexportanyannotationsyoumakewithinacasetoaCSVfile.Casesubsetsaretypicallycreatedtoallowforareviewofitemsseparatefromthoseintheparentcase.Onethissubsetofitemsisreviewed,youcanexporttheannotationsthatwereappliedduringthereviewprocess,andthenimporttheannotations(tagsand/orcomments)backintotheparentcasetobeappliedtothoseitems.
Review and Tag 243
Creating Subsets of Cases for Review
The.csvfileisformattedasfollows.Nuixassociateseachannotationwiththeitem'sGUIDsothattheycanbemappedbacktothesameitemsintheparentcase.
Toexportannotationstoafile:
1. FromtheResultspane,toexporttheentireresultset,clickthecheckboxinthecolumnheadertoselectalltheitems.
Or,youcanmanuallyselectindividualitemsfromaresultsettoexport.
2. ClickExport>ExportAnnotations.
TheExportCSVAnnotationFiledialoguedisplays.
3. Specifythelocationandnamefortheannotationfile,andclickOK.
AnExportingAnnotationsdialogueremainsopenwhilethetaskisinprogress,andanExportResultsdialoguedisplaystoletyouknowthetaskisfinishedandhowmanyitemsweresucessfullyexported.
4. IntheExportResultsdialogue,clickOK.
Awindowopensdisplayingthefolderviewofthedirectorycontainingtheannotationsfile.
Importing Annotations from a FileIfyouhaveexportedtheannotationsfromacasethathasbeenreviewed,whichistypicallyasubsetofanothercase,youcanthenimportthoseannotationsbackintotheparentcasewhereNuixautomaticallyappliesthemtotheappropriateitems.
244 Review and Tag
Creating Subsets of Cases for Review
ToimportannotationsfromaCSVfile:
1. Opentheparentcaseintowhichyouwanttoimporttheannotations.
2. FromtheFilemenu,selectImport>ImportAnnotations.
TheOpenCSVAnnotationFiledialoguedisplays.
3. Browsetothelocationwherethe.csvfileislocated,selecttheannotationfile,andclickOpen.
TheImportAnnotationsdialogdisplays,showingtheGUIDs,AnnotationsType(tagorcomment),itemname,currentannotationsthatexistintheparentcase,andthenewannotationsthatweresuppliedinthecasesubset(orchildcase).
4. ClickOKtoimporttheannotationsintotheparentcase.
Foreachitem,Nuixappendsthetagsappliedinthecasesubsettoanyexistingtagsintheparentcase.Nuixonlyappliesuniquenewtags,duplicatetagsareignored.Technically,thismeansthatanitemcouldbetaggedwithbothResponsiveandNonresponsivetags,forexample,ifoneofthosetagswasappliedtotheitemintheparentcaseandanotherinthechildcase.Aftertheitemsaretagged,theAnnotationCompletedialoguedisplaysindicatinghowmanyitemswereannotated.
5. ClickOK.
Review and Tag 245
Creating Tags
Creating TagsInNuix,tagsareapieceofuser‐definedmetadatathatyouusetoclassifyanitemafteryouhavereviewedit.Somecasesmayrequireallitemshaveatagassociatedwiththem,whichsuitsaworkflowthatusesreviewjobstomanagethereviewprocess,whileothersmayonlyrequirethatyoutagitemsofrelevance.
Youcancreateasetoftagsforacase,andyoucanalsodefineaspecificsetoftagsforusewithareviewjob(thatis,asubsetofthetotalsetoftags,ortagsthatarespecifictothereviewjob).
Youcanorganisetagsintohierarchicalgroupings(nesttags),ifdesired.Sometypicaltagsinclude:Responsive,Non‐responsive,Privileged,Confidential,SPAM.
OnceyouhavetaggeditemsinNuixDesktop,youcan:
• Filtertheresultsettoshowjustthoseitemsthathaveacertaintagapplied,andthenexcludeorexportthem
• Searchforitemsusingthetagaspartofthesearchcriteria• Includethetagsaspartofthemetadatawhenexportingitems
CREATE TAGS FOR A CASE
Tocreatetagsforacase:
1. EnsuretheReviewandTagpaneisshowing(Window>ShowReview&Tag).
2. IntheReviewandTagpane,clickthelinktoconfiguretags.
TheEditcasetagsdialoguedisplays.
3. Right‐clickintheemptylistboxtoandselectNewTag.
Nuixcreatesatagandhighlightsthedefaultname.
4. Typethenameofthetagyouwishtocreatetooverwritethedefaultname,andpressEnter.
5. Tonesttags:
a.Selecttheparenttag.
Anexampleparenttagmightbe"Privileged"withsubtagsof"Attorney/Client"and"WorkProduct".
b.Right‐clickandselectNewSubTag.
c.TypethenameofthesubtagandpressEnter.
6. Whenyouarefinishedcreatingtags,clickClose.
Thetagsnowdisplayintheright‐handsideoftheReviewandTagpane.
246 Review and Tag
Creating Tags
Fromthisdialogue,youcanalsorenameanddeletetagsbyselectingatagandusingthosecommandsontheright‐clickmenu.
ASSIGN TAGS TO A REVIEW JOB
Todefineaspecificsetoftagsforuseinareviewjob:
1. OpenorclickontheFastReview:JobListtab.
2. Selectthereviewjobforwhichyouwishtocreatetags.
3. ClickEditjob.TheEditJobdialoguedisplays.
4. IntheFastaccesstagsfield,clickAdd.
TheTagSelectiondialoguedisplays.
5. EitherselectanexistingtagfromthelistandclickOK,orright‐clicktocreateanewcasetagthatwillbeaddedtothereviewjob.
UsetheShiftorCtrlkeystomulti‐selecttags.
6. Whenyouarefinishedaddingtags,clickOK.
ThetagsdisplayintheFastaccesstagslistbox.
7. OntheEditJobdialogue,clickOK.
Fromthisdialogue,youcanalsoremoveanytagsfromthereviewjob,byselectingthemandclickingRemove.
Review and Tag 247
Creating Tags
248 Review and Tag
Reviewing Items
Reviewing ItemsReviewingitemsforrelevanceisamajorcomponentofanyinvestigation.Afteryouhaveculledthedata,excludinganyitemsthatareirrelevant,andfilteredandsearchedtofindsetsofitemsthatneedfurtherinvestigation,youwillwanttoreviewindividualitems.
Nuixprovidesyouwiththeabilitytoreviewitemsinseveralways:
• withinthebuilt‐inpreviewer• withaPDFrenderingtoseearichtextview• launchedinitsnativeapplication
AllofthesemethodsareavailablefromtheNuixDesktopPreviewpane,highlightedinthescreenshotbelow.LocatedontheWorkbenchtab,thePreviewpanebydefaultishostedalongsidetheResultspaneandtheReviewandTagpanes,allowingyoutomovethroughitemsandtagtheminanefficientmanner.Anykeywordsthatyouusedinasearchqueryarehighlightedinthepreview.
Review and Tag 249
Reviewing Items
Toreviewanitem:
1. SelecttheWorkbenchtab,whichcouldshowthedefaultpanesetup,orifperformingaFastReview,thecustomizedversionforreviewingitemslinearly.
NuixdisplaysthefirstiteminthePreviewpane,unlessyouhavechosentoorderthemdifferentlyinareviewjob.Theitemnameisshownatthetop,whichisthesubjectofanemailorthefilenameforallotheritemtypes.
2. Selectoneormoreofthefollowingmethodstoreviewthecontentoftheitem:ClicktheEmailtabtoseetheextractedtextoftheitemintheNuixbuilt‐inpreviewer.Thisisnotarich‐textviewer.ClickthePDFtabtoseeaPDFrenderingoftheitem,whichisarich‐textviewoftheitem.FromthistabyoucanimportaPDFtoreplacetheonecurrentlyintheNuixPrintStore,launchthePDFinaPDFViewer,andusezoomandpagecontrolstoadjustthePDFrenderedinthePreviewpane.ClicktheLaunchbuttonintheupperright‐handcornerofthePreviewpanetoviewtheiteminitsnativeapplication.Theapplicationmustbeinstalledonyoursystemtoviewtheitemnatively.
250 Review and Tag
Reviewing Items
3. Optionally,reviewitemsthatmighthavesomecontextualrelationshiptothisitemby:Viewingthefolderstructureinwhichtheitemexistedtogaincontextfromitslocation,andclickinganyofthelinksinthePathtoviewotheritemsfromthesameplaceinthedatacollection.ViewingSimilaritemstotheoneyouarereviewingbyclickingonthelinksforDuplicates,High,Medium,orLow,whichdisplayitemsthataresimilartosomedegreeincontentbasedonwordsincommonwiththeselecteditem.ViewingRelateditemsbyclickingThreadtoseealltheitemsintheconversationtowhichthisitembelonged,ifany.Reviewingallchilditemsforagivenitembyright‐clickingonanitemandselectingShowAllDescendantsintheResultspane.Findingthetop‐levelitem(highestlevelancestor)foragivenitembyright‐clickingonanitemandselectingShowAllTop‐levelItemsintheResultspane.
4. Ifexisting,viewattachmentstotheitembyclickingtheAttachmentstab.
5. ViewthemetadatafortheitembyclickingtheMetadatatab.
TheMetadatatabprovidesbothNuix‐definedmetadataandthirdpartyapplicationmetadataingestedduringtheprocessingoftheitem.Youcanchangethemetadataprofileassociatedwiththistabbychoos‐inganotheronefromthedrop‐downlistintheright‐handcorner.
6. ViewthelistofallwordsintheitembyclickingtheWordListtab.
UsetheFilterfieldtoquicklyfindaspecificword.
Whenyouarefinishedreviewingtheitem,addatagorcomment,asneeded.UsetheyellowNextandPreviousarrowsatthetopleft‐handcornerofthePreviewpanetocyclethroughtheitems,or,ifyouareinareviewjob,addatagandclickthegreenNextFamilyarrow(orpresstheShift+rightarrowkey)toadvancetothenextfamilyofitems.
APPLYING TAGS TO ITEMS FROM THE REVIEW AND TAG PANE
Aftertagsarecreatedinthecaseorinthereviewjob,youcanassignthemtoitems.
Youcanusethemousetoapplytagstoitems,byselectingtheitem(s)andthenselectingoneormoretagsfromtheReviewandTagpane(fromeitherthetaggridontheleftorthetagtreeontheright).Alternatively,youcanusethekeyboardtoselectitemsandassigntagsviathetagginggrid,whichassignsnumbersfrom1‐9tothetagsprovidinganefficientwaytotagwithoutusingthemouse.
Tagsappliedthroughthetaggridortagtreeareonlyappliedtotheactiveitem.YoucanusetheApplysametagstoallfamilyitemsandApplysametagstoallduplicateitemstotagrelateditems.Ifyouwanttoapplytoatagtomultipleitemsselectedfromtheresultset,youneedtousetheAddTagsbutton.
Review and Tag 251
Reviewing Items
Assign Tags to the Tag GridTousethekeyboardnumberpadfortaggingitems,assignthetagstothetaggrid.Thenumbers1‐9areused;ifyouhavemorethan9tags,placethemostfrequentlyusedtagsonthegrid.Youcanstillapplytagsthatarenotonthetaggridbyselectingthemfromthetagtree.
Thetagscreatedforthecasedisplayinthetagtreeontheright‐handsideoftheReviewandTagpane.Ifthisareaisempty,clickEditTagstocreatetagsforthecase.See“CreateTagsforaCase”onpage 246.
1. Fromthetagtreeontheright,selectataganddragitontoanumberinthetaggridontheleft.Youcanalsoselectaspotonthegridandright‐clicktoselectAssignTagtothisShortcut,choosingthetagfromthelist.
Thetagdisplaysinthetaggrid.
2. Repeattheprocessuntilyouhaveplacedthetagswhereyouwantonthegrid.
3. Optionally,youcan:Moveatagbyselectinganddraggingitintoanemptyspotonthegrid.Ifyouplaceatagontoaspotthatalreadyhasatag,itreplacestheoriginaltag,butdoesnotswapthelocationsofthetags.Removeatagbyselectinganddraggingitbacktothetagtree,orright‐clickingandselectingRemoveTagShortcut
Thetagsnowdisplayonthetaggrid,eachwithanassignednumberfortaggingitemsfromthekeyboard.
252 Review and Tag
Reviewing Items
Apply a Tag to an Item
If you are performing an ad hoc review from the Results pane, you can use the Up and Down arrow keys on the keyboard to navigate through the result set. If you are in a review job, use the Previous and Next arrows to move through the document family.
Once you have tagged all of the items in the family, click the green Next Family arrow in the Review and Tag pane to advance to the next family. The green arrow is only available once you have tagged the entire family.
Toapplyatagtoanitem:
1. Optionally:Ifyouwanttoautomaticallyapplyatagtoallitemsofthesamefamilywhenyoutaganitemthatbelongstoafamily,selecttheApplysametagstoallfamilyitemsoptionatthebottomoftheReviewandTagpane.Ifyouwanttoautomaticallyapplyatagtoallduplicateitemswhenyoutaganitemthathasduplicates,selecttheApplysametagstoallduplicateitemsoption.Ifyouselecttheseoptionslaterinthetaggingprocess,itwillonlyworkfromthatpointforwardandnotupdateanyitemsalreadytagged.
2. Selectanitemintheresultslist.
TheselectedrowdisplaysinbluewithagoldoutlineintheResultspane.
3. Either:Fromthekeyboard,applyatagbytypingitsassignednumber.IntheReviewandTagpane,selectthetaginthetaggridortagtreewiththemouse.IntheResultspane,clickAddTagsandselectoneormoretagsfromtheAddTagsdialogue.
Atagicondisplaysnexttothecheckboxtoindicatethatitemhasoneormoretagsassociatedwithit.IfthemetadataprofileyouhaveassignedtotheResultspaneincludesthemetadatafield"Tags",youcanalsoseethenamesofthetag(s)appliedtotheitemintheTagscolumn.
4. Toadvancetothenextorpreviousfamilyintheresultset,clickthePreviousorNextarrowsinthetopleft‐handcorneroftheReviewandTagpane.
Thisdoesnotadvancefromitemtoitemintheresultset,buttothefirstiteminthenextfamilyintheresultset.
Review and Tag 253
Reviewing Items
Removing Tags from ItemsIfyouapplythewrongtagtoanitem,youcanremoveit.
Toremoveatagfromanitem:
1. Selecttheitem(s)intheresultset.
2. Either:Onthekeyboard,selectthehotkeynumberassociatedwiththetag(s)youwanttoremove.IntheReviewandTagpane,clickthetag(s)inthetaggridorthetagtreethatyouwanttoremove.IntheResultspane,right‐clickandselectRemoveTags,selectingthetag(s)youwanttoremovefromtheRemoveTagsdialogue.
Thetag(s)arenolongerappliedtotheitem.
Adding Comments to ItemsYourbusinesspolicymightincludeaddingcommentstoitems,toeitherfurtherdescribetheevidenceortodirectfurtherreviewtasks.Forexample,youmightwanttoexplaintherationalebehindacertaintagyouapplied,offerlegalopinionaboutthecontentoftheitem,orcommentthatfurtherreviewisneededbysomeoneelse.
254 Review and Tag
Reviewing Items
ThisadditionalpieceofmetadatacanbeseenintheCommentcolumnoftheResultspane,ifyouhaveaddedtheCommentmetadatafieldtotheprofileyouareusing.Youcanalsoviewthecommentsintheloadfilewhenexportingitems.
Youcanalsosearchfortextwithincomments,byusingthecommentsearchfield.
Toaddacommenttoanitem:
1. InthePreviewpane,atthetopright‐handside,clickComment.
TheEditCommentdialoguedisplays.
2. Typeyourcommentintothefield.
Youcanaddcommentsovertime.Thedateandtimethecommentwaslastmodifiedisdisplayedinthedialogue.
3. ClickOK.
TheCommenticondisplaysintherowResultspanetoindicateacommentisassociatedwiththeitem.
Removing Comments from ItemsIfyounolongerneedacommentonanitem,youcanremoveitbyremovingallthetextinthecomment.Youcanalsoremovejustsomeofthetextfromacomment,butthatdoesnotdeletethecomment.
Toremoveacommentfromanitem:
1. Selecttheitemintheresultset.
2. InthePreviewpane,clickComment.
TheEditCommentdialoguedisplays.
3. HighlightallthetextinthefieldandpressDeleteonyourkeyboardtodeleteit.
4. ClickOK.
Thecommentisremovedfromtheitem.
Review and Tag 255
Reviewing Items
256 Review and Tag
CHAPTER 9 Export Data
Dependingonyourworkflow,onceyouhaveprocessedorinvestigatedtheevidence,Nuixoffersavarietyofwaystoexporttheevidencebasedonthefeaturesenabledbyyourlicencetype.
Youcanexport:
• itemsfromcertainviewsinNuixDesktop• itemsinnativeformat,withoutaloadfile• itemsformattedintoalegalloadfile• asetofitemsintoanewcase• theannotations(tags,comments)associatedwitharesultsetintoaCSVfile• anMD5digestlistofitems
Thischaptercontainsthefollowingtopics:
• “ExportingInformationfromaView”onpage 258• “ExportingItemsinNativeFormat”onpage 260• “ExportingItemsintoaNewCase”onpage 262• “CreatingaDigestList”onpage 263• “ExportingtoaLegalLoadFile”onpage 264• “EnsuringExcludedContentisNotProduced”onpage 272
Export Data 257
Exporting Information from a View
Exporting Information from a ViewYoucanexportinformationfromthevarioustypesofviewsavailablefromtheResultspane.
YoucanexportthefollowinginformationtoaCSVfile:
• Thecurrentresultssetwiththedatafromthemetadataprofileinuse• ThecontentsoftheWordListtab• ThecontentsoftheStatisticstab• ThecontentsoftheHistorytab
Note:NuixexportsthisinformationtoaUTF‐8encodedCSVfile.
WhenimportingthisfileintoanapplicationlikeExcel,followthesesteps:
1. OpenMicrosoftExcel.
2. SelectDatafromthemenu.
3. SelectGetExternalDataandImportFromTextFilefromtheribbon.
4. SelecttheDelimitedoptionandUTF‐8fromtheFileOrigindrop‐downlistandselectNext.
5. SelecttheCommaoptionfromtheDelimitersgroupandselectFinish.
Note:IfyoudoubleclickontheCSVfileandallowittolaunchinExcel,thefieldswillnotbecorrectlyparsed.
Youcanexportthefollowingviewstoanimagefile(.svgor.png):
• TheNetworkdiagram• TheEventMapgraphic
Note:Thefewercommunicationsdepicted,themorereadabletheimage.
Toexportinformationfromaview:
1. Ensuretheresultssetyouareworkingfromcontainsthedatayouwanttoexport.
2. IntheResultspane,selecttoViewbyoneofthefollowingviews:ResultsWordListStatisticsNetworkEventMap
3. AtthebottomoftheResultspane,clickExport>ExportView.
258 Export Data
Exporting Information from a View
TheSavedialoguedisplays.
4. Browsetothelocationyouwanttosavethefile.
5. Specifyafilename.
6. Forimagefiles,chooseeither.svgor.pngasthefiletype.
7. ClickOK.
TheExportingViewdialoguedisplayswhiletheexporttakesplace.Itclosesautomaticallywhentheexporttaskcompletes.
Theviewissavedtothespecifiedlocation.
Export Data 259
Exporting Items in Native Format
Exporting Items in Native FormatToproduceitemsintheirnativeapplicationfileformat,youcanusetheExportItemscommand.FromtheExportItemsdialoguebox,youcanchooseavarietyofformatoptionsfortheitems.Nuixexportstheitemstoadirectory,whichmustbeempty,anddoesnotcreatealoadfileormaintainparent‐childrelationshipsfortheitems.Youcanthenopenanitemintheapplicationinwhichitwascreated,iftheapplicationexistsonyoursystem.
Thisoptionexportsonlytheitemsyouhaveselectedintheresultset,andnottop‐levelitemsordescendants.Therefore,ifasearchonlyhitsonanattachment,onlytheattachmentwillbeexported.Toexporttheparentemailaswellasalloftheattachments,youmustensureyoushowalltop‐levelitemsandincludethoseinthesetofitemstobeexported.
Note:TheExportItemsoptionisonlyavailabletoexport‐enabledlicences.
Toexportitemsintheirnativeapplicationformat:
1. FromtheResultspane,selecttheitemsyouwishtoexport.
2. ClickExport>ExportItems.
TheExportItemsdialoguedisplays.
3. Completetheexportsettings,usingthedefaultsettingfortheExportmessagesasoption,whichisNative‐Exportmessagesintheiroriginalformat.See“ExportItemsDialogueBox”onpage 71.
4. ClickOKtobegintheexportprocess.
260 Export Data
Exporting Items in Native Format
TheExportingItemsdialoguedisplaysindicatingtheprogressoftheexportoperation.TheExportResultsdialoguedisplayswhentheexportisfinishedandindicateshowmanyitemsweresuccessfullyexportedandalinkthatrunsaqueryforanyitemsthatfailed.Awindowopenstothedirectorywherethefileswereexported.
Export Data 261
Exporting Items into a New Case
Exporting Items into a New CaseWhenyouneedtoreviewitemsfromacollectionofevidenceseparatelyfromtherestofthecase,youcanexportasetofitemsintoanewcaseandthenre‐importtheannotationsmadeinthenewcasebackintotheparentcase,ifdesired.
EXPORTING SUBSETS OF ITEMS
Formoreinformation,see“ExportingaSubsetofItemstoaNewCase”onpage 242.
EXPORTING ANNOTATIONS
TheExportAnnotationsoptionexportsallofthecommentsandclassificationsfromtheselecteditemsinaresultsettoaCSVfile.NuixusestheGUID(GloballyUniqueID)totraceannotationsbacktotheoriginalitem,ifyouthenimporttheannotationsbackintoacasethatholdsthosesameitems.
Formoreinformation,see“ExportingAnnotationstoaFile”onpage 243.
262 Export Data
Creating a Digest List
Creating a Digest ListYoucancreateadigestlistbyselectingitemsinaresultsetandexportingthemtoanMD5digestlist.Youcanthenusethisdigestlisttoisolateandexcludeirrelevantitemsfromacollectionofevidence,tofinditemsthatarethesamebuthavedifferentnames,ortofindthesameoruniqueitemsbetweentwodatasets.See“DigestLists”onpage 129.
NuixsavesthedigestlistasabinaryfileintheNuix\Digestsdirectory;itisnotexportedouttoadirectoryofyourchoosing.ThedigestlististhenusedwithinNuix,allowingyoutomanagedigestlists(File>GlobalOptions>DigestLists)anddisplaythemintheFilteredItemspaneforusewithreviewandexporttasks.Youcancreateeitheranewdigestlistwiththeselecteditems,oraddtheselecteditemstoanexistingdigestlist.
Alternatively,ifyouneedtoexportanactuallistofMD5hashes,youcandosobyexportingaviewinconjunctionwithanappropriatemetadataprofile(onethatincludestheMD5Digestproperty).See“ExportingInformationfromaView”onpage 258.
TocreateadigestlistforuseinNuix:
1. IntheResultspane,selecttheitemsintheresultsetwithwhichyouwanttocreateadigestlist.
2. ClickExport>ExportDigestList.
TheExportDigestListdialoguedisplays,indicatingthenumberofuniqueMD5hashesthatexist.
3. Chooseoneofthefollowingoptions:Specifythenameofadigestlisttocreateanewone.Selectthenameofanexistinglist,toaddtheMD5hashestothatlist.
4. ClickOK.
AnExportingdialoguedisplayswhilethedigestlistisbeingcreatedandthencloseswhenthetaskiscomplete.
Export Data 263
Exporting to a Legal Load File
Exporting to a Legal Load FileNuixallowsyoutocreatelogicallegalloadfilesthatcanbeconsumedbyavarietyofthirdpartylegalapplications.TheLegalExporttofunctionisdifferentfromExportItemsinthatitalso:
• Ensurestheparent‐childrelationshipofadocumentismaintained.• Createsaloadfilethatmapstheexporteditemstoacrossreferencefilecontainingitems'metadata.• CreatesadocumentID(Batesnumber)foreachitem.• Exportsthefulltextcontentoftheitemand/oroptionallyexportsthenative,andcovertsthedocument
toaPDForTIFF.
Nuixofferslegalexportstothefollowingloadfileformats:
• Concordance• DiscoveryRadar• EDRMXML• IPRO• Relativity• Ringtail• Summation
Toexporttoalegalloadfile:
1. Selecttheitemsintheresultsetthatyouwanttoexport.
2. IntheResultspane,selectExport>LegalExporttoandchoosethedesiredlegalapplication.
YoucanalsofindthecommandontheFilemenuandright‐clickmenuintheResultspane.
3. FromtheLegalExportdialoguebox,ontheExportTypetab,specifypropertiesforthetypeofexportyouwanttoperform.See“ExportTypeTab”onpage 76.
4. IfyouareexportingtoRelativity,ontheRelativitySettingstab,selectoptionsandspecifytheRelativityURL,username,password,andworkspacesasneeded.See“RelativitySettingsTab”onpage 88.See“RelativitySettingsTab”onpage 88.
5. OntheNumberingandFilestab,specifyhowyouwanttonumbertheitemsinthelegalloadfile.See“RelativitySettingsTab”onpage 88.
6. OntheParallelProcessingtab,reviewthedefaultsandmakeanychangesifneededtomoreefficientlyexportitems.See“ParallelProcessingTab”onpage 95.
7. Ifyouwouldliketoviewasummaryoftheitemsdiscoveredforexport,andoptionallytagthempriortoexport,selecttheShowpre‐exportsummaryoptionatthebottomofthedialogue.
8. Whenyouhavefinishedsettinguptheexportjob,clickOK.
264 Export Data
Exporting to a Legal Load File
TheExportingItemsdialoguedisplays,indicatingtheprogressoftheexportoperation.TheExportResultsdialoguedisplayswhenNuixhasfinishedandshowsthenumberofitemsexported.
9. IntheExportResultsdialogue,clickOK.
Awindowopensdisplayingthefoldertowhichyouexportedtheitems.
OUTPUT FILES FOR LEGAL EXPORTS
InadditiontothedesiredloadfileandtheitemsspecifiedintheFileNamingsectionoftheNumberingandFilestaboftheLegalExport(Native,PDF,TIFFandText),Nuixcreatestwoadditionalfileswhenyouperformalegalexport:
• summary‐report.txt/xml‐Thesummaryreportprovidesacompletereportforthelegalexport.• top‐level‐MD5‐digests.txt‐TheTop-level-MD5-digests.txtfilecontainsalistallthetop‐level
MD5digestsincludedinthelegalexport.
Thesummary report.txtand.xmlfilescontainsdetailsoftheexportoperation,including:
• theexactlegalexportconfiguration• detailedbreakdownsofanyandallfilesthatwereexported• timinginformationforeachoftheexportstages• detailedfiletypestatistics• detailsofallduplicatetoplevelitemsnotexported• afullyqualifiedquerystringthatcanbeusedtofindallitemsthatfailedtoexportcorrectly
Afterexportingitemstoalegalloadfileformat,youshouldreviewtheassociatedsummaryreporttoensurethecontentoftheexportmeetsexpectations.
ABOUT CONCORDANCE LOAD FILES
NuixDesktopcreatestheConcordanceloadfilesaswellasanumberofotherusefuldocuments/items:
• Theloadfile:loadfile.dat.• Anopticalloadfile:loadfile.opt.Theloadfile.optisalwaysincludedintheexport,butwillbean
empty(zerosize)fileunlessyouselecttoexportPDFsorTIFFs.• Thesummaryreportdetailinginformationabouttheproduction/exportrunitself:summary-
report.txtandsummary-report.xml.TheXMLisprovidedtoassistinthecreationofmoreuserfriendlyreportsbycombiningitwithacustomcascadingstylesheet.
• AtextfilecontainingthetoplevelMD5digests:top-level-MD5-digests.txt.
Export Data 265
Exporting to a Legal Load File
• Acustomfolderforeachtypeofexporteddata:Native,TIFF,PDF,andText.ThesearedefinedontheLegalExportdialogue,NumberingandFilestab,intheFileNamingsection.
TheConcordanceloadfileisessentiallyadelimitedfile.YoucanusethisformattofacilitatethetransferofinformationfromNuixtoothersystems.
BydefaulttheConcordanceloadfileiscreatedusingASCIIencoding(ConcordanceonlyrecentlystartedsupportingUTF‐8encoding).TocreateaConcordanceloadfilewithUTF‐8encoding,youneedtostartNuixusingacommandlineswitch.Seethenuix.export.concordance.loadfile.encodingportionfrom“RunningNuixfromtheCommandLine”onpage 280.
Concordance Load File Format - Version 2.16
ThefollowinginformationdescribesthedefaultConcordanceloadfileformatthatwascreatedbyNuix2.16.
Column Name Source Concordance DB Description
DOCID Export Metadata Text, 50, Image, Key
Auto‐generated during the export process. The format is controlled as part of the Legal Export dialog.
PARENT_DOCID Export Specific Metadata
Text, 50 Used to track and maintain the parent‐child relationship of documents.
BEGINBATES Export Specific Metadata
Text, 50 Beginning DOCID for a multi‐page document. Relevant when creating TIFFs or PDFs.
266 Export Data
Exporting to a Legal Load File
ENDBATES Export Specific Metadata
Text, 50 Represents the ending DOCID for a multi‐page document. Relevant when creating TIFFs or PDFs.
BEGINGROUP Export Specific Metadata
Text, 50 Represents the beginning DOCID for a family of documents.
ENDGROUP Export Specific Metadata
Text, 50 Ending DOCID for a family of documents.
PAGECOUNT Export Specific Metadata
Numeric, 5 Number of pages for an imaged document.
ATTACHMENTLIST Item Metadata Paragraph, Indexed
List of attachment names.
FILENAME Item Metadata Paragraph, Indexed
Specific Filename. Maps to the Nuix “Name” field.
FILEEXTENSION Item Metadata Paragraph, Indexed
File extension for the specific item.
CREATIONDATE Item Metadata Date YYYYMMDD Creation Date.
MODIFIEDDATE Item Metadata Date YYYYMMDD Last Modified Date.
FILESIZE Item Metadata Numeric, 20 File Size in Bytes.
SENTONDATE Item Metadata Date YYYYMMDD Sent on Date for emails.
SENTONTIME Item Metadata Text , 20 Sent on Time for emails.
RECEIVEDDATE Item Metadata Date YYYYMMDD Received Date for emails.
RECEIVEDTIME Item Metadata Text, 20 Received Time for emails.
AUTHORNAME Item Metadata Paragraph, Indexed
Author field for documents.
AUTHOREMAIL Item Metadata Paragraph, Indexed
Nuix Communications FROM field.
TO Item Metadata Paragraph, Indexed
Nuix Communications TO field.
CC Item Metadata Paragraph, Indexed
Nuix Communications CC field.
BCC Item Metadata Paragraph, Indexed
Nuix Communications BCC field.
SUBJECT Item Metadata Paragraph, Indexed
Subject of an email message.
Column Name Source Concordance DB Description
Export Data 267
Exporting to a Legal Load File
Thefollowinguser‐definedmetadatafieldsareincludedbydefault.Ifyouuseotheruser‐definedmetadata,youmustmaketheappropriatechangestotheConcordancedatabase.
ThedefaultConcordanceloadfile(loadfile.dat)delimitersareasfollows.
TITLE Item Metadata Paragraph, Indexed
Subject of an email or the name of a file.
ORIGINALPATH Item Metadata Paragraph, Indexed
Full path to source evidence.
MD5HASH Item Metadata Paragraph, Indexed
MD5 Hash generated by Nuix.
ENTRYID Item Metadata Paragraph, Indexed
Nuix GUID.
DOCUMENTTYPE Item Metadata Paragraph, Indexed
Document type.
ITEMPATH Item Metadata Paragraph, Indexed
Location path of the item.
TIMEZONE Item Metadata Paragraph, Indexed
Time zone of the item.
Column Name Source Concordance DB
PATHNAME User‐selected Paragraph, Indexed
GUID User‐selected Paragraph, Indexed
FILETYPE User‐selected Paragraph, Indexed
Type Delimiter
Comma (020) – ASCII (decimal)
Quote (254) ‐ ASCII (decimal) / (00FE) ‐ Unicode (Hex)
Concordance Import Wizard ‐ Format
(174) ‐ ASCII (decimal) / (00AE) ‐ Unicode (Hex)
Column Name Source Concordance DB Description
268 Export Data
Exporting to a Legal Load File
Concordance Load File Format
ThedefaultConcordanceloadfilecontainsthefollowingfields.Thesefieldswillalwaysbepresent,andarenotconfigurable.YoucanaddadditionalcustommetadatathatwillappearasadditionalcolumnsaftertheITEMPATH,TEXTPATH,TIFFPATHandPDFPATHfieldsusingmetadataprofiles.
ThedefaultConcordanceloadfile(loadfile.dat)delimitersareasfollows.
Column Name Source Concordance DB Description
DOCID Export Metadata Text, 50, Image, Key
Auto‐generated during the export process. The format is controlled as part of the Legal Export dialogue.
PARENT_DOCID Export Specific Metadata
Text, 50 Used to track and maintain the parent‐child relationship of documents.
BEGINBATES Export Specific Metadata
Text, 50 Beginning DOCID for a multi‐page document. Relevant when creating TIFFs or PDFs.
ENDBATES Export Specific Metadata
Text, 50 Represents the ending DOCID for a multi‐page document. Relevant when creating TIFFs or PDFs.
BEGINGROUP Export Specific Metadata
Text, 50 Represents the beginning DOCID for a family of documents.
ENDGROUP Export Specific Metadata
Text, 50 Ending DOCID for a family of documents.
PAGECOUNT Export Specific Metadata
Numeric, 5 Number of pages for an imaged document.
ITEMPATH Item Metadata Paragraph, Indexed
Relative path to the native file.
TEXTPATH Item Metadata Paragraph, Indexed
Relative path to the text file.
PDFPATH Item Metadata Paragraph, Indexed
Relative path to the PDF file.
TIFFPATH Item Metadata Paragraph, Indexed
Relative path to the first TIFF page.
Type Delimiter
Comma (020) – ASCII (decimal)
Quote (254) ‐ ASCII (decimal) / (00FE) ‐ Unicode (Hex)
Newline (174) ‐ ASCII (decimal) / (00AE) ‐ Unicode (Hex)
Export Data 269
Exporting to a Legal Load File
ABOUT SUMMATION LOAD FILES
NuixDesktopcreatestheSummationloadfilesaswellasanumberofotherusefuldocuments/items:
• AClassIDIIloadfile.• Thesummaryreportdetailinginformationabouttheproduction/exportrunitself:summary‐
report.txtandsummary‐report.xml.TheXMLisprovidedtoassistinthecreationofmoreuserfriendlyreportsbycombiningitwithacustomcascadingstylesheet.
• AtextfilecontainingthetoplevelMD5digests:top‐level‐MD5‐digests.txt.• Afolderforeachtypeofexporteddata:Native,TIFF,PDF,andText.ThesearedefinedontheLegal
Exportdialogue,NumberingandFilestab,intheFileNamingsection.
Summation Load File FormatTheSummationLegalExportprovidesasingleDII,containingmetadata,fileandfulltextreferences.
ThefollowinginformationdescribestheSummationloadfileformat.
DII Token Source Description
@DOCID Export Specific Metadata
Auto‐generated during the export process. The format is controlled as part of the Legal Export dialog.
@PARENTID Export Specific Metadata
Used to track an maintain the parent‐child relationship of documents.
@FULLTEXT DOC Standard DII token One full‐text file exists for each database record
@O Standard DII token
@T Standard DII Token
@I Standard DII Token Image Location
@L Standard DII Token Long name for the item, includes Nuix specific item metadata: GUID, PathName, Name
@FROM Nuix Defined Metadata
Nuix Communications FROM field.
@TO Nuix Defined Metadata
Nuix Communications TO field.
@CC Nuix Defined Metadata
Nuix Communications CC field.
@BCC Nuix Defined Metadata
Nuix Communications BCC field.
@SUBJECT Nuix Defined Metadata
Email subject or Nuix Name.
270 Export Data
Exporting to a Legal Load File
@DATESENT Nuix Defined Metadata
Sent Date for email ‐ Nuix Communications Date.
@TIMESENT Nuix Defined Metadata
Sent Time for email ‐ Nuix Communications Date.
@HEADER / @HEADER‐END
Item Properties Email header content including all extracted metadata.
@EMAIL‐BODY / @EMAIL‐END
Item Content Email body content.
@MULTILINE Additional Metadata All additional metadata that is referenced from the metadata profile used for the export.
@ATTACH Standard DII Token Denotes any email attachments.
DII Token Source Description
Export Data 271
Ensuring Excluded Content is Not Produced
Ensuring Excluded Content is Not ProducedIfyouperformasearchforXandnotY,suchas"catNOTdog",sometimesitemscontainingYshowupinyourresultset.Thishappenswhenresponsiveitemsareapartofthesamefamilyasexcludeditems,andNuixperformsitsTop‐levelitemroll‐upoperation.IfyouneedtoexportitemsthatcontainXbutexcludeitemscontainingYfromtheexport,youmustfollowacertainsetofsteps.
Requirement
1. Findalldocumentfamiliesthatcontaintheworddog*(responsive)andexporttheresponsivefamilieswithaConcordanceloadfile.
2. Ensurethatthenodocumentsfamiliesthatcontainthewordcat*areincludedinthedataset.
Sample Email
Email_1hastwoattachments;Attach_1containstheword“dogs”,andAttach_2containstheword“cats”.
Typical workflow leading to questions
1. Runasearchfordog* AND NOT cat*.Attach_1willbereturned.
2. SelectAttach_1,andthenexporttoaConcordancelegalloadfile.BydefaultfromtheExportTypetab,theExportitemsfieldissettoTop‐Levelitems(deduplicated)anddescendants.
3. Aftertheexportiscompleted,thedataisimportedintoConcordanceandabasiccheckisperformedtoseeifanycontentcontainingtheexcludedterms(cat*)exists.Attach_2isfound,leadingtotheinitialquestion.
Explanation
ThisissueoccursbecauseEmail_1isatop‐levelitemwhosefamilycontainsbotharesponsiveandanexcludedsearchterm.Thesearchstringdog* NOT cat*isworkingcorrectly,inthatitisonlyreturning
272 Export Data
Ensuring Excluded Content is Not Produced
Attach_1.However,whenNuixissettofindTop‐Levelitems(deduplicated)anddescendants,itincludestheentirefamily,includingAttach_2.
Recommended Steps
Toensurethatyoudonotexporthitscontainingexcludedterms,followthesesteps:
1. RunasearchforX(suchascat*).
2. Applyatagthattothehitsandtheirentirefamilythatmarksthedocumentsasamatch(e.g.,Hit.Cat.Family).
3. SelecttheHit.Cat.FamilytagfromtheFilterItems>TaggedItemstree.
4. RunaqueryfortheNOT dog*.
5. Youcanconfirmthatdog*doesn'texistintheresultsetbyusingthewordlistviewoftheresultsetandfilteringontheworddog.
Intheexamplebelow,noneoftheitemswillmatchthequery,andthereforetheentirefamilyhasbeenexcludedbasedontheexistenceoftheexcludedcontent(cats).
ToensurethatyoudonotexporthitscontainingitemsthathavebeenaddedtoanExcludedItemsset,followthesesteps:
1. WhenyouareaddingitemstotheExclusionsetmakesurethatyouareaddingtheentirefamily.Ifyoudon'twanttoalwaysexcludetheentirefamily,thenaddasecondexcludeditemssetthatcontainstheentirefamilypriortoperforminganexport.
2. RunasearchforX(suchascat*).
3. Applyatagthattothehitsandtheirentirefamilythatmarksthedocumentsasamatch(e.g.,Hit.Cat.Family).
4. SelecttheHit.Cat.FamilytagfromtheFilterItems>TaggedItemstree.
5. RunaqueryfortheNOT(dog* OR exclusion:Tag.Applied.in.Step1.Family).YoucanalsojustensurethattheExclusionsetcreatedinStep1isactive.
Export Data 273
Ensuring Excluded Content is Not Produced
6. Youcanconfirmthatdog*doesn'texistintheresultsetbyusingthewordlistviewoftheresultsetandfilteringontheworddog.
274 Export Data
CHAPTER 10 Audit
NuixDesktopoffersauditingcapabilitiesforcompaniesthatneedtomonitorreviewer/useractivityonacase.Itdisplaysinformationabouthowtheapplicationisbeingused,logginginformationaboutcaseevents.
Thischaptercontainsthefollowingtopics:
• “EventsMonitored”onpage 276• “ViewingtheAuditHistoryforaCase”onpage 277• “AuditedInformationforExportOperations”onpage 278
Audit 275
Events Monitored
Events MonitoredNuixmonitorsthefollowingtypesofevents:
• CaseOpened‐RecordstheversionoftheNuixapplicationthatopenedthecaseintheDetailsofEvent.• CaseClosed‐RecordstheversionoftheNuixapplicationthatopenedthecaseintheDetailsofEvent.• LoadData‐RecordsthatdatawasloadedintheDetailsoftheEvent.• Search‐Recordsthesearchparametersthatwereusedandthenumberofresultsthatwerereturned.• Annotation‐Recordsthatanannotationwasapplied,includingthespecificannotation.• Import‐RecordsthataPDFwasimported.• Export‐RecordsthatanExportwasperformed.• ScriptRun‐Recordsthatascriptwasrun.
Foreachevent,thefollowinginformationislogged:
• Started‐Timetheeventstarted.• Ended‐Timetheeventended.• PerformedBy‐Userwhoperformedtheoperation,basedonthelogged‐inusername.• TypeofEvent‐Thetypeofeventperformed.• Status‐Successorfailureoftheevent.• DetailsofEvent‐Specificdetailsoftheactionsperformed.
276 Audit
Viewing the Audit History for a Case
Viewing the Audit History for a CaseNuixlogsdetailsaboutsomeoftheoperationsthatusersperforminacaseontheHistorytab.
Toviewtheaudithistoryforacase:
1. FromtheWindowmenu,selectNewHistoryTab.
AHistorytabdisplays.
2. Reviewtheauditedeventsforthecase,sortingtherowsbyanyofthecolumns,asneeded.
Audit 277
Audited Information for Export Operations
Audited Information for Export OperationsOntheHistorytab,intheTypeofEventcolumn,Nuixrecordsdetailsaboutseveraltypesofexportoperations.Examplesoftheinformationofferedabouteachexporteventtypeare:
• ExportView:"Exportofresultsview(#items)tospreadsheetfile({FilePath})"• ExportItems:"Exportof#itemstobinaryfiles({FilePath}),#processed,#skipped,#unprocessed"• ExportAnnotations:"Export#itemstospreadsheetfile({FilePath}),#processed,#skipped,#
unprocessed"• ExportDigestList:"Export#ofitemstodigestlist({digestlistname})"• LegalExport:"Export#ofitemsto{LoadFileType}loadformat({FilePath}),#processed,#skipped,
#unprocessed"• LaunchItem:"RecordtheDetailofEventwith"Exportofsingleitem({GUID})toexternalviewer"
278 Audit
Appendices
Thisappendixincludessupplementalinformationaboutthefollowingtopics:
• “RunningNuixfromtheCommandLine”onpage 280• “AboutSupportedFileTypes”onpage 285• “SupportedFileTypes:OrganizedbyKind”onpage 287• “SupportedFileTypes:OrganizedbyCommonName”onpage 300• “SupportedFileTypes:OrganizedbyFileType”onpage 314• “RenderingDocumentstoPDForTIFF”onpage 326
Appendices 279
Running Nuix from the Command Line
Running Nuix from the Command LineThissectionliststhesupportedoptionsforrunningtheNuixDesktopandNuixWorkerfromthecommandline.Theformatforrunningtheapplicationsisasfollows:
nuix_desktop.exe [-Dname=value] [-Xparam] casefile
nuix_desktop_console.exe [-Dname=value] [-Xparam] [-nologo] -script scriptfile
nuix_worker.exe [-Dname=value] [-Xparam]
Thefollowingsectionsexplainthecommandsandoptions.
-DNAME=VALUE
Addinga-D(define)overridesadefaultsystemproperty.Thefollowingsystempropertiesareofparticularinterest.
Multiple-Ddefinescanbespecifiedtosetmultipleparameters.
Example:
nuix_desktop.exe -Dnuix.logdir=D:\Logs -Djava.io.tmpdir=D:\temp –Xmx4g -Dnuix.worker.jvm.arguments=-Xmx2500m
StartsNuixDesktopwithalternativedirectoriesforthelogsandtempfiles,allocating4GBofRAMtothemainprocessand2.5GBtoeachworkerprocess.
Note:Thiswillonlyworkifrunningthe64‐bitversionofthesoftware.
file.encodingSpecifiesthedefaultfileencoding.
Example:-Dfile.encoding=shift_jis
java.io.tmpdirSpecifiesthelocationofthetempdirectory.
280 Appendices
Running Nuix from the Command Line
Example:‐Djava.io.tmpdir=D:\Temp
nuix.logdirSpecifiesthelocationofthelogdirectory.
Example:-Dnuix.logdir=D:\Logs
nuix.licence.preferenceSpecifiesthepreferredlicencetypetoobtainfromtheserverinasituationwheremorethanonelicencetypeisavailable.
Example:-Dnuix.licence.preference="Legal Reviewer"
nuix.export.concordance.loadfile.encodingSpecifiestheencodingtouseforConcordanceloadfiles.ThedefaultisUS‐ASCII.
Example:-Dnuix.export.concordance.loadfile.encoding=UTF-8
nuix.export.pdfToTiff.device
Specifies the device to use for converting PDF to TIFF using Ghostscript.
Example:-Dnuix.export.pdfToTiff.device=tiff24nc
Note:Ifyouusetiff24nctogeneratecolourTIFFsasshowninthisexample,theresultingfileswillbeverylarge.
nuix.export.pdfToTiff.dpiSpecifiestheDPIfortheTIFF.Thedefaultis300.
Example:-Dnuix.export.pdfToTiff.dpi=200
nuix.export.pst.maximumMessagesPerPstSpecifiesthenumberofitemsthatwillbeexportedtoaPSTbeforeanewPSTiscreated.Thedefaultvalueis10,000andisineffecttopreventaPSTfromexceedingthe20GBsizelimitforPSTfiles.
Appendices 281
Running Nuix from the Command Line
Example:-Dnuix.export.pst.maximumMessagesPerPst=500000
nuix.export.must-produce-native-mimetypesEnsuresthatitemsareexportedinnativeformatforthespecifiedmimetypes,evenwithonlyPDForTIFFandtextselected.
Example:
-Dnuix.export.must-produce-native-mimetypes=application/vnd.ms-powerpoint,application/vnd.openxmlformats-officedocument.presentationml.presentation,application/vnd.ms-excel,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
nuix.export.additional-unprintable-mimetypesSpecifiesalistofmimetypesforwhichyoualwaysneedslipsheetsgenerated.
Example:-Dnuix.export.additional-unprintable-mimetypes=text/plain,text/html
nuix.worker.jvm.argumentSpecifiesadditionalargumentswhichwillbepasseddirectlytothechildworkerprocesses.
Examples:
-Dnuix.worker.jvm.argument=-Xmx2500m
-Dnuix.worker.jvm.argument=-Xmx3g
Seealso“MinimumSystemRequirements”onpage 106.
nuix.worker.sizeSpecifiesthetotalnumberofNuixworkerinstancesthatwillexecute.Thiscanbeusedtoreducethenumberrunningtoreallocateresources.
Example:-Dnuix.worker.size=2
282 Appendices
Running Nuix from the Command Line
nuix.loglevelSpecifiesthedefaultlogginglevel.ThedefaultisINFO.Furtherloggingcustomisationscanbemadebyeditinglog4j.propertiesintheconfigdirectory.
Example:-Dnuix.loglevel=DEBUG
Note:ChangingthissettingdramaticallyincreasestheamountoflogdetailandshouldonlybeusedwhenspecificallydirectedbyNuixtechsupport.
nuix.registry.serversSpecifiesthehostnamesorIPaddressofNuixlicenceandcaseservers,asanalternativetousingDNSorZeroconftoconfigurethemautomatically.
Example:-Dnuix.registry.servers=nuixserver.example.com
-XPARAM
Command‐lineparametersstartingwith-XwillbepasseddirectlytotheunderlyingJVM.AcommonusageforthisisincreasingtheamountofmemoryavailabletothemainNuixDesktopprocess.
Example:nuix_desktop.exe –Xmx4g
-NOLOGO
Addingthe-nologoflagdisablestheproductnameandcopyrightnoticewhichwouldotherwiseappearwhenusingtheconsoleversionoftheapplication.
Youmaypreferthisiftheapplicationwillberunmanytimesfromasinglescriptorbatchfile.
CASEFILE
Specifiesthelocationofthecasetoautomaticallyopen.
Example:"\baseline\Bubble2 - Nuix Cases\Case1\case.fbi2"
Appendices 283
Running Nuix from the Command Line
-SCRIPT SCRIPTFILE
Addingthe-scriptparameterfollowedbythefullpathnametoascriptfilewillrunthescriptwithoutdisplayingthemainwindow.Thisallowsbatchprocessingofcasesandisthususefulforintegrationwithothersoftware.
Formoreinformationonwritingscripts,seetheScriptingGuideavailableontheNuixcustomerportal.
Addingthefullpath‐nametoacase.fbi2filewillopenthespecifiedcaseimmediatelyafterdisplayingthemainwindow.
284 Appendices
About Supported File Types
About Supported File TypesNuixprovidesvariouslevelsofsupportforfileformatsusedbyawidevarietyofapplications:
• Supported‐Thefiletypeisfullysupported,includingtheextractionofallmetadataandcontent.• Recognised‐Thefiletypeisrecognisedbyitsheader,butisnotfullysupported.Thisfiletype
designationissimplytextstripped.• PartiallySupported‐Thefiletypeisrecognisedandpartiallysupported,meaningthatsomebutnot
alldatafromthefileisprocessed.
PROCESSING FORENSIC IMAGES
Nuixcandirectlyconsumesomeforensicimages.DirectlyconsumingforensicimagesallowsNuixtoprocessthesourcedatawithoutinterferencefromtheoperatingsystemorthefilesystemsecurity.
Nuixsupportsthefollowingformats.
Encase:
• E01,E02,E03,etc...‐NuixsupportsdirectprocessingofEncaseimages.BothsingleE01filesandsegmented.
• L01,L02,L03,etc...‐NuixsupportsdirectprocessingofEncaseLogicalVolumes.
ddImages:
• dd‐Nuixsupportdirectprocessingofsinglefileandsegmentedddimages.• dd.01,dd.02,dd.03,etc...
FileSystems:
OnlyimagesofthefollowingfilesystemswillbeprocessedbyNuix.
• Windows:FAT32,NTFS• Linux:EXT2,EXT3
Addingsinglefilediskimagesasevidence:
• Singlefile,completeE01orddimagescanbeaddedassinglefiles.
AddingsegmentedEncaseimages:
1. Createadirectorythatcontainsallofthesegmentsassociatedwithagivenimage.
Appendices 285
About Supported File Types
2. CreateapieceofNuixevidenceattheparentdirectorylevel.Thiswillensurethatallofthefilesareassociatedwiththesingleimage.
Notes:Nuixdoesnotrecoverorextractdatafromtheimagesdeleted,swap,slackorfreespace.
286 Appendices
Supported File Types: Organized by Kind
Supported File Types: Organized by KindTofollowisalistingofthefiletypesNuixDesktopsupportsorganizedbykind(container,database,drawing,email,images,etc.).
CONTAINERS
Container Common Name File TypePossible Extensions Status
Java Archive application/java‐archive *.jar, *.war, *.ear, *.sar
Supported
MacBinary Archive application/macbinary *.macbin Supported
Mailbox File application/mbox *.mbox Supported
AccessData FTK Image application/vnd.accessdata‐ftk‐imager *.ad1 Supported
Apple Mail.app Email File application/vnd.apple‐emlx *.emlx Supported
Apple UDIF Disk Image application/vnd.apple‐udif *.dmg Recognised
EmailXtender Archive application/vnd.emc‐mailxtender *.emx Supported
EmailXtender Notes Message application/vnd.emc‐mailxtender‐notes‐msg *.onm Supported
EnCase Disk Image application/vnd.guidance‐encase *.e01 Partially Supported
EnCase Logical Volume File application/vnd.guidance‐encase‐lvf *.l01 Partially Supported
Koomail Mail File application/vnd.koomail‐sml *.sml Supported
Lotus Notes Database application/vnd.lotus‐notes *.nsf Supported
Lotus Notes View application/vnd.lotus‐notes‐view Supported
Microforensics FileSafe Archive
application/vnd.microforensics‐filesafe *.mfs01 Supported
Microsoft Backup Tape Archive
application/vnd.ms‐backup *.bkf Recognised
Microsoft Cabinet Archive application/vnd.ms‐cab‐compressed *.cab, *.snp, *.onepkg
Supported
Microsoft ClipArt Gallery application/vnd.ms‐clipart‐gallery *.cag Recognised
Microsoft Exchange Server Property Store
application/vnd.ms‐exchange‐edb *.edb Supported
Appendices 287
Supported File Types: Organized by Kind
Microsoft Internet Explorer Cache
application/vnd.ms‐ie‐cache *.dat Supported
Microsoft Internet Explorer Cache Entry
application/vnd.ms‐ie‐cache‐entry Supported
Microsoft Installer File application/vnd.ms‐installer *.msi Partially Supported
Microsoft OLE2 Attachment Wrapper
application/vnd.ms‐ole2‐attachment Supported
Microsoft OLE2 Package File application/vnd.ms‐ole2‐package Supported
Microsoft Outlook Personal Folder
application/vnd.ms‐outlook *.pst Supported
Microsoft Outlook Express Mailbox
application/vnd.ms‐outlook‐express *.dbx Supported
Microsoft Outlook Express 4 Mailbox
application/vnd.ms‐outlook‐express‐4 *.mbx Supported
Microsoft Outlook Folder application/vnd.ms‐outlook‐folder Supported
Microsoft Outlook Message application/vnd.ms‐outlook‐msg *.msg Supported
Microsoft Photo Editor Object
application/vnd.ms‐photo‐editor Recognised
Microsoft Outlook Shortcut application/vnd.ms‐outlook‐shortcut *.msg Supported
Microsoft Shell Scrap application/vnd.ms‐shell‐scrap *.shs, *.shb Supported
Microsoft Imaging Format application/vnd.ms‐wim *.wim Recognised
Norton Ghost Disk Image application/vnd.norton‐ghost *.gho, *.ghs Recognised
Sonic Global Image application/vnd.sonic‐global‐image *.gi Recognised
Symantec Vault DVS File application/vnd.symantec‐vault *.dvs Supported
Tencent Foxmail Box File application/vnd.tencent‐foxmail‐box *.box Supported
Valve GCF Archive File application/vnd.valve‐gcf *.gcf Recognised
7‐Zip Archive File application/x‐7z‐compressed *.7z Supported
ACE Archive File application/x‐ace *.ace Recognised
Unix Ar Archive File application/x‐ar *.ar, *.deb, *.udeb, *.lib, *.a
Supported
bzip‐Compressed File application/x‐bzip *.bz2, *.tbz, *.tbz2 Supported
Container Common Name File TypePossible Extensions Status
288 Appendices
Supported File Types: Organized by Kind
UNIX compress‐Compressed File
application/x‐compress *.z, *.taz Supported
Compressed ISO9660 Disk Image
application/x‐cso‐image *.cso Recognised
Disk Image application/x‐disk‐image Supported
gzip‐Compressed File application/x‐gzip *.gz, *.tgz, *.wmz, *.emz
Supported
ISO9660 CD‐ROM Disk Image application/x‐iso‐image *.iso Supported
LZH Archive File application/x‐lzh‐archive *.lzh, *.lha, *.arc Supported
LZMA Archive File application/x‐lzma *.lzma, *.tlz Supported
LZX Archive File application/x‐lzx *.lzx Recognised
Parchive (Parity Archive) 1.0 File
application/x‐par *.par Recognised
Parchive (Parity Archive) 2.0 File
application/x‐par2 *.par, *.par2 Recognised
RAR Archive File application/x‐rar‐compressed *.rar Supported
RPM Archive File application/x‐rpm *.rpm Recognised
StuffIt Archive File application/x‐stuffit *.sit, *.sitx Recognised
tar Archive File application/x‐tar *.tar Supported
Windows Thumbs DB File application/x‐thumbs‐db *.db Supported
XZ Archive File application/x‐xz *.xz Supported
Zip‐Compressed File application/x‐zip‐compressed *.zip Supported
Directory filesystem/directory Supported
Drive filesystem/drive Supported
IMAP Mail Account server/imap Supported
IMAP Mail Folder server/imap‐folder Supported
POP Mail Account server/pop3 Supported
POP Mail Folder server/pop3‐folder Supported
Container Common Name File TypePossible Extensions Status
Appendices 289
Supported File Types: Organized by Kind
DATABASES
DRAWINGS
Database Common Name File Type Possible Extensions Status
Borland Paradox Database application/vnd.borland‐paradox *.db, *.px Recognised
Mozilla Mork Database application/vnd.mozilla.mdb‐mork *.mab, *.msf, *.dat Supported
Microsoft Access Database application/vnd.ms‐access *.mdb Partially Supported
Microsoft 2007 Access Database application/vnd.ms‐access‐acedb *.accdb Partially Supported
Microsoft Exchange Server Streaming Store
application/vnd.ms‐exchange‐stm *.stm Supported
MYOB Company File application/vnd.myob *.myo, *.prm, *.dat, *.pls Recognised
Drawing Common Name File Type
Possible Extensions Status
Adobe Illustrator Artwork
application/vnd.adobe‐illustrator *.ai Recognised
Microsoft Excel Chart application/vnd.ms‐excel‐chart *.xlc Supported
Microsoft Graph Chart application/vnd.ms‐graph *.gra Recognised
Microsoft Visio Drawing application/vnd.ms‐visio *.vsd, *.vst, *.vss Recognised
Microsoft Word Picture application/vnd.ms‐word‐picture *.doc Recognised
OpenDocument Chart application/vnd.oasis.opendocument.chart *.odc, *.otc Recognised
OpenDocument Database
application/vnd.oasis.opendocument.database *.odb Partially Supported
OpenDocument Graphics application/vnd.oasis.opendocument.graphics *.odg, *.otg Supported
StarDraw Drawing application/vnd.stardivision.draw *.sda Recognised
StarDraw XML Drawing application/vnd.sun.xml.draw *.sxd, *.std Supported
Computer Graphics Metafile
image/cgm *.cgm Recognised
AutoCAD DWG Drawing image/vnd.autocad‐dwg *.dwg Recognised
AutoCAD DXF Drawing image/vnd.autocad‐dxf *.dxf Recognised
Corel Draw Drawing image/vnd.corel‐draw *.cdr, *.cdt, *.drw Recognised
290 Appendices
Supported File Types: Organized by Kind
Corel Draw 6.0 Graphic image/vnd.corel‐draw‐6 *.cdr6 Recognised
Micrografx Designer Drawing
image/vnd.micrografx‐designer *.drw Recognised
Microsoft Windows Enhanced Metafile
image/vnd.ms‐emf *.emf Supported
Microsoft Windows Metafile
image/vnd.ms‐wmf *.wmf Supported
Email Common Name File TypePossible Extensions Status
Lotus Domino XML Mail application/vnd.lotus‐domino‐xml‐mail‐document
*.xml Supported
Lotus Domino XML Appointment application/vnd.lotus‐domino‐xml‐appointment‐document
*.xml Supported
Lotus Notes Document application/vnd.lotus‐notes‐document *.eml Supported
Microsoft Outlook Activity application/vnd.ms‐outlook‐activity *.msg, *.eml Supported
Microsoft Outlook Appointment application/vnd.ms‐outlook‐appointment *.msg, *.eml Supported
Microsoft Outlook Item application/vnd.ms‐outlook‐item *.msg, *.eml Supported
Microsoft Outlook Note application/vnd.ms‐outlook‐note *.msg, *.eml Supported
Microsoft Outlook Schedule application/vnd.ms‐outlook‐schedule *.msg, *.eml Supported
RFC822 Email Message message/rfc822 *.eml, *.mht Supported
RFC822 Email Headers message/rfc822‐headers *.eml Supported
Scraped Message message/x‐scraped *.eml Supported
Drawing Common Name File Type
Possible Extensions Status
Appendices 291
Supported File Types: Organized by Kind
IMAGES
Image Common Name File TypePossible Extensions Status
Adobe Photoshop Image application/vnd.adobe‐photoshop *.psd Recognised
OpenDocument Image application/vnd.oasis.opendocument.image
*.odi, *.oti Recognised
Windows Bitmap Graphic image/bmp *.bmp Supported
Compuserve Graphic Interchange Format
image/gif *.gif Supported
JPEG 2000 Image image/jp2 *.jp2, *.jpg2 Supported
JPEG/JIFF Image image/jpeg *.jpeg, *.jpg, *.jpe Supported
PCX Image image/pcx *.pcx Supported
Portable Network Graphic image/png *.png Supported
Targa Image File image/tga *.tga Recognised
Tagged Image Format File image/tiff *.tiff, *.tif Supported
Corel Photo‐Paint Image image/vnd.corel‐photo‐pain *.cpt Recognised
Corel WordPerfect Graphics image/vnd.corel‐wordperfect‐graphics
*.wpg Recognised
Efax Image image/vnd.j2global‐efax *.efx, *.jsd Recognised
Lotus Notes Bitmap Image image/vnd.lotus‐notes‐bitmap Supported
Microsoft Windows Cursor Image format
image/vnd.ms‐windows‐cursor *.cur Supported
Wireless Bitmap Graphic image/vnd.wap.wbmp *.wbmp Supported
WebP Image image/webp *.webp Recognised
Macintosh QuickDraw Picture image/x‐pict *.pict, *.pct, *.pic Recognised
UNIX Portable Bitmap Graphic image/x‐portable‐bitmap *.pbm Supported
UNIX Portable Graymap Graphic image/x‐portable‐graymap *.pgm Supported
UNIX Portable Pixelmap Graphic image/x‐portable‐pixmap *.ppm Supported
292 Appendices
Supported File Types: Organized by Kind
MULTIMEDIA FILES
OTHER DOCUMENTS
Multimedia File Common Name File Type Possible Extensions Status
MPEG‐4 Video File application/mp4 *.mp4, *.m4a, *.mpeg4, *.mpeg, *.m4v
Recognised
Ogg Multimedia Container application/ogg *.ogg Recognised
Adobe Shockwave/Flash File application/x‐shockwave‐flash
*.swf Recognised
MIDI Audio File audio/midi *.mid, *.kar, *.rmi Recognised
MPEG Audio File audio/mpeg *.mp3, *.mp2 Recognised
RIFF WAVE Audio File audio/wav *.wav Recognised
Matroska Audio File audio/x‐matroska *.mka Recognised
Extensible Music Format Audio File audio/xmf *.xmf, *.mxmf Recognised
AVI Multimedia File video/avi *.avi Recognised
MPEG Video File video/mpeg *.mpg, *.mpeg, *.mpe, *.m1v Recognised
Apple QuickTime Multimedia File video/quicktime *.mov Recognised
Microsoft Advanced Systems Format (ASF) Multimedia File
video/vnd.ms‐asf *.wmv, *.asf, *.wma Recognised
WebM Video File video/webm *.webm Recognised
Matroska Video File video/x‐matroska *.mkv Recognised
Other Document Common Name File Type
Possible Extensions Status
RDF/XML Metadata File application/rdf+xml *.rdf, *.xml Recognised
Lotus Domino XML Person Document
application/vnd.lotus‐domino‐xml‐person‐document
*.xml Supported
Lotus Domino XML Other Document
application/vnd.lotus‐domino‐xml‐other‐document
*.xml Supported
Microsoft Equation Object application/vnd.ms‐equation Recognised
Microsoft OLE2 Encrypted Package File
application/vnd.ms‐ole2‐encrypted‐package Supported
Appendices 293
Supported File Types: Organized by Kind
Microsoft OneNote File application/vnd.ms‐onenote *.one Partially Supported
Microsoft OneNote Table of Contents File
application/vnd.ms‐onenote‐toc *.onetoc2 Partially Supported
Microsoft Outlook Contact application/vnd.ms‐outlook‐contact *.msg Supported
Microsoft Outlook Journal application/vnd.ms‐outlook‐journal *.msg Supported
Microsoft Outlook Sticky Note application/vnd.ms‐outlook‐stickynote *.msg Supported
Microsoft Outlook Task application/vnd.ms‐outlook‐task *.msg Supported
Microsoft Project File application/vnd.ms‐project *.mpp, *.mpt
Supported
Microsoft Reader eBook File application/vnd.ms‐reader *.lit Recognised
Microsoft Transport Neutral Encapsulation Format File
application/vnd.ms‐tnef *.dat Supported
OpenDocument Formula application/vnd.oasis.opendocument.formula *.odf, *.otf Supported
StarMath Formula application/vnd.stardivision.math *.smf Recognised
StarOMath XML Formula application/vnd.sun.xml.math *.sxm Supported
MIME/HTML Archive application/x‐mime‐html *.mht, *.mhtml
Supported
Extensible Hypertext Markup Language Document
application/xhtml+xml *.html, *.htm, *.xhtml, *.xht
Recognised
Extensible Markup Language File
application/xml *.xml Recognised
XSL Formatting Objects File application/xslfo+xml *.fo, *.xml Recognised
Hypertext Markup Language Document
text/html *.html, *.htm
Partially Supported
Plain Text text/plain *.txt Supported
Other Document Common Name File Type
Possible Extensions Status
294 Appendices
Supported File Types: Organized by Kind
PRESENTATIONS
Common Name File TypePossible Extensions Status
Corel Presentation application/vnd.corel‐presentations *.cpr, *.mst Recognised
WordPerfect Slide Show application/vnd.corel‐slideshow *.shw Recognised
Kingsoft Presentation Document
application/vnd.haansoft‐presentation *.hpt, *.rbk Recognised
Lotus Freelance Presentation application/vnd.lotus‐freelance *.prz, *.pre Recognised
Microsoft PowerPoint Presentation
application/vnd.ms‐powerpoint *.ppt, *.pot, *.pps, *.dps, *.dpt
Supported
OpenDocument Presentation application/vnd.oasis.opendocument.presentation *.odp, *.otp Supported
Microsoft 2007 PowerPoint Presentation
application/vnd.openxmlformats‐officedocument.presentationml.presentation
*.pptx, *.pptm, *.ppsx, *.ppsm
Supported
StarImpress Presentation application/vnd.stardivision.impress *.sdd, *.sdp Recognised
StarImpress XML Presentation
application/vnd.sun.xml.impress *.sxi, *.sti Supported
Uniform Office Presentation File
application/vnd.uof.presentation *.uop, *.uof Recognised
Appendices 295
Supported File Types: Organized by Kind
SPREADSHEETS
SYSTEM FILES
Spreadsheet Common Name File Type
Possible Extensions Status
Quattro Pro Spreadsheet application/vnd.corel‐quattro *.qpw, *.wq1, *.wq2, *.wb1, *.wb2
Recognised
Lotus 1‐2‐3 Spreadsheet File
application/vnd.lotus‐123 *.wk4 Partially Supported
Microsoft Excel Spreadsheet
application/vnd.ms‐excel *.xls, *.xlt, *.nxl, *.nxt, *.et, *.ett
Supported
Microsoft Works Spreadsheet
application/vnd.ms‐works‐ss *.wks, *.xlr Supported
Microsoft Excel Pre‐OLE2 Spreadsheet
application/vnd.ms‐excel‐pre‐ole2 *.xls Recognised
Microsoft Excel XML Spreadsheet
application/vnd.ms‐excel+xml *.xml Recognised
OpenDocument Spreadsheet
application/vnd.oasis.opendocument.spreadsheet *.ods, *.ots Supported
Microsoft 2007 Excel Binary Spreadsheet
application/vnd.openxmlformats‐officedocument.spreadsheet.binary
*.xlsb Supported
Microsoft 2007 Excel Spreadsheet
application/vnd.openxmlformats‐officedocument.spreadsheetml.sheet
*.xlsx, *.xlsm Supported
StarCalc Spreadsheet application/vnd.stardivision.calc *.sdc Recognised
StarCalc XML Spreadsheet application/vnd.sun.xml.calc *.sxc, *.stc Supported
Uniform Office Spreadsheet File
application/vnd.uof.spreadsheet *.uos, *.uof Recognised
Comma Separated Values text/csv *.csv Supported
Microsoft Excel Chart application/vnd.ms‐excel‐chart *.xlc Supported
System File Common Name File Type Possible Extensions Status
COFF Object File application/coff *.obj, *.o, *.exp Recognised
DOS Executable application/com *.com Recognised
Windows Dynamic Link Library application/dll *.dll, *.ocx, *.drv Recognised
296 Appendices
Supported File Types: Organized by Kind
Windows Executable application/exe *.exe, *.prx, *.scr, *.pif Recognised
Java Class application/java‐class *.class Supported
Mozilla/Firefox Browser Cache application/vnd.mozilla‐browser‐cache
Supported
Mozilla/Firefox Browser Cache Entry
application/vnd.mozilla‐browser‐cache‐entry
Supported
Microsoft Bitmap Font File application/vnd.ms‐fon *.fon Recognised
Microsoft Compressed HTML Help File
application/vnd.ms‐htmlhelp *.chm, *.chtml Supported
Microsoft Outlook Block application/vnd.ms‐outlook‐block *.dat Supported
Microsoft Outlook Property Block application/vnd.ms‐outlook‐property‐block
*.msg Supported
Microsoft Shortcut application/vnd.ms‐shortcut *.lnk Recognised
BitTorrent File application/x‐bittorrent *.torrent Recognised
Unix/Linux ELF Executable application/x‐elf Recognised
Empty File application/x‐empty Supported
Executable Script File application/x‐executable‐script Supported
X11 Font application/x‐font‐pmf *.pmf Recognised
OpenType Font application/x‐font‐ttc *.ttc Recognised
TrueType Font application/x‐font‐ttf *.ttf Recognised
Type 1 Font application/x‐font‐type1 *.pfm, *.pfb, *.pfa Recognised
Native Language Support File application/x‐nls *.nls Recognised
XSL Transformation File application/xslt+xml *.xsl, *.xslt, *.xml Recognised
Inaccessible Content filesystem/inaccessible Supported
Symbolic Link filesystem/symlink Recognised
Microsoft Windows Icon Image format
image/vnd.microsoft.icon *.ico Supported
Microsoft Windows Animated Cursor Image format
image/vnd.ms‐ani *.ani Recognised
Java Archive application/java‐archive *.jar, *.war, *.ear, *.sar
Supported
System File Common Name File Type Possible Extensions Status
Appendices 297
Supported File Types: Organized by Kind
WORD PROCESSOR DOCUMENTS
Microsoft Cabinet Archive application/vnd.ms‐cab‐compressed *.cab, *.snp Recognised
Microsoft Installer File application/vnd.ms‐installer *.msi Partially Supported
Word Processor Document Common Name File Type
Possible Extensions Status
DocBook Document application/docbook+xml *.dbk, *.xml Recognised
Portable Document Format application/pdf *.pdf Partially Supported
Postscript File application/postscript *.ps Recognised
WordPerfect Document application/vnd.corel‐wordperfect *.wpd Supported
Lotus WordPro Document application/vnd.lotus‐wordpro *.lwp Recognised
MicroPro WordStar Document application/vnd.micropro‐wordstar *.wsd Recognised
Microsoft Publisher File application/vnd.ms‐publisher *.pub Supported
Microsoft Word Document application/vnd.ms‐word *.doc, *.dot, *.wps, *.wpt
Supported
Microsoft Word Pre‐OLE2 Document
application/vnd.ms‐word‐pre‐ole2 *.doc Recognised
Microsoft Word XML Document application/vnd.ms‐word+xml *.xml Recognised
Microsoft Works Word Processor Document
application/vnd.ms‐works‐wp *.wps Supported
OpenDocument Text application/vnd.oasis.opendocument.text *.odt, *.ott, *.odm, *.oth
Supported
Microsoft 2007 Word Document
application/vnd.openxmlformats‐officedocument.wordprocessingml.document
*.docx, *.docm, *.dotm, *.dotx
Supported
StarWriter Document application/vnd.stardivision.writer *.sdw, *.sgl, *.vor Recognised
StarWriter XML Document application/vnd.sun.xml.writer *.sxw, *.stw, *.sxg Recognised
Uniform Office Text File application/vnd.uof.text *.uot, *.uof Recognised
Haansoft Hangul Word Processing File
application/x‐hwp *.hwp, *.hwt Recognised
System File Common Name File Type Possible Extensions Status
298 Appendices
Supported File Types: Organized by Kind
Ichitaro Word Processing File application/x‐js‐taro *.jtd, *.jtt, *.jtdc, *.jfw, *.jvw, *.jbw, *.juw, *.jaw, *.jtw, *.jsw
Recognised
Rich Text Format text/rtf *.rtf Supported
Word Processor Document Common Name File Type
Possible Extensions Status
Appendices 299
Supported File Types: Organized by Common Name
Supported File Types: Organized by Common NameTofollowisalistingofthefiletypesNuixDesktopsupportsorganizedinalphabeticalorderbycommonname.
Common Name File Type KindPossible Extensions
Support Level
7‐Zip Archive File application/x‐7z‐compressed Containers *.7z Supported
AccessData FTK Image
application/vnd.accessdata‐ftk‐imager Containers *.ad1 Supported
ACE Archive File application/x‐ace Containers *.ace Recognised
Adobe Illustrator Artwork
application/vnd.adobe‐illustrator Drawings *.ai Recognised
Adobe Photoshop Image
application/vnd.adobe‐photoshop Images *.psd Recognised
Adobe Shockwave/Flash File
application/x‐shockwave‐flash Multimedia *.swf Recognised
Apple Mail.app Email File
application/vnd.apple‐emlx Containers *.emlx Supported
Apple QuickTime Multimedia File
video/quicktime Multimedia *.mov Recognised
Apple UDIF Disk Image
application/vnd.apple‐udif Containers *.dmg Recognised
AutoCAD DWG Drawing
image/vnd.autocad‐dwg Drawings *.dwg Recognised
AutoCAD DXF Drawing
image/vnd.autocad‐dxf Drawings *.dxf Recognised
AVI Multimedia File video/avi Multimedia *.avi Recognised
BitTorrent File application/x‐bittorrent System Files *.torrent Recognised
Borland Paradox Database
application/vnd.borland‐paradox Databases *.db, *.px Recognised
bzip‐Compressed File
application/x‐bzip Containers *.bz2, *.tbz, *.tbz2
Supported
COFF Object File application/coff System Files *.obj, *.o, *.exp
Recognised
300 Appendices
Supported File Types: Organized by Common Name
Comma Separated Values
text/csv Spreadsheets *.csv Supported
Compressed ISO9660 Disk Image
application/x‐cso‐image Containers *.cso Recognised
Compuserve Graphic Interchange Format
image/gif Images *.gif Supported
Computer Graphics Metafile
image/cgm Drawings *.cgm Recognised
Corel Draw 6.0 Graphic
image/vnd.corel‐draw‐6 Drawings *.cdr6 Recognised
Corel Draw Drawing image/vnd.corel‐draw Drawings *.cdr, *.cdt, *.drw
Recognised
Corel Photo‐Paint Image
image/vnd.corel‐photo‐paint Images *.cpt Recognised
Corel Presentation application/vnd.corel‐presentations Presentations *.cpr, *.mst Recognised
Corel WordPerfect Graphics
image/vnd.corel‐wordperfect‐graphics Images *.wpg Recognised
Directory filesystem/directory Containers Supported
Disk Image application/x‐disk‐image Containers Supported
DocBook Document application/docbook+xml Word Processor Documents
*.dbk, *.xml Recognised
DOS Executable application/com System Files *.com Recognised
Drive filesystem/drive Containers Supported
Efax Image image/vnd.j2global‐efax Images *.efx, *.jsd Recognised
EmailXtender Archive
application/vnd.emc‐mailxtender Containers *.emx Supported
EmailXtender Notes Message
application/vnd.emc‐mailxtender‐notes‐msg Containers *.onm Supported
Empty File application/x‐empty System Files Supported
EnCase Disk Image application/vnd.guidance‐encase Containers *.e01 Partially Supported
EnCase Logical Volume File
application/vnd.guidance‐encase‐lvf Containers *.l01 Partially Supported
Common Name File Type KindPossible Extensions
Support Level
Appendices 301
Supported File Types: Organized by Common Name
Executable Script File
application/x‐executable‐script System Files Supported
Extensible Hypertext Markup Language Document
application/xhtml+xml Other Documents
*.html, *.htm, *.xhtml, *.xht
Recognised
Extensible Markup Language File
application/xml Other Documents
*.xml Recognised
Extensible Music Format Audio File
audio/xmf Multimedia *.xmf, *.mxmf
Recognised
gzip‐Compressed File
application/x‐gzip Containers *.gz, *.tgz, *.wmz, *.emz
Supported
Haansoft Hangul Word Processing File
application/x‐hwp Word Processor Documents
*.hwp, *.hwt
Recognised
Hypertext Markup Language Document
text/html Other Documents
*.html, *.htm
Partially Supported
Ichitaro Word Processing File
application/x‐js‐taro Word Processor Documents
*.jtd, *.jtt, *.jtdc, *.jfw, *.jvw, *.jbw, *.juw, *.jaw, *.jtw, *.jsw
Recognised
IMAP Mail Account server/imap Containers Supported
IMAP Mail Folder server/imap‐folder Containers Supported
Inaccessible Content filesystem/inaccessible System Files Supported
ISO9660 CD‐ROM Disk Image
application/x‐iso‐image Containers *.iso Supported
Java Archive application/java‐archive Containers, System Files
*.jar, *.war, *.ear, *.sar
Supported
Java Class application/java‐class System Files *.class Supported
JPEG 2000 Image image/jp2 Images *.jp2, *.jpg2
Supported
Common Name File Type KindPossible Extensions
Support Level
302 Appendices
Supported File Types: Organized by Common Name
JPEG/JIFF Image image/jpeg Images *.jpeg, *.jpg, *.jpe
Supported
Kingsoft Presentation Document
application/vnd.haansoft‐presentation Presentations *.hpt, *.rbk Recognised
Koomail Mail File application/vnd.koomail‐sml Containers *.sml Supported
Lotus 1‐2‐3 Spreadsheet File
application/vnd.lotus‐123 Spreadsheets *.wk4 Partially Supported
Lotus Domino XML Appointment
application/vnd.lotus‐domino‐xml‐appointment‐document
Email *.xml Supported
Lotus Domino XML Mail
application/vnd.lotus‐domino‐xml‐mail‐document
Email *.xml Supported
Lotus Domino XML Other Document
application/vnd.lotus‐domino‐xml‐other‐document
Other Documents
*.xml Supported
Lotus Domino XML Person Document
application/vnd.lotus‐domino‐xml‐person‐document
Other Documents
*.xml Supported
Lotus Freelance Presentation
application/vnd.lotus‐freelance Presentations *.prz, *.pre Recognised
Lotus Notes Bitmap Image
image/vnd.lotus‐notes‐bitmap Images Supported
Lotus Notes Database
application/vnd.lotus‐notes Containers *.nsf Supported
Lotus Notes Document
application/vnd.lotus‐notes‐document Email *.eml Supported
Lotus Notes View application/vnd.lotus‐notes‐view Containers Supported
Lotus WordPro Document
application/vnd.lotus‐wordpro Word Processor Documents
*.lwp Recognised
LZH Archive File application/x‐lzh‐archive Containers *.lzh, *.lha, *.arc
Supported
LZMA Archive File application/x‐lzma Containers *.lzma, *.tlz Supported
LZX Archive File application/x‐lzx Containers *.lzx Recognised
MacBinary Archive application/macbinary Containers *.macbin Supported
Macintosh QuickDraw Picture
image/x‐pict Images *.pict, *.pct, *.pic
Recognised
Common Name File Type KindPossible Extensions
Support Level
Appendices 303
Supported File Types: Organized by Common Name
Mailbox File application/mbox Containers *.mbox Supported
Matroska Audio File audio/x‐matroska Multimedia *.mka Recognised
Matroska Video File video/x‐matroska Multimedia *.mkv Recognised
Microforensics FileSafe Archive
application/vnd.microforensics‐filesafe Containers *.mfs01 Supported
Micrografx Designer Drawing
image/vnd.micrografx‐designer Drawings *.drw Recognised
MicroPro WordStar Document
application/vnd.micropro‐wordstar Word Processor Documents
*.wsd Recognised
Microsoft 2007 Access Database
application/vnd.ms‐access‐acedb Databases *.accdb Partially Supported
Microsoft 2007 Excel Binary Spreadsheet
application/vnd.openxmlformats‐officedocument.spreadsheet.binary
Spreadsheets *.xlsb Supported
Microsoft 2007 Excel Spreadsheet
application/vnd.openxmlformats‐officedocument.spreadsheetml.sheet
Spreadsheets *.xlsx, *.xlsm
Supported
Microsoft 2007 PowerPoint Presentation
application/vnd.openxmlformats‐officedocument.presentationml.presentation
Presentations *.pptx, *.pptm, *.ppsx, *.ppsm
Supported
Microsoft 2007 Word Document
application/vnd.openxmlformats‐officedocument.wordprocessingml.document
Word Processor Documents
*.docx, *.docm, *.dotm, *.dotx
Supported
Microsoft Access Database
application/vnd.ms‐access Databases *.mdb Partially Supported
Microsoft Advanced Systems Format (ASF) Multimedia File
video/vnd.ms‐asf Multimedia *.wmv, *.asf, *.wma
Recognised
Microsoft Backup Tape Archive
application/vnd.ms‐backup Containers *.bkf Recognised
Microsoft Bitmap Font File
application/vnd.ms‐fon System Files *.fon Recognised
Common Name File Type KindPossible Extensions
Support Level
304 Appendices
Supported File Types: Organized by Common Name
Microsoft Cabinet Archive
application/vnd.ms‐cab‐compressed Containers, System Files
*.cab, *.snp, *.onepkg
Supported
Microsoft ClipArt Gallery
application/vnd.ms‐clipart‐gallery Containers *.cag Recognised
Microsoft Compressed HTML Help File
application/vnd.ms‐htmlhelp System Files *.chm, *.chtml
Supported
Microsoft Equation Object
application/vnd.ms‐equation Other Documents
Recognised
Microsoft Excel Chart
application/vnd.ms‐excel‐chart Spreadsheets, Drawings
*.xlc Supported
Microsoft Excel Pre‐OLE2 Spreadsheet
application/vnd.ms‐excel‐pre‐ole2 Spreadsheets *.xls Recognised
Microsoft Excel Spreadsheet
application/vnd.ms‐excel Spreadsheets *.xls, *.xlt, *.nxl, *.nxt, *.et, *.ett
Supported
Microsoft Excel XML Spreadsheet
application/vnd.ms‐excel+xml Spreadsheets *.xml Recognised
Microsoft Exchange Server Property Store
application/vnd.ms‐exchange‐edb Containers *.edb Supported
Microsoft Exchange Server Streaming Store
application/vnd.ms‐exchange‐stm Databases *.stm Supported
Microsoft Graph Chart
application/vnd.ms‐graph Drawings *.gra Recognised
Microsoft Imaging Format
application/vnd.ms‐wim Containers *.wim Recognised
Microsoft Installer File
application/vnd.ms‐installer Containers, System Files
*.msi Partially Supported
Microsoft Internet Explorer Cache
application/vnd.ms‐ie‐cache Containers *.dat Supported
Microsoft Internet Explorer Cache Entry
application/vnd.ms‐ie‐cache‐entry Containers Supported
Common Name File Type KindPossible Extensions
Support Level
Appendices 305
Supported File Types: Organized by Common Name
Microsoft OLE2 Attachment Wrapper
application/vnd.ms‐ole2‐attachment Containers Supported
Microsoft OLE2 Encrypted Package File
application/vnd.ms‐ole2‐encrypted‐package Other Documents
Supported
Microsoft OLE2 Package File
application/vnd.ms‐ole2‐package Containers Supported
Microsoft OneNote File
application/vnd.ms‐onenote Other Documents
*.one Partially Supported
Microsoft OneNote Table of Contents File
application/vnd.ms‐onenote‐toc Other Documents
*.onetoc2 Partially Supported
Microsoft Outlook Activity
application/vnd.ms‐outlook‐activity Email *.msg, *.eml
Supported
Microsoft Outlook Appointment
application/vnd.ms‐outlook‐appointment Email *.msg, *.eml
Supported
Microsoft Outlook Block
application/vnd.ms‐outlook‐block System Files *.dat Supported
Microsoft Outlook Contact
application/vnd.ms‐outlook‐contact Other Documents
*.msg Supported
Microsoft Outlook Express 4 Mailbox
application/vnd.ms‐outlook‐express‐4 Containers *.mbx Supported
Microsoft Outlook Express Mailbox
application/vnd.ms‐outlook‐express Containers *.dbx Supported
Microsoft Outlook Folder
application/vnd.ms‐outlook‐folder Containers Supported
Microsoft Outlook Item
application/vnd.ms‐outlook‐item Email *.msg, *.eml
Supported
Microsoft Outlook Journal
application/vnd.ms‐outlook‐journal Other Documents
*.msg Supported
Microsoft Outlook Message
application/vnd.ms‐outlook‐msg Containers *.msg Supported
Microsoft Outlook Note
application/vnd.ms‐outlook‐note Email *.msg, *.eml
Supported
Common Name File Type KindPossible Extensions
Support Level
306 Appendices
Supported File Types: Organized by Common Name
Microsoft Outlook Personal Folder
application/vnd.ms‐outlook Containers *.pst Supported
Microsoft Outlook Property Block
application/vnd.ms‐outlook‐property‐block System Files *.msg Supported
Microsoft Outlook Schedule
application/vnd.ms‐outlook‐schedule Email *.msg, *.eml
Supported
Microsoft Outlook Shortcut
application/vnd.ms‐outlook‐shortcut Containers *.msg Supported
Microsoft Outlook Sticky Note
application/vnd.ms‐outlook‐stickynote Other Documents
*.msg Supported
Microsoft Outlook Task
application/vnd.ms‐outlook‐task Other Documents
*.msg Supported
Microsoft Photo Editor Object
application/vnd.ms‐photo‐editor Containers Recognised
Microsoft PowerPoint Presentation
application/vnd.ms‐powerpoint Presentations *.ppt, *.pot, *.pps, *.dps, *.dpt
Supported
Microsoft Project File
application/vnd.ms‐project Other Documents
*.mpp, *.mpt
Supported
Microsoft Publisher File
application/vnd.ms‐publisher Word Processor Documents
*.pub Supported
Microsoft Reader eBook File
application/vnd.ms‐reader Other Documents
*.lit Recognised
Microsoft Shell Scrap
application/vnd.ms‐shell‐scrap Containers *.shs, *.shb Supported
Microsoft Shortcut application/vnd.ms‐shortcut System Files *.lnk Recognised
Microsoft Transport Neutral Encapsulation Format File
application/vnd.ms‐tnef Other Documents
*.dat Supported
Microsoft Visio Drawing
application/vnd.ms‐visio Drawings *.vsd, *.vst, *.vss
Recognised
Common Name File Type KindPossible Extensions
Support Level
Appendices 307
Supported File Types: Organized by Common Name
Microsoft Windows Animated Cursor Image format
image/vnd.ms‐ani System Files *.ani Recognised
Microsoft Windows Cursor Image format
image/vnd.ms‐windows‐cursor Images *.cur Supported
Microsoft Windows Enhanced Metafile
image/vnd.ms‐emf Drawings *.emf Supported
Microsoft Windows Icon Image format
image/vnd.microsoft.icon System Files *.ico Supported
Microsoft Windows Metafile
image/vnd.ms‐wmf Drawings *.wmf Supported
Microsoft Word Document
application/vnd.ms‐word Word Processor Documents
*.doc, *.dot, *.wps, *.wpt
Supported
Microsoft Word Picture
application/vnd.ms‐word‐picture Drawings *.doc Recognised
Microsoft Word Pre‐OLE2 Document
application/vnd.ms‐word‐pre‐ole2 Word Processor Documents
*.doc Recognised
Microsoft Word XML Document
application/vnd.ms‐word+xml Word Processor Documents
*.xml Recognised
Microsoft Works Spreadsheet
application/vnd.ms‐works‐ss Spreadsheets *.wks, *.xlr Supported
Microsoft Works Word Processor Document
application/vnd.ms‐works‐wp Word Processor Documents
*.wps Supported
MIDI Audio File audio/midi Multimedia *.mid, *.kar, *.rmi
Recognised
MIME/HTML Archive application/x‐mime‐html Other Documents
*.mht, *.mhtml
Supported
Mozilla Mork Database
application/vnd.mozilla.mdb‐mork Databases *.mab, *.msf, *.dat
Supported
Mozilla/Firefox Browser Cache
application/vnd.mozilla‐browser‐cache System Files Supported
Common Name File Type KindPossible Extensions
Support Level
308 Appendices
Supported File Types: Organized by Common Name
Mozilla/Firefox Browser Cache Entry
application/vnd.mozilla‐browser‐cache‐entry System Files Supported
MPEG Audio File audio/mpeg Multimedia *.mp3, *.mp2
Recognised
MPEG Video File video/mpeg Multimedia *.mpg, *.mpeg, *.mpe, *.m1v
Recognised
MPEG‐4 Video File application/mp4 Multimedia *.mp4, *.m4a, *.mpeg4, *.mpeg, *.m4v
Recognised
MYOB Company File application/vnd.myob Databases *.myo, *.prm, *.dat, *.pls
Recognised
Native Language Support File
application/x‐nls System Files *.nls Recognised
Norton Ghost Disk Image
application/vnd.norton‐ghost Containers *.gho, *.ghs Recognised
Ogg Multimedia Container
application/ogg Multimedia *.ogg Recognised
OpenDocument Chart
application/vnd.oasis.opendocument.chart Drawings *.odc, *.otc Recognised
OpenDocument Database
application/vnd.oasis.opendocument.database
Drawings *.odb Partially Supported
OpenDocument Formula
application/vnd.oasis.opendocument.formula Other Documents
*.odf, *.otf Supported
OpenDocument Graphics
application/vnd.oasis.opendocument.graphics
Drawings *.odg, *.otg Supported
OpenDocument Image
application/vnd.oasis.opendocument.image Images *.odi, *.oti Recognised
OpenDocument Presentation
application/vnd.oasis.opendocument.presentation
Presentations *.odp, *.otp Supported
OpenDocument Spreadsheet
application/vnd.oasis.opendocument.spreadsheet
Spreadsheets *.ods, *.ots Supported
Common Name File Type KindPossible Extensions
Support Level
Appendices 309
Supported File Types: Organized by Common Name
OpenDocument Text application/vnd.oasis.opendocument.text Word Processor Documents
*.odt, *.ott, *.odm, *.oth
Supported
OpenType Font application/x‐font‐ttc System Files *.ttc Recognised
Parchive (Parity Archive) 1.0 File
application/x‐par Containers *.par Recognised
Parchive (Parity Archive) 2.0 File
application/x‐par2 Containers *.par, *.par2
Recognised
PCX Image image/pcx Images *.pcx Supported
Plain Text text/plain Other Documents, Unrecognised
*.txt Supported
POP Mail Account server/pop3 Containers Supported
POP Mail Folder server/pop3‐folder Containers Supported
Portable Document Format
application/pdf Word Processor Documents
*.pdf Partially Supported
Portable Network Graphic
image/png Images *.png Supported
Postscript File application/postscript Word Processor Documents
*.ps Recognised
Quattro Pro Spreadsheet
application/vnd.corel‐quattro Spreadsheets *.qpw, *.wq1, *.wq2, *.wb1, *.wb2
Recognised
RAR Archive File application/x‐rar‐compressed Containers *.rar Supported
RDF/XML Metadata File
application/rdf+xml Other Documents
*.rdf, *.xml Recognised
RFC822 Email Headers
message/rfc822‐headers Email *.eml Supported
RFC822 Email Message
message/rfc822 Email *.eml, *.mht
Supported
Common Name File Type KindPossible Extensions
Support Level
310 Appendices
Supported File Types: Organized by Common Name
Rich Text Format text/rtf Word Processor Documents
*.rtf Supported
RIFF WAVE Audio File
audio/wav Multimedia *.wav Recognised
RPM Archive File application/x‐rpm Containers *.rpm Recognised
Scraped Message message/x‐scraped Email *.eml Supported
Sonic Global Image application/vnd.sonic‐global‐image Containers *.gi Recognised
StarCalc Spreadsheet
application/vnd.stardivision.calc Spreadsheets *.sdc Recognised
StarCalc XML Spreadsheet
application/vnd.sun.xml.calc Spreadsheets *.sxc, *.stc Supported
StarDraw Drawing application/vnd.stardivision.draw Drawings *.sda Recognised
StarDraw XML Drawing
application/vnd.sun.xml.draw Drawings *.sxd, *.std Supported
StarImpress Presentation
application/vnd.stardivision.impress Presentations *.sdd, *.sdp Recognised
StarImpress XML Presentation
application/vnd.sun.xml.impress Presentations *.sxi, *.sti Supported
StarMath Formula application/vnd.stardivision.math Other Documents
*.smf Recognised
StarOMath XML Formula
application/vnd.sun.xml.math Other Documents
*.sxm Supported
StarWriter Document
application/vnd.stardivision.writer Word Processor Documents
*.sdw, *.sgl, *.vor
Recognised
StarWriter XML Document
application/vnd.sun.xml.writer Word Processor Documents
*.sxw, *.stw, *.sxg
Recognised
StuffIt Archive File application/x‐stuffit Containers *.sit, *.sitx Recognised
Symantec Vault DVS File
application/vnd.symantec‐vault Containers *.dvs Supported
Symbolic Link filesystem/symlink System Files Recognised
Tagged Image Format File
image/tiff Images *.tiff, *.tif Supported
Common Name File Type KindPossible Extensions
Support Level
Appendices 311
Supported File Types: Organized by Common Name
tar Archive File application/x‐tar Containers *.tar Supported
Targa Image File image/tga Images *.tga Recognised
Tencent Foxmail Box File
application/vnd.tencent‐foxmail‐box Containers *.box Supported
TrueType Font application/x‐font‐ttf System Files *.ttf Recognised
Type 1 Font application/x‐font‐type1 System Files *.pfm, *.pfb, *.pfa
Recognised
Uniform Office Presentation File
application/vnd.uof.presentation Presentations *.uop, *.uof Recognised
Uniform Office Spreadsheet File
application/vnd.uof.spreadsheet Spreadsheets *.uos, *.uof Recognised
Uniform Office Text File
application/vnd.uof.text Word Processor Documents
*.uot, *.uof Recognised
Unix Ar Archive File application/x‐ar Containers *.ar, *.deb, *.udeb, *.lib, *.a
Supported
UNIX compress‐Compressed File
application/x‐compress Containers *.z, *.taz Supported
UNIX Portable Bitmap Graphic
image/x‐portable‐bitmap Images *.pbm Supported
UNIX Portable Graymap Graphic
image/x‐portable‐graymap Images *.pgm Supported
UNIX Portable Pixelmap Graphic
image/x‐portable‐pixmap Images *.ppm Supported
Unix/Linux ELF Executable
application/x‐elf System Files Recognised
Valve GCF Archive File
application/vnd.valve‐gcf Containers *.gcf Recognised
WebM Video File video/webm Multimedia *.webm Recognised
WebP Image image/webp Images *.webp Recognised
Windows Bitmap Graphic
image/bmp Images *.bmp Supported
Windows Dynamic Link Library
application/dll System Files *.dll, *.ocx, *.drv
Recognised
Common Name File Type KindPossible Extensions
Support Level
312 Appendices
Supported File Types: Organized by Common Name
Windows Executable application/exe System Files *.exe, *.prx, *.scr, *.pif
Recognised
Windows Thumbs DB File
application/x‐thumbs‐db Containers *.db Supported
Wireless Bitmap Graphic
image/vnd.wap.wbmp Images *.wbmp Supported
WordPerfect Document
application/vnd.corel‐wordperfect Word Processor Documents
*.wpd Supported
WordPerfect Slide Show
application/vnd.corel‐slideshow Presentations *.shw Recognised
X11 Font application/x‐font‐pmf System Files *.pmf Recognised
XSL Formatting Objects File
application/xslfo+xml Other Documents
*.fo, *.xml Recognised
XSL Transformation File
application/xslt+xml System Files *.xsl, *.xslt, *.xml
Recognised
XZ Archive File application/x‐xz Containers *.xz Supported
Zip‐Compressed File application/x‐zip‐compressed Containers *.zip Supported
Common Name File Type KindPossible Extensions
Support Level
Appendices 313
Supported File Types: Organized by File Type
Supported File Types: Organized by File TypeTofollowisalistingofthefiletypesNuixDesktopsupportsorganizedinalphabeticalorderbyfiletype.
Common Name File Type Kind
Possible Extensions Status
COFF Object File application/coff System Files *.obj, *.o, *.exp
Recognised
DOS Executable application/com System Files *.com Recognised
Windows Dynamic Link Library
application/dll System Files *.dll Recognised
Windows Executable
application/exe System Files *.exe, *.prx, *.scr, *.pif
Recognised
Java Archive application/java‐archive Containers, System Files
*.jar, *.war, *.ear, *.sar
Supported
Java Class application/java‐class System Files *.class Supported
Mailbox File application/mbox Containers *.mbox Supported
MPEG‐4 Video File application/mp4 Multimedia *.mp4, *.m4a, *.mpeg4, *.mpeg, *.m4v
Recognised
Ogg Multimedia Container
application/ogg Multimedia *.ogg Recognised
Portable Document Format
application/pdf Word Processor Documents
*.pdf Partially Supported
Postscript File application/postscript Word Processor Documents
*.ps Recognised
Adobe Illustrator Artwork
application/vnd.adobe‐illustrator Drawings *.ai Recognised
Adobe Photoshop Image
application/vnd.adobe‐photoshop Images *.psd Recognised
314 Appendices
Supported File Types: Organized by File Type
Apple Mail.app Email File
application/vnd.apple‐emlx Containers *.emlx Supported
Apple UDIF Disk Image
application/vnd.apple‐udif Containers *.dmg Recognised
Borland Paradox Database
application/vnd.borland‐paradox Databases *.db, *.px Recognised
Corel Presentation application/vnd.corel‐presentations Presentations *.cpr, *.shw
Recognised
Quattro Pro Spreadsheet
application/vnd.corel‐quattro Spreadsheets *.qpw, *.wq1, *.wq2, *.wb1, *.wb2
Recognised
WordPerfect Slide Show
application/vnd.corel‐slideshow Presentations *.shw Recognised
WordPerfect Document
application/vnd.corel‐wordperfect Word Processor Documents
*.wpd Supported
EmailXtender Archive
application/vnd.emc‐mailxtender Containers *.emx Supported
EmailXtender Notes Message
application/vnd.emc‐mailxtender‐notes‐msg Containers *.onm Supported
EnCase Disk Image application/vnd.guidance‐encase Containers *.e01 Partially Supported
EnCase Logical Volume File
application/vnd.guidance‐encase‐lvf Containers *.l01 Partially Supported
Kingsoft Presentation Document
application/vnd.haansoft‐presentation Presentations *.hpt, *.rbk Recognised
Koomail Mail File application/vnd.koomail‐sml Containers *.sml Supported
Lotus 1‐2‐3 Spreadsheet File
application/vnd.lotus‐123 Spreadsheets *.wk4 Supported
Lotus Freelance Presentation
application/vnd.lotus‐freelance Presentations *.prz, *.pre Recognised
Common Name File Type Kind
Possible Extensions Status
Appendices 315
Supported File Types: Organized by File Type
Lotus Notes Database
application/vnd.lotus‐notes Containers *.nsf Supported
Lotus Notes Document
application/vnd.lotus‐notes‐document Email *.eml Supported
Lotus Notes View application/vnd.lotus‐notes‐view Containers Supported
Lotus WordPro Document
application/vnd.lotus‐wordpro Word Processor Documents
*.lwp Recognised
MicroPro WordStar Document
application/vnd.micropro‐wordstar Word Processor Documents
*.wsd Recognised
Mozilla Mork Database
application/vnd.mozilla.mdb‐mork Databases *.mab, *.msf, *.dat
Supported
Mozilla/Firefox Browser Cache
application/vnd.mozilla‐browser‐cache System Files Supported
Mozilla/Firefox Browser Cache Entry
application/vnd.mozilla‐browser‐cache‐entry System Files Supported
Microsoft Access Database
application/vnd.ms‐access Databases *.mdb Recognised
Microsoft Backup Tape Archive
application/vnd.ms‐backup Containers *.bkf Recognised
Microsoft Cabinet Archive
application/vnd.ms‐cab‐compressed Containers, System Files
*.cab, *.snp Recognised
Microsoft Excel Spreadsheet
application/vnd.ms‐excel Spreadsheets *.xls, *.xlt, *.nxl, *.nxt, *.et, *.ett
Supported
Microsoft Excel Chart
application/vnd.ms‐excel‐chart Spreadsheets, Drawings
*.xlc Supported
Microsoft Exchange Server Property Store
application/vnd.ms‐exchange‐edb Containers *.edb Supported
Microsoft Exchange Server Streaming Store
application/vnd.ms‐exchange‐stm Databases *.stm Supported
Common Name File Type Kind
Possible Extensions Status
316 Appendices
Supported File Types: Organized by File Type
Microsoft Bitmap Font File
application/vnd.ms‐fon System Files *.fon Recognised
Microsoft Compressed HTML Help File
application/vnd.ms‐htmlhelp System Files *.chm, *.chtml
Recognised
Microsoft Internet Explorer Cache
application/vnd.ms‐ie‐cache Containers *.dat Supported
Microsoft Internet Explorer Cache Entry
application/vnd.ms‐ie‐cache‐entry Containers Supported
Microsoft Installer File
application/vnd.ms‐installer Containers, System Files
*.msi Partially Supported
Microsoft OLE2 Attachment Wrapper
application/vnd.ms‐ole2‐attachment Containers Supported
Microsoft OLE2 Package File
application/vnd.ms‐ole2‐package Containers Supported
Microsoft Outlook Personal Folder
application/vnd.ms‐outlook Containers *.pst Supported
Microsoft Outlook Activity
application/vnd.ms‐outlook‐activity Email *.msg, *.eml
Supported
Microsoft Outlook Appointment
application/vnd.ms‐outlook‐appointment Email *.msg, *.eml
Supported
Microsoft Outlook Block
application/vnd.ms‐outlook‐block System Files *.dat Supported
Microsoft Outlook Contact
application/vnd.ms‐outlook‐contact Other Documents
*.msg Supported
Microsoft Outlook Express Mailbox
application/vnd.ms‐outlook‐express Containers *.dbx Supported
Microsoft Outlook Express 4 Mailbox
application/vnd.ms‐outlook‐express‐4 Containers *.mbx Supported
Microsoft Outlook Folder
application/vnd.ms‐outlook‐folder Containers Supported
Microsoft Outlook Item
application/vnd.ms‐outlook‐item Email *.msg, *.eml
Supported
Common Name File Type Kind
Possible Extensions Status
Appendices 317
Supported File Types: Organized by File Type
Microsoft Outlook Journal
application/vnd.ms‐outlook‐journal Other Documents
*.msg Supported
Microsoft Outlook Message
application/vnd.ms‐outlook‐msg Containers *.msg Supported
Microsoft Outlook Note
application/vnd.ms‐outlook‐note Email *.msg, *.eml
Supported
Microsoft Outlook Property Block
application/vnd.ms‐outlook‐property‐block System Files *.msg Supported
Microsoft Outlook Schedule
application/vnd.ms‐outlook‐schedule Email *.msg, *.eml
Supported
Microsoft Outlook Shortcut
application/vnd.ms‐outlook‐shortcut Containers *.msg Supported
Microsoft Outlook Sticky Note
application/vnd.ms‐outlook‐stickynote Other Documents
*.msg Supported
Microsoft Outlook Task
application/vnd.ms‐outlook‐task Other Documents
*.msg Supported
Microsoft PowerPoint Presentation
application/vnd.ms‐powerpoint Presentations *.ppt, *.pot, *.pps, *.dps, *.dpt
Supported
Microsoft Project File
application/vnd.ms‐project Other Documents
*.mpp, *.mpt
Supported
Microsoft Reader eBook File
application/vnd.ms‐reader Other Documents
*.lit Recognised
Microsoft Shell Scrap
application/vnd.ms‐shell‐scrap Containers *.shs, *.shb Supported
Microsoft Shortcut application/vnd.ms‐shortcut System Files *.lnk Recognised
Microsoft Transport Neutral Encapsulation Format File
application/vnd.ms‐tnef Other Documents
*.dat Supported
Microsoft Visio Drawing
application/vnd.ms‐visio Drawings *.vsd Recognised
Common Name File Type Kind
Possible Extensions Status
318 Appendices
Supported File Types: Organized by File Type
Microsoft Word Document
application/vnd.ms‐word Word Processor Documents
*.doc, *.dot, *.wps, *.wpt
Supported
Microsoft Works Spreadsheet
application/vnd.ms‐works‐ss Spreadsheets *.wks, *.xlr Supported
Microsoft Works Word Processor Document
application/vnd.ms‐works‐wp Word Processor Documents
*.wps Supported
MYOB Company File
application/vnd.myob Databases *.myo, *.prm, *.dat, *.pls
Recognised
OpenDocument Database
application/vnd.oasis.opendocument.database Drawings *.odb Recognised
OpenDocument Formula
application/vnd.oasis.opendocument.formula Other Documents
*.odf, *.otf Recognised
OpenDocument Graphics
application/vnd.oasis.opendocument.graphics Drawings *.odg, *.otg Recognised
OpenDocument Presentation
application/vnd.oasis.opendocument.presentation
Presentations *.odp, *.otp
Recognised
OpenDocument Spreadsheet
application/vnd.oasis.opendocument.spreadsheet
Spreadsheets *.ods, *.ots Recognised
OpenDocument Text
application/vnd.oasis.opendocument.text Word Processor Documents
*.odt, *.ott, *.odm, *.oth
Recognised
Microsoft 2007 PowerPoint Presentation
application/vnd.openxmlformats‐officedocument.presentationml.presentation
Presentations *.pptx, *.pptm, *.ppsx, *.ppsm
Supported
Microsoft 2007 Excel Binary Spreadsheet
application/vnd.openxmlformats‐officedocument.spreadsheet.binary
Spreadsheets *.xlsb Supported
Microsoft 2007 Excel Spreadsheet
application/vnd.openxmlformats‐officedocument.spreadsheetml.sheet
Spreadsheets *.xlsx, *.xlsm
Supported
Common Name File Type Kind
Possible Extensions Status
Appendices 319
Supported File Types: Organized by File Type
Microsoft 2007 Word Document
application/vnd.openxmlformats‐officedocument.wordprocessingml.document
Word Processor Documents
*.docx, *.docm, *.dotm, *.dotx
Supported
StarCalc Spreadsheet
application/vnd.stardivision.calc Spreadsheets *.sdc Recognised
StarDraw Drawing application/vnd.stardivision.draw Drawings *.sda Recognised
StarImpress Presentation
application/vnd.stardivision.impress Presentations *.sdd, *.sdp
Recognised
StarMath Formula application/vnd.stardivision.math Other Documents
*.smf Recognised
StarWriter Document
application/vnd.stardivision.writer Word Processor Documents
*.sdw, *.sgl, *.vor
Recognised
StarCalc XML Spreadsheet
application/vnd.sun.xml.calc Spreadsheets *.sxc, *.stc Recognised
StarDraw XML Drawing
application/vnd.sun.xml.draw Drawings *.sxd, *.std Recognised
StarImpress XML Presentation
application/vnd.sun.xml.impress Presentations *.sxi, *.sti Recognised
StarOMath XML Formula
application/vnd.sun.xml.math Other Documents
*.sxm Recognised
StarWriter XML Document
application/vnd.sun.xml.writer Word Processor Documents
*.sxw, *.stw, *.sxg
Recognised
Symantec Vault DVS File
application/vnd.symantec‐vault Containers *.dvs Supported
Tencent Foxmail Box File
application/vnd.tencent‐foxmail‐box Containers *.box Supported
Valve GCF Archive File
application/vnd.valve‐gcf Containers *.gcf Recognised
7‐Zip Archive File application/x‐7z‐compressed Containers *.7z Recognised
ACE Archive File application/x‐ace Containers *.ace Recognised
Common Name File Type Kind
Possible Extensions Status
320 Appendices
Supported File Types: Organized by File Type
Unix Ar Archive File application/x‐ar Containers *.ar, *.deb, *.udeb, *.lib
Recognised
BitTorrent File application/x‐bittorrent System Files *.torrent Recognised
bzip‐Compressed File
application/x‐bzip Containers *.bz2, *.tbz, *.tbz2
Supported
UNIX compress‐Compressed File
application/x‐compress Containers *.z, *.taz Supported
Compressed ISO9660 Disk Image
application/x‐cso‐image Containers *.cso Recognised
Disk Image application/x‐disk‐image Containers Supported
Unix/Linux ELF Executable
application/x‐elf System Files Recognised
Empty File application/x‐empty System Files Supported
Executable Script File
application/x‐executable‐script System Files Supported
X11 Font application/x‐font‐pmf System Files *.pmf Recognised
OpenType Font application/x‐font‐ttc System Files *.ttc Recognised
TrueType Font application/x‐font‐ttf System Files *.ttf Recognised
Type 1 Font application/x‐font‐type1 System Files *.pfm, *.pfb, *.pfa
Recognised
gzip‐Compressed File
application/x‐gzip Containers *.gz, *.tgz, *.wmz, *.emz
Supported
Haansoft Hangul Word Processing File
application/x‐hwp Word Processor Documents
*.hwp, *.hwt
Recognised
ISO9660 CD‐ROM Disk Image
application/x‐iso‐image Containers *.iso Recognised
Common Name File Type Kind
Possible Extensions Status
Appendices 321
Supported File Types: Organized by File Type
Ichitaro Word Processing File
application/x‐js‐taro Word Processor Documents
*.jtd, *.jtt, *.jtdc, *.jfw, *.jvw, *.jbw, *.juw, *.jaw, *.jtw, *.jsw
Recognised
LZH Archive File application/x‐lzh‐archive Containers *.lzh, *.lha, *.arc
Supported
LZX Archive File application/x‐lzx Containers *.lzx Recognised
Native Language Support File
application/x‐nls System Files *.nls Recognised
Parchive (Parity Archive) 1.0 File
application/x‐par Containers *.par Recognised
Parchive (Parity Archive) 2.0 File
application/x‐par2 Containers *.par, *.par2
Recognised
RAR Archive File application/x‐rar‐compressed Containers *.rar Supported
Adobe Shockwave/Flash File
application/x‐shockwave‐flash Multimedia *.swf Recognised
StuffIt Archive File application/x‐stuffit Containers *.sit, *.sitx Recognised
tar Archive File application/x‐tar Containers *.tar Supported
Zip‐Compressed File
application/x‐zip‐compressed Containers *.zip Supported
MIDI Audio File audio/midi Multimedia *.mid, *.kar, *.rmi
Recognised
MPEG Audio File audio/mpeg Multimedia *.mp3, *.mp2
Recognised
RIFF WAVE Audio File
audio/wav Multimedia *.wav Recognised
Matroska Audio File
audio/x‐matroska Multimedia *.mka Recognised
Extensible Music Format Audio File
audio/xmf Multimedia *.xmf, *.mxmf
Recognised
Directory filesystem/directory Containers Supported
Common Name File Type Kind
Possible Extensions Status
322 Appendices
Supported File Types: Organized by File Type
Drive filesystem/drive Containers Supported
Inaccessible Content
filesystem/inaccessible System Files Supported
Symbolic Link filesystem/symlink System Files Recognised
Windows Bitmap Graphic
image/bmp Images *.bmp Supported
Computer Graphics Metafile
image/cgm Drawings *.cgm Recognised
Compuserve Graphic Interchange Format
image/gif Images *.gif Supported
JPEG 2000 Image image/jp2 Images *.jp2, *.jpg2
Supported
JPEG/JIFF Image image/jpeg Images *.jpeg, *.jpg, *.jpe
Supported
PCX Image image/pcx Images *.pcx Supported
Portable Network Graphic
image/png Images *.png Supported
Targa Image File image/tga Images *.tga Recognised
Tagged Image Format File
image/tiff Images *.tiff, *.tif Supported
AutoCAD DWG Drawing
image/vnd.autocad‐dwg Drawings *.dwg Recognised
Corel Draw Drawing
image/vnd.corel‐draw Drawings *.cdr, *.cdt, *.drw
Recognised
Lotus Notes Bitmap Image
image/vnd.lotus‐notes‐bitmap Images Supported
Micrografx Designer Drawing
image/vnd.micrografx‐designer Drawings *.drw Recognised
Microsoft Windows Icon Image format
image/vnd.microsoft.icon System Files *.ico Supported
Common Name File Type Kind
Possible Extensions Status
Appendices 323
Supported File Types: Organized by File Type
Microsoft Windows Animated Cursor Image format
image/vnd.ms‐ani System Files *.ani Recognised
Microsoft Windows Enhanced Metafile
image/vnd.ms‐emf Drawings *.emf Supported
Microsoft Windows Cursor Image format
image/vnd.ms‐windows‐cursor Images *.cur Supported
Microsoft Windows Metafile
image/vnd.ms‐wmf Drawings *.wmf Supported
Wireless Bitmap Graphic
image/vnd.wap.wbmp Images *.wbmp Supported
Macintosh QuickDraw Picture
image/x‐pict Images *.pict, *.pct, *.pic
Recognised
UNIX Portable Bitmap Graphic
image/x‐portable‐bitmap Images *.pbm Supported
UNIX Portable Graymap Graphic
image/x‐portable‐graymap Images *.pgm Supported
UNIX Portable Pixelmap Graphic
image/x‐portable‐pixmap Images *.ppm Supported
RFC822 Email Message
message/rfc822 Email *.eml, *.mht
Supported
RFC822 Email Headers
message/rfc822‐headers Email *.eml Supported
Scraped Message message/x‐scraped Email *.eml Supported
IMAP Mail Account server/imap Containers Supported
IMAP Mail Folder server/imap‐folder Containers Supported
POP Mail Account server/pop3 Containers Supported
POP Mail Folder server/pop3‐folder Containers Supported
Comma Separated Values
text/csv Spreadsheets *.csv Supported
Common Name File Type Kind
Possible Extensions Status
324 Appendices
Supported File Types: Organized by File Type
Hypertext Markup Language Document
text/html Other Documents
*.html, *.htm
Partially Supported
Plain Text text/plain Other Documents
*.txt Supported
Rich Text Format text/rtf Word Processor Documents
*.rtf Supported
AVI Multimedia File
video/avi Multimedia *.avi Recognised
MPEG Video File video/mpeg Multimedia *.mpg, *.mpeg, *.mpe, *.m1v
Recognised
Apple QuickTime Multimedia File
video/quicktime Multimedia *.mov Recognised
Microsoft Advanced Systems Format (ASF) Multimedia File
video/vnd.ms‐asf Multimedia *.wmv, *.asf, *.wma
Recognised
Matroska Video File
video/x‐matroska Multimedia *.mkv Recognised
Common Name File Type Kind
Possible Extensions Status
Appendices 325
Rendering Documents to PDF or TIFF
Rendering Documents to PDF or TIFFNuixusesOffice2010torendersupporteddocumenttypestoPDF.ThecombinationofWord,Excel,andPowerPointprovideameansofopeningmostbusinessproductivityfiletypes,andsavingthemasaPDF.NuixwillfirstrenderadocumenttoPDF,andthenconvertthatPDFtoaTIFFusingGhostScript.
FILE TYPES EXCLUDED FROM IMAGE CONVERSION
NuixdoesnotattempttoconvertthefollowingfiletypestoPDForTIFF.InsteadaslipsheetisinsertedandthenativefileexportedwithamatchingDOCID.
Nuixfiletype(MIMEtype):
• application/vnd.corel‐quattro• application/vnd.lotus‐123• application/vnd.ms‐works‐ss• application/vnd.stardivision.calc• text/csv• application/vnd.ms‐access• application/octet‐stream• application/vnd.myob• video/*• audio/*
Conditionalimageconversion:
• application/vnd.ms.excel• application/vnd.openxmlformats‐officedocument.spreadsheetml.sheet
Note:ThetwoExcelfiletypesareconditionallyimagedbasedontheImageExcelSpreadsheetsoption.See“ImageExcelspreadsheets”onpage 86.
Theslipsheetwillread:"Unprintabledocument‐refertonativefile"andincludethesomeitemleveldetail:
• Name• GUID• MIMEType
Seethereferencedexampleslipsheet.
326 Appendices
Rendering Documents to PDF or TIFF
Note:ThisexampleisaJPEG.TheactualslipsheetwillbeeitheraTIFFonPDFdependingontheselectedimageexporttype.
Theseitemscanbereviewedbyeitherfilteringonthefiletype,searchingbyfiletypeofbrowsingthestatisticsview.IftheseitemsneedtobeconvertedtoeitherTIFForPDF,youcanusethePDFtaboftheitemview(withinthePreviewpane)toimportPDFsgeneratedoutsideofNuix.
FILE TYPES EXCLUDED FROM LEGAL EXPORT
Nuixonlyexportsitemsthatcontainbinarydata.
Itemsthatdonotcontainbinarydatacanbefoundusingthehas‐binarysearchsyntax.See“Examples:”onpage 191.
FileTypesexcludedfromlegalexports(unprintableMIMEtypes)includethefollowing.
Systemfiles(kind:system)
• application/com• application/dll• application/exe• application/java‐class• application/vnd.ms‐fon• application/vnd.ms‐htmlhelp• application/vnd.ms‐installer• application/vnd.ms‐outlook‐property‐block• application/vnd.ms‐shortcut• application/x‐empty• application/x‐font‐ttf• application/x‐nls• filesystem/inaccessible• image/vnd.microsoft.icon• image/vnd.ms‐ani
Containers(kind:container)
• application/vnd.ms‐exchange.edb• application/vnd.guidance‐encase
Appendices 327
Rendering Documents to PDF or TIFF
• application/vnd.ms‐exchange‐edb• application/vnd.ms‐ie‐cache• application/vnd.ms‐ie‐cache‐entry• application/vnd.ms‐outlook• application/vnd.ms‐outlook‐folder• application/vnd.nuix‐evidence• application/x‐disk‐image• application/x‐gzip• application/x‐zip‐compressed• filesystem/directory• filesystem/drive
IMAGE TYPES CONVERTED TO PDF/TIFF NuixconvertsthefollowingimagetypestoPDF/TIFFduringthelegalexport.ImagetypesnotonthislistarereplacedbyaslipsheetandtheirnativefileisexportedwiththeappropriateDOCID.
Imagetypes(MIMEtypes)convertedbyNuix:
• image/bmp• image/gif• image/jpeg• image/jp2• image/pcx• image/png• image/tiff• image/vnd_lotus_notes_bitmap• image/vnd_microsoft_icon• image/vnd_ms_emf• image/vnd_ms_wmf• image/vnd_wap_wbmp• image/x_portable_bitmap• image/x_portable_graymap• image/x_portable_pixmap
328 Appendices