Solution Guide
Analyze
Checking the Installation
When you have completed the installation, open the Task Manager on the
remote computer, and keep it open while you add the evidence and begin
processing. Doing so lets you watch the activity of
ProcessingEngine.exe in the Processes tab.
The Distributed Processing Engine does not activate until a case exceeds
approximately 30,000 items. When it does activate, you will see the CPU
percentage and Memory usage for ProcessingEngine.exe increase in
Task Manager.
Finding Files on the Network
Best practice demands that evidence and working files be stored separately on
the network. Dell recommends setting up two share drives, then establishing
case files and subfiles from there as illustrated in Figure 5-3.
Figure 5-3. Dell Recommended File Structure
[Figure: directory tree within the Dell Forensics Domain.
Evidence Share (\\Fileserver\Evidence): case folders CASE0001 and CASE0002,
holding the image files Case0001-01.E01 through Case0001-03.E01 and
Case0002-01.E01 through Case0002-02.E01.
Workspace Share (\\Workspace\Share): case folders CASE0001 and CASE0002,
each with Encase6, FTK3 and FTK1.8 folders; Export, Temp and Index folders
appear below them.
The drive letters V:\ and M:\ also appear in the figure.]