Nuix Proof Finder Reference Guide
Working with Cases and Loading Data
Version 7.2
Revision History
The following changes have been made to this document.
VERSION NUMBER | REVISION DATE | DESCRIPTION
6.2 | October 2015 | Minor Improvements
7.2 | December 2016 | Minor changes
DISCLAIMER
© 2016 Nuix. All rights reserved.
This publication is intended for informational purposes only. The information contained herein is provided “as-is” and is subject to
change without notice. Although reasonable care has been taken to ensure that the facts stated in this publication are accurate and
that the opinions expressed are fair and reasonable, no representation or warranty, express or implied, is made as to the fairness,
accuracy or completeness of the information or opinions contained herein, and no reliance should be placed on such information or
opinions. Neither Nuix nor any of its respective members, directors, officers or employees nor any other person accepts any liability
whatsoever for any loss arising from any use of such information or opinions or otherwise arising in connection with this
publication. Furthermore, this publication contains the confidential and/or proprietary information of Nuix which may not be
reproduced, redistributed, or published in any form or by any means, in whole or in part, without the express prior written consent
of Nuix. The use, reproduction, and/or distribution of any Nuix software described in this publication requires an applicable
software license.
December 2016 Nuix Proof Finder Reference Guide
PAGE 2 of 31
Contents
Working with Cases (page 4)
  Creating a Case (page 4)
    New Case Settings (page 5)
  Open an existing Case (page 6)
    Editing Case Information (page 7)
  Helpful Links (page 7)
Loading Data (page 9)
  Adding Case Evidence (page 9)
  Evidence Processing Settings (page 14)
    Data Processing Settings (page 15)
    Mime Type Settings (page 18)
    Logstash files in Proof Finder (page 19)
    Parallel Processing Settings (page 20)
    Decryption Keys (page 21)
  Interrupting a Processing Job (page 26)
  The Statistics Tab (page 28)
  Reload Data (page 29)
  Importing Annotations from a File (page 31)
  Best Practices (page 31)
Figures
Figure 1: Create Case via Welcome Window (page 4)
Figure 2: Create Case via File Menu (page 5)
Figure 3: Create a New Case (page 5)
Figure 4: Edit Case Properties (page 7)
Figure 5: Add Case Evidence (page 9)
Figure 6: Add Mail Store (page 10)
Figure 7: Sharepoint Location (page 10)
Figure 8: MS SQL Server Instance (page 12)
Figure 9: Dropbox Team Account (page 13)
Figure 10: Data Processing Settings (page 15)
Figure 11: Mime Type Settings (page 18)
Figure 12: Logstash Files (page 19)
Figure 13: Parallel Processing Settings (page 20)
Figure 14: Decryption Keys (page 21)
Figure 15: Specify Regular Expression (page 23)
Figure 16: Add Lotus Notes ID File (page 23)
Figure 17: Interrupting a Processing Job (page 26)
Figure 18: Stop Processing (page 26)
Figure 19: Reloading Data (page 29)
Working with Cases
Proof Finder, created by Nuix, enables you to create new cases and add evidence to existing cases. During this
process, you specify the files, directories, or mail stores you want to add to the case. It then ingests the items
and processes them, adding metadata and indexing them for search, analysis, review, and export tasks. There
is no specified limit for adding items to a single case.
Creating a Case
The first step in getting data into Proof Finder is to create a case, which is the container for a collection of data
that holds the evidence for a particular investigation. You can create a new case by selecting New Case from
the Welcome Screen or by selecting File > New Case from the File menu.
Figure 1: Create Case via Welcome Window
Or
Figure 2: Create Case via File Menu
New Case Settings
The New Case window allows you to create a simple case or join several small cases together into a compound
case.
To create a case:
1. Specify a case name.
2. Select the directory location to save the case.
3. Specify the investigator (name or ID) for the case.
4. Briefly describe the case so that it is easily identifiable.
5. For Case type, select either Simple or Compound.
   When you create a simple case, you can add any collection of items (emails, documents, images,
   etc.), which are then ingested and indexed. A compound case is one that ties together multiple simple
   cases that have already been processed; you cannot add individual items to the collection during this
   step when you create a compound case.
6. Select OK to save the case.
Figure 3: Create a New Case
These details can be edited by navigating to File > Case Properties. The information you specify here is saved
as a part of the case properties.
Proof Finder creates the case, and the Add Case Evidence window displays, allowing you to add evidence for
further processing.
Opening an existing Case
To open an existing case, do one of the following:
1. Select a case from the list of recently opened cases displayed on the welcome screen.
2. Select Open Case from the welcome screen.
3. Select File > Recent Cases or File > Open Case from the File menu.
Editing Case Information
To edit the descriptive case information defined when a case was created, select File > Case Properties. The
Case Properties window displays.
Figure 4: Edit Case Properties
The Case Properties window allows you to edit the case Name, Investigator and Description. This dialog
also allows you to set the investigation time zone (the time zone associated with the source data), which
controls all date/time values presented in Proof Finder. This allows investigators to view result sets and Event
Maps based on the geography/time zone of the custodian(s). Proof Finder also applies this time zone to the
exported metadata during all exports.
Proof Finder stores all date/time values in absolute time (system time), which is recorded as the number of
ticks since the epoch: http://en.wikipedia.org/wiki/System_time.
For each date/time, Proof Finder calculates the offset based on the time zone, then stores the system time.
Helpful Links
The following helpful links are listed on the right side of the Proof Finder Home window:
Help Topics – shows a listing of help topics as a quick reference, including:
  – ChangeLog
  – License Agreements
  – How to Search
  – Scripting
  – Reference
Online Help – navigates to the online version of the product documentation
Download Updates – shows helpful information, including:
  – Download, Install, Purchase, Activate
  – Proof Finder License Terms and Conditions
  – Getting Started
Loading Data
Adding Case Evidence
After creating a new case, add evidence to be ingested through the Add Case Evidence window, which appears
immediately after setting the properties of the case.
Figure 5: Add Case Evidence
The Add Case Evidence window allows you to add, remove and edit the metadata of case evidence before
Proof Finder retrieves and processes it.
Evidence can be added either as a static folder, folder of files, image or mail store, or as a
repository of evidence that can be re-scanned to index new files added.
Each piece of evidence can contain multiple files, directories or mail stores.
Evidence names within cases should be unique, in case you ever combine the simple case into a
compound case.
From the Add Case Evidence window, select Add > Add Evidence; the Add/Edit Evidence window displays.
When you select Add, the following options are available:
Add Files - allows the selection of files from a computer, network or external drive (for example: PST,
EDB, NSF, MBOX, etc.).
Add Folders - allows the selection of a directory that includes all files to be processed. This option is
recommended for importing an EnCase or Compressed EnCase image.
Add Split "DD" Files - allows the selection of the initial DD image files from a directory to add to the
case. DD files can be segmented image format files. All the file segments reside in the same directory,
and adding the initial or leading segment (file) adds the remaining segments as well.
Add this Computer - adds the local host computer as evidence.
Add Load File – allows the addition of an Autonomy, Concordance, or EDRM XML load file to the
case.
Add Network Location - Select from the following optional locations:
– Add Mail Store - Selects an individual mail store via POP or IMAP. Use this method to connect
  to Novell GroupWise or to corporate mail servers that support POP and IMAP connections, as
  well as to load Gmail, Hotmail and other internet-stored email data.
  To collect information from any of these sources, the appropriate credentials must be provided
  to Proof Finder. In the Add Mail Store window, specify the mail store type, server hostname,
  server port, username and password, and click OK.
  Figure 6: Add Mail Store
  Note: Connecting to corporate mail servers can result in exporting large volumes of data, which
  can put a heavy strain on the server. Also, storing a binary copy of the items harvested from a
  mail store should be considered best practice, as pointers to items can often change within
  mail servers.
– Add SharePoint Server - Connects to and extracts source data directly from SharePoint (2010)
  using web services. To collect information from this source, the appropriate credentials must be
  provided in the Sharepoint Location window. Specify the SharePoint server, domain,
  username and password correctly before clicking OK.
  Figure 7: Sharepoint Location
– Add Amazon S3 Buckets - Connects to and extracts source data directly from Amazon S3
  buckets using web services. To collect information from this source, the appropriate credentials
  must be provided in the Amazon S3 window. Specify the access key, secret key, bucket/path
  and endpoint correctly before clicking OK.
  The ingestion can be limited to a specific named bucket, or to a folder within the bucket, by
  specifying a bucket name followed by a path, for example "com.company.testbucket/nested/folder".
  If this is omitted, all buckets in the account will be ingested. The endpoint can usually be
  left unspecified, but it can be used to force the service to connect to a particular S3 server, which
  can be useful to connect to a specific region. For example: https://s3.amazonaws.com.
– Add MS SQL Server - Connects to and extracts source data directly from a live MS SQL Server
  engine instance.
Note: Ensure your DB Administration procedures are up-to-date, including backup and
recovery. The engine instance needs to be configured to allow TCP/IP connections. Any firewall
restrictions between the Proof Finder application and the DB instance must be removed to allow
the connection. The engine instance must be live, but idle. If any concurrent activities are
performed on the engine instance while the content is being read, reviewed or
analyzed, it can produce inconsistent Proof Finder results. The user credentials used to connect
to the DB require the necessary permissions to read the DB content. It is preferred to use the
System Administrator (‘sa’) account, or another account with the fixed server role ‘sysadmin’. Ask
your DB Administration support for more information.
Further information on the MS SQL Server product can be found at:
http://www.microsoft.com/
In the MS SQL Server Instance window, specify the server name, instance name (optional, depending on the
engine configuration), domain (optional, needs credentials to access the server), user/password (user
credentials), and query (optional, the consistent SQL query to filter the content).
Note: The query parameter is an advanced option that allows you to specify the SQL query to obtain the data,
including the use of SQL JOIN to combine different databases and tables. It is intended for users with proficient
SQL knowledge. To select all data from a known list of databases and/or tables use the Pre-Filter Evidence
window to specify the required data.
Figure 8: MS SQL Server Instance
Click Test Connection to ensure you are connected to the server. Click OK to process data.
Check your DB client utility if you encounter a problem while connecting.
Add Dropbox Account – Connects to and extracts source data from a Dropbox account.
Warning: Ensure your computer is connected to the internet.
The Dropbox Account option allows you to add either a team account or an individual account.
To Add a Dropbox Team Account:
On selecting the Add Team Account option, the Dropbox authentication page is displayed; click Allow to
authenticate. The login page is displayed; enter the team administrator credentials and sign in.
Figure 9: Dropbox Team Account
The team account authentication page is displayed; click Allow to proceed.
In the Pre-Filter Evidence panel, a list of all the accounts in the team is displayed. Select the accounts
you wish to ingest and click OK.
To Add a Dropbox Individual Account:
Select Add Individual Account and follow the same procedure as for a team account, providing
the credentials of the account you wish to ingest. In the Pre-filter Evidence panel, only the individual account is
listed for ingestion. Click OK to proceed.
From the Add Case Evidence window, select Add; the Add/Edit Evidence window displays.
You need to describe the set of evidence that you are adding, including certain metadata properties:
Content - allows for free text entry.
Evidence Name - allows the evidence to be uniquely and meaningfully described for future
reference within your case. You should use unique, meaningful evidence names, as you can both
search for these names and view them in the Document Navigator, but you cannot change them once the
evidence is processed.
Comments - allows you to add an optional description or further information about the evidence you are
adding.
Custodian - optionally allows the assignment of a custodian name to all the evidence which has been
added for processing. This custodian name can be added or modified post-processing within the case.
Source Time Zone - should be set to reflect the original time zone in which the evidence was
harvested. Proof Finder records date/time values exactly as it finds them in the evidence stores and
stores date/time values in UTC format. The Source Time Zone can be used to adjust date/time
values when creating load files/reports and rendering items to PDF or TIFF format for items that do
not store time zone information, if the default Investigator time zone is not used.
Source Encoding - numerous encoding options are available to choose from.
Evidence Metadata - allows you to add custom metadata to every item within a given set of evidence,
either manually or by importing it via a .csv file.
You can also set the processing settings for each load of evidence from the Settings section at the bottom right
corner.
Note: You can only add custom metadata when you add the evidence for processing. Once Proof Finder loads
the data, you can only add tags and comments to items.
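To make the date/time handling concrete, here is an added example covering both the investigation time zone described under Editing Case Information and the Source Time Zone evidence property above (illustrative code written for this guide, not Proof Finder's implementation): a timestamp that carries no zone information is interpreted in the source time zone, stored as seconds since the epoch, and rendered in the investigation time zone; it also flags local times that a DST change makes ambiguous or nonexistent. The zone names and timestamps are constructed.

```python
"""Added example (not Proof Finder's code): how a zone-less evidence
timestamp becomes an absolute (epoch) value and is rendered in the
investigation time zone.  Zone names and timestamps are constructed."""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

FMT = "%Y-%m-%d %H:%M:%S"


def fixed_offset(hours):
    """A zone with a constant UTC offset (for evidence that recorded one)."""
    return timezone(timedelta(hours=hours))


def _zone(zone):
    """Accept an IANA zone name (e.g. 'Europe/London') or a tzinfo object."""
    return ZoneInfo(zone) if isinstance(zone, str) else zone


def to_epoch(naive_text, source_zone, fold=0):
    """Interpret a date/time that carries no zone information in the source
    time zone and return absolute time as whole seconds since the Unix epoch.
    fold=0/1 picks the first/second occurrence of a local time that happens
    twice at a DST fall-back."""
    naive = datetime.strptime(naive_text, FMT)
    aware = naive.replace(tzinfo=_zone(source_zone), fold=fold)
    return int(aware.timestamp())


def render(epoch, investigation_zone):
    """Render a stored absolute time in the investigation time zone."""
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return utc.astimezone(_zone(investigation_zone)).strftime(FMT + " UTC%z")


def local_time_status(naive_text, source_zone):
    """Classify a zone-less local time: 'unique', 'ambiguous' (occurs twice at a
    DST fall-back) or 'nonexistent' (skipped at a DST spring-forward).  Either
    of the last two means the stored absolute time depends on a choice the
    evidence itself cannot settle."""
    zone = _zone(source_zone)
    naive = datetime.strptime(naive_text, FMT)
    first = naive.replace(tzinfo=zone, fold=0)
    second = naive.replace(tzinfo=zone, fold=1)
    if first.utcoffset() == second.utcoffset():
        return "unique"
    # Both a repeated and a skipped local time yield two offsets; only the
    # repeated one survives a round trip through UTC unchanged.
    round_trip = first.astimezone(timezone.utc).astimezone(zone).replace(tzinfo=None)
    return "ambiguous" if round_trip == naive else "nonexistent"


if __name__ == "__main__":
    # Constructed sample: a mail item stamped in London local time, reviewed
    # by an investigator whose case time zone is New York.
    stamp = "2016-12-01 09:15:00"
    epoch = to_epoch(stamp, "Europe/London")
    print(stamp, "Europe/London ->", epoch, "->", render(epoch, "America/New_York"))
    for sample in ("2016-11-06 01:30:00", "2016-03-13 02:30:00", stamp):
        print(sample, "America/New_York:", local_time_status(sample, "America/New_York"))
```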
Adding evidence as a repository allows the evidence location to be re-scanned and any new files added to the
repository to be indexed in addition to the originally indexed evidence. When adding an Evidence Repository,
add the root folder that contains the evidence. Each immediate sub-folder inside this folder is added as a
separate evidence container. Each immediate sub-folder can also be added as a new custodian on ingestion if
desired with the name of the sub-folder creating the custodian name.
Evidence Processing Settings
When you add evidence to a simple case or reload data from a source location, you can specify the type of
processing you wish Proof Finder to perform on the data.
The available tabs for Evidence Processing Settings are:
Data Processing Settings - lets you set various options for how the data is processed.
MIME Type Settings - lets you set Proof Finder to not process a particular evidence type, based on
the MIME type of the evidence.
Parallel Processing Settings - lets you set how individual worker machines will operate in a
distributed processing environment.
Decryption Keys - allows you to configure keys and passwords required to decrypt PGP and S/MIME
emails.
Audit Filtering - only visible for “audited” license types; allows you to define a digest list to exclude
items from the audit report.
Data Processing Settings
Data Processing Settings - allows granular control over how evidence is ingested and reloaded.
Figure 10: Data Processing Settings
Proof Finder offers the following options for processing evidence:
Perform Item Identification - identifies items with full metadata, or with minimal metadata if only
performing a light scan on a folder of files.
Calculate Processing Size Up-Front - enables the progress bar to display progress during the
ingestion process by the physical file size of the evidence.
Traversal - three options are provided for traversing the documents when ingesting:
– Process Loose Files but not their contents - ingests only the files found at the directory level
  without further extraction of attachments or internal items.
– Process Loose Files and forensic images but not their contents - allows forensic images to
  be treated like a file directory along with any loose files for ingestion without any further
  extraction.
– Full traversal - extracts all the items.
Evidence Settings:
– Reuse Evidence Stores - allows new evidence to be added to existing evidence indexes,
  which results in faster searching and exporting.
– Calculate Audited Size - allows the audit size field to be populated with a valid file size for
  items. This option is selected by default even if not set, as it is essentially an audited license.
– Store Binary of Data Items - allows a binary copy of the item to be stored within the case
  directory as a static copy, up to the maximum size set.
  Note: Selecting this option will increase the case size considerably, by approximately 50% - 200% of
  the original data size. This option will also slow the optimum indexing speed down by approximately 15
  - 20%.
Deleted File Recovery & Forensic Settings:
Note: * These options are generally used for larger forensic images. Since Proof Finder's case limit is
preset to 15 GB, it is unlikely these options could be used unless it is an extremely small image.
– *Recover deleted files from disk images - recovers all the deleted files from disk images.
– *Extract end-of-file slack space from disk images - extracts the end-of-file slack space from
  disk images.
– *Smart process Microsoft Registry files - smart-processes Microsoft Registry files.
– *Extract from mailbox slack space - extracts files from mailbox slack space.
– *Carve file system unallocated space - carves files from the file system's unallocated space.
Family Text Settings:
– Create family search fields for top level items - creates an extra field in the text index that
  contains the text of the top level item as well as the text of the descendants of that item.
  Note: This field is hidden in the UI and is only used to facilitate faster searching.
– Hide Immaterial Items (text rolled up to parent) - prevents the extraction and presentation of
  immaterial items in the results pane. The extracted text from hidden immaterial items is rolled up
  to its parent item so it is available for searching.
Text Indexing Settings:
– Analysis language - allows the selection of the language to be used. Only one language can
  be used per evidence store, and it cannot be changed when using the Reuse Evidence Store
  option.
– Use stop words - allows the English language stop words to not be indexed. Note: DTSearch
  excludes stop words from its index by default. This can result in different search counts being
  returned when comparing the results of Proof Finder and DTSearch based proximity queries.
– Use stemming - allows the stemming of all words during processing. Note: Proof Finder does
  not store both the stemmed and unstemmed variants of the words in the index; therefore it is
  very important to understand how stemming impacts a data set.
– Enable exact queries - stores the text content of items so as to enable the use of punctuation
  and capitalization when searching, essentially doing an exact string match. Note: Remember to
  use single quotes (‘ ’) around your search term to invoke exact queries.
Item Content Settings:
– Process text - allows you to capture text from the processed evidence items.
– Enable near-duplicates - enables the creation of word shingles to allow for near duplicate
  detection within the case.
– Enable text summarization - enables the identification of word shingles to allow for Near
  Duplicate detection and clustering within the case.
Named Entity Settings:
– Extract named entities from text - enables the capture of named entities from text for further
  analysis.
  » Include text stripped items - allows you to include text stripped items while extracting
    named entities from text.
– Extract named entities from properties - enables the capture of named entities from
  properties for further analysis.
Image Settings:
– Generate thumbnails for image data - generates a thumbnail image for any image processed
  within the dataset.
– Perform image colour and skintone analysis - captures skintone information on any images
  processed within the dataset.
Digest Settings:
– Digests to Compute - allows the generation of extra digests, in addition to the default MD5, for
  file signature checking, up to the maximum file size set. Select from SHA-1, SHA-256, and
  SSDeep. The default Maximum digest size is set to 256 MB.
– Maximum Digest Size - specifies the digest size, which limits the number of bytes used to
  compute a digest.
– Email Digest Settings - allows you to select additional fields to add to the default fields used in
  digest creation from emails only. Select from Include BCC and Include Item Date.
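As an added illustration of the Maximum Digest Size setting above (example code written for this guide, not Proof Finder's own implementation): digests are computed over at most the first N bytes of an item, so two items that differ only beyond that boundary receive identical MD5/SHA-1/SHA-256 values and would look like exact duplicates. The cap and sample items are constructed and scaled down from the 256 MB default so the example runs in a moment; SSDeep is omitted because it is not in the Python standard library.

```python
"""Added example (not Proof Finder's code): what the Maximum Digest Size
cap means for item digests.  Sizes and sample items below are constructed."""
import hashlib

MB = 1024 * 1024
DEFAULT_MAX_DIGEST_SIZE = 256 * MB   # the default cap named in the guide
ALWAYS = ("md5",)                     # MD5 is always computed
EXTRA = ("sha1", "sha256")            # optional SHA-1 / SHA-256 (SSDeep omitted)


def compute_digests(data, max_digest_size=DEFAULT_MAX_DIGEST_SIZE, extra=EXTRA, chunk=64 * 1024):
    """Digest at most the first max_digest_size bytes of an item.

    Returns ({algorithm: hexdigest}, truncated), where truncated is True when
    the item was longer than the cap, i.e. the digest does not cover all of it.
    """
    limit = min(len(data), max_digest_size)
    hashers = {name: hashlib.new(name) for name in ALWAYS + tuple(extra)}
    view = memoryview(data)[:limit]
    for offset in range(0, limit, chunk):          # stream in chunks, as a processor would
        piece = view[offset:offset + chunk]
        for h in hashers.values():
            h.update(piece)
    return {name: h.hexdigest() for name, h in hashers.items()}, limit < len(data)


def digest_collision(item_a, item_b, max_digest_size):
    """True when two items with different content receive identical digests
    under the cap, so digest-based deduplication would treat them as one."""
    digests_a, _ = compute_digests(item_a, max_digest_size)
    digests_b, _ = compute_digests(item_b, max_digest_size)
    return item_a != item_b and digests_a == digests_b


def partially_digested(items, max_digest_size=DEFAULT_MAX_DIGEST_SIZE):
    """Names of items whose size exceeds the cap; their digests cover only a
    prefix and should not be relied on for exact-duplicate decisions."""
    return sorted(name for name, data in items.items() if len(data) > max_digest_size)


if __name__ == "__main__":
    cap = 1024                                   # scaled-down cap for the demo
    head = b"A" * cap
    items = {                                    # constructed sample items
        "report-v1.bin": head + b"tail-1",
        "report-v2.bin": head + b"tail-2",
        "small.txt": b"hello",
    }
    for name, data in items.items():
        digests, truncated = compute_digests(data, cap)
        print(name, "md5=" + digests["md5"], "truncated=%s" % truncated)
    v1, v2 = items["report-v1.bin"], items["report-v2.bin"]
    print("collision under cap:", digest_collision(v1, v2, cap))
    print("collision with full-content digest:", digest_collision(v1, v2, 2 * cap))
    print("partially digested:", partially_digested(items, cap))
```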
Mime Type Settings
The MIME Type Settings tab allows you to control types of evidence items processed by Proof Finder,
including options for ignoring particular parts of the evidence item, based on the item’s MIME type.
Figure 11: Mime Type Settings
Select the MIME Type that needs to be processed. The table lists the following options:
Enable MIME Type - processes the MIME Type. Note: By deselecting this option, all other options are
cleared and therefore the selected MIME type is not processed.
Process descendants - processes descendants found within items of this MIME type. Some examples of
descendants are files within a zip archive, or files attached to one or more email messages stored within an
email store.
Process text mode - processes the text of the selected MIME types. You can select the Process Text, Text
Strip, or No Processing options. If you have selected the Text Strip option, by default the descendants are
unselected.
Process images - allows generation of thumbnails and capture of skin-tone information when processing
images for the selected MIME types.
Process named entities - processes Named Entities on the selected MIME type. The Enable named entity
recognition option from the Data Processing Settings tab must be selected to enable the identification and
capture of named entities within the data set for further analysis.
Store Binary - stores the binary of the selected MIME type. The Store Binary of Data Items option from the
Data Processing Settings tab must be selected to store the binary format within the databases in the case
directory.
TIP: Use (Ctrl+F) to search MIME types easily by entering keywords.
Logstash files in Proof Finder
Logstash is a free, open source tool for collecting and parsing log files. Logstash uses a simple workflow and
can parse any log files the investigator needs to analyze, using a range of Logstash filters.
Using the output file from Logstash, Proof Finder can ingest the log entries and apply context to the results, which
can assist the investigator in analyzing the log entries using a forensic tool with which they are familiar.
Once the user has parsed the logs using Logstash, the output can then be ingested into Proof Finder, where
named entity extraction, search macros, word-lists and other Proof Finder features can be used to analyze the
entries.
Processing logstash log files
In order to process Logstash files within Proof Finder, there are several prerequisites that the user must remember:
The output must use the ‘file’ output in order for the file to be read correctly.
The fields must be either float, integer or decimal, only.
Some filters enter field information in a JSON format; this cannot be read by Proof Finder.
The logstash log file and logstash file entry MIME types must be enabled on the MIME Type Settings tab before
ingestion of data.
Figure 12: Logstash Files
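The prerequisites above can be checked mechanically before ingestion. The following is an added example (not part of Proof Finder or Logstash) that audits a Logstash ‘file’ output, assuming its default json_lines codec (one JSON object per line); it flags lines that are not JSON and fields holding nested JSON objects or arrays, and, reading the guide's float/integer/decimal requirement as meaning numbers must not arrive as strings (an assumption), numeric values stored as strings. The sample lines are constructed.

```python
"""Added example (not Proof Finder's code): pre-ingestion audit of a Logstash
'file' output (default json_lines codec) against the guide's prerequisites.
The sample lines are constructed."""
import json

SAMPLE_OUTPUT = """\
{"@timestamp":"2016-12-01T09:15:00.000Z","host":"ws01","bytes":512,"duration":0.25,"message":"GET /index.html 200"}
{"@timestamp":"2016-12-01T09:15:01.000Z","host":"ws01","bytes":1024,"duration":0.4,"geoip":{"city":"Sydney","lat":-33.8}}
{"@timestamp":"2016-12-01T09:15:02.000Z","host":"ws02","bytes":"2048","tags":["_grokparsefailure"]}
not json at all
"""


def _json_kind(value):
    """Name the JSON type of a decoded value (bool is checked before int
    because bool is an int subclass in Python)."""
    if value is None:
        return "null"
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "integer"
    if isinstance(value, float):
        return "float"
    if isinstance(value, str):
        return "string"
    return "object" if isinstance(value, dict) else "array"


def _looks_numeric(text):
    """True for a string that parses as a number, e.g. "2048"."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def audit_logstash_output(text):
    """Return (field_types, problems).

    field_types maps each field name to the set of JSON types seen for it.
    problems is a list of (line_number, field_or_None, reason) covering:
      - lines that are not a JSON object at all,
      - fields whose value is nested JSON (object/array), which the guide
        says Proof Finder cannot read,
      - numeric values stored as strings, which are not typed as
        integer/float/decimal (assumed reading of the guide's requirement).
    """
    field_types = {}
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            problems.append((number, None, "line is not JSON"))
            continue
        if not isinstance(event, dict):
            problems.append((number, None, "line is not a JSON object"))
            continue
        for field, value in event.items():
            kind = _json_kind(value)
            field_types.setdefault(field, set()).add(kind)
            if kind in ("object", "array"):
                problems.append((number, field, "nested JSON (%s) is not readable" % kind))
            elif kind == "string" and _looks_numeric(value):
                problems.append((number, field, "number stored as string; convert to integer/float"))
    return field_types, problems


if __name__ == "__main__":
    types, issues = audit_logstash_output(SAMPLE_OUTPUT)
    for field in sorted(types):
        print("%-12s %s" % (field, ", ".join(sorted(types[field]))))
    for number, field, reason in issues:
        where = "" if field is None else " field '%s'" % field
        print("line %d%s: %s" % (number, where, reason))
```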
Identification & Analysis of Logstash logs
Logstash log files/entries can be identified from the search bar using a MIME type search (mime-type:application/vnd.logstash-log,
mime-type:application/vnd.logstash-log-entry), or from the filters pane under Logs > logstash log file / file entry. Parsed log entries
are named with the date on which the log entry event occurred and, as with other log files, all the log entry field data can be found
under the metadata tab.
Parallel Processing Settings
The Parallel Processing tab allows you to control how the Proof Finder workers operate while processing
(ingesting) the data. If you are using Proof Finder in a parallel processing environment, review the information
about distributed processing in the Installation and Configuration Guide.
Figure 13: Parallel Processing Settings
Proof Finder offers the following Worker settings:
Number of Workers - sets the number of nuix_single_worker.exe instances to use during a
processing job. In the majority of cases, you should always set this to the maximum available based
on your license. However, there are some cases when the number of workers needs to be reduced
and the amount of RAM increased to successfully process a dataset. By default, the value is set to the
maximum allowed by your license.
Memory Per Worker (MB) - sets the amount of RAM that each nuix_single_worker.exe has
available during a processing job. Proof Finder does not immediately consume the allocated memory,
but rather sets this to a threshold for the Java Virtual Machine. By default, the value is set to 1,000.
Note: The sum of ("Number of Workers" × "Memory per-worker") + "System Options | Application
Memory" should be at least 2 GB less than the total available RAM on the system.
Worker Temp Directory - specifies the temporary location used by the Proof Finder during
processing. Proof Finder uses this directory as cache for any files that it needs to write to disk.
Note: When processing Lotus Notes data, Proof Finder creates one copy of the active NSF file for
each nuix_single_worker.exe. For example: If you are processing one 10 GB NSF file, with a 4-core
license, Proof Finder creates four copies of the NSF file in the case temp directory.
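The two notes above give a memory rule and a temp-space rule that are easy to get wrong when sizing a processing host. The following script is an added example (not Nuix code) that encodes both: it checks whether a chosen worker count fits the RAM rule, derives the largest worker count the RAM allows, and estimates the temp space consumed by the per-worker NSF copies. The function names, the Application Memory figure and the host sizes are assumptions made for the example.

```python
"""Sanity-check Parallel Processing settings against the two notes above
(added example, not Nuix code): the worker and application memory
thresholds should leave at least 2 GB of the machine's RAM free, and
processing Lotus Notes data writes one copy of the active NSF file per
worker into the worker temp directory. Function names, parameter names
and the sample figures are assumptions made for this example.
"""

REQUIRED_HEADROOM_MB = 2 * 1024     # "at least 2 GB less than the total available RAM"


def memory_budget(total_ram_mb, workers, memory_per_worker_mb, app_memory_mb):
    """Return (fits, headroom_mb, max_workers_by_ram).

    headroom_mb is what remains after every worker JVM and the application
    JVM reach their thresholds; max_workers_by_ram is the largest worker
    count that still keeps REQUIRED_HEADROOM_MB free at this per-worker size.
    """
    committed = workers * memory_per_worker_mb + app_memory_mb
    headroom = total_ram_mb - committed
    spare_for_workers = total_ram_mb - REQUIRED_HEADROOM_MB - app_memory_mb
    max_workers = max(0, spare_for_workers // memory_per_worker_mb)
    return headroom >= REQUIRED_HEADROOM_MB, headroom, max_workers


def recommend_workers(total_ram_mb, license_max_workers, memory_per_worker_mb, app_memory_mb):
    """Worker count to configure: the licence cap unless RAM binds first."""
    _, _, by_ram = memory_budget(total_ram_mb, license_max_workers, memory_per_worker_mb, app_memory_mb)
    return min(license_max_workers, by_ram)


def nsf_temp_space_mb(nsf_sizes_mb, workers):
    """Worst-case temp space for the per-worker NSF copies.

    Each worker copies the NSF it is working on, so the peak is the largest
    file times the worker count (assumes all workers can be on that file).
    """
    return max(nsf_sizes_mb, default=0) * workers


if __name__ == "__main__":
    # Constructed scenario: 16 GB host, 4-worker licence, the default
    # 1,000 MB per worker and an assumed 2,000 MB Application Memory.
    fits, headroom, max_w = memory_budget(16 * 1024, 4, 1000, 2000)
    print(f"fits={fits} headroom={headroom} MB, RAM allows up to {max_w} workers")
    print("workers to configure:", recommend_workers(16 * 1024, 4, 1000, 2000))
    print("temp space for one 10 GB NSF (MB):", nsf_temp_space_mb([10 * 1024], 4))
```

Run it before committing to a worker count on a small host: a 4 GB machine with the same defaults fails the rule outright, and the script reports zero workers rather than letting the JVM thresholds exceed physical memory.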
Decryption Keys
The Decryption Keys tab allows you to configure keys and passwords to be used when processing:
Encrypted PGP and S/MIME email messages
Mail Xtender key store volumes
Encrypted IBM (Lotus) Notes ID files
On encountering an encrypted email, Proof Finder reads private keys from its configured key ring collections or
key stores and on finding a matching key ID within the collection or store, decrypts the email.
Figure 14: Decryption Keys
PGP Email Decryption
Proof Finder allows you to import key ring collections from both ASCII-armored and binary files.
To add a key ring collection:
1. Select Add and select the files to be added. The keys are then added to the Decryption Key
Management list, which displays:
Unique Identifier - displays a unique key ID (the last few digits of the fingerprint of the key). It
allows the user to distinguish multiple keys and sub-keys of the same user in a key ring
collection.
User ID - displays the user identity, such as the user's email address, name or any unique string that
identifies the user to PGP.
Key Type - for PGP, the key type is PGP/MIME keyring.
Password - allows you to enter a password for each key.
2. Enter the passwords for the keys and select OK to save the changes.
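The Unique Identifier and User ID columns come straight from the structure of the key ring file. The script below is an added example (not Nuix code) that reads a key ring in binary or ASCII-armored form and lists, for each public key, the full fingerprint, the key ID (the last 16 hex digits of the fingerprint, which is what the guide calls the Unique Identifier) and the User ID packets attached to it. It handles version 4 keys with old-format packet headers only (RFC 4880); the sample key it builds uses a tiny constructed modulus and exists purely to exercise the parser.

```python
"""Inspect an OpenPGP key ring the way the Decryption Key Management list
presents it (added example, not Nuix code). Lists each public key's
fingerprint, its key ID (the last 16 hex digits of the fingerprint, which
is what the guide's "Unique Identifier" refers to) and the User IDs that
follow it, from either a binary or an ASCII-armored file. Only version 4
keys with old-format packet headers are handled (RFC 4880 sections 4.2 and
12.2). The sample key is constructed with a tiny modulus purely to
exercise the parser; it is not a usable key.
"""
import base64
import hashlib
import struct


def _mpi(value):
    """Encode an integer as an OpenPGP multi-precision integer."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_sample_keyring():
    """Constructed ring: one v4 RSA public key packet followed by one User ID packet."""
    key_body = b"\x04" + struct.pack(">I", 1480000000) + b"\x01" + _mpi(0xC4F3A9D1B2E70F65) + _mpi(65537)
    key_packet = b"\x99" + struct.pack(">H", len(key_body)) + key_body   # tag 6, 2-byte length
    user_id = b"Alice Example <alice@example.com>"
    uid_packet = b"\xb4" + bytes([len(user_id)]) + user_id              # tag 13, 1-byte length
    return key_packet + uid_packet


def _crc24(data):
    """CRC-24 used by the armor checksum line (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data):
    """Wrap binary packets in a PGP PUBLIC KEY BLOCK with its checksum line."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(_crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text):
    """Strip armor lines and headers, verify the checksum, return the packets."""
    inner = text.strip().splitlines()[1:-1]          # drop BEGIN and END lines
    while inner and inner[0].strip():                # skip "Version:"-style headers
        inner.pop(0)
    inner = [line for line in inner if line.strip()]
    crc_line = next(line for line in inner if line.startswith("="))
    payload = base64.b64decode("".join(line for line in inner if not line.startswith("=")))
    if int.from_bytes(base64.b64decode(crc_line[1:]), "big") != _crc24(payload):
        raise ValueError("armor checksum mismatch")
    return payload


def _packets(data):
    """Yield (tag, body) for each old-format packet in the ring."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if (ctb & 0xC0) != 0x80:
            raise ValueError("only old-format packet headers are handled here")
        tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
        if length_type == 3:
            raise ValueError("indeterminate-length packets are not handled here")
        header_len = (2, 3, 5)[length_type]
        length = int.from_bytes(data[pos + 1:pos + header_len], "big")
        yield tag, data[pos + header_len:pos + header_len + length]
        pos += header_len + length


def fingerprint_v4(body):
    """SHA-1 over 0x99, a two-byte length and the public key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def list_keys(data):
    """Return one dict per (sub)key: fingerprint, key ID and attached User IDs."""
    keys = []
    for tag, body in _packets(data):
        if tag in (6, 14):                           # public key, public subkey
            if body[0] != 4:
                raise ValueError("only version 4 keys are handled here")
            fp = fingerprint_v4(body)
            keys.append({"fingerprint": fp, "key_id": fp[-16:], "user_ids": []})
        elif tag == 13 and keys:                     # User ID belongs to the preceding key
            keys[-1]["user_ids"].append(body.decode("utf-8"))
    return keys


if __name__ == "__main__":
    ring = build_sample_keyring()
    for key in list_keys(dearmor(armor(ring))):
        print(key["key_id"], key["fingerprint"], key["user_ids"])
```

Because the key ID is a suffix of the fingerprint, two keys listed with the same Unique Identifier should be compared on the full fingerprint before a password is attached to either; the script prints both so that check is possible.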
S/MIME Email Decryption
Proof Finder allows you to import PKCS12 key store files with .p12 or .pfx extensions.
To add key store files:
1. Select Add and select the files to be added.
2. On selecting Open, the Enter Password window displays, prompting you to enter a password for the
key store file. The key store files are password protected at the file level, therefore you must provide a
password before the file is added to the Decryption Key Management list.
3. Once you have entered the passwords, the list is populated with the keys found within the key stores,
where it displays:
Unique Identifier: Displays the S/MIME key alias.
User ID: Displays the friendly name configured for the key, if any.
Key Type: For S/MIME, the key type is PKCS#12 File.
Password: Proof Finder does not support individual passwords for S/MIME keys but supports
key store level password protection.
Mail Xtender Volumes
Proof Finder allows you to import Mail Xtender key store volumes with a .emx extension. Each volume has a
password, which must be associated with the volume file. To add a key store file:
1. On the Decryption Key Management tab, select Add Keystore.
2. Select a Mail Xtender volume file (this is the same file that will be added as evidence to the case). The
Mail Xtender volume identifier will be read from the selected file and will be added as an entry to the
password table.
3. Type the password for the file in the Key Password field.
4. Repeat these steps for other volumes to be added to the case evidence.
Alternatively, a regular expression can be specified and all volume identifiers that match the regular expression
can have the same password applied to them. To add a regular expression:
1. On the Decryption Key Management tab, select Add password Regex.
2. From the Data type dropdown, select Mail Xtender.
3. Enter a regular expression search string in the Regular Expression field. The simplest one that will
match all volume identifiers in a case is “.*”.
4. In the Password field, enter the password that will be applied to all volumes that match the regular
expression.
5. Select OK.
Figure 15: Specify Regular Expression
Lotus Notes ID
Proof Finder allows you to import Lotus Notes ID files and map them to NSF mail stores that are in the
evidence. Notes ID files and their corresponding password are required to decrypt encrypted NSF files.
Note: IBM (Lotus) Notes is not supported on Mac or Linux.
To add a Lotus Notes ID file:
1. On the Decryption Key Management tab, select Add Lotus Notes ID.
2. The Lotus Notes ID File Mapping window displays.
3. In the NSF file field, specify the encrypted NSF file name you wish to associate with an ID file. It is
optional to specify the complete path of the filename.
4. In the ID file field, browse to the location of the corresponding ID file.
5. In the Password field, enter the corresponding password for the ID file, then select OK.
Figure 16: Add Lotus Notes ID File
The supplied password is validated against the ID file before proceeding, and an error is displayed if it is
incorrect. Ensure you have valid credentials to proceed.
Once the password is validated, the entry is then added to the Decryption Keys list and will be applied to the
encrypted NSF during extraction.
Processing Tab
The Processing tab displays information about the job that is being processed in real time. Proof Finder displays
the progress of the job, file statistics, and an overall job status with a time to completion. This tab is displayed
only when you load data into a newly created case, or when you add evidence to a case. Once closed, it is no
longer available for viewing, but processing statistics are always available for viewing in the Results pane, when
you View by: Statistics.
The tab is divided into three main areas:
Progress - logs the processing events, including the data being ingested and other related operations,
with a time stamp.
Statistics - displays the types of files processed, with the number corrupted, encrypted, deleted, and
related job percentages.
Job Status - displays the status of the overall job.
At the bottom of the tab, you can also view the elapsed time since the job began, and a status bar showing
percent complete.
From this tab, you can perform the following tasks:
Pause a job - halts the processing job temporarily, at which point the Resume button becomes active.
Pausing and then clicking Stop is the same as just clicking Stop.
Resume a job - continues processing from the point where it was left off.
Stop a job - displays a dialog that provides two options for stopping case processing, Stop and Abort.
Refer to Interrupting a Processing Job for more information.
Add Workers
The parallel processing framework allows tasks to be distributed across multiple machines or server farms
for faster processing. You can add Proof Finder Workers to running tasks to speed up the process.
Note: Worker Agent has license restrictions; contact [email protected] for more information.
To add workers, click Add Workers. The Add Workers window displays. Enter the Worker Agent hostname
and the number of workers you wish to run, then click OK.
A Worker Found information message is displayed with the details.
Interrupting a Processing Job
While it is not advisable to interrupt a processing job, Proof Finder can be paused or stopped while it is ingesting
data.
From the Processing tab, select one of the following options to interrupt the processing of case evidence:
Figure 17: Interrupting a Processing Job
Pause - temporarily halts the processing job and the Resume button becomes active. Select Resume to
continue processing. Pausing and then selecting Stop quits the processing and cleans up the case.
Note: Pausing is a temporary state. You cannot pause a processing job in Proof Finder, restart your computer
and reopen Proof Finder to resume processing. If you want to exit Proof Finder completely, select Stop.
Stop - displays the Stop Processing window. Select Stop to quit processing and clean up the case, Abort to quit
processing and exit the case, or Cancel to resume processing.
Figure 18: Stop Processing
Note: Stopping or aborting processing can take time as Proof Finder needs to get to a point at which it can
stop/abort.
The Statistics Tab
The Statistics tab offers an itemized listing of all file types processed in the case and their respective frequency
within the dataset, including a listing of the raw file extensions found and any files classified as irregular files.
The Statistics tab offers a good overview of the items in the case and should be carefully reviewed after you
load data into a new case and subsequently each time you add evidence to a case. Open a new Statistics tab
by going to Reports > New Statistics Tab.
The tab is divided into three main areas:
Processed Files - shows statistics (processed, corrupted, encrypted, and deleted) by file type,
including percentage of that file type within all items processed. The Processed Files section includes
the files marked as irregular files.
Raw File Extensions - shows the number of items for each file extension type found within the raw
ingested files.
Irregular Files - shows how many of the processed items were marked irregular, and the percentage
of each irregular file type within all items marked as irregular. Files listed as Irregular are still
represented in the Processed Files section; the Irregular Files designation is simply an additional
attribute associated with the item.
Note: Proof Finder does not rely on an item's extension to determine its file type. Proof Finder checks the
contents of the file to ensure it accurately associates the file type. This eliminates the chance to hide evidence
simply by changing the file extension.
The Statistics tab differs from the View by: Statistics feature in the Results pane. While the Statistics tab shows
information about all case evidence, the latter view only shows information about the items in a given result set.
Statistics for processed files include:
File Type - lists all of the file types encountered during the ingestion process.
Processed - lists the total number of items processed for the specific file type.
Corrupted - lists the total number of items that Proof Finder was unable to process, or found to be
corrupted for a specific file type.
Encrypted - lists the total number of items that Proof Finder detected as encrypted.
Deleted - lists the total number of permanently deleted items found in Microsoft mail container formats
for a specific file type.
Percentage Encountered - lists the percentage, by item count, of the total dataset consumed by the
specific file type.
Statistics for raw file extensions include:
Raw File Extension - lists all of the file extensions of the raw evidence encountered during the
ingestion process.
Processed - lists the total number of items processed for the specific raw file extension.
Percentage Encountered - lists the percentage, by item count, of the total dataset consumed by the
specific raw file extension.
Types of irregular files include:
Text Stripped - items where Proof Finder recognized the file type, but does not have a routine to cleanly
extract all text and metadata in accordance with the file type's API. This results in an item that is
searchable, but the text may be garbled or not properly formatted.
Unrecognized - items where Proof Finder did not recognize the header and was therefore unable to
assign a mime-type.
Bad Extension - items whose file type (MIME type) is not consistent with their file extension.
Corrupted - items that Proof Finder has been unable to process.
Deleted - items that Proof Finder extracted from the slack space of Microsoft email boxes or are
flagged as deleted within an Encase Logical Evidence Files (LEF).
Encrypted - items that Proof Finder has determined to contain encrypted content. Proof Finder still
extracts metadata, and as much information as possible from an encrypted file, but Proof Finder is
unable to index all of the content.
Unsupported Items - items for which Proof Finder was unable to extract any content or text.
Non-Searchable PDFs - items that are determined to be a PDF through header recognition, but do
not contain text that can be indexed.
Empty - items that are zero (0) bytes in size.
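The note above says the file type comes from the item's contents, not its extension, and several of the irregular categories follow directly from that comparison. The script below is an added example (not Nuix code) that applies the same idea with a small magic-byte table over constructed sample items, flagging Empty, Unrecognized, Bad Extension and Non-Searchable PDF and tallying the flags the way the Irregular Files area does. The signature table, the sample bytes and the crude PDF text check are assumptions for the example; categories that need a full parser (Corrupted, Encrypted, Deleted, Text Stripped, Unsupported Items) are not reproduced.

```python
"""Classify items into the Statistics tab's content-derived irregular
categories (added example, not Nuix code). File type is decided from the
leading bytes, never from the extension, so a renamed file is reported as
Bad Extension. The signature table, sample items and the PDF text check
are constructed for this example.
"""

# Content signatures: (magic prefix, MIME type, extensions consistent with it)
SIGNATURES = [
    (b"%PDF-", "application/pdf", {"pdf"}),
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"PK\x03\x04", "application/zip", {"zip", "docx", "xlsx", "pptx"}),
    (b"MZ", "application/x-msdownload", {"exe", "dll"}),
]


def detect_mime(data):
    """Return the MIME type implied by the header bytes, or None if unknown."""
    for magic, mime, _ in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def extension_of(name):
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def pdf_has_text(data):
    """Crude check: a searchable PDF carries text-showing operators (Tj/TJ);
    an image-only scan does not. Real detection needs a PDF parser."""
    return b"Tj" in data or b"TJ" in data


def classify(name, data):
    """Return (mime_type, [irregular flags]) for one item."""
    if len(data) == 0:
        return None, ["Empty"]
    mime = detect_mime(data)
    if mime is None:                       # header not recognized, no MIME type assigned
        return None, ["Unrecognized"]
    flags = []
    allowed = next(exts for _, m, exts in SIGNATURES if m == mime)
    if extension_of(name) not in allowed:  # content says one thing, extension another
        flags.append("Bad Extension")
    if mime == "application/pdf" and not pdf_has_text(data):
        flags.append("Non-Searchable PDF")
    return mime, flags


# Constructed sample items: name -> bytes
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Page >> BT (hello) Tj ET\n%%EOF",
    "scan.pdf": b"%PDF-1.4\n1 0 obj << /Subtype /Image >> endobj\n%%EOF",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",          # executable carrying a .txt name
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "empty.docx": b"",
    "blob.bin": b"\x00\x01\x02\x03 no known header",
}


def statistics(samples):
    """Tally irregular flags across items, as the Irregular Files area does."""
    counts = {}
    for name, data in samples.items():
        for flag in classify(name, data)[1]:
            counts[flag] = counts.get(flag, 0) + 1
    return counts


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {classify(name, data)}")
    print(statistics(SAMPLES))
```

When reviewing the Statistics tab after a load, the Bad Extension count is the one worth opening first: each row there is an item whose declared type disagrees with its contents, which is exactly the case the extension-independent detection exists to surface.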
You can perform the following operations within the Statistics tab:
Open a result set containing items for a specific file type by double-clicking on any row in the Statistics
tab.
Sort a column in ascending or descending order by single-clicking in the column header. The default is
ascending.
Export the Statistics view by using File > Export > Export View to export file type column values as
displayed in the user interface. Similarly, copying and pasting the table to a CSV displays the file type
column values as displayed in the user interface. To export the file type strings that are used for mime-type
search queries, pass the -Dnuix.investigator.statistics.exportQueryFileType=true command line
parameter to Proof Finder.
The Statistics Tab is for the entire case, and does not take into account excluded items.
Reload Data
Evidence can be reloaded into a case, updating the existing record and text for the items by selecting the
Import function after selecting the items to be reloaded from the results pane.
Figure 19: Reloading Data
The following options are offered when reloading evidence:
Import Annotations - allows the import of annotations into the current case. Detailed instructions for importing
annotations are provided in the next section.
Import Replacement Files - allows the import of single files or complete directories of files, replacing the data,
text and pointer to the new native source file for each record. This can be useful to replace encrypted
documents with their 'plain text' version. Files imported in this way are assigned the latest MD5 as well as
recording the original MD5 from processing, to ensure files can be matched for chain of custody within the case.
After selecting the files to reload, the Evidence Processing Settings dialog displays to allow you to select how
the data should be processed when reloaded.
Note: The items to be reloaded do not have to be in the same structure or location as the source data, but it is
recommended that replacement files are stored along with the original source evidence, as they will be required
for any action that points to those files, such as exporting or launching the native file.
Reload Items from Data Source - allows the original source evidence to be reloaded for the selected files with
new Evidence Processing Settings. This option can be useful in cases where only a light traversal of the
evidence was done in the first instance, or an option such as near duplicates was not checked when the
evidence was originally processed.
Scan for New Child Items - determines whether any new child items have been added to the selected items. If
new child items are found, these items can be ingested into the case.
Sync Items and Descendants - allows you to sync items with their descendants.
Importing Annotations from a File
If you have exported the annotations from a case that has been reviewed, which is typically a subset of another
case, you can import those annotations back into the parent case where Proof Finder automatically applies
them to the appropriate items.
To import annotations from a CSV file:
1. Open the parent case into which you want to import the annotations.
2. From the File menu, select Import > Import Annotations. The Open CSV Annotation File dialog
displays.
3. Browse to the location where the .csv file is located, select the annotation file, and click Open. The
Import Annotations dialog is displayed, showing the GUIDs, Annotations Type (tag or comment), item
name, current annotations that exist in the parent case, and the new annotations that were supplied in
the case subset (or child case).
4. Click OK to import the annotations into the parent case. For each item, Proof Finder appends the tags
applied in the case subset to any existing tags in the parent case. Proof Finder only applies unique
new tags; duplicate tags are ignored. Technically, this means that an item could be tagged with both
Responsive and Nonresponsive tags, for example, if one of those tags was applied to the item in the
parent case and another in the child case. After the items are tagged, the Annotation Complete dialog
is displayed indicating how many items were annotated.
5. Click OK.
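Step 4 describes merge semantics that matter for review quality: tags are appended, duplicates are dropped, and nothing is ever removed, so contradictory tags can coexist on one item. The script below is an added example (not Nuix code) that applies those rules to a constructed parent case from a constructed CSV export and then lists the items left carrying both Responsive and Nonresponsive, which is the check a review lead would run after the Annotation Complete dialog. The CSV columns (GUID, Type, Value), the case layout and the decision to count only items that actually changed are assumptions for the example; the guide does not describe the export format.

```python
"""Merge annotations exported from a child (subset) case into a parent case
the way the Import Annotations step describes (added example, not Nuix
code): tags are unioned with existing tags, duplicates are ignored, nothing
is removed, comments are appended. The CSV layout (GUID, Type, Value) and
the sample cases are assumptions constructed for this example.
"""
import csv
import io

# Constructed parent case: GUID -> item with a tag set and a comment list
PARENT = {
    "0001-aaaa": {"name": "memo.docx", "tags": {"Responsive"}, "comments": []},
    "0002-bbbb": {"name": "invoice.pdf", "tags": set(), "comments": ["check amount"]},
    "0003-cccc": {"name": "photo.jpg", "tags": {"Privileged"}, "comments": []},
}

# Constructed child-case export. 0001 was also tagged Nonresponsive by a
# second reviewer, 0003 repeats a tag the parent already has, and 9999 is
# a GUID the parent does not contain.
CHILD_CSV = """GUID,Type,Value
0001-aaaa,tag,Nonresponsive
0001-aaaa,tag,Responsive
0002-bbbb,tag,Responsive
0002-bbbb,comment,duplicate of 0001?
0003-cccc,tag,Privileged
9999-zzzz,tag,Responsive
"""


def parse_annotation_csv(text):
    """Return (guid, type, value) tuples; an unknown annotation type raises."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Type"] not in ("tag", "comment"):
            raise ValueError(f"unknown annotation type: {row['Type']}")
        rows.append((row["GUID"], row["Type"], row["Value"]))
    return rows


def import_annotations(parent, rows):
    """Apply rows to parent in place; return (annotated_item_count, skipped_guids).

    A tag already present changes nothing and (assumption) does not count
    the item as annotated; GUIDs missing from the parent are reported, not
    created.
    """
    touched, skipped = set(), []
    for guid, kind, value in rows:
        item = parent.get(guid)
        if item is None:
            skipped.append(guid)
            continue
        if kind == "tag":
            if value not in item["tags"]:
                item["tags"].add(value)
                touched.add(guid)
        else:
            item["comments"].append(value)
            touched.add(guid)
    return len(touched), skipped


def review_conflicts(parent, pairs=(("Responsive", "Nonresponsive"),)):
    """GUIDs carrying both tags of any contradictory pair after the import."""
    return sorted(guid for guid, item in parent.items()
                  for a, b in pairs if a in item["tags"] and b in item["tags"])


def run_import(parent_case=PARENT, csv_text=CHILD_CSV):
    """Import into a copy of the parent so the constructed data stays intact."""
    case = {g: {"name": i["name"], "tags": set(i["tags"]), "comments": list(i["comments"])}
            for g, i in parent_case.items()}
    count, skipped = import_annotations(case, parse_annotation_csv(csv_text))
    return case, count, skipped


if __name__ == "__main__":
    case, count, skipped = run_import()
    print(f"{count} items annotated, skipped GUIDs: {skipped}")
    print("items tagged both Responsive and Nonresponsive:", review_conflicts(case))
```

The conflict list is the useful output: because the import never reconciles tags, any item it reports has to be resolved by a reviewer in the parent case, and the skipped GUIDs show rows whose items were not present in the parent and so were never annotated.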
Best Practices
1. Select the options which best suit your analysis requirements, as selecting unnecessary options will
only increase indexing time.
2. Ensure you have enough disk space available for the index, specifically for large cases and if storing
the binary data.
3. Due to the complexity of datasets, Proof Finder cannot predict indexing times.
4. Consider splitting large cases/data sets into logical groupings, such as by custodian or data type, so
that you can divide the processing work load and also easily filter by these groupings later.
5. Processing in smaller batches reduces the risk of reprocessing everything in the event of a failure.
6. Add each grouping of data as either new evidence or as a new case, and then join the cases later into
a compound case.
7. Plan a consistent naming schema for your cases (simple and compound).