Enterprise Vault™ EnCase® Ingest Connector Implementation Guide
Non-user data files
Many vault administrators prefer to exclude non-user data files such as those that belong to the operating system or executable programs from the Collection Set. Not sending these files to a vault can save considerable time and storage space.
You can instruct the Ingest Connector to automatically exclude these files from the Evidence Folder Tree by creating a Known Files Collection Set. The procedure is simple, but the implementation needs to be well considered.
To create a Known Files Collection Set
- Move the files to be included in the Known Files Collection Set into the Collection Set Tree or File List.
- From the menu bar, click File > Add to Known Files.
- The Ingest Connector adds all the files in the Collection Set to the Known Files Collection Set and automatically prevents them from appearing in the Ingest Connector in the future.
Creating a Known Files Collection Set from an evidence file that contains files to be excluded and files to be included can be time consuming and problematic. Administrators will often create the Known Files Collection Set from a clean machine disk image, and then use it later when processing other files.
For example, in a corporate environment where each user is issued a computer that is identically preconfigured, the administrator can create the Known Files Collection Set after configuring the machine but before issuing it. Then, when running the Ingest Connector on the user's computer, only files that the user created or modified are available for extraction.