2.
Evidence Settings
NUIX WORKSTATION:
ALL ABOUT PROCESSING
Rediscover Your Case Processing
Settings and How to Quickly Assess
and Manage Large Datasets for
Ingestion
A Processing Profile defines what processing options
to apply to items added to a case, and is the most
important window in Nuix Workstation.
DEFINE DATA PROCESSING SETTINGS
FROM THE USER INTERFACE
Enable appropriate settings for the Processing Profile.
1. Perform item identification – Further indexing
options to be performed on items beyond a light
scan of the file system properties on the outside of
items. If this option is not selected, Workstation
creates an "Unknown Binary File" entry for each
physical file it encounters along with only limited
file system metadata.
Calculate processing size up-front - This option
enables the progress bar to display progress
during the ingestion process by the physical file
size of the evidence.
Traversal - Options available for traversing the
documents at the time of ingestion are:
• Process loose files but not their contents
allows a quick directory listing of all the files
presented for ingestion without any further
extraction.
• Process loose files and forensic images but
not their contents allows forensic images to be
treated like a file directory along with any loose
files for ingestion without any further extraction.
• Full traversal will extract all items completely
according to the evidence processing settings
selected below.
Nuix Workstation: All About Processing — Copyright ©2021 Nuix. All rights reserved.
• Reuse evidence stores - Enables new evidence to
be added to existing evidence indexes, which in
turn will result in faster searching and exporting.
This setting should always be used.
• Calculate audited size - Enables the audit size
field to be calculated and updated with a file size
for items considered to be material items.
• Store binary of data items - Enables a copy of
the item to be stored in binary format within the
databases in the case directory. Only store
binaries for items that will be used as evidence.
Binaries for system files should not be stored.
o Pros: Enables very quick review of documents in
their native format, and speeds up the export of
native files.
o Cons: Reduces indexing speed, and increases
data storage requirements for evidence,
depending on the makeup of the data.
3. Deleted File Recovery & Forensic Settings
• Recover deleted files from disk images - It is a
good idea to turn this setting on.
• Extract end-of-file slack space from disk
images - This setting can be useful for finding
passwords in the file slack.
• Smart process Microsoft Registry files –- Only
sections of the Microsoft Windows Registry that
are most useful for forensic investigations are
processed when this option is selected. The main
Windows registry settings are Security, System,
Software and Sam.
• Extract from mailbox slack space - Extracts
deleted files from .pst, .ost and .edb mailboxes at
a different, lower level, allowing access to slack
PAGE 1 of 4
 space items. It is recommended that this is used
in conjunction with the Store binary option.
• Index unallocated space -Text strips unallocated
space for text index searches. The resulting item
will be the entire unallocated space when a match
is found.
• Carve file system unallocated space - It is
recommended that this setting only be used
when reloading selected unallocated space items
after initial processing.
• Carving block size (in bytes) – This will
determine how many bytes are processed at one
time. A smaller size will result in many shards of
files; a larger size will result in higher memory
consumption, but full files that are more likely to
be restored. By default, the data carving will
attempt to pick up the block size from the file
system which is being carved.
4. Family Text Settings
6. Upfront Processing Workflow Settings
• Create family search fields for top level items -
This option creates an extra field with all child
items’ text added to their parent's text, allowing
for use of "family" searches, for faster searching.
A top level item is a material item with no material
ancestors (first material item in item path).
7. Item Content Settings
• Hide immaterial items (text rolled up to
parent) - Allows immaterial items to be
automatically hidden to avoid clutter in the
results set. Extracted text from hidden immaterial
items is appended to its parent item so it is still
available for searching. While this setting may be
helpful for the e-discovery practitioner, digital
forensic practitioners should never turn this
setting on.
5. Text Indexing Settings
• Analysis language – Select the language (English
or Japanese) to be used for text indexing. Only
one language can be used per evidence store and
Nuix Workstation: All About Processing — Copyright ©2021 Nuix. All rights reserved.
cannot be changed when using the Reuse
Evidence Store option.
• Use stop words – By selecting this option, stop
words for the selected language will not be
indexed. Do not check this box unless you have a
specific reason to do so.
• Use stemming – When this option is set,
Workstation creates a different type of text index
that stores only stemmed components of words.
Once set, this option is applicable to the entire
case. Use the stemming option with caution
because you may get too many hits.
• Enable exact queries – This option stores text
content of items to enable use of punctuation and
capitalization when searching, essentially doing
an exact string match. Use single quotes (‘ ‘)
around the search term to invoke exact queries.
The query must be grammatically correct and is
case sensitive. Use this setting with caution.
• Enable preconfigured profiles/workflows for
printed images, export metadata or OCR.
Additional options may appear in this section for
specific Nuix license types.
• Process text – Enables Workstation to extract
the text content of evidence to enable searching.
If disabled, users will only be able to search
across an evidence item’s metadata. This setting
should always be turned on, or items will not be
indexed.
• Enable near duplicates – Enables identification
of word shingles to allow for near duplicate
detection and clustering within the case. It is
recommended that this setting be turned on.
PAGE 2 of 4
 • Enable Text Summarization – Calculate and
store text summaries from documents when data
is ingested. When selected, this option
automatically selects the Process text option, if
that option is not already selected.
• Extract named entities from text and Include
text stripped items – Enables you to include text
stripped items while extracting named entities
from text. Text stripping is a process used when
Nuix Workstation is able to identify an item’s file
type, but is unable to cleanly extract all text and
metadata in accordance with the file type’s API.
The result is a data item that is searchable, but
the text may be garbled or not properly
formatted.
• Extract named entities from properties.
• Extract named entities from communications -
Enables you to extract named entities from
communication metadata using standard or
custom named entities. When selected, this
option enables the Use custom named entity
profile option.
8. Image Settings
• Generate thumbnails for image data.
• Perform image color and skin-tone analysis –
Captures skin-tone information on images
processed within the dataset to identify a certain
ethnicity and age of people.
• Detect faces – Analyzes image for skin tones, and
determines if that area includes facial features.
• Classify images using Deep Learning – Uses
shapes to classify images into different
categories. By selecting the Configure option, the
Deep Learning model file can be set by finding its
location. Users can also load label files and set
input image width and height from here.
Nuix Workstation: All About Processing — Copyright ©2021 Nuix. All rights reserved.
9. Digest Settings
• Digests to compute – Enables generation of
extra digests in addition to the default MD5.
• Email Digest Settings – Email digest settings are
used by e-discovery practitioners, but not usually
by forensic practitioners.
MIME TYPE TAB
MIME Type Settings interact with the Evidence
Processing Settings. Select the MIME Types that
need to be processed. Everything here depends on
your data processing settings! Remove what you
don’t need, but beware. If you make bad selections,
you can completely miss information.
To reset the MIME Type Settings to defaults, click
Reset to defaults.
1. MIME type - Lists available MIME types.
2. Enabled - Select this option to process the
required MIME type. By deselecting this option
against MIME Type Settings, all other options are
cleared and the selected MIME type is minimally
processed.
3. Descendants - Select this option to process
descendants found within items of this MIME type.
Examples of descendants are files within a zip
archive, or files attached to one or more email
messages within an email store.
4. Text Mode - Select from the following options to
process text of the selected MIME types:
• Process text.
• Text strip (when selected, by default, descendants
are unselected).
• No processing.
PAGE 3 of 4
5. Images - Select this option to allow generation of
thumbnails and capture skin-tone information
when processing images for the selected MIME
types.
6. Entities - Select this option to process Named
Entities on the selected MIME type. The option
from the Data Processing Settings tab must be
selected to enable the identification and capture of
named entities within the data set for further
analysis.
7. Store Binary - Select this option to store the
binary of the selected MIME type. The option from
the Data Processing Settings tab must be selected
to store the binary format within the databases in
the case directory.
8. Data Carving - Select this option to control what
MIME types are included and excluded from Data
Carving.
Tip: Use CTRL+ F to search MIME types by entering
keywords.
There is a selection for all forms of email, contact, and
calendar items, including older versions, but not
‘special’ formats like XML.
If you are going to be selective, pay attention to your
containers:
• Make sure to select the evidence item itself… E01.
• Select directories to process a hierarchy.
Nuix Workstation: All About Processing — Copyright ©2021 Nuix. All rights reserved.
RELOAD ITEMS FROM SOURCE DATA
Reload and reprocess evidence as many times as
needed. In each processing run, select items to be
processed, right click, and select Reload Items from
Source Data. In the Processing options window,
select the appropriate profile, and click OK. The
following is an example of a reprocessing workflow
which would gain more control over processing time
and allow focus on data most relevant to the case. In
addition, processing is more efficient, as you will not
be examining items for information that they could
not possibly contain:
By processing in waves, you can:
• Gain some control over processing times.
• Focus on the data most relevant to the case much
more quickly.
• Make processing much more efficient by not
examining items for information that they cannot
contain.
Related Course(s): Nuix Workstation Forensic
Practitioner Foundations
Nuix Summer 2021 Pop-Up Webinar: All About
Processing
PAGE 4 of 4