Processing Encase E01 files

Article ID: 100037542

Description

A special process is required to prepare physical evidence files (E01s) for processing as part of a case folder source, because E01 files do not include readily accessible metadata. To extract the metadata that is required for processing, we must first process the E01s using the Clearwell eDiscovery Mapfile Generator.

The MSI file for the generator (Clearwell E-DiscoveryMapfileGenerator.msi) can be downloaded from the FTP site. Contact Customer Support for download instructions.

Note: The Clearwell eDiscovery Mapfile Generator is only supported on the 32-bit version of EnCase. To use the eDiscovery Mapfile Generator, the EnCase software must be installed. The EnCase software and the EnCase EnScript utility should be installed on a different server than the appliance.

To prepare E01 files for processing

  1. Download the EnScript installer file (MSI file) from the FTP site and copy it to a machine that has EnCase installed.
  2. Run the EnScript installer and follow the on-screen instructions.
    1. This installs the Mapfile Generator on the machine. The Mapfile Generator is, in essence, an EnCase plugin.
  3. Start EnCase and open the case that contains the evidence files.
  4. Locate Clearwell E-Discovery Mapfile Generator in the EnScript tab of the EnCase application.
  5. Right-click Clearwell E-Discovery Mapfile Generator and choose Run to open the Mapfile Generator dialog box.
    1. Note: The Hash Files option must always be selected.
    2. Note (selecting evidence files): It is recommended to always hash the files first; otherwise hashing must be done at the time of discovery to support the de-NIST of files, which could result in slower performance.
  6. Select the evidence files, select the Hash Files option, and click OK to create the MDM file.
    1. Note: The MDM file must reside in the same folder as its associated evidence files (E01 files). As long as this is the case, the product will automatically recognize the evidence files when processing the case folder.
  7. From the top navigation bar, for the selected case, click Processing > Sources & Pre-Processing, and add the case folder containing the evidence files and the corresponding MDM files.
    1. The case folder can contain any combination of loose files, emails, email container files, and L01/E01 files.
    2. Note: The E01/MDM file pairs created by the Mapfile Generator are portable. However, be sure to note the timezone in which the data was collected and stored in the E01 files. The timezone needs to be set within the product to ensure the dates associated with the loose files match the information in EnCase.
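
The following pre-flight check is an added example, not part of the original article or the product: before adding a case folder as a source, it walks the folder and reports every directory that holds E01 files but no MDM file beside them. The `.mdm` extension, the function names, and the sample folder layout are assumptions made for illustration; the article only refers to "the MDM file".

```python
import os
import tempfile

# Assumption: the Mapfile Generator output uses an ".mdm" extension.
# The article only calls it "the MDM file"; adjust if yours differs.
MDM_EXT = ".mdm"
EVIDENCE_EXT = ".e01"


def find_unmapped_evidence(case_folder, mdm_ext=MDM_EXT):
    """Return {relative folder: [E01 names]} for folders with E01s but no MDM file."""
    problems = {}
    for folder, _dirs, files in os.walk(case_folder):
        # Compare extensions case-insensitively (disk1.E01 vs disk1.e01).
        exts = [(name, os.path.splitext(name)[1].lower()) for name in files]
        evidence = sorted(name for name, ext in exts if ext == EVIDENCE_EXT)
        has_mdm = any(ext == mdm_ext for _name, ext in exts)
        if evidence and not has_mdm:
            problems[os.path.relpath(folder, case_folder)] = evidence
    return problems


def build_sample_case(root):
    """Constructed sample layout: one mapped folder, one unmapped, one loose-file folder."""
    layout = {
        "custodian_a": ["disk1.E01", "disk1.E02", "disk1.mdm"],
        "custodian_b": ["laptop.e01"],        # MDM missing or left in another folder
        "loose": ["memo.docx", "mail.pst"],   # no E01s, so nothing to check
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "wb").close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        unmapped = find_unmapped_evidence(build_sample_case(tmp))
        for folder, files in unmapped.items():
            print(f"{folder}: no MDM file beside {', '.join(files)}")
```

The check is per folder because the article states only that the MDM file must be in the same folder as its evidence files; it does not verify that the MDM file was generated with the Hash Files option selected.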

 

Issue/Introduction

Processing Encase E01 files