Nuix General
Tabs
Option | Description |
Workbench | Hosts the primary tasks of excluding, filtering, and searching data within the case. You can also analyze data, preview individual items, and tag from here. It is set to display by default when you open a case. |
Context | Allows you to visualize the data links between files in the case. |
Statistics | Displays information about the processed and irregular files by file type, including number, processed, corrupted, and encrypted, and a percentage of each file type encountered. |
Fast Review | Allows you to create jobs that can be batched together for review by investigators. For each job, you can specify tags and words to highlight. You can then associate items with each job, and those items are presented in a linear fashion for tagging. |
Search and Tag | Allows you to search processed data using queries, and tag the results for future reference. |
Production | Enables you to create a new production set. |
Items Menu
Items Menu The Items menu contains commands for editing, managing, and finding items in the case.
Items Command | Function |
Tags | Add and remove tags, including items in the associated family and/or duplicates. You can also remove a tag from the selected item(s), including items in the associated family and/or duplicates. Family relationships are generated when items are extracted from other items, such as a zip file or email with attachments. Documents with other items embedded within them, such as a Microsoft Word document with an embedded Excel Spreadsheet,PowerPoint Presentation, or video clip are also examples. Each of these items would be considered related and in a family. |
Custom Metadata | Add and remove custom metadata, and apply the selected Custom Metadata template. |
Custodian | Assign and unassign custodians with options to include associated family items. |
Item Set | Add items to and remove items from item sets. |
Review Job | Add items to and remove items from a Fast Review job. |
Production Set | Enables you to: Create a production set. Add items to a production set based on the specified sort order. Import and annotate document ID lists. Renumber a production set. Generate or delete print previews. Apply export rules to a production set. Remove items from a production set. Markup Add or edit markup sets, and process bulk redaction. |
Cluster Run | Generating clusters, adding items to an existing cluster, and removing clusters. |
Automatic Classifier | Create Automatic Classifier, add and remove training items, build model,automatically classify items, remove automatically classified items, remove skipped items, export model, import model and delete automatic classifiers. |
Exclude Items | Exclude items from being available for further case activity using a new or existing exclusion rule. This suppresses the items within the data set, including items in the associated family and/or duplicates. |
Delete Items | Delete all records and their descendants from the case. |
Populate Stores | Regenerate both the binary natives store and the PDF image store with options to format the PDF images on generation. |
Context Tab
Note: This tab is particularly useful in data breaches or security incidents investigation
The Context tab provides data links between files in the form of interactive visuals to allow for easier identification of patterns and trends in the data and to help identify any anomalies that may be relevant to the investigation.
To open a new Context tab:
Navigate to Window and select New Context Tab.
In the Results pane, select the items to be shown on the Context Tab and select Show and then select Show in Context from the right-click menu.
Note: I sometimes use this plus the Pivot function to find out the sequences of events
The Context tab consists of:
Analysis Graph
Analysis Table
Analysis Graph
The Analysis Graph consists of the:
Graph Menu bar
Graph
Magnification Menu
Timeline
Search and Tag Tab
To open a Search and Tag tab, go to Window and select New Search and Tag Tab.
Search and Tag activities use CSV Files .csv (comma delimited) or a JSON file
Scoping query limits the scope of all direct matches in the table rows and applies only to direct matches.
The fields that are searched:
In the GUI, fields listed in the Search under Global Options (content, properties, names, pathnames, and evidence metadata).
In Scripting API, the common set of 4 fields that are used elsewhere in scripting searches.
Import
Two kinds of files can be imported:
JSON file: If there is no data in the table already, then the settings from the JSON file will be used (if present). However, if the table already contains data then its present settings will be retained and the settings from the JSON file will be ignored.
CSV file: Importing files while there is data already appends the new rows to the end of the table and keeps the existing rows and settings intact.
They should be in the following format of two columns, with no header row:
The first column contains the tag name and supports the use of nested tags via the pipe (‘|’) character.
The second column contains any valid Nuix query or a simple keyword.
Registry/Database Viewer Tab
The Registry/Database Viewer tab is used to review the contents of the Windows Registry and SQLite databases. To open a Registry/Database Viewer tab, select the required items in the Results pane and right-click to select Show in Database Viewer. The tab includes the following UI components:
Evidence Tree: For Windows Registry, displays the decoded items, items in the case (having Nuix logo), and items not in the case (without Nuix logo) but you can still browse them. You can also browse other data such as ZIP files, registry hives, and view its file structure.
For SQLite databases, you can browse the tables or indexes. You can tag the required items loaded into the case or view them in Workbench or Context tabs.
Registry Key Values: When you select an item, the keys and values of the Windows Registry are displayed in this panel.
Table Data: When reviewing SQLite databases, select the required table to view its content in this panel.
SQL Query: Provides you an editor to write and execute SQL queries on the database.
Decoder: When you select an item from the metadata view, the decoded text, binary, and image values of the item are displayed in this panel.
Last updated
