Evidence Processor Performance Monitoring - Part I

Ken Mizota

Over the years, digital investigators using EnCase have become intimately familiar with EnCase status reporting for EnScripts and, more recently, for Evidence Processor. For most of that time, progress reporting in EnCase has more or less looked like this:

If you’ve ever copied a large number of files in Windows, you know how a minimal amount of information can be, at best, minimally helpful and, at worst, frustratingly misleading:

You may have asked any of these questions while staring at a status bar:
  • What is being executed?
  • If the task is taking longer than expected, where is it spending time?
  • What can I do to speed up the process?
We’ve heard, and asked, these questions many times over the years. In EnCase Version 7.07, we decided to do something about it.

While Evidence Processor is running, click on View --> Performance:

This opens the new Performance tab. The first thing you’ll notice is that the tab has two halves, top and bottom.

The top half of the tab describes the current state of processing across an entire case.

This half provides visibility into the granular tasks Evidence Processor executes. Running tallies and completed counts show how much work (how many items) remains in total for a given device. This view only covers the evidence file currently being processed: if you are processing 5 evidence files, the statistics apply only to the device currently being processed.

The bottom half of the tab lists the specific tasks currently being executed. The number of rows indicates the number of concurrent threads Evidence Processor is using. In this example, we have 14 worker threads.

Each row shows a description of exactly what that thread is doing and the status of its running task.

All of these statistics are updated in near real-time, approximately once a second.

Through this view, we hope you can now better answer:

Q: What is being executed?

A: Currently running tasks and progress are identified, in near real-time.

Q: If processing is taking longer than expected, where is it spending time?

A: Compare the “Elapsed time” of the aggregate tasks in the top half. If a single task stands out as the bottleneck, look at the Elapsed time of the per-thread rows in the bottom half to see which activity under that task is currently being executed.
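To make the two halves of the tab concrete, here is an added Python sketch (not code from this post or from EnCase) that models the kind of numbers the tab exposes: aggregate per-device counts with elapsed time in the top half, one row per worker thread in the bottom half, sampled about a second apart. From two snapshots it derives a throughput, a rough ETA, the task dominating elapsed time, and the threads that have been on a single item far longer than their peers. The task names, field names, thread count and every value are constructed for illustration, and the stuck-thread rule is an assumption of this example, not an EnCase rule.

```python
"""Reading the two halves of the Performance tab by hand.

Added example (not EnCase code). All structures, task names and values
below are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class AggregateTask:
    """One row of the top half: a task type across the current device."""
    name: str
    total: int          # items of work for the current device
    completed: int      # items finished so far
    elapsed_s: float    # time this task type has been running


@dataclass(frozen=True)
class WorkerRow:
    """One row of the bottom half: what a single worker thread is doing."""
    thread: int
    task: str           # aggregate task this thread is serving
    item: str           # description of the item being processed
    elapsed_s: float    # time spent on the current item


def items_per_second(before: AggregateTask, after: AggregateTask) -> float:
    """Throughput of one task type between two snapshots ~1 s apart."""
    dt = after.elapsed_s - before.elapsed_s
    if dt <= 0:
        return 0.0
    return (after.completed - before.completed) / dt


def estimated_remaining_s(before: AggregateTask,
                          after: AggregateTask) -> Optional[float]:
    """Rough ETA for a task type; None when no progress was observed."""
    remaining = after.total - after.completed
    if remaining == 0:
        return 0.0
    rate = items_per_second(before, after)
    return None if rate == 0 else remaining / rate


def dominant_task(aggregates: List[AggregateTask]) -> str:
    """Aggregate task with the largest elapsed time: the first place to look."""
    return max(aggregates, key=lambda a: a.elapsed_s).name


def stuck_threads(rows: List[WorkerRow], factor: float = 5.0,
                  floor_s: float = 10.0) -> List[WorkerRow]:
    """Threads whose current item has run far longer than their peers.

    Heuristic (an assumption of this example, not an EnCase rule): flag a
    row when its elapsed time exceeds both `factor` x the median across
    all rows and `floor_s` seconds, so short bursts are not flagged.
    """
    if not rows:
        return []
    threshold = max(factor * median(r.elapsed_s for r in rows), floor_s)
    return [r for r in rows if r.elapsed_s > threshold]


def report(before: List[AggregateTask], after: List[AggregateTask],
           rows: List[WorkerRow]) -> dict:
    """Summarise both halves the way an analyst would read them."""
    by_name = {a.name: a for a in before}
    return {
        "dominant_task": dominant_task(after),
        "eta_s": {a.name: estimated_remaining_s(by_name[a.name], a)
                  for a in after},
        "stuck_threads": [r.thread for r in stuck_threads(rows)],
    }


# Constructed top-half snapshots, one second apart, for one device of five.
BEFORE = [
    AggregateTask("Hash analysis", 120000, 45000, 600.0),
    AggregateTask("Signature analysis", 120000, 120000, 300.0),
    AggregateTask("Expand compound files", 400, 10, 1500.0),
]
AFTER = [
    AggregateTask("Hash analysis", 120000, 45200, 601.0),
    AggregateTask("Signature analysis", 120000, 120000, 300.0),
    AggregateTask("Expand compound files", 400, 10, 1501.0),
]

# Constructed bottom half: 14 worker threads, one stuck on a large PST.
_SHORT = [0.4, 0.9, 1.2, 1.5, 0.7, 2.1, 1.1, 0.3, 1.8, 0.6, 1.4, 2.6, 0.8]
WORKERS = [WorkerRow(i, "Hash analysis", f"doc{i}.pdf", e)
           for i, e in enumerate(_SHORT)] + [
    WorkerRow(13, "Expand compound files", "archive.pst", 900.0),
]


if __name__ == "__main__":
    for key, value in report(BEFORE, AFTER, WORKERS).items():
        print(f"{key}: {value}")
```

In the constructed data, hash analysis is moving at 200 items/s with roughly six minutes left, signature analysis is finished, and compound-file expansion has the largest elapsed time but shows no progress between the two samples, so no ETA can be given; the bottom half then points at the one thread that has spent fifteen minutes on a single archive. That is the reading the tab is meant to support: aggregate elapsed time tells you which task to look at, and the per-thread rows tell you what it is doing.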

In the next feature spotlight, we’ll be talking about the third question:

Q: What can I do to speed up the process?
