Skip to main content

Reveal Processing

Processing Large Containers

This article details considerations for ingesting large image and archive containers in the Reveal environment

Temp Space for Image Expansion

Temp space is required for decompressing and mounting forensic images and large archive containers. In Reveal 11 the temp locations for the processing agents have 1.7 TB free (400GB in Reveal 10).

If a forensic image/archive expands such that its size is larger than the allocated temp space, the import will fail.

Recommendations:

  1. Understand the data’s uncompressed size using a forensic or archiving tool.

  2. Use the source software to make a very large image or container into multiple smaller-sized images. We recommend 500GB or less, with 1TB being the upper limit of decompressed content. Overly large imports will take longer to process before review can begin, are more likely to introduce errors, and are generally not good practice.

  3. If in doubt, contact Reveal Support for advice about ingestion.

Multi-Part Image Naming

Reveal handles forensic images with over 99 parts, but only if the naming structure remains numeric (AD1, AD2....AD100, AD101, etc.). Some forensic image tools may create extensions with letters (e.g., E01, E02, … E99, EAA, EAB), which is not currently supported.

Recommendations:

  1. Reveal only handles numeric multi-part file numbering, not hexadecimal or other modes.

  2. If the software uses letters within the extension, then make sure the output is less than 100 parts. This can be done by setting the output size of each part high enough to prevent this.

  3. Reference Reveal Processing Supported File Formats for a list of Archive container types supported by Reveal.

In this section: