Skip to main content

Reveal Processing

Processing Large Containers

This article details considerations for ingesting large image and archive containers in the Reveal environment

Temp Space for Image Expansion

Temp space is required for decompressing and mounting forensic images and large archive containers. In Reveal 11 the temp locations for the processing agents have 1.7 TB free (400GB in Reveal 10).

If a forensic image/archive expands such that its size is larger than the allocated temp space, the import will fail.

Recommendations:

  1. Understand the data’s uncompressed size using a forensic or archiving tool.

  2. Use the source software to split a large image or container into multiple smaller-sized images. We recommend 500GB or less, with 1TB being the upper limit of decompressed content. Overly large imports will take longer to process before review can begin, are more likely to introduce errors, and are generally not good practice.

  3. If in doubt, contact Reveal Support for advice about ingestion.

Reference Reveal Processing Supported File Formats for a list of Archive container types supported by Reveal.

In this section: