You likely have a few different acquisition tools that you consistently use as part of your forensic toolkit. We understand the importance of the tool box approach to generate credible, reliable and repeatable results. Our goal has always been to help you do your job and with the latest Magnet AUTOMATE release, we’re helping you do your job faster by removing the complexity that a tool kit approach introduces into the workflow.
Now, with AUTOMATE 2.2 you can integrate any acquisition tool, including those without a command line interface, into your automated workflows. This means more of your toolkit can be synced together in one platform, saving you even more time and costs by reducing manual intervention by examiners and ensuring more of your forensic equipment is efficiently utilized 24/7.
The simplicity of Watch Folders is that once an image is acquired and appears in the specified “Watch Folder,” the workflow automatically begins processing.
With Watch Folder workflows, you can integrate any acquisition tool even if they don’t have a command line interface without needing to change or rewrite standard operating procedures (SOPs), including:
- Oxygen Forensics
- EnCase Endpoint Investigator
- Tableau TX1 Forensic Imager,
- and more!
Plus, you can always integrate any commercial tool that has a command-line interface and for increased flexibility, you can integrate your own custom scripts (Java and Python.)
How Do You Set up a Watch Folder Workflow?
Now, in the visual workflow builder, you can start with an initial block called “Watch Folder”. This block allows you to configure a file or networked path that points to where your acquisition tool will be saving images, this is the folder that the workflow will always be watching – hence the Watch Folder moniker.
During configuration, you can specify where AUTOMATE should look for relevant case variables, such as case number and evidence numbering, in the file path so that there’s no need to manually enter this information again after you did so in your acquisition tool during set-up.
Importantly, the Watch Folder is the root folder where the workflow is always monitoring for new images, as you can see in this case it is a folder called “Storage”. This is a static folder.
To avoid processing images over the network, you can set the workflow to copy the image to the processing node so that processing occurs locally.
Now that you have a Watch Folder starting block set up, you can easily create the rest of your customized workflow by dragging and dropping in additional elements. Existing integrations such as Magnet AXIOM, ACQUIRE, OUTRIDER and REVIEW, as well as Atola Task Force Imager, Griffeye Analyze (DI Pro Version) and Volatility Memory Forensics Framework, among others, can be synced together to fully automate the imaging and processing of your standard operating procedures.
What Happens to Images Saved in the Wrong Folder?
Sometimes, file path misconfigurations happen during the manual acquisition step – people can make mistakes! AUTOMATE makes it easy to identify if an image was saved to an unexpected folder within the root in a newly added “Pending Cases” tab.
In this tab, you can see when an image lands in the root of the Watch Folder but with missing information. This can happen if the image was saved directly into the root folder, resulting in several missing variables (i.e. case number, evidence number.) This requires that an examiner manually enter missing information before kicking off processing. Fortunately, you don’t need to go into your filesystem to correct the path and variables, you can enter this information right from AUTOMATE’s user interface.
Scale up Your Existing Resources and Processes to Complete Investigations Faster
Watch Folders are a deceptively simple yet powerful way to bring more of your toolkit together into automated workflows. Now, you can automate more of your forensic toolkit, so that you can focus your examiners time where it matters most to unlock your lab’s full capacity and better serve your agency. In fact, your examiners don’t even need to log in to the AUTOMATE platform to kick off a workflow, they start automatically when a Watch Folder workflow detects an image.
Let us help you find efficiencies in your lab with Magnet AUTOMATE. Visit our website at https://www.magnetforensics.com/products/magnet-automate/ and fill out the form to contact us.
We’re also hosting a live webinar on June 24 where you’ll be able to learn more about Watch Folders and to find out how these capabilities can help maximize workflow efficiency and eliminate downtime. Register today!