3.3.9. Add Logical Files and Folders

If you have a folder of files copied from a host, you can import them by using the Logical Files feature. Registry hives and event logs are parsed only if they sit at their usual relative path below the imported folder, that is, at the same location they occupy under the drive root on a live Windows system. For example:

  • The SAM registry hive could be locally stored at c:\cases\case1\host1\windows\system32\config\SAM.

  • You should import the c:\cases\case1\host1 folder, not c:\cases\case1\host1\windows\system32\config, so that the SAM file is at its usual relative path (windows\system32\config\SAM).

All files in the imported folder will be added to the Incident.

Watch the Cyber Triage Basics Course Logical File video on this technique.

To import logical files:

  1. Choose the Logical Files button from the Add New Host screen.

  2. Enter a display name (it can be a host name or more descriptive).

  3. Browse to the folder that contains the logical files (the folder standing in for the drive root) and press Select.

  4. Press Continue to then configure what data types to collect (see Data Collection Types) and malware settings (see Ingest-Time Settings).

../../_images/import_add_logical.jpg

The software will warn you if it cannot find a Windows subfolder within the selected folder, which may indicate that the incorrect folder was specified.
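The following is an added example, not part of the Cyber Triage documentation or product, that performs the same kind of sanity check before an import: it verifies that the chosen folder has a Windows subfolder, that the registry hives and .evtx event logs sit at the standard Windows relative paths (Windows\System32\config and Windows\System32\winevt\Logs; the exact set of paths Cyber Triage parses is not stated on this page, so the list here is an assumption based on the standard Windows layout), and, when a hive is found somewhere deeper in the tree instead, it suggests the folder that should have been selected. The function names, the `demo()` helper and the sample folder tree it builds in a temporary directory are all constructed for this example.

```python
import os
import tempfile
from pathlib import Path

# Artifacts expected at their usual relative path below the imported folder.
# Assumption for this example: standard Windows layout, not a list from Cyber Triage.
EXPECTED_HIVES = {
    "SAM": "Windows/System32/config/SAM",
    "SYSTEM": "Windows/System32/config/SYSTEM",
    "SOFTWARE": "Windows/System32/config/SOFTWARE",
    "SECURITY": "Windows/System32/config/SECURITY",
}
EVENT_LOG_DIR = "Windows/System32/winevt/Logs"


def _find_case_insensitive(base, rel):
    """Resolve rel below base ignoring case; copied folders often differ in case."""
    cur = Path(base)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        match = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            return None
        cur = match
    return cur


def check_logical_folder(root):
    """Report what a Logical Files import of `root` would find at the expected paths."""
    root = Path(root)
    result = {"has_windows_dir": False, "hives": {}, "event_logs": 0, "stray_hives": []}
    windows = _find_case_insensitive(root, "Windows")
    result["has_windows_dir"] = windows is not None and windows.is_dir()
    for name, rel in EXPECTED_HIVES.items():
        p = _find_case_insensitive(root, rel)
        result["hives"][name] = p is not None and p.is_file()
    logs = _find_case_insensitive(root, EVENT_LOG_DIR)
    if logs is not None and logs.is_dir():
        result["event_logs"] = sum(1 for f in logs.iterdir() if f.suffix.lower() == ".evtx")
    # Hives present somewhere in the tree but not at the expected relative path:
    # the usual sign that a folder above or below the host root was selected.
    hive_names = {n.lower() for n in EXPECTED_HIVES}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() in hive_names and not result["hives"][f.upper()]:
                result["stray_hives"].append(Path(dirpath, f).relative_to(root).as_posix())
    return result


def suggest_import_root(root, stray_rel):
    """Given a stray hive path relative to root, return the folder to import instead."""
    parts = Path(stray_rel).parts
    for rel in EXPECTED_HIVES.values():
        tail = Path(rel).parts
        if len(parts) >= len(tail) and tuple(p.lower() for p in parts[-len(tail):]) == tuple(t.lower() for t in tail):
            return Path(root).joinpath(*parts[:-len(tail)]).as_posix()
    return None


def demo():
    """Build a constructed sample case tree and check a wrong and a right import root."""
    base = Path(tempfile.mkdtemp(prefix="ct_logical_"))
    cfg = base / "host1" / "Windows" / "System32" / "config"
    cfg.mkdir(parents=True)
    for hive in ("SAM", "SYSTEM"):          # constructed stand-ins, not real hives
        (cfg / hive).write_bytes(b"regf")
    logs = base / "host1" / "Windows" / "System32" / "winevt" / "Logs"
    logs.mkdir(parents=True)
    for log in ("Security.evtx", "System.evtx"):
        (logs / log).write_bytes(b"ElfFile")
    too_high = check_logical_folder(base)            # selected the case folder, one level too high
    suggestion = suggest_import_root(base, too_high["stray_hives"][0]) if too_high["stray_hives"] else None
    correct = check_logical_folder(base / "host1")   # selected the host folder
    return {"base": base, "too_high": too_high, "suggestion": suggestion, "correct": correct}


if __name__ == "__main__":
    r = demo()
    print("too high:", r["too_high"], "\nsuggest:", r["suggestion"], "\ncorrect:", r["correct"])
```

Run it before pointing the Add New Host screen at a folder: an empty `has_windows_dir` with entries in `stray_hives` means the same warning Cyber Triage would raise, and `suggest_import_root` names the folder to select instead.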