Overview

Typical collection workflow

A typical file collection with Nuix Collector Suite proceeds through four distinct stages:

Stage 1: Configure a file collection, extraction or survey

Run Nuix Collector Wizard to specify:

- which input folders or repositories to search
- which files to collect, extract or survey
- where to save collected/extracted files (unless performing a survey)
- which logs and reports to generate

Stage 2: Perform the file collection, extraction or survey

Run Nuix Collector to perform the collection, extraction or survey:

- First, Nuix Collector "crawls" the specified input folders or evidence file containers, searching for files which match the specified selection criteria.
- Files which meet the selection criteria are copied to the target destination which you configured earlier (unless performing a survey).
- As the crawl and file copying take place, a crawl database is saved. This database stores details regarding the input folders crawled, files collected, file metadata, etc.
- Once processing is complete, any logs and reports you selected earlier are generated from the crawl database.

Stage 3: Review collection/extraction logs and reports

Review the logs and/or reports, taking note of any unanticipated results. If necessary, adjust the selection criteria and rerun the collection.

Stage 4: Review collected/extracted files

Run Nuix Workstation (see note below) or Nuix Collector Evidence Browser to review the collected or extracted file set (unless performing a survey).

Note: Once files are collected or extracted, use Nuix Workstation or other search and analysis products (licensed separately) to search the resulting file set. Nuix Workstation offers native support for the FileSafe evidence file format (as well as several other formats).

Nuix Collector Suite components

Nuix Collector Suite consists of several programs designed for each stage of the collection process:

Nuix Collector Wizard

A Windows program which guides you through the process of specifying a Nuix Collector job. File collection jobs can specify input file locations, file types, date ranges, use of file hash values, etc. Other job types include surveys, extractions, RAM image collection, volatile information collection and disk image collection. All job settings are saved to a "JobFile".

An option in the File menu allows you to launch Nuix Collector to begin processing immediately (unless preparing a portable file collection or disk image collection). Nuix Collector jobs can instead be run at a later time.

Nuix Collector

A Windows program which performs file collections, surveys, extractions, deletions, RAM image collections, and volatile information collections. Nuix Collector loads a JobFile (a file containing settings which is configured using the Nuix Collector Wizard, described above). Once the JobFile is loaded, Nuix Collector begins processing the job as defined in the JobFile. Nuix Collector also generates any logs or reports specified in the JobFile.

Nuix Collector can be run via a shortcut, command window or a script. For command-line switches, see topic Nuix Collector Command-Line Parameters.

Nuix Portable Collector

Portable Collector can run on remote PCs -- including Windows, Linux and macOS computers -- which are inaccessible from the local network, such as remote office PCs, home PCs, and PCs in the field. The program performs file collections, surveys, extractions, deletions, RAM image collections*, volatile information collections and disk image collections*. Portable Collector can also run on PCs within your main office – it can collect files from local volumes on Windows computers even if the files are open.

* see Note, below.

Portable Collector jobs are prepared using the Collector Wizard, which must be run from a Windows computer licensed to run Nuix Collector Suite with a Portable Collector license. The Wizard copies the Portable Collector program, JobFile and related files onto a "portable collection device" or a "portable disk imaging device", such as an external hard drive, USB flash drive, or network share. Once prepared, Portable Collector can be launched from the portable collection device on Windows, Linux and macOS computers.

For collection at remote sites, an external drive is typically prepared and then shipped to the remote location. Once plugged into the target PC, the Portable Collector program can be launched immediately – no software installation is required. Files or disk images from the target PC or network shares are collected; collected files are saved to an encrypted FileSafe file (usually on the same external drive holding Portable Collector).

Portable Collector can run from unlicensed computers; however, any files collected are stored in a FileSafe, which can only be processed on a computer licensed to run Nuix Collector Suite, Nuix Workstation or another Nuix product.

Note: RAM image collections and disk image collections are not supported on macOS 10.13 and newer.

Nuix Collector Evidence Browser

A Windows program for reviewing the contents of an evidence file, such as a FileSafe file. You can extract individual files from a FileSafe or other evidence file using Evidence Browser.

Evidence Browser can also be used as a lightweight tool for reviewing small native file collections, and for performing ad-hoc collections of smaller file sets.

Nuix Collector Suite utilities

The following utilities are included with Nuix Collector Suite:

Report Generator

A Windows program which generates log files or reports from previous collections or extractions.

Verify FileSafe

A Windows program which verifies the integrity of FileSafe evidence files and reports any corruption including the files that are affected.

Create JobFile

A Windows program which creates an encrypted JobFile, by making an encrypted copy of a non-encrypted JobFile. JobFiles are commonly encrypted to keep any login credentials within the JobFile more secure. The encrypted JobFile can be executed by Nuix Collector or Nuix Portable Collector.

Extract JobFile

A Windows program which extracts a copy of a JobFile from a FileSafe. This JobFile is a copy of the original JobFile used to create the FileSafe. The JobFile can then be examined, e.g. to determine the collection's log directory.

The Extract JobFile utility can also decrypt an encrypted JobFile, so it can be modified with a text editor.

Additional utilities

Nuix Evidence Mover

A Windows program which moves collected files from one location to another in a forensically-sound manner. Nuix Evidence Mover is available for download from https://www.nuix.com/nuix-evidence-mover at no additional cost.

Job types

Nuix Collector supports the following types of jobs:

| Job type | Description | Licenses required |
| --- | --- | --- |
| Network / Local Collection | Collect files on network shares and/or local volumes from a Windows PC. Optionally capture volatile information and the contents of RAM. | Nuix Network Collector license |
| Portable Collection | Collect files on network shares and/or local volumes from a Windows, Linux or macOS PC in a remote location. Optionally capture volatile information and the contents of RAM. Collect a physical disk image or logical volume image from a local drive. Can be launched from an External Hard Disk. Can be launched from a Network Share, except for disk/volume image collections. | Nuix Portable Collector license |
| SharePoint Collection | Collect content from a SharePoint server. | Nuix SharePoint Collector license |
| Extraction from an Evidence File | Copy files contained within certain evidence files or image files. These files can be saved as native files or as a FileSafe. | One of the above three licenses |
| Network / Local Deletion | Delete files on network shares and/or local volumes. Optionally collect the files prior to deleting them. | Nuix Network Collector license |
| Portable Deletion | Delete files on network shares and/or local volumes from a PC in a remote location. Optionally collect the files prior to deleting them. Can be launched from an External Hard Disk. Can be launched from a Network Share. | Nuix Portable Collector license |

Survey mode

All file collections, extractions and deletions can be executed in Survey Mode. In this mode, folders are crawled, files are selected, reports and logs are generated – but no actual file copying, extraction or deletion takes place.

Survey Mode allows you to test which files will be selected for processing. It can help you to verify and refine Nuix Collector JobFile settings before performing an actual job.

Programs and job types

| Job type | Nuix Collector (run directly or via Collector Wizard) | Portable Collector | Evidence Browser |
| --- | --- | --- | --- |
| Network/Local Collection (or Survey) of Files | Yes | No | Yes (limited*) |
| Portable Collection (or Survey) of Files | No | Yes | No |
| Disk Image Collection | No | Yes | No |
| SharePoint Collection (or Survey) of Files and Pages | Yes | No | No |
| Evidence File Extraction or Survey | Yes | No | Yes (limited*) |
| Network/Local Deletion or Survey | Yes | No | No |
| Portable Deletion or Survey | No | Yes | No |
| Volatile Information Collection and RAM Capture | Yes | Yes | No |

*Evidence Browser is capable of crawling input folders with a limited number of files and subfolders. Folder trees larger than 100,000 items are best processed using Nuix Collector or Portable Collector.

FileSafe files

The results of a Nuix Collector file collection or extraction can be saved to a FileSafe logical evidence file container. FileSafe files contain copies of the collected files, as well as metadata and hash information for post-collection validation. FileSafe files also contain a copy of the JobFile which was used to create them.

FileSafe files have the following qualities:

Once a FileSafe has been written it remains read-only from then on.

Items within a FileSafe can be extracted out as pristine native copies for processing or review, using Collector Wizard and/or Nuix Collector. FileSafe Items can also be extracted or viewed using Nuix Collector Evidence Browser, which features a Windows Explorer-like interface.

Nuix search and analysis products (licensed separately) can search the contents of a FileSafe. No extraction is required when using these products.

The standard filename extension for a FileSafe is .MFS01. A single FileSafe may be spanned across multiple file segments; for details, see topic Spanned FileSafe File Sets.

FileSafe files are Nuix Collector's standard evidence file container. For more information, see topic Supported Evidence File Formats.

The contents of a FileSafe are encrypted, so the contents cannot be discerned by examining the FileSafe with a hex editor or similar tool. In older versions of Nuix Collector, FileSafe encryption was optional, but beginning with Collector version 7.4, all new FileSafe files are encrypted.

Spanned FileSafe file sets

A single FileSafe can span multiple FileSafe segment files, each named with a sequentially numbered extension, i.e. .MFS01, .MFS02, .MFS03, etc. This allows large collections to be saved even if the underlying file system imposes a restrictive per-file size limit. The maximum size of each file in the FileSafe set can be configured.

Common scenarios for spanning a FileSafe include:

Saving larger collections onto FAT32-formatted external hard disks.

Saving collections for later copying to removable media, such as CD and DVD media using ISO 9660 and Joliet file systems.

For example, a FileSafe containing 5 GB of collected files and saved onto a FAT32-formatted volume would typically be spanned into multiple "segments", each no more than 2 GB, resulting in a set of three FileSafe segment files, as follows:

| Filename/Segment | Size |
| --- | --- |
| SampleCollection.mfs01 | 2 GB |
| SampleCollection.mfs02 | 2 GB |
| SampleCollection.mfs03 | 1 GB |

When accessing a FileSafe using Nuix Collector, Evidence Browser or other FileSafe-compatible programs, you generally open only the first file (with the .mfs01 extension). The application will automatically open the secondary segment files as needed – provided they reside in the same folder as the first segment file.
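The naming and same-folder rules for spanned sets lend themselves to a check before a collection is copied or shipped. The following Python script is an added example, not part of Nuix Collector Suite or its documentation: it groups segment files by base name, reports gaps in the numbering, and records a SHA-256 hash of each segment for a custody log. The function names, the hashing step and the assumption that segment numbers simply count upward are this example's own.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Segment naming from this page: .MFS01, .MFS02, ... (assumed to keep counting upward).
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.mfs(?P<num>\d+)$", re.IGNORECASE)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a segment in chunks so multi-gigabyte files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_filesafe_sets(folder):
    """Return {base name: {"segments": [(n, filename, sha256)], "missing": [n, ...]}}."""
    found = defaultdict(dict)
    for entry in Path(folder).iterdir():
        match = SEGMENT_RE.match(entry.name)
        if entry.is_file() and match:
            found[match["base"].lower()][int(match["num"])] = entry
    report = {}
    for base, segments in found.items():
        highest = max(segments)
        # Segment 1 is the file you open; all numbers up to the highest must sit beside it.
        missing = [n for n in range(1, highest + 1) if n not in segments]
        report[base] = {
            "segments": [(n, segments[n].name, sha256_file(segments[n]))
                         for n in sorted(segments)],
            "missing": missing,
        }
    return report


def build_sample_set(folder, present=(1, 2, 3)):
    """Constructed sample data: tiny placeholder files, not real FileSafe content."""
    for n in present:
        Path(folder, f"SampleCollection.mfs{n:02d}").write_bytes(b"segment %d" % n)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_set(tmp, present=(1, 3))  # .mfs02 left behind during copying
        print(audit_filesafe_sets(tmp)["samplecollection"]["missing"])
```

A missing final segment cannot be detected from file names alone, so compare the segment count and hashes against a record made when the collection was written. Integrity of the FileSafe contents themselves is what the Verify FileSafe utility checks.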

Supported Evidence File Formats

Nuix Collector provides native support for numerous evidence file formats, including:

| Evidence/Image file type | Filename extension | Vendor |
| --- | --- | --- |
| FileSafe | .MFS01 | Nuix* |
| EnCase Logical Evidence Files | .L01 | Guidance Software |

*FileSafe files from older editions of Nuix Collector are also supported.

Disk images saved with Nuix Collector Portable can be saved as .E01 files or as DD raw image files. These disk images can be processed in Nuix Workbench and other Nuix search and analysis products (licensed separately). In addition, these image files can be processed by other commercial and open source tools.

Other container file formats

Nuix Collector can retrieve files stored within certain kinds of container files, such as ZIP files, PST and OST files. This requires configuring a file collection using advanced keywords (i.e. a full-text search). For details see topic Keyword.

Note: ECC Client installers are available with and without the advanced search feature.

Only those ECC Clients which include the advanced search feature can perform advanced searches and collect files from within ZIP files and other container files. When installing ECC Client, be sure to use an installer which includes the search capability if you need to perform these kinds of collections.

Nuix Workstation (licensed separately) can search within container files and extract relevant items from them. So collections which are performed with the simpler ECC Client can be processed with Nuix Workstation to obtain this data. Contact your Nuix account representative for details.