Appendix A: Glossary
Active Directory
A directory service designed by Microsoft in which Windows servers acting as Domain Controllers provide a central system for managing user accounts, security groups, computers, printers and other members of the network (referred to as the "domain"). Active Directory Domain Controllers typically provide networking services such as DNS, WINS (NetBIOS name resolution), DHCP, etc. Active Directory can be accessed via LDAP.
See also: Domain, Domain Controller, Workgroup
Administrator
See Collection Administrator
See Systems Administrator
See Local Administrator
Administration Console
A Collection Center component, installed on one or more computers (typically on a small number of systems), allowing Collection Administrators to set up, manage and monitor the ECC system. Using Administration Console, a Collection Administrator can manage the Collection process for the entire organization. The following ECC entities can be configured via Admin Console:
Entities | Description
Cases | A name associated with one or more Collections.
Collections | A Collection defines one or more jobs which can be run from a computer where ECC Client is installed. Collections consist of file collection Targets, file selection Criteria, Destination paths and scheduling information.
Targets | File locations to be processed (e.g. copied to a Destination).
Custodians | People or entities responsible for files at specific Targets.
Groups | Sets of Custodians. By selecting individual Custodians or Groups of Custodians, you can quickly select the Targets associated with those Custodians or Groups.
Criteria | Filename patterns, file content types and date ranges used to restrict the files being processed.
Destinations | File locations where collected files are stored.
Schedules | Allow Collection Runs to occur at specific dates and times.
Note: Each of the above terms has its own Glossary entry containing more details.
Case
Each Case may represent a separate legal matter, a phase of litigation, or other collection project. An organization may have only a single Case, or numerous Cases. Each Collection is associated with one Case, so Cases are used to organize Collections for different projects.
Client
ECC Client is a Collection Center component, installed on several computers (typically on a large number of systems), which will execute Collections that were set up via Administration Console.
ECC Client gathers files from local hard disks or accessible network shares. It can also run the other kinds of ECC collection tasks, such as disk image collection, RAM capture, network packet capture, SharePoint collection, launching commands, file deployments, etc.
See also: Worker PC
Collection
A specification for processing files or running a program or script, using one or more ECC Client computers to perform the actual processing.
Collections can be one of the following types:
Type | Description
Collect | Copies files meeting the selection criteria from one or more Target locations. The copies are saved at the specified Destination as raw files or packed within a FileSafe file. Original files in each Target location are left unaltered by collection activity.
Collect and Delete | Moves files from the Target locations to the Destination. First the files which meet the selection criteria are collected and saved at the specified Destination, then the original files are deleted.
Delete | Deletes files meeting the specified selection criteria from the specified Target locations.
Survey | Lists files meeting the specified selection criteria and residing in the specified Target locations. File listings include metadata such as creation date, MD5 hash value, etc.
Launch Command | Executes the specified non-interactive program or script on the computer associated with each selected Target.
Both the data locations and the ECC Client computers are specified by one or more Target selections. Collections also specify the file selection Criteria, the Destination path to save collected files to (for certain collection types), and a start time.
Each Collection belongs to a specific Case. A Case may have multiple Collections, e.g. a Collection from all executives' computers, another Collection from all managers' computers, a third Collection from non-managerial staff, and a fourth from server files. Collections can also be distinct because they use different file selection criteria, such as a file modification date range or file specification patterns.
Before a Collection can be created, ECC Client must be installed on one or more computers on the network, and Custodians and their associated Targets must be added via ECC Administrative Console.
See also: Target, Selection Criteria, Job XML Template, Job, JobFile, Survey Only Collection
Collection Administrator
A designated staff member with authorization to manage the Collection process using the ECC Administration Console. Collection Center permits multiple Collection administrators; ECC Administration Console may be installed on multiple computers.
Collection administrators typically coordinate with senior management and computer systems administrators to:
Obtain authorization and access to workstation and server computers across the organization, as needed
Oversee or conduct the installation of ECC Server, ECC Administration Console and ECC Client
Oversee or conduct the export of mailbox and public folder data stores from Microsoft Exchange Server to PST files
Collection administrators typically coordinate with the legal team and/or with project managers involved in the file collection project to:
Set up Cases, designate Custodians and the file locations (Targets) those Custodians utilize, establish Groups of Custodians, and to configure Destinations and Schedules for individual Collection runs. All these tasks are accomplished through the Administration Console.
Collection Configuration
A named bundle of settings, used as a template for creating new Collections quickly. A Collection Configuration can include any of the fields available in the first four pages of the New Collection Wizard, as well as the name of the underlying Job XML Template from the fifth page of the Wizard.
Crawl
The process by which a running Collection searches through various Targets (file locations) to gather files. The crawl process notes each file and sub-folder to be processed, along with statistics such as the total number of files and total bytes.
A Survey Collection can crawl drives, folders and network shares to generate logs of what would be processed – without actually processing any files.
See also: Crawl Database, Survey Only Collection
Crawl Database
A database, consisting of two files, created by ECC Client and saved in the Logs sub-folder for each Target:
Destination Folder\{Case Name}\{Collection Name}\{Custodian Name}\{Target Name}\Logs
The database contains the list of files and folders detected during the Collection's crawl process, along with statistics such as the total number of files and total bytes to be processed.
The database also stores log entries which record the status of the full collection process, including a list of files successfully processed, the total number of files and total bytes processed, plus any errors or warnings that occurred.
The \Logs folder and the database files within it should be retained for as long as necessary, according to your organization's policies.
See also: Crawl, Examining Collection Logs & Reports
Custodian
People or entities responsible for files at specific Targets. Custodians are typically specific managers and staff who keep files relevant to a Case.
Once the organization's Custodians and their specific Targets are entered into the system, it is very easy to select the files to be processed in a given Collection run.
Destination
A folder or network share where collected files are stored, and the format in which the files will be saved. The Destination can be a folder on a portable hard disk but is more often a network share on a server volume, NAS device or SAN device.
Care must be taken to specify Destinations with sufficient free disk space to store the collected files. If multiple Collections will store files at Destinations residing on the same physical disk or array, take care to:
Ensure free disk space is sufficient to store files from all the Collections.
Ensure Collections are scheduled to run in a staggered fashion, if necessary, so that disk I/O at the Destination does not become a performance bottleneck.
See also: Destination Type, FileSafe, Native Files, HTML
Destination Type
The kind of files that a Collection will save at the specified Destination.
Destination Types (formats) include:
Type | Description
Native Files | Copies of the original files
FileSafe | An evidence file format, containing multiple files and folders with metadata intact
HTML | For storing files collected from SharePoint servers
See also: Destination, FileSafe, Native Files, HTML
Disk Image Collection
A complete copy of a logical volume or an entire physical disk. Disk images include all the readable data for the volume or disk, including any unallocated sectors (which can contain the content of deleted files).
Because disk images are much larger than a "targeted file collection", they take more time to capture and transmit, and more disk space to store. Furthermore, more time and disk space are required for disk images when performing any subsequent indexing and searching of the data (using a program such as Nuix Workstation™, licensed separately). For these reasons, disk images are generally used only for critical matters such as criminal investigations, or when mandated by a court order.
See also: Physical Disk, Logical Volume, Targeted File Collection
Domain
A private Active Directory network which may include computers, printers, users, groups and organizational units across one or more connected local area networks. A domain can also refer to a top-level domain registered in the Internet's public Domain Name System (DNS), such as google.com.
See also: Active Directory, Domain Controller, Domain Name, Workgroup
Domain Controller
A server on an Active Directory network responsible for the network directory of users, security groups, computers, printers, etc. Such servers typically run Microsoft Windows Server 2008 or newer. Each new version of Windows Server has come with a new version of Active Directory.
When a domain user logs into a computer that is a member of the domain, their login is authenticated by a Domain Controller. Login scripts for Active Directory domains generally live on a domain controller.
See also: Active Directory, Domain, Domain Name, Workgroup
Domain Name
The name of the private Active Directory domain. This is typically a single word, e.g. MYDOMAIN; however, domain names may end in a suffix, such as MYDOMAIN.org, MYDOMAIN.com, or MYDOMAIN.net.
User IDs are sometimes prefixed with the Domain Name and a backslash, e.g. MYDOMAIN\MyUser, to distinguish domain User IDs from local User IDs.
Domain names can also refer to public domains registered in the Internet's public Domain Name System (DNS), such as google.com.
Computers on the domain are identified by their computer hostname together with the domain name and domain suffix, e.g. mycomputer.mydomain.org. Such names are referred to as Fully Qualified Domain Names, and appear in URLs such as https://mycomputer.mydomain.org:9443. IP address resolution is handled by DNS and the hosts file.
See also: Domain, Workgroup
EFS
Encrypting File System: On PCs running Microsoft Windows 2000 or newer, folders and files on NTFS-formatted volumes can be EFS-encrypted from Windows Explorer. EFS-encrypted files can only be decrypted while logged in as (1) the user who performed the encryption, or (2) a user who is a designated Data Recovery Agent (the DRA user must have been designated a DRA prior to the time the files were originally encrypted).
ECC Client can collect EFS-encrypted files by running a process under the same credentials as the user who encrypted the files. The collected files are saved in unencrypted form at the Collection's specified Destination.
File Collection
A type of Collection where files in specified Target data locations are crawled (i.e. listed) and then copied to a specific Destination path.
See also: Job XML Template, Survey Only, Crawl
FileSafe
An evidence file format which preserves files and metadata information in a forensically sound manner. FileSafes can span multiple files to break up large Collections into manageable pieces.
FileSafe files can be accessed and searched using Nuix Workstation™ and certain other Nuix eDiscovery applications. The files and folders contained within a FileSafe can be extracted using utilities included in Nuix Collector™.
See also: Native Files
Group
A set of Custodians. Example Groups include Executives, Managers, Legal Department, Sales Department, or other management and staff Groupings.
Establishing Groups is optional but makes it easier to select the files to be processed.
Job
A Job is a task which runs on an ECC Client computer to perform the collection of files.
When a new Collection is added in ECC Administration Console, multiple JobFiles – one for each Target included in the Collection – are saved on the ECC Server.
Each JobFile, in turn, will be retrieved by an ECC Client computer, which will execute a new file collection job, using the parameters in the JobFile.
Job status can be viewed in ECC Administration Console, by clicking the Cases and Collections panel, then selecting a Case or Collection to reveal the Custodian, Target and Job lists. Jobs can be paused, cancelled and restarted.
JobFile
A JobFile defines the parameters for running a collection job, including:
the Type of Collection: Collect, Survey, Delete, Launch, etc.
the ECC Client to run the job (derived from one target selection within the collection)
the Target data locations to collect (derived from one target selection within the collection)
the destination path to save collected files to (for Collect-tasks only)
the file selection criteria (derived from the collection)
the scheduled start time (derived from the collection)
additional collection parameters (derived from the Job XML Template, which can be edited to adjust the behavior of jobs)
JobFiles are created whenever a new Collection is added. In ECC Administration Console, the final screen of the New Collection Wizard displays each of the JobFiles in the new Collection (one JobFile per Target).
Once a new Collection is submitted, each JobFile within the Collection is saved on the ECC Server, to be "picked up" by the associated ECC Client computer. Each ECC Client computer which receives a new JobFile will then run the job immediately or at the scheduled time using the parameters in the new JobFile.
Job XML Template
A file containing additional JobFile settings. These settings supplement the settings on the first four pages of the New Collection Wizard. A particular Job XML Template can be selected from the last page of the New Collection Wizard (which also allows adding, editing and deleting Job XML Templates).
Configuration options for JobFiles and Job XML Templates are documented in the Nuix Collector and ECC JobFile Reference. Please contact Nuix Technical Support for assistance with editing JobFiles or Job XML Templates.
Local Administrator
On a Windows PC, a user who is a member of the local security Group 'Administrators'. Such users typically have access to every folder and file on the system and can install and uninstall applications.
Logical Volume
A portion of the storage space on a physical disk which is treated as a distinct disk volume by the operating system. A logical volume can consist of one or more disk partitions. Nuix ECC supports disk image collections from logical volumes, as well as physical disk image collections.
See also: Physical Disk, Disk Imaging Collection
Mapped Drive Letter
A computer may "map" a shared folder residing on another computer and assign that shared folder to a drive letter, e.g. the UNC path \\myserver\myshare can be "mapped" to drive letter M: and subsequently referred to as M:.
Collection Center does not support collecting from paths with mapped drive letters. Specify the corresponding UNC path (and user account credentials) when configuring a Target Location to collect from a network share.
Note: Mapped drive letters may be associated with a particular user's Active Directory profile or network login script. Users can also manually establish drive letter mappings to shared folders.
Mapped drive letters are arbitrary – one user's mapped S: drive may point to a different shared folder than another user's S: drive.
Mapping a shared folder to a drive letter is typically done as a convenience, so the shared folder can be referred to in a concise manner. However, it may be necessary to map a drive letter to allow certain programs that lack UNC path support to be able to access files and folders on a shared folder.
Metadata
Data associated with a data file or record. For example, Creation Date is a property of a file or folder stored on an NTFS volume. Such data is stored in the file allocation table of the volume where the file resides, rather than directly in the file. There are numerous other properties for files and folders.
Metadata can also exist within a file, for example, a Microsoft Word document may track Author, Company Name, number of revisions, last modification date and other details. Such data is not presented to the user directly (although Word can reveal most of the metadata it stores in a document). Metadata can also include the full path to the file, previous edits and revision marks – even text deleted in previous sessions.
Native Files
Copies of original files. A Collection can save files collected from its Targets as either Native Files, or as a FileSafe.
See also: FileSafe
Network Capture
A type of ECC collection job which collects copies of network packets from computers running ECC Client. Such packets can be analyzed for network security or performance purposes.
See also: Network Packet, pcap file
Network Packet
A formatted unit of data carried by a TCP/IP-based network, enabling communication between devices on the network.
See also: Network Capture, pcap file
Owner
Each file and folder on a Windows NTFS partition has an "owner", which is a specific User ID or Security Group on the Active Directory domain or local computer. Future versions of Collection Center will allow Collections to be configured to gather files and folders based on their ownership.
See also: Custodian, Owner SID
Owner SID
The Windows Security Identifier used to identify the owner of a file or folder on an NTFS volume.
See also: SID
pcap file
A file containing copies of network packets which were captured from a particular computer. The pcap file format is supported by Wireshark and a number of other packet analysis programs. Refer to the Wikipedia English article on pcap for more information.
Physical Disk
A traditional hard disk, SSD disk, flash drive or other device. When selecting a physical disk as the source for a disk imaging job, all the readable data on the physical disk will be saved within a disk image file. If the physical disk contains multiple logical volumes, data from all these volumes will be saved in the resulting disk image file.
See also: Logical Volume, Disk Imaging Collection
Promiscuous Mode
A mode in which the computer's network adapter can process all the network packets which reach the adapter, regardless of the device the packets are addressed to. Normally, Promiscuous Mode is disabled and the network adapter only listens for network packets that are specifically addressed to the adapter. Promiscuous Mode is effective only for computers connected to a network hub. Network switches isolate each network adapter from packets that are addressed to other network devices, limiting the usefulness of Promiscuous Mode.
RAM Capture
An image of the system memory of a computer running ECC Client. The resulting "dump file" can be processed with various tools.
See also: Volatile Information
Run
A specific execution of a Collection, spawning one Collection Job for each Target in the Collection. Past, present and future (scheduled) Collection Runs can be viewed and managed via the Administration Console.
Samba
A set of software tools which allow Macintosh OS X and Linux computers to share folders on a network, in a manner where Windows PCs can access the files. Samba also includes Rsync – a utility for copying files and folders across a network and across computer platforms.
Selection Criteria
A specification for refining which files will be gathered from all the Targets in a Collection. Criteria include:
Filename extensions, such as ".doc, .docx, .xls, .xlsx, .pdf"
File content types
Date ranges for file metadata, including Creation Date, Last Modification Date and Last Access Date
Multiple date ranges can be combined, e.g. Created June 6 2021 through August 19 2021 AND Last Modified September 5 2021 through October 24 2021
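The Selection Criteria above, and the Survey listing described under Collection types, as an added example that is not Nuix ECC code: it applies an extension list and ANDed date ranges to constructed file records and produces a Survey-style listing with MD5 hashes (the record layout, criteria structure and function names are assumptions for illustration).

```python
# Added example (not Nuix ECC code): evaluates Selection Criteria of the kinds
# listed in the glossary against constructed file records and produces a
# Survey-style listing (metadata plus MD5, no file content copied).
import hashlib
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample "files": path, metadata dates and content bytes.
SAMPLE_FILES = [
    {"path": r"C:\Users\alice\Documents\budget.xlsx",
     "created": datetime(2021, 6, 10), "modified": datetime(2021, 9, 20),
     "accessed": datetime(2021, 10, 1), "content": b"budget data"},
    {"path": r"C:\Users\alice\Documents\notes.txt",
     "created": datetime(2021, 6, 10), "modified": datetime(2021, 9, 20),
     "accessed": datetime(2021, 10, 1), "content": b"plain notes"},
    {"path": r"C:\Users\alice\Documents\old-plan.docx",
     "created": datetime(2020, 1, 5), "modified": datetime(2021, 9, 20),
     "accessed": datetime(2021, 10, 1), "content": b"old plan"},
    {"path": r"C:\Users\alice\Desktop\contract.pdf",
     "created": datetime(2021, 7, 1), "modified": datetime(2021, 11, 2),
     "accessed": datetime(2021, 11, 3), "content": b"%PDF-1.4 contract"},
]

# Criteria mirroring the glossary example: an extension list plus two date
# ranges that are ANDed. Each range is (metadata field, start, end), inclusive.
CRITERIA = {
    "extensions": {".doc", ".docx", ".xls", ".xlsx", ".pdf"},
    "date_ranges": [
        ("created", datetime(2021, 6, 6), datetime(2021, 8, 19)),
        ("modified", datetime(2021, 9, 5), datetime(2021, 10, 24)),
    ],
}


def matches_criteria(record, criteria):
    """Return True when the record satisfies every criterion (AND semantics)."""
    ext = PureWindowsPath(record["path"]).suffix.lower()
    if criteria.get("extensions") and ext not in criteria["extensions"]:
        return False
    for field, start, end in criteria.get("date_ranges", []):
        if not (start <= record[field] <= end):
            return False
    return True


def survey(records, criteria):
    """Survey-style listing: one row of metadata per matching file."""
    listing = []
    for rec in records:
        if not matches_criteria(rec, criteria):
            continue
        listing.append({
            "path": rec["path"],
            "created": rec["created"].isoformat(),
            "modified": rec["modified"].isoformat(),
            "size": len(rec["content"]),
            "md5": hashlib.md5(rec["content"]).hexdigest(),
        })
    return listing


if __name__ == "__main__":
    for row in survey(SAMPLE_FILES, CRITERIA):
        print(row)
```

Only budget.xlsx satisfies both the extension list and both date ranges; dropping the date ranges admits the three Office/PDF files.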
Server
ECC Server acts as a hub to coordinate Collection activity among all ECC Clients and any ECC Administration Console computers. The Server also stores the Case, Collection, Custodian, Target and Destination configuration data, as well as log files and statistics for previous Collection runs. The Server typically does not serve as a Destination to store collected data.
ECC Server is usually installed on a single server dedicated to the role of coordinating collections. This component runs as a Java-based service or daemon.
When an administrator runs Administration Console, the data they see is being read from (and stored to) the Server.
When ECC Client is running on a computer, it communicates with the Server frequently to:
Check whether any scheduled Collection Jobs need to be run
Report Collection progress to the Server while a Collection is actively running on the Client
SID
Security Identifier: a unique alphanumeric character sequence used to identify a Windows user or a group of users.
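As an added example that is not Nuix ECC code, the following parses a SID string such as the Owner SID of a file into its revision, identifier authority and sub-authorities, and distinguishes a domain or local-machine account SID (S-1-5-21-...) from a well-known one (function names and the sample SID values are constructed for illustration).

```python
# Added example (not Nuix ECC code): parses Windows SID strings and labels
# well-known SIDs and RIDs from Microsoft's documented list (a subset only).
import re

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Relative identifiers that are the same in every domain.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
}


def parse_sid(sid):
    """Split 'S-R-IA-SA1-...-SAn' into revision, authority and sub-authorities."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    revision, authority, subs = m.groups()
    return {
        "revision": int(revision),
        "authority": int(authority),
        "subauthorities": [int(s) for s in subs.strip("-").split("-")],
    }


def describe_sid(sid):
    """Return (kind, label, rid); kind is 'well-known', 'domain' or 'other'."""
    if sid in WELL_KNOWN_SIDS:
        return "well-known", WELL_KNOWN_SIDS[sid], None
    parts = parse_sid(sid)
    subs = parts["subauthorities"]
    # Domain and local-machine account SIDs have the form S-1-5-21-X-Y-Z-RID:
    # the three middle values identify the domain, the last is the RID.
    if parts["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        label = WELL_KNOWN_DOMAIN_RIDS.get(rid, "user or group RID %d" % rid)
        return "domain", label, rid
    return "other", sid, subs[-1]


if __name__ == "__main__":
    # Constructed sample owner SID; the domain part is not a real domain.
    print(describe_sid("S-1-5-21-1004336348-1177238915-682003330-500"))
```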
Survey Only Collection
A type of Collection which crawls its targets (finding sub-folders and files) and generates log files but does not collect any files.
The purpose of Survey Only collections is to gather file lists and statistics.
See also: Job XML Template, File Collection, Crawl
Systems Administrator
A staff member who has administrative rights to most or all the computers, user accounts, networks and shares within an organization.
When installing Collection Center and setting up Collection Targets, a Systems Administrator's participation is typically required to:
Prepare a server computer to host the ECC Server component.
Install ECC Administration Console on one or more computers.
Create a connection profile to the ECC Server, and embed this profile into ECC Client installation packages.
Deploy ECC Client to multiple computers throughout the organization, using previously modified ECC Client installers. This deployment involves installing ECC Client as a service or background task, accompanied by a Server Connection profile. These installations can occur:
Manually on each computer
Silently, via a script launched from a network login script
Silently, via Group Policy on an Active Directory Domain
Configure settings on the ECC Server, including email notification settings and client polling options.
Administer Collection Center, including:
Scheduling and monitoring backups of Server data
Scheduling and monitoring backups of collected files
Purging server log files
Updating server passwords and deploying new server connection profiles
Target
A Target defines:
one or more data locations (paths) to collect
the credentials needed to access each data location
the name of the ECC Client computer which will collect files from these data locations
Target types include:
Local volumes (every folder on each local volume)
Network shares (including all subfolders of the shared folder)
Specific folders within selected local volumes or network shares
A SharePoint Server URL
The ECC Client computer used to perform the collection could be the same computer where the files reside, or it could be a separate Worker PC.
Targets do not define: where collected files will be saved, which file selection criteria will limit the types of files collected, nor when a collection will occur. Such details are defined by a Collection.
See also: Collection, Selection Criteria, Destination, Worker PC
UNC
Universal Naming Convention: a way to specify a file or folder residing on a particular computer. UNC names begin with two backslashes, followed by a hostname, another backslash, and a share name corresponding to a shared folder or volume.
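The UNC form just described, together with the rule under Mapped Drive Letter that Targets must use a UNC path rather than a mapped drive letter, as an added example that is not Nuix ECC code: it splits a UNC path into host, share and sub-path, classifies a candidate Target path, and rewrites a mapped-drive path into UNC form using a constructed mapping table (function names and the table are assumptions).

```python
# Added example (not Nuix ECC code): UNC path parsing and Target path checks.
import re

# \\hostname\share[\sub\path]; the host may be a NetBIOS name, FQDN or IP.
_UNC_RE = re.compile(r"^\\\\([^\\/]+)\\([^\\/]+)(?:\\(.*))?$")
# Drive-letter paths such as M: or C:\Users
_DRIVE_RE = re.compile(r"^([A-Za-z]):(?:\\(.*))?$")

# Constructed example of one user's drive-letter mappings. On a real computer
# this table would come from the user's profile or login script.
MAPPED_DRIVES = {"M": r"\\myserver\myshare", "S": r"\\fileserver\sales"}


def parse_unc(path):
    """Return (host, share, subpath) for a UNC path, or None if not UNC."""
    m = _UNC_RE.match(path)
    if not m:
        return None
    host, share, sub = m.groups()
    return host, share, sub or ""


def classify_target_path(path, mapped_drives):
    """Classify a candidate Target path as 'unc', 'mapped_drive' (not supported
    by Collection Center), 'local_volume' or 'invalid'."""
    if parse_unc(path):
        return "unc"
    m = _DRIVE_RE.match(path)
    if m:
        if m.group(1).upper() in mapped_drives:
            return "mapped_drive"
        return "local_volume"
    return "invalid"


def to_unc(path, mapped_drives):
    """Rewrite a mapped-drive path into the UNC form a network-share Target
    requires; paths that are not mapped-drive paths are returned unchanged."""
    m = _DRIVE_RE.match(path)
    if not m or m.group(1).upper() not in mapped_drives:
        return path
    root = mapped_drives[m.group(1).upper()]
    sub = m.group(2)
    return root + ("\\" + sub if sub else "")


if __name__ == "__main__":
    for p in (r"\\myserver\myshare\HR", r"M:\HR", r"C:\Users", "ftp://x/y"):
        print(p, "->", classify_target_path(p, MAPPED_DRIVES), to_unc(p, MAPPED_DRIVES))
```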
URI
Uniform Resource Identifier: a way to specify the name or location of a local or network resource, such as a file, folder, web page or other data. URIs can be local to a given computer, or can access resources across a local network or the Internet. URL is a narrower term, though it is often used synonymously with URI.
URL
Uniform Resource Locator: a way to specify the location of a file, folder, web page or other data. URLs can be local to a given computer, or can access resources across a local network or the Internet. URI is a broader term, though it is often used synonymously with URL. Website addresses are examples of URLs.
Volatile Information
Specific data held in the computer's memory, including operating system details and network information. Details on running processes, such as file handles and process handles, may also be available, depending on the operating system. This data is captured as a set of log file entries saved in plain text.
On Windows computers, screenshots of the Windows Desktop and each open window or dialog can also be captured.
Volatile information can be helpful when auditing which programs are running on each computer, and can be especially helpful in certain cyber security incident response scenarios.
See also: RAM Capture
Worker PC
A computer running the ECC Client that has no local files of its own to collect. Instead, a Worker PC collects files from a network share on another computer, or from a SharePoint server. Worker PCs take on the CPU processing workload of collecting data, to minimize the CPU workload of the computers which hold the data.
Worker PCs cannot take on the entire performance burden of a Collection. The following workloads may still impact performance:
Disk I/O performance burden on systems holding Collection Targets (files being processed).
Network I/O (bandwidth) burden during the Collection, as gathered files are transferred across the network from the Target computer to the Worker computer and on to the Destination computer.
Disk I/O performance burden on the Destination system.
Workgroup
A peer-to-peer networking scheme for connecting Windows PCs to each other. Each PC maintains its own independent list of local users and security groups. Computers on the workgroup are identified by their NetBIOS names, rather than by a fully qualified domain name. IP address resolution is handled by the NetBIOS Master Browser computer or a WINS server along with the lmhosts file, rather than by DNS and the hosts file.
See also: Domain, Domain Name