Certainly it should be working for PST files > 2GB. If it isn't, we need to fix it. (I had the feeling we were already testing out to at least 5GB per PST file.) Did you try indexing your large PST file with the file size limit set to a lower value?
For an ISO there is no point trying to do a direct text extraction. I think at the moment OSF isn't automatically unpacking the ISO to index the files inside. You would need to mount it as a separate drive to index it.
Let me check the behavior on these file types and get back to you.
We've checked into this.
A 2GB PST file does not need a "Max file size limit" set to 2GB. The "Max file size limit" only applies to the individual messages and attachments found within the PST file.
As for ISO files, as noted above, we are not indexing the contents of ISO files. You should mount the ISO image as a separate drive (under "Manage case"->"Add device") and index it separately. You must have manually added ".iso" to the list of extensions to index. We would advise removing this.
So there should be no need to specify a max file size over 2GB if the only reason you are doing so at the moment is for PST files and ISO files.
Having said that, you might have run into some other limit during your original indexing attempt. You should check the log message. Perhaps you only needed to increase your max file size to 1GB?
I'll try with 1GB, but the actual PST is around 2.5GB.
Last edited by bfbcping; 06-25-2012 at 04:40 PM.
In fact you might find that a much lower limit is also OK.
But it really depends on what is on the disk that is being indexed. The value should in theory auto-set itself to something reasonable.
We are going to E-mail you a link to a pre-release of the next minor OSF release.
It will have changes to the regex handling noted above, among other things.
I appreciate all the work you guys have done to support this product. Unfortunately, OSForensics has proven to be a bit too unreliable and buggy for use as a forensics product. I really like your concept in simplifying the process with easy to follow steps and simple results. I spent 12 years at my last job using a very complicated and expensive forensics program for more nitty-gritty investigating, but the current application seemed to be right in your wheelhouse - mining already gathered data for specific patterns and intelligence.
Unfortunately, the RegEx issues combined with a few crashes, some commands not responding at all, and the filter export only listing information and counts without locations or other contextual data have made us decide to look elsewhere for our limited use case.
Again, I appreciate your time and effort in supporting our testing process.
Hmmm. I thought the RegEx issue was solved with the build we sent you? Wasn't it?
We aren't aware of any crash problems in that release we sent? Can we get more detail?
We also aren't aware of any problem with the filter function not exporting the data you want.
I'll E-mail you, as these sound like fairly minor issues that are easy to solve if we have the details.
Update: This change to RegEx is also in the V1.2 public release.