Storage Items

What are storage items?

In Monolith, storage items are devices used to store forensic data that has been collected, processed, or provided.

Examples of storage devices include:

  • External Hard Drives

  • USB Drives

  • Network Attached Storage devices

  • FTP Servers

  • Cloud Storage Systems (AWS, Google Drive, etc.)

Examples of stored data include:

  • Forensic Images

  • Smartphone Extractions

  • Case Data

  • Forensic Reports

What is the difference between Evidence Items and Storage Items?

First, everything in Monolith is considered evidence, but for the purposes of organization and management, Monolith tracks evidence and storage items separately.

Evidence typically represents the original source of forensic evidence or data. Usually, this includes hard assets like smartphones or laptops and soft assets like email or cloud accounts. You should track anything that is considered the original or "best" evidence as an evidence item.

Storage represents the vessel that collected forensic data is stored on. So when tracking storage items in Monolith, you are essentially tracking all the devices you use to store forensic data.

What is a "General" storage item?

Monolith tracks two categories of storage items: "General" and "Assigned".

General storage items are meant to represent large storage arrays that are used as a permanent cache for all case data. This is typically a NAS array that stores pristine copies of all your case data and forensic images. It is also a fixed asset that usually stays in the lab and does not move.

Assigned storage items represent storage that is associated with a specific case and stores very specific data. These are usually smaller, portable devices that move around a lot and may even be wiped, destroyed, or recycled at the end of a case or matter.

General Item Rules:

  • Cannot be assigned to a case.

  • Monolith does not track chain of custody for these items.

  • Tracks data from multiple cases.

Assigned Item Rules:

  • Must be assigned to a case to use.

  • Can only track data from one case.

  • Chain of custody is only logged when assigned to a case.

  • Can be removed from a case and reused/re-assigned.

  • Removing from a case will destroy its chain of custody and unlink any tracked acquisitions.

Assigning Storage Items

There are two ways to assign a storage item to a case: Create or Assign.

Create an Item

You can create a storage item from the "Storage Items" tab of a case. This will both create the new item and assign it to the case at the same time.

Assign an Item

You can also assign a storage item that already exists to the current case. This option is available in the "Storage Items" tab of a case and in the "Actions" menu as shown in the screenshot below.
