5 Replies Latest reply on Jul 23, 2015 10:39 AM by tonyw

    DLP 9.3 Evidence folder cleaning

    futuroman

      Hi

      How I can clean old evidence form evidence folder ? Is any procedure for that from EPO Console ? I ran database cleaning from dlp console but files in evidence folder still exist.

        • 1. Re: DLP 9.3 Evidence folder cleaning
          exbrit

          Moved provisionally to DLP for better support.

          ---

          Peter

          Moderator

          • 2. Re: DLP 9.3 Evidence folder cleaning
            Sathish L

            This is as designed. Evidence files must be manually deleted.

            • 3. Re: DLP 9.3 Evidence folder cleaning
              futuroman

              thanks for replay.

              • 4. Re: DLP 9.3 Evidence folder cleaning
                nicholas.klebs

                I also am looking for a creative way to delete files in the evidence share.

                I would like to maintain 6 months of evidence per internal retention schedule of this type of data.

                Looks like most Windows based tools spend more time enumerating the very large file structure created by the evidence share file/folder methodology.

                 

                Currently I am using this command:

                FORFILES /s /M *.dlpenc /C "cmd /c echo @fdate @path && del @path" /D -180

                 

                It works fine, it just takes a LONG TIME (days).

                 

                Our evidence share has 65k folders - 256 on root of share and then each root folder has 256 folders.  This is what I believe causes the commands I have tried so long to run.

                 

                Any other suggestions out there in the land of internet ?

                Any VB based solutions people have tried?

                • 5. Re: DLP 9.3 Evidence folder cleaning
                  tonyw

                  Best practice is to migrate the evidence path at the half point of your data retention policy.  If you have a 180 day plan, then migrate every 90 days.  Then once you have migrated twice, the oldest folder is deleted.

                   

                  Deleting based of date is risky.  The reason why is due to the way DLP handles the retention of files.  If a file is detected and triggers an event, the file is placed in the evidence path.  If say the same file 3 months later is detected again, it is not rewritten to the evidence, the database link to the old file path to save disk space. 

                   

                  If you then delete files based off timestamp, the old evidence file is deleted and any current evidence that points to that file will then return the error that the evidence cannot be found.