Manage Cases within your Inventory

Learn how to create and manage Nuix cases.

  5 minute read  

All data that is ingested and processed using the Nuix Engine is done so within a Nuix case. The case acts as a container for the collections of data and evidence related to an investigation. Nuix supports two types of cases:

  • Simple: A single case that contains all data for an investigation.
  • Compound: A collection of two or more related simple cases that can be accessed concurrently as a single large case.

After choosing the type of case best suited for your purpose, you can ingest evidence and begin any required post processing activities. All cases that are created are saved within your case inventory, which was defined during the installation of Nuix RESTful Service.

In this topic, you’ll learn how to:

  • Create a new case.
  • View existing cases.
  • Close a case.
  • Delete a case.

Create a case

New cases can be created by submitting a POST request to the /cases endpoint. Use the following request to create a simple case. For information on creating other case types, such as compound or elastic-based cases, see the Nuix RESTful Service API reference documentation.

curl -L -X POST 'http://127.0.0.1:8080/nuix-restful-service/svc/cases' \
-H 'nuix-auth-token: 49e225d7-b88d-4d1b-9cbc-296e83706a60' \
-H 'Content-Type: application/json' \
--data-raw '{
  "compound": false,
  "location": "inventory0",
  "name": "MyNuixCase",
  "description": "A simple case created using the REST API",
  "investigator": "Your Name"
}'

{
    "caseId": "0eedda2d297046ae8e67fbda9f192df9",
    "name": "MyNuixCase",
    "path": "C:\\Program Files\\Nuix\\Nuix RESTful Service\\cases\\MyNuixCase",
    "description": "A simple case created using the REST API",
    "investigator": "Your Name",
    "creationDate": 1602818339843,
    "compound": false,
    "elastic": false,
    "binaryStoreLocation": "",
    "indexId": "",
    "caseSize": 0,
    "casePathParent": "C:\\Program Files\\Nuix\\Nuix RESTful Service\\cases",
    "caseInvestigationTimeZone": "America/New_York",
    "hasExclusions": null,
    "hasNuixSystemTags": null,
    "hasProductionSets": null,
    "hasCalculatedAuditSize": null,
    "casePath": "C:\\Program Files\\Nuix\\Nuix RESTful Service\\cases\\MyNuixCase",
    "caseName": "MyNuixCase",
    "caseCreationDate": 1602818339843,
    "caseDescription": "A simple case created using the REST API",
    "caseInvestigator": "Your Name"
}

In the example above, five parameters are submitted in the body of the request as JSON as well as an authentication token in the header of the request.

  • compound: The type of case to create. A value of false will create a simple case.

  • location: A relative or absolute path that is within the defined inventory location used by REST where the case will be saved. A value of inventory0 references the first defined inventory location within your installation of REST. In this example, the first defined inventory is /cases/, so providing a value of inventory0 results in the absolute path of /cases/MyNuixCase.

    • Note: If an absolute path is provided outside an inventory location, the case is created inside the first inventory location with the path appended to it as a relative path.
    • Note: If you provide an absolute path that is outside a defined inventory location, it will be appended to the first inventory location in your installation of REST. Using the previous example, if you provided an absolute path value of /places or /cases, they would still be appended to the absolute path of /cases/MyNuixCase. This ensures cases are saved in the appropriate, defined inventory location.
    • For a detailed matrix describing the relationship between defined inventory locations and their resulting paths, see the Reference documentation for the POST /cases endpoint.

  • name: A unique name to identify the case. This value also defines the name of the directory which contains the case on the file system.

  • description: (Optional) A brief description to indicate the contents or purpose of the case.

  • investigator: The name of the person creating the case.

After submitting the request, details about the newly created case are included in the response, including the caseId of the case. The caseId value is a required parameter in all requests involving a case.

Identify existing cases

If cases have already been created within your inventory, they can be identified by submitting a GET request to the /inventory/digest endpoint with your authentication token. This will return information for all cases that exist within your configured inventory locations.

This request can be helpful if you need to look up details about a case, such as the caseId.

curl -L -X GET 'http://127.0.0.1:8080/nuix-restful-service/svc/v1/inventory/digest' \
-H 'nuix-auth-token: 49e225d7-b88d-4d1b-9cbc-296e83706a60' \

[
    {
        "caseId": "0eedda2d297046ae8e67fbda9f192df9",
        "name": "MyNuixCase",
        "path": "C:\\ProgramData\\Nuix\\NuixCases\\MyNuixCase",
        "description": "A case created using the REST API",
        "investigator": "Your Name",
        "creationDate": 1609909619982,
        "compound": false,
        "elastic": false,
        "binaryStoreLocation": "",
        "indexId": "",
        "productName": "Nuix",
        "version": "8.7.1",
        "isOpen": true,
        "childCases": [],
        "url": "http://10.101.100.66:8080",
        "serverId": "fdfc0544-4421-40df-bbd6-a200371b200d"
    }
]

Close a case

Any time a new case is created, or an existing case is used in a request, the case is considered open. When cases are opened, they become locked to prevent other users from accessing the case at the same time.

The status of a case can be determined by calling the /inventory/digest endpoint or the /inventory/{caseId} endpoint, if the caseId is known, to retrieve details about the case.

The response body to these requests includes the following parameter.

"isOpen": true

A value of true indicates that the case is open.

When you are finished working with a case, you should close it. When you close a case, it becomes unlocked and available to other users.

To close a case, submit a POST request to the /cases/{caseId}/close endpoint.

curl -L -X POST 'http://127.0.0.1:8080/nuix-restful-service/svc/cases/0eedda2d297046ae8e67fbda9f192df9/close' \
-H 'nuix-auth-token: 49e225d7-b88d-4d1b-9cbc-296e83706a60'

{
    "success": true
}

Delete a case

To delete a case from your inventory, submit a DELETE request to the /cases/{caseId} endpoint.

curl -L -X DELETE 'http://127.0.0.1:8080/nuix-restful-service/svc/cases/0eedda2d297046ae8e67fbda9f192df9' \
-H 'nuix-auth-token: fabbd5b7-8e4d-4af8-a970-feed76a34f46'

{
    "caseId": "0eedda2d297046ae8e67fbda9f192df9",
    "success": true,
    "childCases": null
}