Problems with FTK V...
 
Notifications
Clear all

Problems with FTK V5

14 Posts
4 Users
0 Likes
786 Views
(@fsuforensics)
Posts: 6
Active Member
Topic starter
 

Greetings all. I came from a lab that had Encase v7 to a lab that has FTK v5.

We are having issues in that FTK v5 seems to want to crash in nearly all facets. Imaging goes fine, but processing has major issues.

I have tried turning off carving/indexing, but that only worked for a couple of drives before starting to crash again. Also I cannot backup a case at all…just goes red in the progress bar despite the database being installed correctly.

My question is, does anyone else have these issues with FTK v5? We are debating switching software, but I would like some confirmation it is not just my shop.

I have done fresh installs numerous times.

Thx!

 
Posted : 21/07/2015 11:55 pm
(@bithead)
Posts: 1206
Noble Member
 

What OS for the workstation? Which version of 5? Which database? Network or standalone setup? If the database is not on the same computer as the user, what is the OS of the database server? Workgroup or domain? Is the database running under the same useraccount as the user that created the case? Is UAC off? Does every case crash? How many items in the case?

And those are just a few of the questions that can impact 5.

To answer your questions no it shouldn't crash like that.

All forensic programs are flaky, they take more care and feeding than most programs. Picking a new program will not necessarily be a pain free experience.

 
Posted : 22/07/2015 6:53 am
(@fsuforensics)
Posts: 6
Active Member
Topic starter
 

Windows 7 with up to date patches
FTK 5.6.3, although it has done this on every V5 I have had.

Simple standalone setup, i7 processer, 24 gb ram, etc…

Database is PostgreSQL…again have continued to update it.

Every case lately has crashed. It will do it in the processing phase, although I have had lock up issues just moving around the evidence.

we are talking at this point 10 different drives.

Fresh installs of the software…doesn't seem to matter.

Never had this issue with EnCase or Magnet.

Just curious if anyone else out there was experiencing issues with FTK. I know one of my fellow state agencies is also having issues.

Thx.

 
Posted : 22/07/2015 5:48 pm
(@scottyxx)
Posts: 13
Active Member
 

If it makes you feel better I too am having FTK issues. I was running FTK V 5.3 with postgres - I was backing up all my cases, and FTK corrupted the main database - corrupting all my cases. Sigh.

I had to forcibly remove postgres, and uninstall FTK and I upgraded to version 5.6.

I successfully added and processed one case so far, out of 6 attempts. It seems to just crash when I start processing.

At this point - I'm suspecting my machine is the issue.

But I figured I would post just to let you know you're not alone!!

 
Posted : 23/07/2015 12:50 am
(@fsuforensics)
Posts: 6
Active Member
Topic starter
 

Thx Scotty…I'm not so sure it is your machine!

 
Posted : 23/07/2015 12:52 am
(@bithead)
Posts: 1206
Noble Member
 

There are a lot of things that can contribute to the issues you are seeing. One of the biggest issues we run into is permission issues. This will manifest itself during processing and backups.

The other issue we have seen is with the total number of items in a single case. Although you have one drive, if it has say 5 million items and you are checking the expand all choice in processing you will exponentially increase the total number of items and Postgres will crash. We had to move to MS SQL to handle "bigger" cases.

Have you tried processing a drive with just minimal options? We process in multiple steps, get the data processed and then go back and carve, and then expand, and then . . . If you check all the processing options, your case will never finish or will crash.

Scott - AccessData has never been very good at interacting with databases. The scenario you describe is often caused because the database does not lock processes correctly. We had an examiner who thought a case was finished processing, detached the case while a background process was running and killed the database.

 
Posted : 23/07/2015 6:37 am
(@scottyxx)
Posts: 13
Active Member
 

I'm running disk checks on my computer today - just to check there aren't any corruptions.

My fresh install of FTK has currently hung during processing. The case had previously processed no problem, but obviously got corrupted in my major issue a few weeks back (as did the backup). My clean install is just hanging. I am wondering if it's too many items - or my issue is actually with a corruption / error in my postgreSQL install / service.

I'm troubleshooting today - so I may have a solution today (not holding my breath..)

 
Posted : 23/07/2015 6:47 pm
(@fsuforensics)
Posts: 6
Active Member
Topic starter
 

Ran a hard driver over night and again complete FTK crash. Going to do a complete wipe of the computer and then a fresh install…but I am worried these problems have more to do with Postgre.

 
Posted : 05/08/2015 5:26 pm
BraindeadVirtually
(@braindeadvirtually)
Posts: 115
Estimable Member
 

Ran a hard driver over night and again complete FTK crash. Going to do a complete wipe of the computer and then a fresh install…but I am worried these problems have more to do with Postgre.

How did you get on? One thing you didn't mention was your drive setup. How much space are you giving ADTemp for expansion of compound files? What quantity/speed of HDD/SSDs? Processing/indexing can absolutely hammer your I/Os, particularly with Postgresql sitting potentially on the same disk array.

 
Posted : 26/08/2015 1:59 am
(@fsuforensics)
Posts: 6
Active Member
Topic starter
 

Did the complete wipe, software still crashes.

I have a multi drive setup within one machine…ie one drive is on the operating system, one drive has FTK, one drive has POST. Machine is an i7…drives are 7200 or SSD. Plenty of space available.

I am guessing FTK is not very well designed for one computer use. Perhaps it does better in a network setting.

 
Posted : 26/08/2015 5:06 pm
Page 1 / 2
Share: