EnCase Issues

12 Posts
5 Users
0 Likes
2,924 Views
(@shawnx715)
Posts: 14
Active Member
Topic starter
 

Hello everyone,

I recently got an internship at a Forensics company, and I don't know a lot. One of my first tasks is to install EnCase Enterprise (with SAFE) in the lab. I was first able to install EnCase Examiner, and I believe I installed it correctly. I am trying to process an image, and I've attempted it 3 times. Each time it says "Job failed". Does anyone have any insight on why this is happening?

Any info would be helpful.

-SZP

P.S. I'll be posting new issues in this thread rather than creating a new post with each issue I run into.

 
Posted : 13/03/2014 10:36 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Standard troubleshooting IMHO

Did you already check the manual (particularly the "troubleshooting part")?
http://download.guidancesoftware.com/fYEavbLPmdZvCBIMvRaAQFW/V21CyK9yhxn0VEJbiC6xB7bq%2BlezFnh9MK/qoi32GgVz47/EilM%3D

What do you have in the event log?

Have you tried acquiring a different device/processing a different image?

Have you access to the Encase support forum? (which sounds like the "right" place for this kind of "Guidance specific" questions)
https://support.guidancesoftware.com/

jaclaz

 
Posted : 13/03/2014 11:40 pm
(@shawnx715)
Posts: 14
Active Member
Topic starter
 

What I have done today

I talked to customer support at Guidance Software.

They said they have some problems when selecting all of the processing options. He suggested that I try to process it 3 options at a time, then 1 at a time, etc.

So far I have done 3 (with hash analysis, find emails, recover folders)… job failed
2 at a time (find internet artifacts, find emails)… job failed
1 (find emails)… failed
1 (hash analysis)… failed
1 (recover folders)… failed

I am going to try and run another case and update you all today or Monday.

I don't know if this would matter or not, but I haven't installed the SAFE and servlets/nodes yet. I wanted to be able to process a case on Examiner first, and then work on SAFE.

 
Posted : 14/03/2014 11:20 pm
(@kbertens)
Posts: 88
Trusted Member
 

I had this problem before and a reinstall did the job. The problem is probably within the processing engine, maybe have a look if it is running on the local port.
Next week I could send you some screenshots if you would.

You don't need the SAFE to process evidence.

 
Posted : 16/03/2014 11:35 pm
(@athulin)
Posts: 1156
Noble Member
 

> I am going to try and run another case and update you all today or Monday.

And there are no system log entries of errors or other problems? (Have you checked that you do get logs from platform problems?)

If you look at resource monitor when you run these jobs, … do you see that data is read/written for a while, and then stop? Or is it a sudden death failure, as soon as processing starts?

Does anything else fail? Say, if you run something like Burnin Test, or SiSoft or similar load-generating or benchmarking test? Or is it only EnCase that produces this behaviour?

Do you have a sound platform for EnCase to work on? Power OK? Memory OK? Disks OK? File system OK? Cooling adequate?

 
Posted : 17/03/2014 12:23 pm
(@shawnx715)
Posts: 14
Active Member
Topic starter
 

> I had this problem before and a reinstall did the job. The problem is probably within the processing engine, maybe have a look if it is running on the local port.
> Next week I could send you some screenshots if you would.
>
> You don't need the SAFE to process evidence.

I reinstalled once, and same thing. If you can send some screenshots, that'll be helpful.

> And there are no system log entries of errors or other problems? (Have you checked that you do get logs from platform problems?)
>
> If you look at resource monitor when you run these jobs, … do you see that data is read/written for a while, and then stop? Or is it a sudden death failure, as soon as processing starts?
>
> Does anything else fail? Say, if you run something like Burnin Test, or SiSoft or similar load-generating or benchmarking test? Or is it only EnCase that produces this behaviour?
>
> Do you have a sound platform for EnCase to work on? Power OK? Memory OK? Disks OK? File system OK? Cooling adequate?

When I look at the processor manager, it shows it at 0% the majority of the time, then moves up to around 80-99% (varies), then "job failed".

I believe everything is ok with my workstation, since I am able to run FTK and other forensic software on it.

 
Posted : 17/03/2014 6:39 pm
(@kbertens)
Posts: 88
Trusted Member
 

In Encase 7 in the process manager tab, do you see the node in the lowest part of the screen?

There should be something like local machine, 127.0.0.1, online, path…….portnr….
Check with netstat if that port is listening, options -anb.
What results do you get?
Did you try another workstation?

 
Posted : 19/03/2014 5:16 pm
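
The port check suggested in the post above, as an added PowerShell example that is not part of the original thread or of EnCase: it pairs each listening TCP socket in `netstat -anb` output with the executable named on the following `[...]` line. The port 50123, the process name `ExampleEngine.exe` and the sample output are constructed; use the port shown for the node in the process manager tab.

```powershell
# Added example. Parses `netstat -anb` text and reports who is listening on a port.
function Get-Listener {
    param(
        [Parameter(Mandatory)][string[]]$NetstatLines,
        [Parameter(Mandatory)][int]$Port
    )
    $found   = @()
    $current = $null
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING') {
            # A new listening socket; remember it only if it is the port we want.
            $current = $null
            if ([int]$Matches[2] -eq $Port) {
                $current = [pscustomobject]@{
                    Address = $Matches[1]; Port = $Port; Owner = 'unknown'
                }
                $found += $current
            }
        }
        elseif ($line -match '^\s*(TCP|UDP)\s') {
            # Any other connection line ends the previous entry.
            $current = $null
        }
        elseif ($current -and $line -match '^\s*\[(.+)\]\s*$') {
            # -b prints the owning executable in brackets after the socket line.
            $current.Owner = $Matches[1]
            $current = $null
        }
    }
    return $found
}

# Constructed sample output (not captured from a real system).
$sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:50123        0.0.0.0:0              LISTENING
 [ExampleEngine.exe]
  TCP    127.0.0.1:50124        127.0.0.1:50123        ESTABLISHED
 [ExampleClient.exe]
'@ -split "`r?`n"

Get-Listener -NetstatLines $sample -Port 50123

# Live check from an elevated prompt (-b needs administrator rights):
# Get-Listener -NetstatLines (netstat -anb) -Port 50123
```

An empty result means nothing is listening on that port; an `Owner` of `unknown` means netstat could not name the process, which typically happens when the prompt is not elevated.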
(@shawnx715)
Posts: 14
Active Member
Topic starter
 

I think I found out what the problem was. I talked to Customer Support and they said it's most likely b/c of insufficient RAM. My PC shows 16gb, but only 7.xx available. Most likely due to incompatible memory sticks.

Thanks for all your help… I'll be back if I run into any more issues.

 
Posted : 19/03/2014 7:30 pm
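
A way to check the memory situation described in the post above, as an added PowerShell example that is not from the thread or from Guidance Software: it compares the capacity of the installed modules with the memory Windows can actually use and lists each module, so mismatched sticks are visible. The function name `Get-MemoryReport` is hypothetical; the WMI classes and properties are standard Windows ones.

```powershell
# Added example. Compares installed RAM with what Windows reports as usable.
function Get-MemoryReport {
    $dimms = @(Get-CimInstance Win32_PhysicalMemory)   # one object per module
    $cs    = Get-CimInstance Win32_ComputerSystem
    $os    = Get-CimInstance Win32_OperatingSystem

    $installed = ($dimms | Measure-Object -Property Capacity -Sum).Sum  # bytes
    $usable    = $cs.TotalPhysicalMemory               # bytes visible to Windows
    $free      = $os.FreePhysicalMemory * 1KB          # property is in kilobytes

    # More than one distinct speed/part-number pair means the modules differ.
    $kinds = @($dimms | Select-Object Speed, PartNumber -Unique)

    [pscustomobject]@{
        InstalledGB    = [math]::Round($installed / 1GB, 2)
        UsableGB       = [math]::Round($usable / 1GB, 2)
        FreeGB         = [math]::Round($free / 1GB, 2)
        NotUsableGB    = [math]::Round(($installed - $usable) / 1GB, 2)
        OSArchitecture = $os.OSArchitecture
        MixedModules   = ($kinds.Count -gt 1)
        Modules        = $dimms | Select-Object DeviceLocator, Manufacturer,
                             PartNumber, Speed,
                             @{ Name = 'GB'; Expression = { $_.Capacity / 1GB } }
    }
}

$report = Get-MemoryReport
$report | Select-Object InstalledGB, UsableGB, FreeGB, NotUsableGB,
                        OSArchitecture, MixedModules | Format-List
$report.Modules | Format-Table -AutoSize
```

A large `NotUsableGB` value shows that part of the installed memory is not reaching the operating system, and the module table shows whether the sticks differ in speed or part number.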
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Ehm..

If the software cannot do something as (relatively) simple as run a hash computation with 7GB RAM that is pretty terrible.

Not that it matters, but how big was the image you were trying to process?

 
Posted : 19/03/2014 7:45 pm
(@shawnx715)
Posts: 14
Active Member
Topic starter
 

It was actually a very big file. 600gb+

 
Posted : 19/03/2014 7:46 pm