±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35390
New Yesterday: 2 Visitors: 120

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

EnCase processing errors

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

requiem
Newbie
 

EnCase processing errors

Post Posted: Mar 19, 19 08:12

Hi all,

I am completely new to EnCase and I am facing some issues which are not yet clear to me. I do have some experience with other tools, but this issue never occurred to me earlier on.

When executing any kind of processing option on any evidence item, the job fails or stays on "On Hold". No matter whether I choose to carve a specific file type (without selecting other options) or choose to execute a comprehensive processing job. I get a "Error Processing [evidence file]", but I do not see any more specific logs that explain why it fails. Are there any? I didn't see the processing bar on the bottom right either, so I guess the error occurred even before the processing started.

Does anybody at this forum know what this issue might mean?

Regards and thanks in advance.  
 
  

hommy0
Senior Member
 

Re: EnCase processing errors

Post Posted: Mar 19, 19 08:39

Hi,

With EnCase, what version are you using?

Also has this been upgraded from an earlier version to current (i.e. 8.01 to 8.08)?

Is the processing being done locally on the examination workstation, and if possible could you post a screen capture of the processing manager when the job has failed or put on hold.

Also when you start the processor do you have the box ticked to "Queue Immediately" if this is unticked, it will be placed on hold until you physically start the job from the processor manager.

Sorry to ask the questions, but it may help in determining what is wrong with the processor.

Regards  
 
  

pbobby
Senior Member
 

Re: EnCase processing errors

Post Posted: Mar 19, 19 09:08

Likely trying to process 'too much'.

Indexing is notorious. I recommend Processing in stages, signatures first etc. And do indexing or carving/email tasks separately. Leave indexing last.
_________________
Don't get baited. 
 
  

requiem
Newbie
 

Re: EnCase processing errors

Post Posted: Mar 19, 19 09:25

@hommy0

I am using 8.08, there were no upgrades since this is the first version installed.
Processing is on a local machine. Are there known issues with remote machine or remote storage then?

Just for the context, I am working on a (test) laptop for studying and testing purposes and not in a professional lab. Only 8GB RAM, could this also be an issue? Since many forensics tools are resource intensive.

The only thing I can currently find is the error I mentioned in my initial post, honestly. No detailed logs whatsoever. The box was ticked. Trying again now.

@pbobby

I have to admit that this was true for the first processing jobs I tried, but after seeing no results at all, I started focusing on one at a time. The errors still occur, even when only one option is selected.

Finding documents and pictures works fine though.  
 
  

kastajamah
Senior Member
 

Re: EnCase processing errors

Post Posted: Mar 19, 19 10:00

Is the Evidence Cache for your case on a separate drive? I had troubles with indexing in particular until I put the case cache on a separate drive. This is something that Guidance/OpenText recommends doing because of all the read/writing that is going on when an E01 is being processed.  
 
  

hommy0
Senior Member
 

Re: EnCase processing errors

Post Posted: Mar 19, 19 10:35

- requiem


Are there known issues with remote machine or remote storage then?

Just for the context, I am working on a (test) laptop for studying and testing purposes and not in a professional lab. Only 8GB RAM, could this also be an issue? Since many forensics tools are resource intensive.
.


If using remote storage using a UNC path will be required.

You may want to look at the Options (from Tools) and Debug and potentially increase the system cache - given you have 8GB RAM perhaps something like 4GB - 5GB would be a better setting (it could be down around the 2GB size at present).

When it comes to processing the main issues are normally related to the disk I/O and where the cache is being stored.

- kastajamah


Is the Evidence Cache for your case on a separate drive? I had troubles with indexing in particular until I put the case cache on a separate drive. This is something that Guidance/OpenText recommends doing because of all the read/writing that is going on when an E01 is being processed.


This is something I was also going to mention, the cache would normally be best on its own drive (but most certainly separate to windows). Also where possible use an SSD.

If all else fails, try a complete uninstall and reinstall of the software. This will include removing folders in Appdata/Roaming and ProgramData.

Regards  
 
  

jpickens
Senior Member
 

Re: EnCase processing errors

Post Posted: Mar 19, 19 13:49

- kastajamah
Is the Evidence Cache for your case on a separate drive?


Other than 8GB of RAM, this is a big issue for most people. Your temp processing data lives here so if you are processing a 250GB drive w/ indexing, on a laptop with 250GB of local storage, all the files that need decompressing, carving, etc... live here so you end up needing about 1.5x's the space. You want to have the Cache live on a separate drive that can handle the storage and has good speed (USB3 or SATA).  
 

Page 1 of 1