EnCase unable to pr...
 
Notifications
Clear all

EnCase unable to process image

5 Posts
3 Users
0 Likes
1,611 Views
(@jcforensics)
Posts: 3
New Member
Topic starter
 

I am using EnCase 8.09 to try and process an image. Processor Manager reports that processing is complete, but if you look in the evidence view, the processing status still states "unprocessed." No errors appear.

I enabled logging, and the logs do present an error during processing. The error is "Failed to index (this IndexWriter is closed). It appears countless times in the log.

Does anyone have any thoughts on what may be causing this or how to resolve it?

Thank you.

 
Posted : 18/06/2019 4:21 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What can you share about the image? How was it required, using what tool/process? Of what type of device was the image taken?

 
Posted : 18/06/2019 4:47 pm
(@jcforensics)
Posts: 3
New Member
Topic starter
 

Thanks for your reply.

The image is publicly available and used for educational training purposes

http//downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/drives-redacted/

Image name terry-2009-12-11-002.E01

On rare occasion, the image actually does process successfully. I have not been able to determine why this behavior occurs.

I do not know precisely what drive they used to acquire their images or the tool used.

Thanks.

 
Posted : 18/06/2019 8:45 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Does the forensic image contain an encrypted partition perhaps?

Apologies if you have already done so, but open the image using FTK Imager and browse all of the partitions.

If the largest partition says "unrecognizable format" then it is encrypted.

Also, I recommend using multiple tools on the same evidence and comparing results. Try Autopsy on the image and compare results.

https://www.sleuthkit.org/autopsy/download.php

 
Posted : 19/06/2019 3:23 pm
(@jcforensics)
Posts: 3
New Member
Topic starter
 

Thank you for your reply.

Everything views fine in FTK.

I have also used Autopsy, and have not experienced any issues. It seems to be an EnCase issue.

 
Posted : 20/06/2019 9:45 pm
Share: