Forensic Toolkit v3 Tips and Tricks – Re-indexing a case

This is the first in a series of articles that will cover topics concerning AccessData Forensic Toolkit (FTK) version 3.

So you’ve created a case in FTK 3.X / Oracle and added 20 forensic images of seized computers and assorted media which previously had been successfully processed and indexed. You’ve worked on this case for weeks, painstakingly searching and bookmarking thousands of keywords provided by Inspector R. Runner who has been investigating the Acme Corporation.

Monday morning you come to work and fire up your FTK cluster, open your case, go to Indexed Search, type in the keywords Wile E. Coyote and Ka-Blam!! You get an error message saying a Search Request Error has occurred (Figure 1.) What happened, it was working fine on Friday?

It turns out the hard drive where you had your case folder stored had a sector that has been corrupted and is unrecoverable. Your case index was written to the cluster containing the sector that failed. To make matters worse, you didn’t backup your case folder. Your index is officially toasted (this actually happened to the author.)

Why is a functional index so important? Setting up FTK to fully index a case when it is created allows the examiner to query the index using specialized query language and to also recover embedded or deleted files by searching for specific file headers. When it finds a file header that is a recognized file type, FTK carves the file’s associated data. In addition to extending searching capabilities, indexing allows searches to be returned in seconds instead of the minutes or hours required for a live search. Indexed Search allows for fast searching based on keywords.

What should you do about the corrupted index?

• Send the Laboratory Director your retirement paperwork.
• Blubber and shed tears.
• Delete the case and start over.

None of the above, it turns out that FTK 3.X has the ability to re-index a case when the index has been corrupted.

 Re-indexing a case in FTK 3.X / Oracle:

 1. Determine the Case ID (when you log into FTK and highlight one of the cases listed on the left hand pane, the “CaselD” number will be displayed on the right hand side of the case management window. This is typically a four digit number.)

 2. Use a text editor to form your statement. The following statement currently shows “XXXX” for the value of the CaselD. Please copy and paste the following statement into a text editor and then edit the XXXX to represent the CaselD number from the case you identified in step 1. The statement also shows ftk_32, dependant upon your version of FTK, change this number according to the first two numbers in your version number.

 Example, if you are using FTK 3.1.2 the statement should say ftk_31.

 UPDATE ftk_32_cXXXX.objects SET ISINDEXED = ‘N’ WHERE ISINDEXED = ‘Y’; commit;

 3. Copy the above edited statement to your clipboard.

 4. Open the case you want to update.

 5. Drop down the “Tools” menu and select “Execute SQL …”

 6. Paste in the statement from the clipboard.

 7. Click “Execute”

 8. Exit out of FTK

 9. Rename the dts_idx folder located in your case folder to dts_idx_OLD.

 10. Reopen FTK and use “Additional Analysis” under “Evidence” to reindex all items in your case.

If you don’t trust the “Data Processing Status” window, as the case is processing you can directly observe if the indexing is running.

1. Open the Case folder for the case that you are indexing (after indexing has started.)

2. Inside the Case folder will be a dts_idx folder. Inside of this folder you will have some numbered folders. Each of these folders represents a CPU core. Each core writes to its own folder to speed up indexing. While a case is in the indexing stages of processing these folders will grow until the indexing is done.

3. Go back up to the dts_idx folder and check its properties (Figure 2), note the size of the folder, then close the properties and check the folder size a couple of minutes later to see if the folder size is increasing. If it is then the indexing process is still activity working.