Forensic Toolkit v3 Tips and Tricks – Re-indexing a case

This is the first in a series of articles that will cover topics concerning AccessData Forensic Toolkit (FTK) version 3.

So you’ve created a case in FTK 3.X / Oracle and added 20 forensic images of seized computers and assorted media which previously had been successfully processed and indexed. You’ve worked on this case for weeks, painstakingly searching and bookmarking thousands of keywords provided by Inspector R. Runner who has been investigating the Acme Corporation.

Monday morning you come to work and fire up your FTK cluster, open your case, go to Indexed Search, type in the keywords Wile E. Coyote and Ka-Blam!! You get an error message saying a Search Request Error has occurred (Figure 1.) What happened, it was working fine on Friday?

Search Request Error
Figure 1

It turns out the hard drive where you had your case folder stored had a sector that has been corrupted and is unrecoverable. Your case index was written to the cluster containing the sector that failed. To make matters worse, you didn’t backup your case folder. Your index is officially toasted (this actually happened to the author.)

Why is a functional index so important? Setting up FTK to fully index a case when it is created allows the examiner to query the index using specialized query language and to also recover embedded or deleted files by searching for specific file headers. When it finds a file header that is a recognized file type, FTK carves the file’s associated data. In addition to extending searching capabilities, indexing allows searches to be returned in seconds instead of the minutes or hours required for a live search. Indexed Search allows for fast searching based on keywords.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

What should you do about the corrupted index?

  • Send the Laboratory Director your retirement paperwork.
  • Blubber and shed tears.
  • Delete the case and start over.

None of the above, it turns out that FTK 3.X has the ability to re-index a case when the index has been corrupted.

 Re-indexing a case in FTK 3.X / Oracle:

 1. Determine the Case ID (when you log into FTK and highlight one of the cases listed on the left hand pane, the “CaselD” number will be displayed on the right hand side of the case management window. This is typically a four digit number.)

 2. Use a text editor to form your statement. The following statement currently shows “XXXX” for the value of the CaselD. Please copy and paste the following statement into a text editor and then edit the XXXX to represent the CaselD number from the case you identified in step 1. The statement also shows ftk_32, dependant upon your version of FTK, change this number according to the first two numbers in your version number.

 Example, if you are using FTK 3.1.2 the statement should say ftk_31.

 UPDATE ftk_32_cXXXX.objects SET ISINDEXED = ‘N’ WHERE ISINDEXED = ‘Y’; commit;

 3. Copy the above edited statement to your clipboard.

 4. Open the case you want to update.

 5. Drop down the “Tools” menu and select “Execute SQL …”

 6. Paste in the statement from the clipboard.

 7. Click “Execute”

 8. Exit out of FTK

 9. Rename the dts_idx folder located in your case folder to dts_idx_OLD.

 10. Reopen FTK and use “Additional Analysis” under “Evidence” to reindex all items in your case.

If you don’t trust the “Data Processing Status” window, as the case is processing you can directly observe if the indexing is running.

1. Open the Case folder for the case that you are indexing (after indexing has started.)

2. Inside the Case folder will be a dts_idx folder. Inside of this folder you will have some numbered folders. Each of these folders represents a CPU core. Each core writes to its own folder to speed up indexing. While a case is in the indexing stages of processing these folders will grow until the indexing is done.

3. Go back up to the dts_idx folder and check its properties (Figure 2), note the size of the folder, then close the properties and check the folder size a couple of minutes later to see if the folder size is increasing. If it is then the indexing process is still activity working.

dts_idx Properties
Figure 2

Congratulations! If all has gone well you’ve successfully re-indexed the case and will not need to start from scratch. 

9 thoughts on “Forensic Toolkit v3 Tips and Tricks – Re-indexing a case”

  1. I get the following error when I try to add an evidence to a case in FTK 5.0

    “Error occurred while adding evidence …..” regardless of the evidence file I add. Any clue..Thanks

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. 

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 12:44 pm

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 12:00 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...