Join Us!

EnCase processing e...
 
Notifications
Clear all

EnCase processing errors  

  RSS
requiem
(@requiem)
New Member

Hi all,

I am completely new to EnCase and I am facing some issues which are not yet clear to me. I do have some experience with other tools, but this issue never occurred to me earlier on.

When executing any kind of processing option on any evidence item, the job fails or stays on "On Hold". No matter whether I choose to carve a specific file type (without selecting other options) or choose to execute a comprehensive processing job. I get a "Error Processing [evidence file]", but I do not see any more specific logs that explain why it fails. Are there any? I didn't see the processing bar on the bottom right either, so I guess the error occurred even before the processing started.

Does anybody at this forum know what this issue might mean?

Regards and thanks in advance.

Quote
Posted : 19/03/2019 1:12 pm
hommy0
(@hommy0)
Member

Hi,

With EnCase, what version are you using?

Also has this been upgraded from an earlier version to current (i.e. 8.01 to 8.08)?

Is the processing being done locally on the examination workstation, and if possible could you post a screen capture of the processing manager when the job has failed or put on hold.

Also when you start the processor do you have the box ticked to "Queue Immediately" if this is unticked, it will be placed on hold until you physically start the job from the processor manager.

Sorry to ask the questions, but it may help in determining what is wrong with the processor.

Regards

ReplyQuote
Posted : 19/03/2019 1:39 pm
pbobby
(@pbobby)
Active Member

Likely trying to process 'too much'.

Indexing is notorious. I recommend Processing in stages, signatures first etc. And do indexing or carving/email tasks separately. Leave indexing last.

ReplyQuote
Posted : 19/03/2019 2:08 pm
requiem
(@requiem)
New Member

@hommy0

I am using 8.08, there were no upgrades since this is the first version installed.
Processing is on a local machine. Are there known issues with remote machine or remote storage then?

Just for the context, I am working on a (test) laptop for studying and testing purposes and not in a professional lab. Only 8GB RAM, could this also be an issue? Since many forensics tools are resource intensive.

The only thing I can currently find is the error I mentioned in my initial post, honestly. No detailed logs whatsoever. The box was ticked. Trying again now.

@pbobby

I have to admit that this was true for the first processing jobs I tried, but after seeing no results at all, I started focusing on one at a time. The errors still occur, even when only one option is selected.

Finding documents and pictures works fine though.

ReplyQuote
Posted : 19/03/2019 2:25 pm
kastajamah
(@kastajamah)
Member

Is the Evidence Cache for your case on a separate drive? I had troubles with indexing in particular until I put the case cache on a separate drive. This is something that Guidance/OpenText recommends doing because of all the read/writing that is going on when an E01 is being processed.

ReplyQuote
Posted : 19/03/2019 3:00 pm
hommy0
(@hommy0)
Member

Are there known issues with remote machine or remote storage then?

Just for the context, I am working on a (test) laptop for studying and testing purposes and not in a professional lab. Only 8GB RAM, could this also be an issue? Since many forensics tools are resource intensive.
.

If using remote storage using a UNC path will be required.

You may want to look at the Options (from Tools) and Debug and potentially increase the system cache - given you have 8GB RAM perhaps something like 4GB - 5GB would be a better setting (it could be down around the 2GB size at present).

When it comes to processing the main issues are normally related to the disk I/O and where the cache is being stored.

Is the Evidence Cache for your case on a separate drive? I had troubles with indexing in particular until I put the case cache on a separate drive. This is something that Guidance/OpenText recommends doing because of all the read/writing that is going on when an E01 is being processed.

This is something I was also going to mention, the cache would normally be best on its own drive (but most certainly separate to windows). Also where possible use an SSD.

If all else fails, try a complete uninstall and reinstall of the software. This will include removing folders in Appdata/Roaming and ProgramData.

Regards

ReplyQuote
Posted : 19/03/2019 3:35 pm
jpickens
(@jpickens)
Active Member

Is the Evidence Cache for your case on a separate drive?

Other than 8GB of RAM, this is a big issue for most people. Your temp processing data lives here so if you are processing a 250GB drive w/ indexing, on a laptop with 250GB of local storage, all the files that need decompressing, carving, etc… live here so you end up needing about 1.5x's the space. You want to have the Cache live on a separate drive that can handle the storage and has good speed (USB3 or SATA).

ReplyQuote
Posted : 19/03/2019 6:49 pm
Share: