Join Us!

Notifications
Clear all

EnCase Ver 8 & 20  

  RSS
Jakester
(@jakester)
New Member

Good morning folks,

    I was wondering if anyone has been having problems with EnCase V8 or V20 crashing while trying to carve out jpg images using the Processor?  

The carver works great if you choose "JPEG Image Non-Standard"

It also works using "JPEG Image Uncommon"

However, when I choose the "JPEG Image Standard" it errors out after a couple of hours running!  I have tried running it three times using EnCase V8 and three times using Ver20.

The target machine is running VISTA, and I imaged the 1 TB drive using EnCase.

If anybody has any7 answers, I am all ears....  Or suggest to me a recommended software program that is good at retrieving JPG's in the unallocated area.

Thank you!

Jake

Quote
Posted : 22/06/2020 3:09 am
EnCaseDC
(@encasedc)
New Member

Hi Jake,

What is your RAM set to? Tools -> Options -> Debug -> Check "Controlled by EnCase." Min value 1, max value should be 4000 MB less than your max RAM (in MB).

Also, are both your case and evidence files local to your machine?

 

-Dean

ReplyQuote
Posted : 22/06/2020 9:14 pm
minime2k9
(@minime2k9)
Active Member
Posted by: @jakester

If anybody has any7 answers, I am all ears....  Or suggest to me a recommended software program that is good at retrieving JPG's in the unallocated area.

Pretty much anything other than Encase.

So PhotoRec is probably better as a free tool. Paid tools X-Ways easily, Griffeye Analyze DI with LACE carver. Or just LACE carver on its own (I believe they now do this). 

ReplyQuote
Posted : 23/06/2020 12:06 pm
Jakester
(@jakester)
New Member

@encasedc  Hello Dean!

Sorry for the delay, as we just got our power (including internet) back on.

To answer your question, I have a Gigabyte MW50-SV0 MB running a Xeon Processor 3.5 Ghz. with 64 Gigs of DDR4 RAM.  50 GB's devoted to EnCase.

My OS is on 2 SSD's set up as RAID 10.  Total size 846 GB (With 509 GB free space.)

Evidence files are kept on separate 2 TB SATA Drive.

Backup is kept on a separate 2 TB SATA Drive

For the CACHE, I have been using 4 SSD's setup as a RAID 10 with a total capacity of 1.65 TB.

After talking to Reynaldo Avalos yesterday, he mentioned that possibly the problem I am having is that my CACHE drive is too small.  He stated that EnCase recommends double the CACHE as the HDD I am examinin.  In this case it is a 1 TB HDD imaged from the target machine.  That would mean that I possibly should hace at least a 2 TB CACHE drive.  Further, which I never heard about before, supposedly EnCase says the drive that you have your OS on should also be at least twice the size of your target image.

So, being a poor one-man shop, I came up with a 4 TB Western Digital SATA drive and am in the process of using it as my CACHE drive as well as my case drive.

Any thoughts on this setup?  I won't know if the carver is going to crash until it starts writing the results to the case file.  It could be another couple of hours to find out.

Thank you in advance for any wisdom you can throw at me!

Jake

ReplyQuote
Posted : 23/06/2020 8:29 pm
Jakester
(@jakester)
New Member

@minime2k9

Thank you so much for your reply and suggestions. 

I am once more running the Case using a 4 TB SATA HDD instead of my 1.6 TB SSD's set up as a RAIN 10.

"See Below for my machine's specs.  If this doesn't work I will try PhotoRec.

I'll let you know what happens!

Thanks again for your reply!

Jake from Michigan

ReplyQuote
Posted : 23/06/2020 8:37 pm
Jakester
(@jakester)
New Member

Dean,

   An update.......  First I misspoke reference my RAID configuration.  I Meant to say RAID 0 (Striped), not RAID 10. 

 

Secondly, After running EnCase AGAIN using a 4 TB SATA for CACHE, it still crashed.  So the amount of CACHE doesn't seem to be the problem.  Like I mentioned earlier, I can run the other two processors for "JPEG Uncommon" and "JPEG Image Non-Standard" and when I do EnCase never crashes.

I don't know what else to try.  VERY frustrating to say the least!

Jake

ReplyQuote
Posted : 24/06/2020 2:55 pm
EnCaseDC
(@encasedc)
New Member

@jakester

Hi Jake,

I've escalated this issue with our support teams, and we will follow up with you on the ticket that you created with Reynaldo. He can give you the steps to capture dmp logs (use HEAP), etc. so that we can take a look at what's wrong.

Once you've enabled heap logging, you could set your max to 60000MB in debug -- and make sure you aren't running any other VMs or other processes while carving. If EnCase crashes again, you can send that file to Reynaldo and let development take a look.

 

--Dean

ReplyQuote
Posted : 24/06/2020 11:21 pm
Share: