Hello, I'm having an issue with EnCase Forensic 6.11. When searching, the estimated time will adjust a bit at first, as normal, and the search will move right along, but after some period of time (it's different depending on how many files I am searching) the search seems to stop, at least the number of hits does – and the timer just counts up for hours very slowly.
Does anyone know what could be the cause of this? I'm only searching 4.4k files right now with 3 keywords. At first it was at about 1000 processed; now it's up to 4000.
Any help would be greatly appreciated, let me know if you need any more information.
Thanks!
There are a couple of possible explanations. Several recommendations I would make first are to make sure you are using the very latest version, which is 6.11.2.
If you don't have that version, I would download it and do a fresh install in a new folder. Any updates of Encase you install should be done to a fresh folder and not overwritten into an older version.
If you did an update into an existing version and you have the latest version, delete your installation and do a fresh install. If you then have an issue, try creating a new case and try your search again.
This is still a problem with 6.11.2 too. I found that by using version 6.10.2 my searches didn't hang (as much).
Thanks for the responses, I left the PC running over the weekend and the search did finish. In addition I found we had some AV scanning in the BG that was supposed to have been shut off so that might be the issue. It’s also possible we need to beef up this old system we are working with.
Thanks for the help, hopefully one of the possible fixes for this works!
FYI, it has been widely reported that the Encase progress bar/timer in V6 is very unreliable. Worse, it no longer flashes which means that sometimes you can't tell if it is doing anything. I commonly ignore it (and have since stopped using it to estimate, for my customers, when I might be done).
Also, the search menu has, in my humble opinion, become overloaded with functionality. I make it a point always to separate signature analysis from hashing from Internet searches from E-mail searches, etc., so that you aren't doing too many things at once.
Sean is right. Encase will let you try to do too much at once. So I separate my searches as well into specific things: Email, Hash, Sig Analysis, Internet, etc.
If you have a large case with multiple drives it gets worse.
I always do things in the same order anyway, so I am consistent from case to case.
I make it a point always to separate signature analysis from hashing from Internet searches from E-mail searches, etc., so that you aren't doing too many things at once.
Do you run these individual searches concurrently or one after another?
It seems to take forever to cancel a search too… the search status bar turns red and hangs.
Dear lord… I'm somewhat new to forensics, and the more I hear about Encase the more disappointed I am that people are handing out thousands of dollars for this software.
I've got a few searches to do across multiple drives and thought Encase would do the job better (i.e. let me quickly view the results and determine if it's a false positive or not) than Autopsy/TSK; now I'm not so sure.
Sorry for going off topic - rant over.
I run them one after another. On small drives it does not matter so much. But when the case gets into 5 or 6 drives and approaches a terabyte, it is best to do one at a time.
Welcome to computer forensics. Being new to this area, I can understand why you may have such a high expectation regarding Encase. I am afraid you will have to get used to it.
PS just wait 'til you get your hands on FTK2