Hi,
I am new in forensics and currently using FTK 4, as I live in a country where electricity short fall doesn't allow FTK to complete indexing process.
My question is if i added 4 hard drives and out of 4 1or 2 hard drive's index completed but other's interrupted now how could i restart the index process for only left 2 drives? or you can guide how should i restart process if interrupted?
I currently have only one solution that is delete the case and case folder and index again as new case.
Waiting for detail reply
Regards
105 views but no reply strange. (
Not specific to FTK4 as I don't (and never will again) use FTK, however if you have a very large data set, or multiple computers to process can you simply process smaller sets of data?
Does FTK allow you to add new sources to a case after it has been created? If it does you could process one computer at a time.
Alternatively does it allow you to merge cases?
And finally if neither of these work then you may have to work with multiple cases within FTK for the same job. Not ideal as you will be duplicating lots of searches etc, however if you don't have regular enough power supply to complete the full indexing process then this may be your only option.
That or switch to a faster tool P
If the power supply is the problem then why not address that directly?
Perhaps a battery based UPS to take up the slack if the mains fails with a backup generator to come on line before the batteries drain?
I once worked at a shop with a shoestring budget and I couldn't trust processing to run over the weekend because of power and heat issues.
1. Process one drive
2. Backup case
3. Repeat as needed
According to FTK tech support, interrupting indexing "should" be okay, but when I get that response from AD support I start running. I wouldn't trust a case that I crashed in unless I really had to, I've seen corrupt cases before and it isn't pretty. So just backup the case!