Is this common? FTK was decrypting some large mailboxes and blew up, causing me to reboot a few times before it could be started again. I was hoping that paying almost $1000 for a piece of software would reduce or eliminate crashing. Am I naive?
A
ac_forensics,
Well, first of all, it sounds like you're disparaging a product without providing much information as to what's happening.
What kind of mailboxes are you decrypting? What function are you using in FTK? Do you have any error messages? Have you contacted AccessData, and if so, what did they say?
Harlan
ac_
Have you taken any of the AccessData classes? I think you would find them very helpful and they would give you a great understanding of the UTK.
Hi Harlan,
I actually have been very happy with FTK - just wondering if my expectations are too high.
FTK was decrypting a Microsoft Entourage mailbox as it was loading and indexing it when it dumped a "crash file" and shut down. I sent both files to AccessData but have not heard back.
I have not taken the FTK classes. Sounds like you recommend them. I have limited funds, but I'll keep that in mind.
Thanks for the comments.
A
> I actually have been very happy with FTK - just wondering if my
> expectations are too high.
It's hard to tell. Are you expecting FTK to be able to do everything you want, even though you haven't taken any classes? You may be right…maybe your expectations need to be adjusted through more knowledge of the tools you're using.
> FTK was decrypting a Microsoft Entourage mailbox as it was loading and
> indexing it when it dumped a "crash file" and shut down. I sent both files
> to AccessData but have not heard back.
Is there anywhere where AccessData claims that FTK can do that?
> I have not taken the FTK classes. Sounds like you recommend them. I
> have limited funds, but I'll keep that in mind.
That wasn't my recommendation, but it wouldn't hurt. At the very least, RTFM.
Harlan
I use FTK extensively, and will speculate that it crashes no more or less than other tools in its class. I'd guess that it crashes once on every four cases that I process. Invariably, I recover my data intact or can do a few undocumented steps and get back to where I left.
You can examine the crash log and try to determine the cause or send it to AD for interpretation. Of the crashes I've experienced, a large percentage resulted from an object within an email client, particularly MSN DBX stores. Hence, I'm not surprised by the writer's experience. If crashes occur during preprocessing, there are ways to exclude the problem object, and that's most easily done by excluding the object's parent directory.
AC,
You might have better luck using a Mac and some Mac tools to do an Entourage mailbox. FTK isn't particularly good on Macs.
Steve
Steve,
I'm finding that out. They sent me to FTK Asia - a poor man's FTK. But it got the job done…eventually.
I found an interesting tidbit in the help file that explicitly cited emailboxes as needing a lot of temp storage space. So I pointed to a temp folder on a bigger drive. No problems yet…
A
AC_Forensics,
If you have had the chance to try other forensic tools, you'll notice by sheer frustration that they also sometimes get it wrong and crash.
As Harlan has pointed out, you may need to adjust your expectations slightly. Analysing the data held within a hard disk is an enormously complicated task with almost limitless possibilities. While the developers of these tools are good, they are human and not capable of managing all possibilities, hence the unexpected happens and crashes occur.
It's frustrating, but in experiencing a crash and forwarding the details, companies like AccessData are in a good position to fix the issue at hand. So in that sense, you have done your bit in making FTK more reliable. Don't be too frustrated by not hearing from them; they will be looking into it.