I have a question in working on a particular case in FTK. I agreed to do a second opinion forensics for an attorney. The client really does not want to pay for the time to reimage the original drive, so I reluctantly agreed to go with the previous examiner's .e01 files. The previous examiner provided me a hard drive with the image files. The total size of the drive is just barely under 1tb. Upon attempting to import the image files into FTK (im using FTK 4 on this project) I repeatedly receive a notice that there has been an error in adding the image file, and it quits.
I was wondering if I had a software issue so i loaded another set of image files and it processed perfectly.
I am able to mount the drives and pick through them in FTK Imager, but when I try to add them and process them in FTK, it crashes every time.
Any ideas on this issue?
You need to verify the images are OK, you can do this with FTK Imager and compare with the acquisition hash. If there is a mismatch, request another copy. If there is a match, you may be creating your case incorrectly or the install of FTK v4 is corrupt.
You could download Autopsy Sluethkit and examine using this if FTK is your only case tool.
Hope this helps,
http//
FTK may also fail to load if your E01 files are on a USB2 external drive, try to load them from a drive loaded directly to the motherboard or an eSata connection.
Hope this helps
Have you tried AccessData or their user forum?
Good afternoon Ehdelvin,
Are you by any chance using FTK v1.8x? The standalone generation of FTK will simply not permit an incomplete or corrupted image set to be loaded and processed. It may be a minor issue with a single E01 file, but the net effect will be the same. This does sound like what's happening in your case, especially if FTK Imager is able to load and preview the evidence set. If you have access to EnCase or FTK v5, you should be able to load the evidence set and also work out where the failure has occurred and what impact this has on the wider case/evidence.
Kind regards,
Ross
p.s I've always found the support from AccessData to be excellent - so definitely give them a bell or drop me a line http//
I was actually using FTK 4.2.
I also have Encase 7, but am also having problems loading the files there as well. I believe that the image is corrupted.
Teach me to allow an attorney to shortcircuit my normal methods.
If you try to verify the E01 in Imager what is the result?
ive seen x-ways load images that encase, nuix, and FTK said were bad and failed to load.
what made the E01s in question?
I have successfully processed an incomplete image into FTK 4.2, so….my guess would be that, that image is corrupted..
Usually it's a problem with the image. But call AD and see if they might have something that they can lead you through.