I have a raw DD image that I’m trying to load into FTK tool kit. The image has a large number of photos in it. After a few hours of processing files, the "progress window" changes from numbers to a spinning cursor. I let it sit for a day and it stayed on the same file and nothing changed. I attempted to stop the processing and close FTK, and it sat for hours on closing the case.
Can anyone tell me what's going on? Is it frozen? Is there something in the image that can cause this?
Surveillance_Specialist,
It's been my experience that for dilemmas like this you might have better luck posting to AccessData's forum. That said, I had a similar encounter recently with FTK. It appeared to be indexing the DD and didn't show any errors, or signs of "hanging", but it still kept indexing between bad sectors and pagefile data after 5 days - and this was for a 40 GB drive. In the interest of time, I used Encase and it handled it fine….
Greetings,
I've not used FTK in a while, but one of the recommendations I remember, and have seen recently, is to do the image processing in stages. In particular, turn off indexing and file carving. Then, once the image has been added to the case, save the case and index it. Save it again and then do your file carving.
-David
Couple of things you could try:
1. Try to load the DD into FTK Imager - does that work - can you see the directory structure? If not, the DD may be corrupt.
2. If you can load it into FTK Imager, convert it to an E01 and load the E01 into FTK and see if it processes it any better/faster?
At least you can eliminate a bad DD/image from being the problem.
Just some thoughts….
Hope that helps.
-=ART=-
My normal approach to these kinds of occurrences with FTK is first to check whether it's actually using the computer's processor. On numerous occasions I've seen it look like it's crashed, but sit there taking 20% of the CPU; lo and behold, it comes back to life and finishes. This is the silver lining to most of the white screen moments and when the progress 'board' seems to freeze. Other things to check are if it's actually writing any files to the disk (or the last time it did) and what file it is stuck on (in the log).
If, as crosser alludes to, it's encountered a problem file or bad sectors, I often find an alternative version is able to work past it. Or, without rhyme or reason, the same version once restarted will complete, no problem.
Sorry no real help or advice, but I can empathise with your pain.
I used to have that problem regularly. Worked with FTK, rolled back to 1.72 (what they called the stable version), uninstalled/reinstalled. The most promising solution was what David suggested, turn off all processing and load the case, then process in small chunks.
My final solution was to build custom single core computers with W2K3 Enterprise and at least 16GB RAM. Took care of almost all freezes.
BTW AD just announced a new release (1.81.3) of FTK today.
You might want to look at your processes via Task Manager. You may find a process 'FTKFilterHelper' taking up a lot of resources.
Kill this process and you're on your way!
The running job within FTK in regard to the file it is stuck with will be stopped. For instance, the rendering of a thumbnail will be skipped and will be left unrendered. Keep that in mind! Other than that, I think you're good.
For reassurance contact AccessData.
All the best,
Remon Verkerk
I had the same problem as yourself not so long ago. I chose to try out the mantra - patience is a virtue, and it worked! Albeit taking a whole pile of time to do, and I pulled most of the hair from my head waiting for it to finish!
There is sense in creating the case in FTK without the Indexing and file carving, although I personally wouldn't start the analysis in FTK without these actions being carried out, and this is what takes the time in creating the file in FTK.
Also, just be aware of file disk space - especially when the file creation is taking a number of days. If it senses it's running out of disk space it will try and look for space elsewhere (e.g. in a different partition) so it can complete the process. I found this was a problem for us with case creations that took longer than 24 hours, as it clashed with our back-up process, which wanted to back up all the data on the remote hard drives which stored the imaged disks!
It also depends on the system configuration!!
I had a similar problem before… Then I chose a 64bit Athlon Vista machine with 4GB RAM & hard disk size of 250GB…
Also the DD image split can be of size 20-30GB, otherwise the internal threads get hung and we will not even know!!!
Then everything went smooth…
All,
We are aware of several customers reporting various hangs during pre-processing or additional analysis. In order to investigate these issues we would like to suggest the following:
1- C:\ftk2-data\[long alpha-numeric unique case ID string]\ftkWorker.infolog.txt (NOTE: If you don't know which long alpha-numeric unique case ID string represents your case, open FTK2 and highlight the name of your case. You will see the case path listed on the right.)
2- C:\ftk2-data\[long alpha-numeric unique case ID string]\ftkWorker.processing.dat (NOTE: There may be more than one of these files in the case folder. You should look for ftkWorker.processing[1].dat, ftkWorker.processing[2].dat, etc. Please send all of these that you find.)
If you are certain that the worker is hung and it is not progressing on its own, you may benefit from restarting the worker processing tree. Here's how:
1. Open the Windows Task Manager
2. Locate the "FTK Worker Helper" process on the processes tab.
3. Right click the "FTK Worker Helper" and choose "End Process Tree"
4. Close the FTK2 application completely.
5. Launch FTK2 again and re-open the case.
6. Please note that the "Active" "Queued" and "Completed" numbers are calculated on a per-session basis and therefore the completion percentage is based on the work performed since the last time the worker was launched. The best way to gauge progress is to note the total number of file items listed in the "File Category" section of the Overview tab. For more information read the next section.
The data processing window shows a per-session count of database objects identified by the worker process since the last time it started. If the worker is interrupted during processing, the user should not expect the counts to return to where they were before the interruption occurred. Additionally, database objects do not directly correlate to the total number of items in the case. Some items can be represented by numerous database objects within Oracle. That is why sometimes the completed number closely represents the total number of file items in the case, and sometimes it does not. These three categories were added to the Data Processing Window in an attempt to help a user get a feel for the progress being made by FTK 2. Please understand that as the worker explores the data, it queues up more work to be done. That is why the completion percentage goes down from time to time.
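
Two of the checks suggested in this thread (is anything still being written to disk, and what did the worker log last record) can be scripted before deciding to end the process tree. The following is an added example, not part of any post and not AccessData code; it assumes the worker touches files in the case folder while it is progressing, makes no assumption about the log's line format, and uses an arbitrary sampling interval. It only reads file metadata and the tail of the log.

```python
import os
import sys
import time
from pathlib import Path

LOG_NAME = "ftkWorker.infolog.txt"  # log file name as given in the thread


def snapshot(case_dir):
    """Map each file under case_dir to (size, mtime_ns)."""
    snap = {}
    for root, _dirs, files in os.walk(case_dir):
        for name in files:
            path = Path(root) / name
            try:
                st = path.stat()
            except OSError:
                continue  # file removed or locked between listing and stat
            snap[str(path.relative_to(case_dir))] = (st.st_size, st.st_mtime_ns)
    return snap


def changed_files(before, after):
    """Files that are new, or whose size or mtime differ between snapshots."""
    return sorted(p for p, meta in after.items() if before.get(p) != meta)


def last_log_line(log_path, tail_bytes=4096):
    """Last non-empty line of the log, reading only the tail of the file."""
    with open(log_path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail_bytes))
        lines = fh.read().decode("utf-8", errors="replace").splitlines()
    return next((ln.strip() for ln in reversed(lines) if ln.strip()), "")


def assess(case_dir, before, after):
    """Summarise whether anything in the case folder moved between snapshots."""
    changed = changed_files(before, after)
    log = Path(case_dir) / LOG_NAME
    return {
        "progressing": bool(changed),
        "changed": changed,
        "last_log_line": last_log_line(log) if log.exists() else "",
    }


if __name__ == "__main__":
    case_dir = sys.argv[1]   # path to the case folder, supplied by the user
    first = snapshot(case_dir)
    time.sleep(300)          # sampling interval: an assumption, tune as needed
    print(assess(case_dir, first, snapshot(case_dir)))
```

An empty `changed` list over several intervals, together with an unchanged last log line, supports the "hung" conclusion; it does not cover work that is only visible in the database.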