/Sarcasm roll
OK, stupid problem I'm having, but a very annoying and frustrating one that I hope there is a work around!
I have basically been working really hard (as I do) on a case, loads of bookmarks, internet history, emails, etc and then in the middle of an extraction of some data and docs it crapped out and died on me (as EnCase does)
However, I have all this saved and its created a 114MB Case File and now, when I try to reopen it, it gets so far and shuts down on me? Its SO frustrating, its a few days worth of work and I can not open it. Oh, its EnCase v6.18
And before asked, no I don't have a backup file, don't ask why, I dunno, grrrr… oops So I'm basically stuck. Does anybody know how I could go about opening this, are there any tweaks (memory, software, processes, etc) I could do to aid it in its process to opening? Its getting to Recovering Internet (just after unallocated) when loading and dyin then.
And as per most forensic PCs, its high enough spec'd (12GB RAM, 3.something GHz Zeon, etc etc…)
Any hints mucho appreciated!
Thanks.
Try reverting to an older version and/or contacting guidance. I have never tried it and don't know if it would work but the .case file is plain text so you might try editing the offending section (inet from unallocated).
I am in the habit of making my own incremental .case file backups particularly before I run something like email or internet search which seems to cause the problem quite often.
Thanks for the reply. I opened the .case file and its text jim, but not as we know it! I don't think I will be editing it, its all over the shop. Plus 114MB text file took an age to open too.
I might just start again and load it into FTK (out of spite!) )
Does it get as far as seeing the disks in the entries tab? I've had this problem before when I used comprehensive internet history search.
As soon as the disks are shown in the entries tab the process bar in the bottom right of the EnCase Window said " resolving hits" or words to that effect. I clicked on these to cancel the "resolving hits" and "internet history" processes during start up. I was able to get my case file open and do some tidying up of bookmarks, unmounting files etc to reduce the size.
You could move the source E01 files to another folder if you have multiple exhibits and when the case opens it will ask for them one by one, this may allow you to create incremental cases and get around the problem. Make sure you use a copy of the original though. If you only have one E01 try loading with an encase dongle with reduced licences or modules or as suggested earlier use an older version of EnCase and see if that allows you to recover some work. Good luck & let us know if you get a result.
if you have backup enabled then have a look in you c\program files \encase*\backup directory… there you'll find automatic incremental backup's of your case file which encase creates for you, try a few of them, one will hopefully work, you may have lost some data but some of it should be there…
I've had the same problem on numerous occasions, encase is crap at times…
the best way around having such issues is to try creating different case files for different jobs, i.e. use one to do the internet history, one for search hits etc etc… should make life a little easier. ) good luck, let us know how you get on.
Unfortunately I don't have backup enabled (I do now though) I never changed my settings when I went from 6.17 to 6.18 (Doh!)
Dan, I was toying with that. I might try it again. I did it, but too early and it killed something. Its one that I will have to be patient with, it takes about 20/30 mins to get to that point, but I only have a few seconds to cancel before it craps out. Staring at that box for 30 mins can be tedious!
I will soldier on and I have turned on backups now… I will only make this mistake once )
thanks.
Thanks for the reply. I opened the .case file and its text jim, but not as we know it! I don't think I will be editing it, its all over the shop. Plus 114MB text file took an age to open too.
You might be past this stage now, but for furture reference
Did you try opening it in an early version ? I have had a similar issue, I opened it in 6.13 and it worked fine for me.
Not tried an earlier version. Might give that a try. At present, I started it and have caught it in 'Resolving Internet hits' and have cancelled it, its currently on the pale whiteout screen, thinking about doing something… I dare touch it! lol It might come back to life. its normally closed down by this stage, so fingers crossed!