Regarding FTK and Encase

@gryphon316 (topic starter)

Here's the situation.

Started indexing a 40 GB hard drive 3 days ago (still going) using FTK.
Total items examined is 807,000 and counting.
The system running it is 2.0 GHz.
The drive is connected via USB 2.

Now my question is: how much better would it have been to use EnCase (looking at getting it), as we cannot even start examining the hard drive until it's done?

James

 
Posted : 16/03/2006 12:51 am
@nickfx

3 days for a 40 GB drive; something is not right. Did you image the drive first of all? If so, what format did you image to: SMART, DD or E01?

Secondly, what type of hardware are you running, and are you totally sure that your drive is connected via USB 2? I had an issue recently where some work was happening slowly and I discovered that the ports on the front of the PC were actually USB 1 and the ports on the back USB 2. Worth checking; it makes a 10x difference! Also, are you writing the index back to the USB drive or to the local drive?

EnCase enables you to work directly on the drive/image without indexing, but running any searches is very time-consuming. FTK pre-indexes, and so searching is essentially instant.

Nick

 
Posted : 16/03/2006 1:24 am
@armresl

It's like night and day.

Did you take the timer down to 1 minute for the logs?

What file is it stuck on? When it gets to drive free space it will show, say, 3 of 4195 and it slows down a ton, but I wouldn't think that much.

 
Posted : 16/03/2006 4:13 am
@arashiryu

I recently encountered this in a case that I was processing with FTK. The finding in my case was that the FTK indexing process was hung up on a 12 GB+ temp file used/left behind by Siebel application software. The process was hung up for me overnight as well.
I didn't have time to contact FTK support, but you may want to give them a call as well, since the indexing feature is very nice in FTK.

Workaround:
I then processed the same evidence in WinHex and was able to complete the case.

It's funny because the case started on the suspicion that hard drive space was almost used up and was turned in for an inappropriate-content audit. No inappropriate content found. Just a big tmp file. ;~)

 
Posted : 16/03/2006 7:27 pm
@gmarshall139

You can restart the case and deselect the indexing options. You should then be able to work the case as usual minus the features reliant on indexing.

 
Posted : 16/03/2006 9:00 pm
@gryphon316 (topic starter)

Thing is that it's not hung up at all, and it's still going strong, almost at the 4-day mark. Logging is at 10 minutes, and at well over a million files on a 40 GB hard drive the numbers are still increasing. There are just a hell of a lot of files on the computer, which means the suspect was up to some interesting stuff.

All I can say is thank God I'm not the one that's gonna be going over this case.

James M

 
Posted : 16/03/2006 11:44 pm
@armresl

Logging should be set to 1 minute.

 
Posted : 17/03/2006 12:11 am
@mdshukri

Are you sure you have enough space for FTK to store the indexing data on your workstation? I faced the same problem before and found out that I did not have enough space for FTK to store the temp files. It took a few days before I realized that.

If you have access to both EnCase and FTK, I suggest you image to another drive first before processing it. That's what we do now, as our client sometimes would like to see us produce something for them. So we use EnCase to preview and do short analysis, and FTK for full-blown keyword search and encrypted-file analysis.

 
Posted : 23/03/2006 12:44 pm
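Two of the checks suggested in this thread (nickfx's point that a front-panel USB 1 port costs roughly 10x in throughput and that the index should not be written back to the evidence drive, and mdshukri's point that the index/temp location can silently run out of space) can be measured instead of guessed. The script below is an added example written for this page; it is not code from any poster, from FTK or from EnCase. The bus-class thresholds, the assumed index-to-evidence size ratio and the 8 MiB sample file are all assumptions made for the example.

```python
"""Pre-flight checks before a long FTK-style indexing run (added example).

  1. Time a sequential read of a file on the evidence drive and label the
     likely bus class (USB 1-class vs USB 2-class vs faster).
  2. Check that the directory that will hold index/temp files has room.
"""
from __future__ import annotations

import os
import shutil
import tempfile
import time

# Rough sustained-read thresholds in MB/s.  Rules of thumb chosen for this
# example, not vendor specifications: USB 1.1 full speed lands near ~1 MB/s
# in practice, USB 2.0 bulk transfers rarely exceed ~30-40 MB/s.
USB1_CEILING_MBPS = 1.5
USB2_CEILING_MBPS = 40.0


def classify_link(mb_per_s: float) -> str:
    """Map a measured sequential-read rate to a likely bus class."""
    if mb_per_s < USB1_CEILING_MBPS:
        return "usb1-class (check which port the drive is on)"
    if mb_per_s < USB2_CEILING_MBPS:
        return "usb2-class"
    return "faster than USB 2.0 (USB 3 / SATA / local disk)"


def measure_read_mbps(path: str, chunk_size: int = 1 << 20) -> float:
    """Sequentially read `path` with buffered I/O and return MB/s.

    A file that was just written may be served from the page cache, so for
    a real check point this at a large file on the evidence drive that has
    not been touched recently.  Even so, 1 MB/s vs 30 MB/s is easy to tell
    apart.
    """
    total = 0
    start = time.perf_counter()
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            total += len(buf)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return (total / (1024 * 1024)) / elapsed


def index_space_ok(index_dir: str, evidence_bytes: int,
                   ratio: float = 0.5) -> tuple[bool, int, int]:
    """Return (ok, free_bytes, needed_bytes) for the index/temp location.

    `ratio` is the assumed fraction of the evidence size that index and
    temp files may grow to; 0.5 is a conservative guess for this example,
    not a figure taken from FTK documentation.
    """
    needed = int(evidence_bytes * ratio)
    free = shutil.disk_usage(index_dir).free
    return free >= needed, free, needed


def demo() -> dict:
    """Build a constructed 8 MiB sample file, time a read of it, and check
    the temp directory against a pretend 40 GB evidence drive."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(os.urandom(8 * 1024 * 1024))  # constructed sample data
        mbps = measure_read_mbps(sample)
        ok, free, needed = index_space_ok(tmp, 40 * 10**9)
    return {
        "mbps": mbps,
        "link": classify_link(mbps),
        "space_ok": ok,
        "free_bytes": free,
        "needed_bytes": needed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real workstation, call `measure_read_mbps()` on a large file that lives on the evidence drive and `index_space_ok()` on the case/temp directory the tool has been told to use; if the first reports a usb1-class rate, move the cable to a different port before restarting the index, and if the second reports too little space, the run will stall long before it finishes rather than fail loudly.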