
Encase errors when importing an L01 file with ADS

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

mbytescs
Newbie
 

Encase errors when importing an L01 file with ADS

Posted: Oct 18, 19 13:43

Running w/EnCase v8.08 and attempting to ingest an L01 containing ADS files from the CFREDS dataset. The ADS files are "expanded", meaning they were exported to the L01 with their file content.

So for example the file $Secure which has $Secure_$SDS as an alternate stream was written to the L01 as two files, $Secure @ 491.7KB and $Secure_$SDS @ 395.1KB.

When the L01 is imported into EnCase and then selected to display its content there are two error dialogs:

The first is "Error loading evidence file". After clicking OK on that dialog and re-selecting the L01, a second dialog pops up:

"Error loading evidence file <name of L01>: Device cache file size does not match". EnCase also shows "File Integrity - Unverified" in the Name-Value fields below.

Did some Googling for this error but nothing significant came up. I also didn't find anything in the forums here about this specific issue. I'm doing some forensics research w/EnCase and L01 files and I wanted to determine if this is possibly a bug in EnCase or that the L01 is somehow misformatted.

Hoping there may be someone in the forum from EnCase that may have a deeper understanding of the errors above and could shed some light.  
 
  

mbytescs
Newbie
 

Re: Encase errors when importing an L01 file with ADS

Posted: Oct 18, 19 15:11

As these things usually go, you think you've unturned every rock before asking the question only to discover the problem after you've asked. Seems the L01 was indeed misformatted; once this was corrected, EnCase was able to ingest the L01 and its contents could be viewed w/o error. Sorry for the post, but perhaps it was part of the debug process anyway ;)
 
