Thoughts and ideas on Digital Forensics and Data Security.
As you know, The Lorenzi Group recently upgraded to AccessData’s new FTK3.0. Over the past week or so, we had a few crazy issues arise, mostly on our side. However, there was one thing that frustrated me like mad: FTK Crashes.
In FTK 1.7 and 1.8, there are problems. We still like, and use, these versions; however, if something isn’t “just right” – say the Red Sox lose a game, or an image isn’t perfect, or it’s not a waning moon, or… god only knows why – FTK will crash while it is Processing the image (average time: 24-28 hours to process a drive).
BTW: We use the term Processing to describe to technophobes what the machine is doing. Others will say Data Carving and Indexing; if that makes you feel bigger in your britches, go ahead and say that instead.
Anyway, as with ALL rules of Murphy’s Law, this crashing typically happens when there is a critical timeline that needs to be met. Often, we find out later that a file or drive sector is corrupted within the image and we need to skip over it – however, we must start the entire Processing of the drive image over – another 24-48 hours of time wasted.
This past weekend, we ran some images through FTK3. One of them CRASHED! Ugh. Besides the nice pretty colors and tabs in FTK3, I wanted to see some real data. These were supposed to be images of heavily used, not well maintained, machines. I was not happy. Explaining to an already suspicious and anxious client why their data isn’t ready to analyze and why the processing failed can be difficult, to say the least. However, much to my excitement, when I went to restart the image processing, instead of having to start from the beginning, I was able to begin processing from where it left off!
This is HUGE news in the digital forensics world.
Why we haven’t been able to do this before, I don’t know. In my mind, if a software download over the internet can be interrupted and restarted, I never understood why Processing couldn’t either. So, instead of restarting the image Processing from scratch, I CONTINUED the image Processing. There was enough time to complete the processing and let us review the data before the weekend was over. And, because of this, TODAY, the client thinks we are heroes!
NOTE: THIS WAS SUPPOSED TO POST ABOUT A WEEK AGO – Unfortunately, a little thing called real life got in the way…