Trouble Indexing

  • Trouble Indexing

    I have created a case and added a 1TB .dd image to the case as a device. The "Create Index" function provides me the opportunity to index the image. However, when doing so only 57 files were indexed.

    If I mount the drive and index the drive letter it seems to run properly; although my first attempt caused OSF to freeze up (I'm trying again).

  • #2
    If you use the File System Browser in OSF can you browse the folders on the drive (both when accessed via a drive letter and when doing direct access)?

    Was this a single partition NTFS drive? Was the image of a full disk or just a partition?

    At what step did it freeze up? Did you leave it for a couple of minutes to see if anything happened? Maybe it was just indexing a large file, or opening a large Zip file, etc..

    Are you using V1.1.1002 of OSF ?

    What indexing options did you select? Maybe 57 is correct if, for example, there are only 57 Office documents on the disk and you only selected Office documents to be indexed.

    You should have a look at the log.

    You can find logs of the indexing process here for failed sessions,
    C:\Users\David\Documents\PassMark\OSForensics\last failedindexlog.txt

    Or here for index sessions that ended normally.
    "C:\Users\<User name>\Documents\PassMark\OSForensics\Cases\<Case name>\Index\<Index Name>\indexlog.txt"


    • #3
      The case is back at the office. I'll answer what I can now and more tomorrow:

      Originally posted by David (PassMark):
      [quote]If you use the File System Browser in OSF can you browse the folders on the drive (both when accessed via a drive letter and when doing direct access)?[/quote]
      When using the File System Browser I can navigate through both partitions and all the folders on the image of the drive.

      When mounting the image using Mount Drive Image and getting a drive letter assignment I can navigate through most of the folders. I get permission errors when accessing the primary user account folders on the boot partition.

      [quote]Was this a single partition NTFS drive? Was the image of a full disk or just a partition?[/quote]

      It's a full disk .dd image with two partitions. The recovery partition might be FAT. The boot partition is NTFS / Win7 Home Premium.

      [quote]At what step did it freeze up? Did you leave it for a couple of minutes to see if anything happened? Maybe it was just indexing a large file, or opening a large Zip file, etc..[/quote]

      [quote]Are you using V1.1.1002 of OSF ?[/quote]

      Don't know for sure .. I'll check in the AM. Probably as I just installed it a few days ago. If not 1.1.1002 then 1.1.

      Win7PRO X64

      [quote]What indexing options did you select? Maybe 57 is correct if, for example, there are only 57 Office documents on the disk and you only selected Office documents to be indexed.[/quote]
      I checked all the options except unallocated and I would like to manually ..... I didn't tinker with the advanced options.

      [quote]You should have a look at the log.

      You can find logs of the indexing process here for failed sessions,
      C:\Users\David\Documents\PassMark\OSForensics\last failedindexlog.txt

      Or here for index sessions that ended normally.
      "C:\Users\<User name>\Documents\PassMark\OSForensics\Cases\<Case name>\Index\<Index Name>\indexlog.txt"[/quote]
      Ok, I'll look in the AM.

      When I pointed the file indexer to the mounted partition (the drive letter) it cooked right along. I'd say I was there for about an hour before I left and the indexer indicated it was about 1/4 of the way through. When I went to check today, it was stuck and "Not Responding". It appeared to have finished the index, but no index appears in the case manager.


      • #4
        I have 1.1.1001 installed.

        I'll download 1.1.1002 and install that.


        • #5
          [quote]I get permission errors when accessing the primary user account folders on the boot partition.[/quote]
          This is normal when a drive from another machine is added via the mounting method, or by directly connecting a foreign physical drive. It is trivial (via right click on folder) to change the folder permissions if you have write access to the drive. Using the direct access method in OSF bypasses all the NTFS permissions, so this is another solution.

          The logs should hopefully shed some light on the other issue.


          • #6
            Hi there,

            I am using OSF 1.1.1002 and it seems I am facing indexing problems too. What I did: I tried to index e-mails. I mounted an EnCase image partition under I:\ and started indexing. The indexer did not find the PST files on the partition and therefore did not index any e-mails.

            Searching for PST files in the file browser locates 2 PST files, named output and archive.

            Any ideas how I can fix this problem?

            best regards from Austria
            Horst


            • #7
              In the indexing options did you turn on the indexing of E-mails (there is a check box).

              How large were the PST files?

              Can you send us the log from the indexing session? See the post above for where the logs can be found.

              Can you restrict the indexing to just the folder where the PST files are and only index EMails. Then see what happens.

              The free version of OSF is limited to indexing 200,000 files or EMails. So maybe you hit this limit before the PST files were encountered on the hard drive if you were indexing a full hard drive?


              • #8
                Hi David

                Thank you for answering so fast.

                The PST-Files were about 345 MB.

                I restricted the indexing (EMails) to the folder containing the PST-Files.

                Snippet of the indexing logfile----

                03|07/26/12 18:32:49|Writing index data for CGI/Win32 search... (Please wait)
                03|07/26/12 18:32:49|Created pagedata data file (zoom_pagedata.zdat)
                03|07/26/12 18:32:49|Created pagetext data file (zoom_pagetext.zdat)
                03|07/26/12 18:32:49|Created pageinfo data file (zoom_pageinfo.zdat)
                03|07/26/12 18:32:49|Created dictionary data file (zoom_dictionary.zdat)
                03|07/26/12 18:32:49|Created wordmap data file (zoom_wordmap.zdat)
                03|07/26/12 18:32:49|Created script settings file (settings.zdat)
                09|07/26/12 18:32:49|No files found to index in bm01-1:\Users\xxx\Outlook privat\Outlook
                09|07/26/12 18:32:49|Check that the path exists and that files satisfies configuration settings
                10|07/26/12 18:32:49|Indexing completed at Thu Jul 26 18:32:49 201212|07/26/12 18
                ---

                the path exists. I can access it via the file system browser.

                Don't think I reached the 200000 limit.

                best regards.
                Horst

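The log snippet above uses one record per line in the form `CODE|MM/DD/YY HH:MM:SS|message`, and its last line shows two records glued together where a newline was lost. The following triage script is an added example, not OSForensics or PassMark code: it splits such text into records (recovering from the glued line), counts records per code, and reports the failure messages seen in this thread ("No files found to index in ...", "Failed to mount device ...", "Invalid folder ...") together with the path they name. The meaning of the numeric codes is not documented on the page, so they are only counted; the code "11" on the two constructed error lines in the sample is an assumption.

```python
"""Triage helper for OSForensics-style indexer logs (added example, not PassMark code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Header of one log record, e.g. "09|07/26/12 18:32:49|". Records are located by
# scanning for this header anywhere in the text, not only at line starts, because
# a newline can be lost and two records glued together.
RECORD_HEADER = re.compile(r"(\d{2})\|(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|")
# A record header cut off mid-timestamp at the end of a message (as in the thread:
# "...18:32:49 2012" immediately followed by "12|07/26/12 18").
PARTIAL_TAIL = re.compile(r"\d{2}\|\d{2}/\d{2}/\d{2}[ \d:]*$")

# Failure messages quoted in the thread, with the path/device name captured.
PROBLEM_PATTERNS = {
    "no_files_found": re.compile(r"^No files found to index in (?P<path>.+)$"),
    "mount_failed": re.compile(r"^Failed to mount device (?P<path>.+?) \((?P<name>[^)]+)\)$"),
    "invalid_folder": re.compile(r"^Invalid folder \(does not exist\): (?P<path>.+)$"),
}


@dataclass
class Record:
    code: str
    timestamp: str
    message: str
    truncated: bool = False  # the record after this one was cut off and dropped


def parse_records(text: str) -> list[Record]:
    """Split log text into records, tolerating glued and cut-off lines."""
    records: list[Record] = []
    headers = list(RECORD_HEADER.finditer(text))
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        message = text[head.end():end].strip()
        truncated = False
        tail = PARTIAL_TAIL.search(message)
        if tail:
            # Drop the fragment of the next record rather than treating it as
            # part of this message.
            message = message[:tail.start()].rstrip()
            truncated = True
        records.append(Record(head.group(1), head.group(2), message, truncated))
    return records


def triage(text: str) -> dict:
    """Return record counts per code plus every known problem message found."""
    records = parse_records(text)
    findings = []
    for rec in records:
        for kind, pattern in PROBLEM_PATTERNS.items():
            match = pattern.match(rec.message)
            if match:
                findings.append({"kind": kind, "code": rec.code,
                                 "timestamp": rec.timestamp, **match.groupdict()})
    return {
        "records": len(records),
        "by_code": dict(Counter(rec.code for rec in records)),
        "truncated": sum(rec.truncated for rec in records),
        "findings": findings,
    }


# Constructed sample: lines from the snippet posted above, including its glued
# last line, plus two error records modelled on the messages in a later post.
# The code "11" on those two lines is an assumption; the page does not show it.
SAMPLE_LOG = """\
03|07/26/12 18:32:49|Writing index data for CGI/Win32 search... (Please wait)
03|07/26/12 18:32:49|Created pagedata data file (zoom_pagedata.zdat)
09|07/26/12 18:32:49|No files found to index in bm01-1:\\Users\\xxx\\Outlook privat\\Outlook
09|07/26/12 18:32:49|Check that the path exists and that files satisfies configuration settings
10|07/26/12 18:32:49|Indexing completed at Thu Jul 26 18:32:49 201212|07/26/12 18
11|07/27/12 11:34:47|Failed to mount device E:\\Evidence\\bm02\\bm02.E01 (bm02-1_C)
11|07/27/12 11:34:47|Invalid folder (does not exist): bm02-1_C:
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['records']} records, {report['truncated']} truncated, codes {report['by_code']}")
    for finding in report["findings"]:
        print(f"  [{finding['kind']}] code {finding['code']}: {finding.get('path')}")
```

Run it on a real `indexlog.txt` by reading the file into `triage()`; the `findings` list is the part to look at first, since a "No files found to index" warning naming a path that the File System Browser can open points at the device/path mapping rather than at the files themselves.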

                • #9
                  [quote]Using the direct access method in OSF bypasses all the NTFS permissions, so this is another solution.[/quote]

                  How can I directly access the EnCase image files, as I am facing permission problems too and, for forensic reasons, do not want to alter the permission rights.
                  thx Horst


                  • #10
                    Horst,

                    Can you e-mail us the entire log file(s)? We'll keep them private. I think the more interesting bit of the log was before the snippet you posted.

                    If you had reached the file limit then there should have been a message in the log further up.

                    You can select the access mode in the "Select device to add" window. See below.

                    [Screenshot of the "Select device to add" window not included in this copy of the thread.]

                    The items circled in blue result in direct access mode being used (bypassing the file system). In this case the sectors on the disk (or disk image) are read and the NTFS structures are directly parsed by OSF. Hidden files can be seen and file permissions are ignored.

                    The red items result in the file system being used. In this case the disk is accessed via the standard operating system API calls, like ReadFile(), and NTFS permissions are enforced by the operating system.


                    • #11
                      Hi Mark,

                      thanks again for your fast response.

                      In the meantime I created a new case and directly added the device to the case, started indexing again and faced the same troubles again.

                      --- System Messages copied from log
                      Zoom Search Engine Indexer 64-bit (Enterprise Edition)
                      Version 7.0.osf15 (Build: Custom for OSForensics) on Windows 7
                      Start indexing (offline mode) at Fri Jul 27 11:34:47 2012
                      ---

                      --- Warning messages copied from log

                      No files found to index in bm02-1_C:
                      Check that the path exists and that files satisfies configuration settings
                      ---

                      --- Error Messages copied from log

                      Failed to mount device E:\Evidence\bm02\bm02.E01 (bm02-1_C)
                      ... one line
                      Invalid folder (does not exist): bm02-1_C:

                      ---

                      I did save the whole log of the indexing process. If you could provide an email address I shall send it to you personally.

                      best regards from Austria
                      Horst

                      PS: there are no kangaroos in Austria.


                      • #12
                        And by the way, the problem also occurred for Office docs indexing.


                        • #13
                          E-mail address can be found here.


                          • #14
                            Horst,

                            We couldn't reproduce the problem using the latest public build and some test EnCase images. But getting your log would still be good if possible.

                            Can you confirm that you added the image file via the option in the screenshot here, circled in blue?

                            That is, you have selected the "Image file" radio button for the "Data source" and NOT via the "Drive letter" or the "Mount image" underlined option (which launches OSFMount).

                            Please make sure to add a device using the "Image file" option, and NOT OSFMount, and try again.

                            If you did index from a device that was mounted via OSFMount, you need to make sure that the image file is still mounted before indexing. That is, if you have rebooted the machine since mounting the image, then it would no longer be mounted and the error you see could happen.
                            Ray
                            PassMark Software


                            • #15
                              Indexing problem

                              Hi Ray,

                              I added the image in both ways. Indexing failed in both ways. It started and stopped with an error after approx 160 words. I faced this problem by indexing e-mails and Office docs. It is very strange. All I want to do is extract e-mails from an ordinary PST file.

                              best regards
                              Horst
