Announcement

Collapse
No announcement yet.

Corrupt Case Item

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Corrupt Case Item

    I updated to 1.2.1001. Now Manage Case shows me corrupted Case Items for Lists, Files and Indexes.

    Module column says "File Missing". Although files *.OSFMeta are in case Location.

    Update: New Indexing does not work either. The indexer (Version 7.0.osf22) does not recognize the directory structure of the file system and seems to index only unallocated space.

    Using a former version of the programm (OSF 1.1.1002) fixes the problem of "File Missing". Now the Case Manager works again. But leads to a new problem: No files were added for indexing. I do remember that I did face this problem before and it was due to unrecogniced partitions when the indexed partition was not the first partition (as far as I remember). Do we have the problem again???

    Indexer Version 7.0.osf18 (Build: Custom for OSForensics) on Windows 7 does not have this problem!

    Any idea how I can fix this?
    Last edited by Forensik; Oct-02-2012, 07:38 PM.

  • #2
    It seems this is a bug that was introduced in 1.2.1001. We've put out a new patch release (1.2.1002) that should fix this.

    http://www.osforensics.com/download.html

    Comment


    • #3
      I updated to 1.2.1002. It fixed the "File Missing" problem. Problem description see above.

      The indexing problem is still there. Former versions of the indexer seemed to index the allocated sectors of the file system first and then unallaocatd space. Now, starting folder is not recognised and only unallocated sectors are indexed, see log of indexlog.txt.

      .... snippet of indexlog.txt

      02|10/03/12 07:14:31|Search root directory: bm01-1-wd-hdd:
      02|10/03/12 07:14:31|Web site URL: bm01-1-wd-hdd:
      02|10/03/12 07:14:31|Estimated RAM required during index process: 1585519 KB
      08|10/03/12 07:14:32|Invalid folder (does not exist): bm01-1-wd-hdd:
      11|10/03/12 07:14:32|Moving on to next start point: unallocatedclusters://bm01-1-wd-hdd:
      02|10/03/12 07:14:32|Indexing unallocated clusters...
      02|10/03/12 07:14:32|Initializing cluster reading...
      02|10/03/12 07:14:32|Reading disk cluster information...

      .... snippet of indexlog.txt

      Best regards

      PS. I´d like do deinstall the program and install a new stable version from scratch. How can I backup the case data of existing cases without loosing any data?
      Last edited by Forensik; Oct-03-2012, 05:28 AM.

      Comment


      • #4
        The above fixes the corrupted case issues but we're still investigating the indexing issue. Let us know if you have any more details, such as the type of image you are indexing (HFS, FAT32, NTFS, etc.)

        Update: Found the cause of the problem. It's not the partition but the root folder, indexing a particular subfolder works okay. Anyhow, it should be fixed in the next revision.
        Last edited by Ray (PassMark); Oct-03-2012, 06:58 AM.
        Ray
        PassMark Software

        Comment


        • #5
          Thanks Ray,

          as I lost an important index I do need a solution quickly. How can I re-install an elder version of OSF (with an working indexer) without loosing my case data?

          Comment


          • #6
            1003 is up now. Sorry about the previous release, there was some confusion on my part as to what had/hadn't been fixed.

            With this I don't believe you will need to re-install an older version, although for reference slightly older versions can usually still read newer case files as we don't change the format of the files too often.

            Unless you specifically chose to store them somewhere else the case files are in yourcurrent user's documents folder under "PassMark\OSForensics\Cases", the exact path for any particular case should be listed as the location in the case management window. To backup a case you should simply copy the entire case folder as is.
            Last edited by Michael (Passmark); Oct-03-2012, 07:41 AM.

            Comment


            • #7
              Thanks a lot. I'll try this right now.

              Question related to indexing: It seems that the indexer does not index E-Mail Adresses. Is there any way I can tell the indexer to index E-Mail adresses as one word?

              Comment


              • #8
                Email addresses should be indexed. We are joining all words with the following punctuation characters:
                .-_':@

                But if an e-mail address is joined by a character not in the above, then it would be split. Do you have an example of an e-mail address that isn't being indexed? And where can it be found -- is it in a PDF document for example? Or are they links on a HTML file? Or are they contacts from Outlook?
                Ray
                PassMark Software

                Comment


                • #9
                  I thougt it will work like this. But it does not. At least it does not in unallocated clusters (UC), fe there is a hit for a keyword in an unallocated cluster. The Hex/string Viewer shows the hit and there is an email-address next to the hit containing the kw in an email address format like xxxx.keyword@company.tld. Looking up the E-Mail in the Browse Index list does not show the email-address as an entry.

                  The email address is embedded in ASCII and can be displayed by the Text Viewer. Searching for the keyword in the search of Hex/String Viewer shows several "keyword@company"-words as hits. Though, no first part of the email address, no tld are shown.

                  probable cause : both words are less than 4 characters. ???

                  What do you think

                  best regards

                  Comment


                  • #10
                    I just ran some tests.

                    Indexed unallocated clusters from an image.

                    "Browse Index" shows a list of all the e-mail addresses that I expected. They're all intact and searchable.





                    Then viewed the unallocated sectors from the internal viewer, Hex/String view, located the addresses and also used "Extract" in the viewer. It pulled them up although the .tld is missing since dots aren't joining words (and the min string length is 5). If I change it to 3, it shows up with the .com, etc.



                    So can you give us a more specific example where you're having the problem? Perhaps the address is not in ASCII and is in Unicode?
                    Ray
                    PassMark Software

                    Comment


                    • #11
                      Email addresses are part of artifacts of html-emails found in unallocated space. they are readable in the ASCII section of the Hex/String Viewer but are not found during search index operations.

                      Comment


                      • #12
                        Can you show us the hex dump/view (e.g. screenshot) of the section in question. Perhaps there's a special character that you haven't noticed that is part of the email address, and not like the ones I've demonstrated in my post before.
                        Ray
                        PassMark Software

                        Comment


                        • #13
                          Hi ray,

                          during the weekend i worked on a case study with an open source image (m57-jean scenario, available from http://www.digitalcorpora.org). I created an index and searched for a specific e-Mail address (simsong@xy.dreamhostps.com) included in the header (return path:...) of the original email. As in the case above neither the email address or parts of it were found or included in the browse index.

                          Opening the email in OSF does not show the header either. But adding the file to the case does.

                          Best regards
                          Last edited by Forensik; Oct-15-2012, 03:58 PM.

                          Comment


                          • #14
                            The scenario files are not available on the Digital Corpora website. Here is the scenario page: http://digitalcorpora.org/corpora/scenarios/m57-jean

                            The links to the .E01, .E02 and .PDF files all lead to a "403 Forbidden access" error.

                            If you can get these files to us via e-mail or FTP we can take a look. Or ask Digital Corpora to put them back online.
                            Ray
                            PassMark Software

                            Comment


                            • #15
                              Hi Ray,

                              thanks for your quick response. I do not know whether the author has removed the files on purpose. They were still there on saturday. The evidence files are about 3 GB. But I shall send the outlook.pst file containing the referenced emails to your help [at] passmark adress including further details.

                              best regards
                              Last edited by Ray (PassMark); Oct-18-2012, 12:37 AM. Reason: Edited email link to avoid spam

                              Comment

                              Working...
                              X