When creating the index, OSForensics stops working


  • When creating the index, OSForensics stops working

    Hi,
    I cloned a 160GB Windows 7 disk (300MB reserved partition and 160 GB OS partition) with OSFClone version 1.0.1008b. The destination is a 1TB USB Lacie disk prepared with the "drive preparation" feature. When I try to create an index (it doesn't matter if email with or without attachment or zip files or whatever), the OSForensics application stops working after three to four minutes, while I can see the pre-scan step going forward. I tried creating the index with OSForensics version 2, 3.01 beta and 3.0.2 beta. Same results.
    The index phase succeeded with two other cloned machines without any error.
    The machine used for OSForensics analysis is a Windows 8.1 x64 machine (but I also have the same behaviour with a Windows 7 x64 VM).
    Please let me know how we can resolve the issue.
    Best regards
    Here are the application event log details:
    Email index and attachment log:
    Log Name: Application
    Source: Application Error
    Date: 5/9/2014 9:01:23 AM
    Event ID: 1000
    Task Category: (100)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: NBEMINELLI.simgroup.lan
    Description:
    Faulting application name: osf64.exe, version: 3.0.2.0, time stamp: 0x535f0433
    Faulting module name: ntdll.dll, version: 6.3.9600.17031, time stamp: 0x530895af
    Exception code: 0xc0000374
    Fault offset: 0x00000000000f8c9c
    Faulting process id: 0xb14
    Faulting application start time: 0x01cf6ae4d0ce796d
    Faulting application path: C:\Program Files\OSForensics\osf64.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: bab98ed2-d747-11e3-827d-ecf4bb16bef8
    Faulting package full name:
    Faulting package-relative application ID:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-05-09T07:01:23.000000000Z" />
    <EventRecordID>19066</EventRecordID>
    <Channel>Application</Channel>
    <Computer>NBEMINELLI.simgroup.lan</Computer>
    <Security />
    </System>
    <EventData>
    <Data>osf64.exe</Data>
    <Data>3.0.2.0</Data>
    <Data>535f0433</Data>
    <Data>ntdll.dll</Data>
    <Data>6.3.9600.17031</Data>
    <Data>530895af</Data>
    <Data>c0000374</Data>
    <Data>00000000000f8c9c</Data>
    <Data>b14</Data>
    <Data>01cf6ae4d0ce796d</Data>
    <Data>C:\Program Files\OSForensics\osf64.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data>bab98ed2-d747-11e3-827d-ecf4bb16bef8</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    </EventData>
    </Event>
    Plain text index log:
    Log Name: Application
    Source: Application Error
    Date: 5/9/2014 10:36:31 AM
    Event ID: 1000
    Task Category: (100)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: NBEMINELLI.simgroup.lan
    Description:
    Faulting application name: osf64.exe, version: 3.0.2.0, time stamp: 0x535f0433
    Faulting module name: ntdll.dll, version: 6.3.9600.17031, time stamp: 0x530895af
    Exception code: 0xc0000374
    Fault offset: 0x00000000000f8c9c
    Faulting process id: 0x15d8
    Faulting application start time: 0x01cf6b5d367345b0
    Faulting application path: C:\Program Files\OSForensics\osf64.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: 05039b3b-d755-11e3-827d-ecf4bb16bef8
    Faulting package full name:
    Faulting package-relative application ID:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-05-09T08:36:31.000000000Z" />
    <EventRecordID>19127</EventRecordID>
    <Channel>Application</Channel>
    <Computer>NBEMINELLI.simgroup.lan</Computer>
    <Security />
    </System>
    <EventData>
    <Data>osf64.exe</Data>
    <Data>3.0.2.0</Data>
    <Data>535f0433</Data>
    <Data>ntdll.dll</Data>
    <Data>6.3.9600.17031</Data>
    <Data>530895af</Data>
    <Data>c0000374</Data>
    <Data>00000000000f8c9c</Data>
    <Data>15d8</Data>
    <Data>01cf6b5d367345b0</Data>
    <Data>C:\Program Files\OSForensics\osf64.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data>05039b3b-d755-11e3-827d-ecf4bb16bef8</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    </EventData>
    </Event>

  • #2
    Looks like it crashed inside the operating system (ntdll.dll). So unfortunately the crash summary isn't going to tell us much as the real bug will be elsewhere in the code.

    It might be some particular file, or file system corruption, or something like that, provoking the issue.

    If possible, can you run V3 beta in debug mode and e-mail us the log?
    http://www.osforensics.com/faqs-and-...ebug-mode.html

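The two Event ID 1000 records from the first post, decoded as an added example (not part of the original thread and not OSForensics code). It maps the positional `<Data>` fields to names, resolves the exception code (0xc0000374 is STATUS_HEAP_CORRUPTION), converts the FILETIME start value to UTC, and groups crashes by signature. The function names and the trimmed sample events, rebuilt from the posted values, are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Positional <Data> order of an Application Error (Event ID 1000) record, as rendered in the post.
FIELDS = ["app", "app_version", "app_timestamp", "module", "module_version",
          "module_timestamp", "exception_code", "fault_offset", "pid",
          "app_start", "app_path", "module_path", "report_id"]
# Small lookup of well-known NTSTATUS crash codes (not exhaustive).
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC00000FD: "STATUS_STACK_OVERFLOW",
            0xC0000374: "STATUS_HEAP_CORRUPTION", 0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}

def parse_crash(xml_text):
    """Turn one Event ID 1000 XML record into a dict of decoded fields."""
    root = ET.fromstring(xml_text)
    values = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    rec = dict(zip(FIELDS, values))
    rec["exception_name"] = NTSTATUS.get(int(rec["exception_code"], 16), "UNKNOWN")
    # app_start is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    ticks = int(rec["app_start"], 16)
    rec["started"] = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # SystemTime carries nanoseconds; whole seconds are enough here.
    rec["crashed"] = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    rec["signature"] = (rec["app"], rec["module"], rec["exception_name"], rec["fault_offset"])
    return rec

def crash_signatures(records):
    """Count crashes per (app, module, exception, offset) signature."""
    return Counter(r["signature"] for r in records)

def sample_event(created, pid, start, report):
    """Trimmed record built from the posted values (only the parsed elements are kept)."""
    data = ["osf64.exe", "3.0.2.0", "535f0433", "ntdll.dll", "6.3.9600.17031", "530895af",
            "c0000374", "00000000000f8c9c", pid, start,
            r"C:\Program Files\OSForensics\osf64.exe", r"C:\Windows\SYSTEM32\ntdll.dll", report]
    body = "".join(f"<Data>{v}</Data>" for v in data)
    return (f'<Event xmlns="{NS["e"]}"><System><TimeCreated SystemTime="{created}" />'
            f"</System><EventData>{body}</EventData></Event>")

EVENTS = [sample_event("2014-05-09T07:01:23.000000000Z", "b14", "01cf6ae4d0ce796d",
                       "bab98ed2-d747-11e3-827d-ecf4bb16bef8"),
          sample_event("2014-05-09T08:36:31.000000000Z", "15d8", "01cf6b5d367345b0",
                       "05039b3b-d755-11e3-827d-ecf4bb16bef8")]

if __name__ == "__main__":
    for sig, count in crash_signatures(map(parse_crash, EVENTS)).items():
        print(count, sig)
```

Both index runs reduce to one signature: the same heap-corruption check firing at the same offset in ntdll.dll. The record shows where the corruption was detected, not which code caused it.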


    • #3
      OK! For now I'm able to skip the problem by creating the index "email with attachment" only under "PhysicalDrive1-1:\Users", and it seems to be working. Clearly this is only a workaround. When finished, I'll try as you suggest. I'll post the resulting logs here.
      Thanks



      • #4
        OK, glad you found a workaround, but we would still like to fix whatever the problem was.
        If the log is large, then E-mail might be better than posting it.



        • #5
          I just sent you an email with two logs (same index settings). I hope it will be useful.
