
Forensic Toolkit v3 Tips and Tricks – Re-indexing a case

This is the first in a series of articles that will cover topics concerning AccessData Forensic Toolkit (FTK) version 3.

So you’ve created a case in FTK 3.X / Oracle and added 20 forensic images of seized computers and assorted media which previously had been successfully processed and indexed. You’ve worked on this case for weeks, painstakingly searching and bookmarking thousands of keywords provided by Inspector R. Runner who has been investigating the Acme Corporation.

Monday morning you come to work and fire up your FTK cluster, open your case, go to Indexed Search, type in the keywords Wile E. Coyote and Ka-Blam!! You get an error message saying a Search Request Error has occurred (Figure 1). What happened? It was working fine on Friday.

Figure 1: Search Request Error

It turns out the hard drive where you had your case folder stored has a sector that became corrupted and is unrecoverable. Your case index was written to the cluster containing the sector that failed. To make matters worse, you didn’t back up your case folder. Your index is officially toasted (this actually happened to the author).

Why is a functional index so important? Setting up FTK to fully index a case when it is created allows the examiner to query the index using specialized query language and to also recover embedded or deleted files by searching for specific file headers. When it finds a file header that is a recognized file type, FTK carves the file’s associated data. In addition to extending searching capabilities, indexing allows searches to be returned in seconds instead of the minutes or hours required for a live search. Indexed Search allows for fast searching based on keywords.

What should you do about the corrupted index?

  • Send the Laboratory Director your retirement paperwork.
  • Blubber and shed tears.
  • Delete the case and start over.

None of the above: it turns out that FTK 3.X has the ability to re-index a case when the index has been corrupted.

 Re-indexing a case in FTK 3.X / Oracle:

 1. Determine the Case ID (when you log into FTK and highlight one of the cases listed on the left hand pane, the “CaseID” number will be displayed on the right hand side of the case management window. This is typically a four digit number.)

 2. Use a text editor to form your statement. The following statement currently shows “XXXX” for the value of the CaseID. Please copy and paste the following statement into a text editor and then edit the XXXX to represent the CaseID number from the case you identified in step 1. The statement also shows ftk_32; dependent upon your version of FTK, change this number to match the first two numbers in your version number.

 For example, if you are using FTK 3.1.2 the statement should say ftk_31.

 UPDATE ftk_32_cXXXX.objects SET ISINDEXED = 'N' WHERE ISINDEXED = 'Y'; commit;

 3. Copy the above edited statement to your clipboard.

 4. Open the case you want to update.

 5. Drop down the “Tools” menu and select “Execute SQL …”

 6. Paste in the statement from the clipboard.

 7. Click “Execute”

 8. Exit out of FTK

 9. Rename the dts_idx folder located in your case folder to dts_idx_OLD.

 10. Reopen FTK and use “Additional Analysis” under “Evidence” to reindex all items in your case.
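As an added example (not from the original post or from AccessData), the helper below assembles the step 2 statement from the FTK version and Case ID so the schema prefix, case number and quoting are consistent; the read-only count query is an assumption layered on the same objects table for checking before and after the update.

```python
import re

# Assumed helper, not part of the original post: builds the "Execute SQL"
# statement from steps 1-2 with plain ASCII quotes (curly quotes copied from a
# web page are not valid SQL string delimiters).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)*$")


def schema_name(ftk_version: str, case_id: str) -> str:
    """Per-case schema name, e.g. ('3.2.0', '1234') -> 'ftk_32_c1234'."""
    m = VERSION_RE.match(ftk_version.strip())
    if not m:
        raise ValueError(f"unrecognised FTK version: {ftk_version!r}")
    major, minor = m.group(1), m.group(2)
    cid = case_id.strip()
    if not cid.isdigit():
        raise ValueError(f"Case ID must be numeric, got {case_id!r}")
    return f"ftk_{major}{minor}_c{cid}"


def reindex_statement(ftk_version: str, case_id: str) -> str:
    """The UPDATE from step 2 with the version prefix and CaseID filled in."""
    schema = schema_name(ftk_version, case_id)
    return (f"UPDATE {schema}.objects SET ISINDEXED = 'N' "
            f"WHERE ISINDEXED = 'Y'; commit;")


def pending_count_statement(ftk_version: str, case_id: str) -> str:
    """Assumed read-only check (not in the post): objects still flagged as
    indexed. Run it before the UPDATE and again after; the second count
    should be zero before you rename dts_idx and reprocess."""
    schema = schema_name(ftk_version, case_id)
    return f"SELECT COUNT(*) FROM {schema}.objects WHERE ISINDEXED = 'Y';"


if __name__ == "__main__":
    print(pending_count_statement("3.1.2", "0042"))
    print(reindex_statement("3.1.2", "0042"))
```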

If you don’t trust the “Data Processing Status” window, you can directly observe whether indexing is running while the case is processing.

1. Open the Case folder for the case that you are indexing (after indexing has started.)

2. Inside the Case folder will be a dts_idx folder. Inside of this folder you will have some numbered folders. Each of these folders represents a CPU core. Each core writes to its own folder to speed up indexing. While a case is in the indexing stages of processing these folders will grow until the indexing is done.

3. Go back up to the dts_idx folder and check its properties (Figure 2), note the size of the folder, then close the properties and check the folder size a couple of minutes later to see if the folder size is increasing. If it is, then the indexing process is still actively working.

Figure 2: dts_idx Properties
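The folder-size check from steps 1–3, scripted as an added example (not from the original post): it sizes each numbered per-core folder under dts_idx, then compares two samples to apply the “growing means still indexing” rule. The make_sample_dts_idx helper builds a constructed stand-in tree so the check can be tried offline.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed helper, not part of the original post: per-core folder sizing and the
# two-sample comparison described in step 3.

def core_folder_sizes(dts_idx: Path) -> dict:
    """Bytes stored under each numbered (one per CPU core) subfolder of dts_idx."""
    sizes = {}
    for sub in sorted(dts_idx.iterdir()):
        if not (sub.is_dir() and sub.name.isdigit()):
            continue  # only the numbered core folders count
        total = 0
        for root, _dirs, files in os.walk(sub):
            total += sum(os.path.getsize(os.path.join(root, f)) for f in files)
        sizes[sub.name] = total
    return sizes

def total_index_size(dts_idx: Path) -> int:
    return sum(core_folder_sizes(dts_idx).values())

def still_indexing(size_before: int, size_after: int) -> bool:
    """Step 3's rule: a dts_idx folder that is growing means indexing is active."""
    return size_after > size_before

def check_index_activity(dts_idx: Path, wait_seconds: float = 120.0) -> bool:
    """Sample dts_idx twice, a couple of minutes apart, as the post suggests."""
    before = total_index_size(dts_idx)
    time.sleep(wait_seconds)
    return still_indexing(before, total_index_size(dts_idx))

def make_sample_dts_idx(cores: int = 2, bytes_per_core: int = 1024) -> Path:
    """Constructed sample tree (not real FTK output) for trying the check offline."""
    root = Path(tempfile.mkdtemp()) / "dts_idx"
    for core in range(cores):
        d = root / str(core)
        d.mkdir(parents=True)
        (d / "chunk.bin").write_bytes(b"\0" * bytes_per_core)
    (root / "notes.txt").write_text("non-core file, ignored by the sizing")
    return root
```

On a live case, call check_index_activity(Path(r"...\case folder\dts_idx")) after indexing has started; on a finished index two consecutive samples are equal and it returns False.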

Congratulations! If all has gone well you’ve successfully re-indexed the case and will not need to start from scratch. 

About Brian K. Glass

I am a Senior Forensic Computer Analyst. I work for the U.S. Postal Inspection Service Forensic Laboratory Services / Digital Evidence Unit located in Philadelphia, PA. I have testified about computer forensics as an expert witness in Federal Court. PROFESSIONAL CERTIFICATIONS: Access Data Certified Examiner, Certified Malware Investigator, Computer Information Forensics Investigator, Microsoft Certified Systems Engineer, Microsoft Certified Systems Administrator, Microsoft Certified Database Administrator, CompTIA: Server, Security & A Plus, Electronics Technician U.S.C.G. PROFESSIONAL ORGANIZATIONS: High Technology Crime Investigation Association, Consortium of Digital Forensic Specialists, International Association of Financial Crimes Investigators, Association for Computing Machinery.

Discussion

7 thoughts on “Forensic Toolkit v3 Tips and Tricks – Re-indexing a case”

  1. Thanks much! This works and we just had to do it the other day. Thanks for putting it out there.

    Posted by William O'Sullivan | October 4, 2011, 2:24 am
  2. Brian, thanks for the tips. This issue and your future FTK v. 3 tips/tricks will definitely come in handy for us down the road. Keep up the good posts.

    Posted by Derek Shewmon | October 4, 2011, 2:30 pm
  3. Excellent post Brian!!! Thanks so much for sharing this!! Shafik Punja

    Posted by shafik punja | October 5, 2011, 7:17 am
  4. Brilliant thanks Brian.

    Posted by Cults14 | October 5, 2011, 8:29 am
  5. Thanks a lot. This could very well be a “lifesafer”!

    Posted by mannappie | October 11, 2011, 4:56 pm

Trackbacks/Pingbacks

  1. Pingback: Forensic Focus Blog: Tip on Re-Indexing a Case in FTK v. 3 » Scope 2.0 - a new perspective - October 4, 2011
