Fatal error v3.0b3 (multiple EWF images)

[FabianoQ]

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

--NOTE: the linkage issue is resolved, but see issue about multiple EWF images in a Case below

[adam-m]

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

[FabianoQ]

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

[adam-m]

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

[adam-m]

Hi Fabiano, what is roughly the size of the Win XP image ? We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

[FabianoQ]

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

  Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ?  We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

[adam-m]

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not. If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ? We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

[adam-m]

Hi Fabiano,

Uploading 100GB file may be quite difficult. However, we may be able to trace the issue other ways. Would you be mind to run a sleuthkit command on the image and send us a log ?

Steps: 1) download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2) unzip it

3) execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 > tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4) zip the tsk_loaddb.txt file and email to us. If it's too large, we can setup FTP.

Thanks, Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not. If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ? We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

[FabianoQ]

Ok, this evening i'll do ..

  Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 25 Giugno 2012 18:16 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to trace the issue other ways. Would you be mind to run a sleuthkit command on the image and send us a log ?

Steps: 1) download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2) unzip it

3) execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 > tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4) zip the tsk_loaddb.txt file and email to us.  If it's too large, we can setup FTP.

Thanks, Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not.  If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ?  We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6551813

[FabianoQ]

The tsk_loaddb.txt file is about 2gb (89 mb compressed) here is the link to my dropbox https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

  Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 25 Giugno 2012 18:16 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to trace the issue other ways. Would you be mind to run a sleuthkit command on the image and send us a log ?

Steps: 1) download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2) unzip it

3) execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 > tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4) zip the tsk_loaddb.txt file and email to us.  If it's too large, we can setup FTP.

Thanks, Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not.  If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ?  We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6551813

[adam-m]

Thanks very much! Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ < reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed) here is the link to my dropbox https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 25 Giugno 2012 18:16 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult. However, we may be able to trace the issue other ways. Would you be mind to run a sleuthkit command on the image and send us a log ?

Steps: 1) download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2) unzip it

3) execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 > tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4) zip the tsk_loaddb.txt file and email to us. If it's too large, we can setup FTP.

Thanks, Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not. If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ? We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6551813

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6587467

[adam-m]

Fabiano.

We just released a new version that fixes some bugs and adds better error handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ? If it still fails to add the image, it should at least provide a better error log.

Thanks, Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks very much! Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ < reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed) here is the link to my dropbox https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 25 Giugno 2012 18:16 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult. However, we may be able to trace the issue other ways. Would you be mind to run a sleuthkit command on the image and send us a log ?

Steps: 1) download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2) unzip it

3) execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 > tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4) zip the tsk_loaddb.txt file and email to us. If it's too large, we can setup FTP.

Thanks, Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not. If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ? We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6551813

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6587467

[FabianoQ]

Great, i'll give it a try immediatly

  Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Mercoledì 4 Luglio 2012 0:11 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Fabiano.

We just released a new version that fixes some bugs and adds better error handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ? If it still fails to add the image, it should at least provide a better error log.

Thanks, Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks very much! Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ < reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed) here is the link to my dropbox https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 25 Giugno 2012 18:16 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to trace the issue other ways. Would you be mind to run a sleuthkit command on the image and send us a log ?

Steps: 1) download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2) unzip it

3) execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 > tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4) zip the tsk_loaddb.txt file and email to us.  If it's too large, we can setup FTP.

Thanks, Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not.  If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ?  We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6551813

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6587467

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6747990

[FabianoQ]

Hi Adam

i had a go with 3b4 and the crash did not happened :-)

the recent activity module made it job too :-)

.. but ...

no internet history was found while before it worked :-( all the hd images i have are made by Tableau TD1 in EWF format split in 2gb chunks (some programs report them as being made by encase v3.22g ... ) now this happens:

when i start a new case and add the first hd image everything works fine (the image is correctly recognized as EWF format and so on ..) if i add a second (or third) image to the case it is mistaken as a plain dd image the size of just the first chunk and consequently nothing is extracted from the image;

if i start a new case and add the image that didn't worked as the first image in the case it works fine 8still no internet history, no connected devices

:-(

let me know if i can do anything to help address this issue.

Thanks

  Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Mercoledì 4 Luglio 2012 0:11 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Fabiano.

We just released a new version that fixes some bugs and adds better error handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ? If it still fails to add the image, it should at least provide a better error log.

Thanks, Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks very much! Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ < reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed) here is the link to my dropbox https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 25 Giugno 2012 18:16 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to trace the issue other ways. Would you be mind to run a sleuthkit command on the image and send us a log ?

Steps: 1) download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2) unzip it

3) execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 > tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4) zip the tsk_loaddb.txt file and email to us.  If it's too large, we can setup FTP.

Thanks, Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not.  If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ?  We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6551813

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6587467

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6747990

[adam-m]

Hi Fabiano, Thanks for the useful analysis. Could you please send the zipped username\appdata\roaming.autopsy directory with the log file after these issues were encountered ? No need for turning on verbose log for now.

Thanks, Adam

On Thu, Jul 5, 2012 at 5:48 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

i had a go with 3b4 and the crash did not happened :-)

the recent activity module made it job too :-)

.. but ...

no internet history was found while before it worked :-( all the hd images i have are made by Tableau TD1 in EWF format split in 2gb chunks (some programs report them as being made by encase v3.22g ... ) now this happens:

when i start a new case and add the first hd image everything works fine (the image is correctly recognized as EWF format and so on ..) if i add a second (or third) image to the case it is mistaken as a plain dd image the size of just the first chunk and consequently nothing is extracted from the image;

if i start a new case and add the image that didn't worked as the first image in the case it works fine 8still no internet history, no connected devices

:-(

let me know if i can do anything to help address this issue.

Thanks

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Mercoledì 4 Luglio 2012 0:11 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Fabiano.

We just released a new version that fixes some bugs and adds better error handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ? If it still fails to add the image, it should at least provide a better error log.

Thanks, Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks very much! Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ < reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed) here is the link to my dropbox https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 25 Giugno 2012 18:16 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult. However, we may be able to trace the issue other ways. Would you be mind to run a sleuthkit command on the image and send us a log ?

Steps: 1) download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2) unzip it

3) execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 > tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4) zip the tsk_loaddb.txt file and email to us. If it's too large, we can setup FTP.

Thanks, Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not. If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ? We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub:

https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub:

https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6551813

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6587467

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6747990

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6791663

[FabianoQ]

Hi Adam

here is the link for the archive: https://dl.dropbox.com/u/42442949/.autopsy.rar the archive has a password (qwerty) i had to put the password because yahoo mailer kept saying tha it had a virus ?!?!?!? and in the end the mail was not delivered because of the size (just 4mb) so take it from my drop box.

let me know if i can help ..

regards

Fabiano Querceto

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Venerdì 6 Luglio 2012 15:19 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, Thanks for the useful analysis. Could you please send the zipped username\appdata\roaming.autopsy directory with the log file after these issues were encountered ?  No need for turning on verbose log for now.

Thanks, Adam

On Thu, Jul 5, 2012 at 5:48 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

i had a go with 3b4 and the crash did not happened :-)

the recent activity module made it job too :-)

.. but ...

no internet history was found while before it worked :-( all the hd images i have are made by Tableau TD1 in EWF format split in 2gb chunks (some programs report them as being made by encase v3.22g ... ) now this happens:

when i start a new case and add the first hd image everything works fine (the image is correctly recognized as EWF format and so on ..) if i add a second (or third) image to the case it is mistaken as a plain dd image the size of just the first chunk and consequently nothing is extracted from the image;

if i start a new case and add the image that didn't worked as the first image in the case it works fine 8still no internet history, no connected devices

:-(

let me know if i can do anything to help address this issue.

Thanks

Fabiano Querceto

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Mercoledì 4 Luglio 2012 0:11 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Fabiano.

We just released a new version that fixes some bugs and adds better error handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ? If it still fails to add the image, it should at least provide a better error log.

Thanks, Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks very much! Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ < reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed) here is the link to my dropbox https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 25 Giugno 2012 18:16 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to trace the issue other ways. Would you be mind to run a sleuthkit command on the image and send us a log ?

Steps: 1) download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2) unzip it

3) execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 > tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4) zip the tsk_loaddb.txt file and email to us.  If it's too large, we can setup FTP.

Thanks, Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error you experienced. We can then see if the image can be added to Autopsy or not.  If not, we can then decide how further to debug issue with the image (100GB upload is huge, but not impossible).

Thanks, Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto 339-3032968 348-4707739

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 19 Giugno 2012 18:36 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, what is roughly the size of the Win XP image ?  We have an FTP site we could use if it fits, what's your email I can use (need to send you the creds). Thanks, Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way for you to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ < reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64; about the "not (re)compiled" stuff, i'm using Autopsy from the installer not from the source and i tried 3 or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them (and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Lunedì 18 Giugno 2012 23:13 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is usually an indication of that. Please add the sleuthkit/bindings/java project to netbeans and rebuild the project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy build on Linux ? Unfortunately, on Linux recent activity module is unsupported (we need to handle this better), because it currently relies on some windows-only tools (maybe we could get them to run with wine, but it's slightly hackish).

Thanks, Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ < reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the following error "Fatal error during ingest. Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found" after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53

---

Reply to this email directly or view it on GitHub:

https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409217

---

Reply to this email directly or view it on GitHub:

https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6409648

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6430357

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6466644

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6551813

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6587467

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6747990

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6791663

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6804705

[adam-m]

Hi Fabiano,

Is it possible that your image:

F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01

has no file systems in it ? I see that there are 3 partitions that have no filesystems. Perhaps there is no other partition with a filesystem.

We are currently not handling "no filesystems" case well, but plan to.

You could also send the verbose log (as earlier) to help us find out, if you are unsure.

Also, are there additional image chunks such as CTU04.E02, CTU04.E03, CTU04.E04, .... ? If so, they all need to be in the same directory for the image to be opened properly.

Thanks, Adam

[FabianoQ]

It's a normal Windows XP Installation with two ntfs partitions and some extra unpartitioned space; the image is regularly opened by FTK Imager 3 and ProDiscover Basic; all the chunks are in the same dir with the first one;

If F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01 is the FIRST image i add to a new case everything works as expected;

if i add it as the second (or third ...) image of a case the error occurs; every image i have WORKS if added as FIRST image, DOESN'T WORK if added as second image of the case

  Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 10 Luglio 2012 23:18 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Is it possible that your image:

F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01

has no file systems in it ?  I see that there are 3 partitions that have no filesystems.  Perhaps there is no other partition with a filesystem.

We are currently not handling "no filesystems" case well, but plan to.

You could also send the verbose log (as earlier) to help us find out, if you are unsure.

Also, are there additional image chunks such as CTU04.E02, CTU04.E03, CTU04.E04, .... ? If so, they all need to be in the same directory for the image to be opened properly.

Thanks, Adam

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6889705

[adam-m]

Hi Fabiano, Would you be able to also collect and upload the verbose log showing 2 images being added.

Thanks, Adam

On Tue, Jul 10, 2012 at 6:19 PM, FabianoQ < reply@reply.github.com

wrote:

It's a normal Windows XP Installation with two ntfs partitions and some extra unpartitioned space; the image is regularly opened by FTK Imager 3 and ProDiscover Basic; all the chunks are in the same dir with the first one;

If F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01 is the FIRST image i add to a new case everything works as expected;

if i add it as the second (or third ...) image of a case the error occurs; every image i have WORKS if added as FIRST image, DOESN'T WORK if added as second image of the case

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam reply@reply.github.com A: FabianoQ fabiano.querceto@yahoo.it Inviato: Martedì 10 Luglio 2012 23:18 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Is it possible that your image:

F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01

has no file systems in it ? I see that there are 3 partitions that have no filesystems. Perhaps there is no other partition with a filesystem.

We are currently not handling "no filesystems" case well, but plan to.

You could also send the verbose log (as earlier) to help us find out, if you are unsure.

Also, are there additional image chunks such as CTU04.E02, CTU04.E03, CTU04.E04, .... ? If so, they all need to be in the same directory for the image to be opened properly.

Thanks, Adam

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6889705

---

Reply to this email directly or view it on GitHub: https://github.com/sleuthkit/autopsy/issues/53#issuecomment-6891886

[adam-m]

Hi Fabiano, We just released Autopsy 3.0.0, could you see if you are still having issues adding your multiple EWF images ? http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0/

Thanks, Adam

[FabianoQ]

I only did a quick test with to small (pendrive) images and everything worked as expected. Thanks

  Fabiano Querceto 339-3032968 348-4707739

---

Da: adam notifications@github.com A: sleuthkit/autopsy autopsy@noreply.github.com Cc: FabianoQ fabiano.querceto@yahoo.it Inviato: Mercoledì 17 Ottobre 2012 15:53 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, We just released Autopsy 3.0.0, could you see if you are still having issues adding your multiple EWF images ? http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0/ Thanks, Adam — Reply to this email directly or view it on GitHub.

[adam-m]

Thanks, Fabiano, I will close the issue, feel free to reopen if you re-encounter the issue with other images.

Adam

On Thu, Oct 18, 2012 at 1:00 PM, FabianoQ notifications@github.com wrote:

I only did a quick test with to small (pendrive) images and everything worked as expected. Thanks

Fabiano Querceto 339-3032968 348-4707739

---

Da: adam notifications@github.com A: sleuthkit/autopsy autopsy@noreply.github.com Cc: FabianoQ fabiano.querceto@yahoo.it Inviato: Mercoledì 17 Ottobre 2012 15:53 Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano, We just released Autopsy 3.0.0, could you see if you are still having issues adding your multiple EWF images ? http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0/ Thanks, Adam — Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHubhttps://github.com/sleuthkit/autopsy/issues/53#issuecomment-9572184.