Fatal error v3.0b3 (multiple EWF images)

[FabianoQ]

While ingesting an EWF hd image (Windows XP inside) i received the following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError: org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

--NOTE: the linkage issue is resolved, but see issue about multiple EWF images in a Case below

[adam-m]

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and rebuild the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we need to
handle this better), because it currently relies on some windows-only tools
(maybe we could get them to run with wine, but it's slightly hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

[FabianoQ]

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and rebuild the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we need to
handle this better), because it currently relies on some windows-only tools
(maybe we could get them to run with wine, but it's slightly hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and rebuild the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we need to
handle this better), because it currently relies on some windows-only tools
(maybe we could get them to run with wine, but it's slightly hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Hi Fabiano,
what is roughly the size of the Win XP image ? We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and rebuild the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we need to
handle this better), because it currently relies on some windows-only
tools
(maybe we could get them to run with wine, but it's slightly hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[FabianoQ]

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

 
Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ?  We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way for you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and rebuild the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we need to
handle this better), because it currently relies on some windows-only
tools
(maybe we could get them to run with wine, but it's slightly hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Hi Fabiano,

We will release another beta next week that likely fixes the linking error
you experienced.
We can then see if the image can be added to Autopsy or not. If not, we
can then decide how further to debug issue with the image (100GB upload is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ? We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we need
to
handle this better), because it currently relies on some windows-only
tools
(maybe we could get them to run with wine, but it's slightly hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Hi Fabiano,

Uploading 100GB file may be quite difficult. However, we may be able to
trace the issue other ways.
Would you be mind to run a sleuthkit command on the image and send us a log
?

Steps:

1. download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2. unzip it

3. execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 >
tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4. zip the tsk_loaddb.txt file and email to us. If it's too large, we can
   setup FTP.

Thanks,
Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error
you experienced.
We can then see if the image can be added to Autopsy or not. If not, we
can then decide how further to debug issue with the image (100GB upload is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ? We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error
is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we need
to
handle this better), because it currently relies on some windows-only
tools
(maybe we could get them to run with wine, but it's slightly hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[FabianoQ]

Ok, this evening i'll do ..

 
Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 25 Giugno 2012 18:16
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to
trace the issue other ways.
Would you be mind to run a sleuthkit command on the image and send us a log
?

Steps:

1. download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2. unzip it

3. execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 >
tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4. zip the tsk_loaddb.txt file and email to us.  If it's too large, we can
   setup FTP.

Thanks,
Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error
you experienced.
We can then see if the image can be added to Autopsy or not.  If not, we
can then decide how further to debug issue with the image (100GB upload is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ?  We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error
is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we need
to
handle this better), because it currently relies on some windows-only
tools
(maybe we could get them to run with wine, but it's slightly hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[FabianoQ]

The tsk_loaddb.txt file is about 2gb (89 mb compressed)
here is the link to my dropbox https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

 
Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 25 Giugno 2012 18:16
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to
trace the issue other ways.
Would you be mind to run a sleuthkit command on the image and send us a log
?

Steps:

1. download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2. unzip it

3. execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 >
tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4. zip the tsk_loaddb.txt file and email to us.  If it's too large, we can
   setup FTP.

Thanks,
Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking error
you experienced.
We can then see if the image can be added to Autopsy or not.  If not, we
can then decide how further to debug issue with the image (100GB upload is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ?  We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error
is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we need
to
handle this better), because it currently relies on some windows-only
tools
(maybe we could get them to run with wine, but it's slightly hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Thanks very much!
Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ <
reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed)
here is the link to my dropbox
https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 25 Giugno 2012 18:16
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult. However, we may be able to
trace the issue other ways.
Would you be mind to run a sleuthkit command on the image and send us a log
?

Steps:

1. download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2. unzip it

3. execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 >
tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4. zip the tsk_loaddb.txt file and email to us. If it's too large, we can
   setup FTP.

Thanks,
Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking
error
you experienced.
We can then see if the image can be added to Autopsy or not. If not, we
can then decide how further to debug issue with the image (100GB upload
is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ? We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the error
is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and
rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we
need
to
handle this better), because it currently relies on some windows-only
tools
(maybe we could get them to run with wine, but it's slightly
hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not
found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Fabiano.

We just released a new version that fixes some bugs and adds better error
handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ?
If it still fails to add the image, it should at least provide a better
error log.

Thanks,
Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks very much!
Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ <
reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed)
here is the link to my dropbox
https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 25 Giugno 2012 18:16
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult. However, we may be able to
trace the issue other ways.
Would you be mind to run a sleuthkit command on the image and send us a
log
?

Steps:

1. download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2. unzip it

3. execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 >
tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4. zip the tsk_loaddb.txt file and email to us. If it's too large, we can
   setup FTP.

Thanks,
Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking
error
you experienced.
We can then see if the image can be added to Autopsy or not. If not, we
can then decide how further to debug issue with the image (100GB upload
is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ? We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way
for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the
error
is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and
rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we
need
to
handle this better), because it currently relies on some
windows-only
tools
(maybe we could get them to run with wine, but it's slightly
hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not
found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[FabianoQ]

Great, i'll give it a try immediatly

 
Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Mercoledì 4 Luglio 2012 0:11
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Fabiano.

We just released a new version that fixes some bugs and adds better error
handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ?
If it still fails to add the image, it should at least provide a better
error log.

Thanks,
Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks very much!
Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ <
reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed)
here is the link to my dropbox
https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 25 Giugno 2012 18:16
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to
trace the issue other ways.
Would you be mind to run a sleuthkit command on the image and send us a
log
?

Steps:

1. download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2. unzip it

3. execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 >
tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4. zip the tsk_loaddb.txt file and email to us.  If it's too large, we can
   setup FTP.

Thanks,
Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking
error
you experienced.
We can then see if the image can be added to Autopsy or not.  If not, we
can then decide how further to debug issue with the image (100GB upload
is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ?  We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way
for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the
error
is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and
rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we
need
to
handle this better), because it currently relies on some
windows-only
tools
(maybe we could get them to run with wine, but it's slightly
hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not
found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[FabianoQ]

Hi Adam

i had a go with 3b4 and the crash did not happened :-)

the recent activity module made it job too :-)

.. but ...

no internet history was found while before it worked :-(
all the hd images i have are made by Tableau TD1 in EWF format
split in 2gb chunks (some programs report them as being made by encase v3.22g ... )
now this happens:

when i start a new case and add the first hd image everything works fine
(the image is correctly recognized as EWF format and so on ..)
if i add a second (or third) image to the case it is mistaken as a plain
dd image the size of just the first chunk and consequently nothing is extracted
from the image;

if i start a new case and add the image that didn't worked as the first image
in the case it works fine 8still no internet history, no connected devices

:-(

let me know if i can do anything to help address this issue.

Thanks

 
Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Mercoledì 4 Luglio 2012 0:11
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Fabiano.

We just released a new version that fixes some bugs and adds better error
handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ?
If it still fails to add the image, it should at least provide a better
error log.

Thanks,
Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks very much!
Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ <
reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed)
here is the link to my dropbox
https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 25 Giugno 2012 18:16
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to
trace the issue other ways.
Would you be mind to run a sleuthkit command on the image and send us a
log
?

Steps:

1. download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2. unzip it

3. execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 >
tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4. zip the tsk_loaddb.txt file and email to us.  If it's too large, we can
   setup FTP.

Thanks,
Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking
error
you experienced.
We can then see if the image can be added to Autopsy or not.  If not, we
can then decide how further to debug issue with the image (100GB upload
is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ?  We have an FTP site we
could use if it fits, what's your email I can use (need to send you the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way
for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the
error
is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and
rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we
need
to
handle this better), because it currently relies on some
windows-only
tools
(maybe we could get them to run with wine, but it's slightly
hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not
found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Hi Fabiano,
Thanks for the useful analysis.
Could you please send the zipped username\appdata\roaming.autopsy
directory with the log file after these issues were encountered ? No need
for turning on verbose log for now.

Thanks,
Adam

On Thu, Jul 5, 2012 at 5:48 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

i had a go with 3b4 and the crash did not happened :-)

the recent activity module made it job too :-)

.. but ...

no internet history was found while before it worked :-(
all the hd images i have are made by Tableau TD1 in EWF format
split in 2gb chunks (some programs report them as being made by encase
v3.22g ... )
now this happens:

when i start a new case and add the first hd image everything works fine
(the image is correctly recognized as EWF format and so on ..)
if i add a second (or third) image to the case it is mistaken as a plain
dd image the size of just the first chunk and consequently nothing is
extracted
from the image;

if i start a new case and add the image that didn't worked as the first
image
in the case it works fine 8still no internet history, no connected devices

:-(

let me know if i can do anything to help address this issue.

Thanks

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Mercoledì 4 Luglio 2012 0:11
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Fabiano.

We just released a new version that fixes some bugs and adds better error
handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ?
If it still fails to add the image, it should at least provide a better
error log.

Thanks,
Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks very much!
Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ <
reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed)
here is the link to my dropbox
https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 25 Giugno 2012 18:16
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult. However, we may be able to
trace the issue other ways.
Would you be mind to run a sleuthkit command on the image and send us a
log
?

Steps:

1. download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2. unzip it

3. execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 >
tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4. zip the tsk_loaddb.txt file and email to us. If it's too large, we
   can
   setup FTP.

Thanks,
Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking
error
you experienced.
We can then see if the image can be added to Autopsy or not. If not,
we
can then decide how further to debug issue with the image (100GB
upload
is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ? We have an FTP site
we
could use if it fits, what's your email I can use (need to send you
the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful. We'll see if we can find a (secure) way
for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the
error
is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and
rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we
need
to
handle this better), because it currently relies on some
windows-only
tools
(maybe we could get them to run with wine, but it's slightly
hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received
the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not
found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:

#53 (comment)

---

Reply to this email directly or view it on GitHub:

#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[FabianoQ]

Hi Adam

here is the link for the archive: https://dl.dropbox.com/u/42442949/.autopsy.rar
the archive has a password (qwerty) i had to put the password because yahoo mailer
kept saying tha it had a virus ?!?!?!? and in the end the mail was not delivered
because of the size (just 4mb) so take it from my drop box.

let me know if i can help ..

regards

Fabiano Querceto

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Venerdì 6 Luglio 2012 15:19
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
Thanks for the useful analysis.
Could you please send the zipped username\appdata\roaming.autopsy
directory with the log file after these issues were encountered ?  No need
for turning on verbose log for now.

Thanks,
Adam

On Thu, Jul 5, 2012 at 5:48 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

i had a go with 3b4 and the crash did not happened :-)

the recent activity module made it job too :-)

.. but ...

no internet history was found while before it worked :-(
all the hd images i have are made by Tableau TD1 in EWF format
split in 2gb chunks (some programs report them as being made by encase
v3.22g ... )
now this happens:

when i start a new case and add the first hd image everything works fine
(the image is correctly recognized as EWF format and so on ..)
if i add a second (or third) image to the case it is mistaken as a plain
dd image the size of just the first chunk and consequently nothing is
extracted
from the image;

if i start a new case and add the image that didn't worked as the first
image
in the case it works fine 8still no internet history, no connected devices

:-(

let me know if i can do anything to help address this issue.

Thanks

Fabiano Querceto

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Mercoledì 4 Luglio 2012 0:11
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Fabiano.

We just released a new version that fixes some bugs and adds better error
handing.

http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0%20beta/

Could you try to reproduce the issue with the image using 3b4 ?
If it still fails to add the image, it should at least provide a better
error log.

Thanks,
Adam

On Tue, Jun 26, 2012 at 5:14 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks very much!
Adam

On Tue, Jun 26, 2012 at 4:53 PM, FabianoQ <
reply@reply.github.com

wrote:

The tsk_loaddb.txt file is about 2gb (89 mb compressed)
here is the link to my dropbox
https://dl.dropbox.com/u/42442949/tsk_loaddb.rar

Let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 25 Giugno 2012 18:16
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Uploading 100GB file may be quite difficult.  However, we may be able to
trace the issue other ways.
Would you be mind to run a sleuthkit command on the image and send us a
log
?

Steps:

1. download latest beta sleuthkit build from

http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.0.0/sleuthkit-win32-4.0.0b1.zip/download

2. unzip it

3. execute command from windows shell, like:

sleuthkit-win32-4.0.0b1\bin\tsk_loaddb.exe -v YOUR_IMAGE.E01 >
tsk_loaddb.txt 2>&1

it will generate a huge log file, tsk_loaddb.txt

4. zip the tsk_loaddb.txt file and email to us.  If it's too large, we
   can
   setup FTP.

Thanks,
Adam

On Fri, Jun 22, 2012 at 2:05 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Hi Fabiano,

We will release another beta next week that likely fixes the linking
error
you experienced.
We can then see if the image can be added to Autopsy or not.  If not,
we
can then decide how further to debug issue with the image (100GB
upload
is
huge, but not impossible).

Thanks,
Adam

On Wed, Jun 20, 2012 at 4:44 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam

all the images i tested are over 100gb (compressed)let me know ...

Fabiano Querceto
339-3032968
348-4707739

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 19 Giugno 2012 18:36
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
what is roughly the size of the Win XP image ?  We have an FTP site
we
could use if it fits, what's your email I can use (need to send you
the
creds).
Thanks,
Adam

On Mon, Jun 18, 2012 at 5:31 PM, Adam Malinowski
amalinowski@basistech.comwrote:

Thanks, Fabiano,

Yes, it'd be very useful.  We'll see if we can find a (secure) way
for
you
to upload them and get back to you.

Adam

On Mon, Jun 18, 2012 at 5:28 PM, FabianoQ <
reply@reply.github.com

wrote:

Hi Adam, thanks for your lightning-fast response.

My pc environment is Windows 7 Ultimate SP1 x64;
about the "not (re)compiled" stuff, i'm using Autopsy
from the installer not from the source and i tried 3
or 4 hd images and just one produced the error.

If we can think of a method to deal with the size of them
(and you think it's useful) i can provide the .e01 images.

Regards

Fabiano Querceto

---

  Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Lunedì 18 Giugno 2012 23:13
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiono,

It looks like you have not (re)compiled the Java bindings - the
error
is
usually an indication of that.
Please add the sleuthkit/bindings/java project to netbeans and
rebuild
the
project (or, alternatively, use ant from command line).

With regards to the missing activity problem, are you running your
Autopsy
build on Linux ?
Unfortunately, on Linux recent activity module is unsupported (we
need
to
handle this better), because it currently relies on some
windows-only
tools
(maybe we could get them to run with wine, but it's slightly
hackish).

Thanks,
Adam (Autopsy team)

On Mon, Jun 18, 2012 at 5:01 PM, FabianoQ <
reply@reply.github.com

wrote:

While ingesting an EWF hd image (Windows XP inside) i received
the
following error
"Fatal error during ingest.
Caused by: java.lang.NoSuchMethodError:
org.sleuthkit.datamodel.TskCoreException: method ()V not
found"
after answering OK Autopsy closed.

I can provide the hd image.

---

Reply to this email directly or view it on GitHub:
#53

---

Reply to this email directly or view it on GitHub:

#53 (comment)

---

Reply to this email directly or view it on GitHub:

#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Hi Fabiano,

Is it possible that your image:

F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01

has no file systems in it ? I see that there are 3 partitions that have no
filesystems. Perhaps there is no other partition with a filesystem.

We are currently not handling "no filesystems" case well, but plan to.

You could also send the verbose log (as earlier) to help us find out, if
you are unsure.

Also, are there additional image chunks such
as CTU04.E02, CTU04.E03, CTU04.E04, .... ?
If so, they all need to be in the same directory for the image to be opened
properly.

Thanks,
Adam

[FabianoQ]

It's a normal Windows XP Installation with two ntfs partitions and some extra unpartitioned space;
the image is regularly opened by FTK Imager 3 and ProDiscover Basic;
all the chunks are in the same dir with the first one;

If F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01 is the FIRST
image i add to a new case everything works as expected;

if i add it as the second (or third ...) image of a case the error occurs;
every image i have WORKS if added as FIRST image, DOESN'T WORK if added as
second image of the case

 
Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 10 Luglio 2012 23:18
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Is it possible that your image:

F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01

has no file systems in it ?  I see that there are 3 partitions that have no
filesystems.  Perhaps there is no other partition with a filesystem.

We are currently not handling "no filesystems" case well, but plan to.

You could also send the verbose log (as earlier) to help us find out, if
you are unsure.

Also, are there additional image chunks such
as CTU04.E02, CTU04.E03, CTU04.E04, .... ?
If so, they all need to be in the same directory for the image to be opened
properly.

Thanks,
Adam

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Hi Fabiano,
Would you be able to also collect and upload the verbose log showing 2
images being added.

Thanks,
Adam

On Tue, Jul 10, 2012 at 6:19 PM, FabianoQ <
reply@reply.github.com

wrote:

It's a normal Windows XP Installation with two ntfs partitions and some
extra unpartitioned space;
the image is regularly opened by FTK Imager 3 and ProDiscover Basic;
all the chunks are in the same dir with the first one;

If F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01 is the FIRST
image i add to a new case everything works as expected;

if i add it as the second (or third ...) image of a case the error occurs;
every image i have WORKS if added as FIRST image, DOESN'T WORK if added as
second image of the case

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam reply@reply.github.com
A: FabianoQ fabiano.querceto@yahoo.it
Inviato: Martedì 10 Luglio 2012 23:18
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,

Is it possible that your image:

F:\CTU04_Hitachi_HDP725025GLA380_GEK231RB14B6ZA\CTU04.E01

has no file systems in it ? I see that there are 3 partitions that have no
filesystems. Perhaps there is no other partition with a filesystem.

We are currently not handling "no filesystems" case well, but plan to.

You could also send the verbose log (as earlier) to help us find out, if
you are unsure.

Also, are there additional image chunks such
as CTU04.E02, CTU04.E03, CTU04.E04, .... ?
If so, they all need to be in the same directory for the image to be opened
properly.

Thanks,
Adam

---

Reply to this email directly or view it on GitHub:
#53 (comment)

---

Reply to this email directly or view it on GitHub:
#53 (comment)

[adam-m]

Hi Fabiano,
We just released Autopsy 3.0.0, could you see if you are still having issues adding your multiple EWF images ?
http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0/

Thanks,
Adam

[FabianoQ]

I only did a quick test with to small (pendrive) images
and everything worked as expected.
Thanks

 
Fabiano Querceto
339-3032968
348-4707739

---

Da: adam notifications@github.com
A: sleuthkit/autopsy autopsy@noreply.github.com
Cc: FabianoQ fabiano.querceto@yahoo.it
Inviato: Mercoledì 17 Ottobre 2012 15:53
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
We just released Autopsy 3.0.0, could you see if you are still having issues adding your multiple EWF images ?
http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0/
Thanks,
Adam
—
Reply to this email directly or view it on GitHub.

[adam-m]

Thanks, Fabiano, I will close the issue, feel free to reopen if you
re-encounter the issue with other images.

Adam

On Thu, Oct 18, 2012 at 1:00 PM, FabianoQ notifications@github.com wrote:

I only did a quick test with to small (pendrive) images
and everything worked as expected.
Thanks

Fabiano Querceto
339-3032968
348-4707739

---

Da: adam notifications@github.com
A: sleuthkit/autopsy autopsy@noreply.github.com
Cc: FabianoQ fabiano.querceto@yahoo.it
Inviato: Mercoledì 17 Ottobre 2012 15:53
Oggetto: Re: [autopsy] Fatal error v3.0b3 (#53)

Hi Fabiano,
We just released Autopsy 3.0.0, could you see if you are still having
issues adding your multiple EWF images ?
http://sourceforge.net/projects/autopsy/files/autopsy/3.0.0/
Thanks,
Adam
—
Reply to this email directly or view it on GitHub.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/53#issuecomment-9572184.