Problem

Files decrypted in FTK have the Category "Newly-decrypted files" instead of being properly categorized.  This may result in the files not imaging, producing, or exporting properly in Summation/eDiscovery.

 

Resolution

In FTK, perform File Signature Analysis on the decrypted files with the following steps:

  1. Go to the "Overview" tab
  2. Expand "File Status"
  3. Select "Decrypted Files"
  4. Checkmark all the listed files
  5. Expand the "Evidence" menu
  6. Click "Additional Analysis"
  7. Click the "Miscellaneous" tab
  8. Check the "File Signature Analysis" box in the upper-left
  9. Select "Checked Items" at the bottom
  10. Click "OK"

 

Cause

Under some scenarios, FTK may fail to automatically run "File Signature Analysis" after performing decryption.  This may prevent the decrypted files from being able to be viewed or produced.