Evidence not found after moving evidence, or case folder, with expanded VSCs : Support Portal

Evidence not found after moving evidence, or case folder, with expanded VSCs Print

Modified on: Wed, May 24, 2023 at 9:29 AM

Problem

After moving the evidence or case folder for a case with expanded Volume Shadow Copies (Restore Points), and then trying to correct the Evidence Path, FTK still reports it can't find the evidence. The error is "unable to open evidence".

Resolution

Open the ADX file(s) for the case (stored in /images/VSC) in a text editor and make sure the evidence/image path is correct
Open FTK
In the Add/Remove Evidence dialog, make sure it's pointing to the ADX file
Restart FTK and check your evidence
(Optional)Using the database manager of your choice, find the cmn_evidence table for your case and make sure it points to the ADX file(s) instead of the image

Cause

When using evidence with expanded Volume Shadow Copies, we create an ADX file to keep track of the expanded restore points, and the database points to those ADX files rather than the evidence itself.

Applies To

AD Enterprise

AD Lab

FTK

Did you find it helpful? Yes No

Evidence not found after moving evidence, or case folder, with expanded VSCs Print

Related Articles