Problem: Case has become corrupt. This can be determined when a case will either not open (Could not open case) or when the case is opened but the case appears to be empty except for the bookmarks.

 

Cause:  A database will likely become corrupt and unusable if at any time FTK is interrupted while communicating with its internal database (c-Tree by Faircom).  The most common type of interruption occurs when a user chooses to End task on FTK.exe because Windows shows that it is Not Responding.

 

Resolution:  There is no way to restore a case that has a 527 message in the CTSTATUS.FCS log.  However, it is possible to restore bookmarks to a newly created case (based on the same evidence) by following the steps outlined below:

 

  1. Keep in mind for the bookmarks to be restored successfully, the case must be reprocessed in exactly the same way it was done originally. The same processing options must be selected, and the evidence must be added in the same order.
    1. Open the case log for the corrupt case (FTK.log) and note the following:

                                          i.    Processing options selected.

                                        ii.    Refinement options (if any)

                                       iii.    Order in which the evidence was added.

  1. Create a new case with these same options selected.
  2. Allow the evidence to process completely.
  3. Once the case is open, back it up, so that we can avoid any complications with the bookmark restoration.
  4. Once the case is backed up, locate these four files from the newly created case folder:
    1. Bookmark.dat
    2. Bookmark.idx
    3. BFM.dat
    4. BFM.idx
  5. Move those files to a safe location.
  6. Locate the same four files in the corrupt case folder.
  7. Copy those four files into the newly created case folder.
  8. Open FTK and select the new case with the restored bookmarks.
  9.  Note: If desired, the searchresults.txt can also be restored in the same manner