FTK: “Runtime error” on raw-image

  • Posted on January 11, 2011 at 23:07

Today we discovered some strange behavior in Forensic ToolKit when opening a raw image.

We use different software to acquire evidence:

  1. rdd-copy (my favorite)
  2. FTK Imager
  3. Tableau Imager

Fortunately we now only use uncompressed raw images*. And depending on the situation we create them with one of the above-mentioned tools. For some strange reason FTK crashed immediately after adding a raw image made by rdd-copy. My colleague appeared to be so patient and eager to find the reason for this strange behavior that he acquired that same hard drive again. Even though rdd-copy didn’t report any errors on the device! And this time he used Tableau Imager….

After all that was done, he added the raw image, made by Tableau Imager, to the case… And to our big surprise: it worked flawlessly! And it got even stranger when we checked the hashes: the MD5s were the same! Go figure…

The extension! WTF! Our default choice for an evidence extension is .IMG. (Works pretty nicely with OS X.)
And this was causing that runtime error!

We changed .IMG to .DMG, keeping the powerful functions of OS X available.
Everybody happy.
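An added example (not from the original post, and not part of FTK, rdd-copy or Tableau Imager) of how to apply the workaround without renaming or copying the evidence file: expose the .img under a .dmg name via a hard link and prove by MD5 that the bytes FTK opens are identical. It assumes a POSIX shell with either `md5sum` or `openssl` available; the `expose_as_dmg`, `md5_of` and `demo` names are ours.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and
# md5sum (coreutils) or openssl on PATH.

# Print the MD5 of a file, using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Give a .img evidence file a second name ending in .dmg without touching
# the original. A hard link shares the same inode, so the bytes cannot
# differ; a copy is the fallback when linking is impossible (other
# filesystem). The MD5 of both names is compared and printed on success.
expose_as_dmg() {
    img="$1"
    case "$img" in
        *.img|*.IMG) ;;
        *) echo "not an .img file: $img" >&2; return 1 ;;
    esac
    dmg="${img%.*}.dmg"
    if [ -e "$dmg" ]; then
        echo "refusing to overwrite existing $dmg" >&2
        return 1
    fi
    ln "$img" "$dmg" 2>/dev/null || cp "$img" "$dmg" || return 1
    before=$(md5_of "$img")
    after=$(md5_of "$dmg")
    if [ "$before" != "$after" ]; then
        echo "hash mismatch: $before != $after" >&2
        return 1
    fi
    echo "$after"
}

# Demo on a constructed 1 MiB random image (not real evidence).
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/evidence.img" bs=1024 count=1024 2>/dev/null
    expose_as_dmg "$tmp/evidence.img"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh expose.sh --demo`, or call `expose_as_dmg /cases/case01.img` on a real image and record the printed MD5 next to the acquisition hash; if the two differ, stop, because the problem is then not the extension.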

*If you want discussions about EnCase evidence files again,
If you honestly really don’t know why not,
Or if you just want to make me mad,
Send an email to ‘whatssodamnhorribleaboutencaseevidencefiles@krujs.nl’

