Follow

Decrypted files are categorized "Newly-decrypted files"

Created by: Brendan Bone
Created date:
Last Updated date:

Problem

Files decrypted in FTK have the Category "Newly-decrypted files" instead of being properly categorized.  This may result in the files not imaging, producing, or exporting properly in Summation/eDiscovery.

 

Resolution

In FTK, perform File Signature Analysis on the decrypted files with the following steps:

  1. Go to the "Overview" tab
  2. Expand "File Status"
  3. Select "Decrypted Files"
  4. Checkmark all the listed files
  5. Expand the "Evidence" menu
  6. Click "Additional Analysis"
  7. Click the "Miscellaneous" tab
  8. Check the "File Signature Analysis" box in the upper-left
  9. Select "Checked Items" at the bottom
  10. Click "OK"

 

Cause

Under some scenarios, FTK may fail to automatically run "File Signature Analysis" after performing decryption.  This may prevent the decrypted files from being able to be viewed or produced.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk