
AccessData's Frequently Asked Questions page is a central hub where its customers can always go with their most common questions. These are the 788 most popular questions AccessData receives.
| Device | Max iOS Version | iLogical Extraction | Physical Extraction | iTunes Backup Parsing |
| --- | --- | --- | --- | --- |
| iPhone (1st generation) | 3.1.3 | Yes | Yes | Yes |
| iPhone 3G | 4.2.1 | Yes | Yes | Yes |
| iPhone 3GS | 6.1.6 | Yes | Yes | Yes |
| iPhone 4 | 7.1.2 | Yes | Yes | Yes |
| iPhone 4S | 9.x | Yes | No | Yes |
| iPhone 5 | 10.2.0 | Yes | No | Yes |
| iPhone 5C | 10.2.0 | Yes | No | Yes |
| iPhone 5S | 10.2.0 | Yes | No | Yes |
| iPhone SE | 10.2.0 | Yes | No | Yes |
| iPhone 6 | 10.2.0 | Yes | No | Yes |
| iPhone 6 Plus | 10.2.0 | Yes | No | Yes |
| iPhone 6S | 10.2.0 | Yes | No | Yes |
| iPhone 6S Plus | 10.2.0 | Yes | No | Yes |
| iPhone 7 | 10.2.0 | Yes | No | Yes |
| iPhone 7 Plus | 10.2.0 | Yes | No | Yes |
| iPad (1st generation) | 5.1.1 | Yes | Yes | Yes |
| iPad 2 | 9.x | Yes | No | Yes |
| iPad (3rd generation) | 9.x | Yes | No | Yes |
| iPad (4th generation) | 10.2.0 | Yes | No | Yes |
| iPad Mini (1st generation) | 9.x | Yes | No | Yes |
| iPad Mini 2 | 10.2.0 | Yes | No | Yes |
| iPad Mini 3 | 10.2.0 | Yes | No | Yes |
| iPad Mini 4 | 10.2.0 | Yes | No | Yes |
| iPad Air | 10.2.0 | Yes | No | Yes |
| iPad Air 2 | 10.2.0 | Yes | No | Yes |
| iPad Pro | 10.2.0 | Yes | No | Yes |
| iPod Touch (1st generation) | 3.1.3 | Yes | No | Yes |
| iPod Touch (2nd generation) | 4.2.1 | Yes | No | Yes |
| iPod Touch (3rd generation) | 5.1.1 | Yes | Yes | Yes |
| iPod Touch (4th generation) | 6.1.6 | Yes | Yes | Yes |
| iPod Touch (5th generation) | 9.x | Yes | No | Yes |
| iPod Touch (6th generation) | 10.2.0 | Yes | No | Yes |
There are a few reasons this can occur:
1) Internet Explorer High Memory Usage
Below is the default value for caching viewer content for records in the item list grid. This setting is located in "C:\Program Files\Accessdata\Map\Web.config", and affects all users.
<add key="GridCacheCount" value="3" />
You can lower this setting all the way to '0', which turns off caching completely. The '3' means your end users are caching 4 total documents as they move forward in linear review, i.e. the viewer always caches 3 ahead. So if your users jump around the grid, lower this option to reduce memory consumption in Internet Explorer.
Note: This solution has also been shown to work in preventing, or greatly reducing, an intermittent notification to install Adobe Flash that can occur with the "Standard viewer" mode of the viewer.
2) Loading Large Native into Alternate Viewer
Another value that affects end user experience is the native viewer max which you would adjust down to prevent large files from even attempting to load into the Alternate Viewer. By default it is on 50 MB.
Error Message: The current documents file size is larger than the current settings allow to display.
<add key="NativeViewerMaxFileSizeMegaBytes" value="50" />
If you have a specific format that causes the Alternate Viewer issue, you can add the extension.
<add key="ExcludeFileExtensionsFromNativeViewer" value="...
The settings above are also located in "C:/Program Files/Accessdata/Map/Web.config", and affect all users.
3) Corrupt Browser Cache Content
Lastly, if you have never cleared your Internet Explorer cache, especially after an upgrade, please use the following script. This would be done on each workstation.
@echo off
ECHO Clearing IE cache...
REM 9 = Temporary Internet Files (8) + History (1)
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
REM 2 = Cookies
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
ECHO(
ECHO(
ECHO Job complete
pause
Introduction: The AccessData Agent requires network discovery and file sharing to be enabled. The following will explain how to do this.
Procedure:
Windows XP:
Open Windows Explorer.
Click on Tools > Folder Options.
Select the View tab and scroll to the bottom of the list.
Deselect "Use simple file sharing"
Click "Apply to All Folders", then Apply and OK.
Windows Vista and Newer:
Open the Control Panel and select "Network and Internet".
Select "Network and Sharing Center".
Select "Change advanced sharing settings" near the upper-left.
Expand the type of network for which you'd like to change the settings.
Select "Turn on network discovery".
Select "Turn on file and printer sharing".
Click "Save changes" then "OK".
Problem
When browsing to one of our web-based products you get the error:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://XXXX again. If this error persists, contact your site administrator.
Resolution
Make sure the URL you entered contains the correct hostname
Verify the HTTPS protocol is bound to a certificate in IIS
Open IIS Manager
On the left, expand the entry for your server
Expand "Sites"
Right-click "Default Web Site" and select "Edit Bindings"
Double-click the entry for "https"
Select the desired certificate in the "SSL certificate" drop-down and click "OK"
On the right, click "Restart"
Verify TLS is enabled in Internet Explorer
Open Internet Options
Go to the Advanced tab
In the Settings pane, scroll to the bottom and enable "Use TLS 1.0", "Use TLS 1.1", and "Use TLS 1.2"
Restart Internet Explorer
Cause
Server hostname is incorrect
HTTPS is not bound to a certificate
TLS is not enabled
Question
How do I configure Summation or eDiscovery to use Distributed Processing?
Prerequisites
A domain-level service account with local administrator permissions to all involved machines and full access to case, evidence, and export shares.
Open the following incoming ports on the servers running their respective components:
| Component | Port |
| --- | --- |
| Microsoft SQL Server | 1433 (or custom port) |
| Distributed Processing Manager | 34096 |
| Distributed Processing Engine | 34097 |
| All machines | 135 (DTC), 1024-65535 (DCOM) |
Answer
Install both the Distributed Processing Manager and Distributed Processing Engine on the machine running the Work Manager component responsible for processing and export jobs.
Make sure to check "Install as a Distributed Processing Engine" when installing the Processing Engine.
Install the Distributed Processing Engine on any desired additional machines.
Make sure to check "Install as a Distributed Processing Engine" when installing the Processing Engine.
Open the Distributed Processing Manager Configuration, typically located at "[drive]:\Program Files\AccessData\Distributed Processing Manager\[version]\ProcessingManagerConfig.exe", as Administrator.
For each of the machines running the Distributed Processing Engine, do the following:
In the Computer name/IP field, enter the name/IP of the machine.
Click Add.
After adding all desired processing machines, click Save and Close.
Notes
Always use the same service account credentials for all components.
When installing the other Summation/eDiscovery components, when prompted for the "Processing Manager", make sure to specify the name of the machine that will house both the Work Manager and Distributed Processing Manager components.
While there must be a Distributed Processing Engine installed on the Work Manager machine for certain jobs, that machine doesn't necessarily need to be used for processing. You can leave this machine out at step 4 if you do not wish it to be used for processing jobs.
Question
How do I configure Quin-C to use Distributed Processing?
Prerequisites
A domain-level service account with local administrator permissions to all involved machines and full access to case, evidence, and export shares.
Open the following incoming ports on the servers running their respective components:
| Component | Port |
| --- | --- |
| Microsoft SQL Server | 1433 (or custom port) |
| Distributed Processing Manager | 34096 |
| Distributed Processing Engine | 34097 |
| Quin-C Server | 4443 (or custom port) |
| All machines (if using MSSQL) | 135 (DTC), 1024-65535 (DCOM) |
Answer
Install the Distributed Processing Manager on the desired machine.
Install the Distributed Processing Engine on any desired machines.
Make sure to check "Install as a Distributed Processing Engine" when installing the Processing Engine.
Open the Distributed Processing Manager Configuration, typically located at "[drive]:\Program Files\AccessData\Distributed Processing Manager\[version]\ProcessingManagerConfig.exe", as Administrator.
For each of the machines running the Distributed Processing Engine, do the following:
In the Computer name/IP field, enter the name/IP of the machine.
Click Add.
After adding all desired processing machines, click Save and Close.
If the Distributed Processing Manager is installed on a different machine than Quin-C Server, do the following:
Navigate to the Forensic Tools bin folder (typically "[drive]:\Program Files\AccessData\Forensic Tools\[version]\bin\").
Open ADG.WeblabSelfHost.exe.config in a text editor.
In the appSettings section, find and change the value of the ProcessingManager key to the hostname of the Distributed Processing Manager machine, as shown below:
<add key="ProcessingManager" value="myDPM" />
In the client section under the system.serviceModel section, find and change the address and name of the endpoint key to reflect the hostname of the Distributed Processing Manager machine, as shown below:
<endpoint address="net.pipe://myDPM/ProcessingManager" binding="netNamedPipeBinding" bindingConfiguration="LocalBinding" contract="AccessData.EvidenceProcessing.SharedTypes.Interfaces.IProcessingManagerService" name="myDPM" />
Restart the AccessData Quin-C Self Host Service service.
Notes
Always use the same service account credentials for all components.
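The Quin-C procedure above edits the Distributed Processing Manager hostname in two separate places of ADG.WeblabSelfHost.exe.config, so a stale value in one of them is easy to miss before the service restart. The following check is an added example, not AccessData code: the function names and the sample configuration are constructed for illustration, and only the key name, contract string and endpoint layout are taken from the snippets shown above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Contract string of the endpoint shown in the article.
CONTRACT = "AccessData.EvidenceProcessing.SharedTypes.Interfaces.IProcessingManagerService"


def check_dpm_config(config_xml, expected_host):
    """Return a list of problems; an empty list means every value names expected_host.

    For a real file, pass the text of ADG.WeblabSelfHost.exe.config read from disk.
    """
    root = ET.fromstring(config_xml)
    want = expected_host.lower()
    problems = []

    # 1. appSettings: <add key="ProcessingManager" value="..." />
    values = [a.get("value", "") for a in root.findall("appSettings/add")
              if a.get("key") == "ProcessingManager"]
    if not values:
        problems.append("appSettings: ProcessingManager key not found")
    for value in values:
        if value.lower() != want:
            problems.append(f"appSettings: ProcessingManager is '{value}'")

    # 2. system.serviceModel/client: the endpoint's address and name attributes
    endpoints = [e for e in root.findall("system.serviceModel/client/endpoint")
                 if e.get("contract") == CONTRACT]
    if not endpoints:
        problems.append("client: no endpoint with the ProcessingManager contract")
    for ep in endpoints:
        address = ep.get("address", "")
        host = urlsplit(address).hostname or ""  # hostname is returned lower-cased
        if host != want:
            problems.append(f"endpoint: address points at '{host}' ({address})")
        if ep.get("name", "").lower() != want:
            problems.append(f"endpoint: name is '{ep.get('name')}'")
    return problems


def sample_config(setting_host, endpoint_host):
    """Constructed stand-in for the relevant parts of the config file (an assumption)."""
    return f"""<configuration>
  <appSettings>
    <add key="ProcessingManager" value="{setting_host}" />
  </appSettings>
  <system.serviceModel>
    <client>
      <endpoint address="net.pipe://{endpoint_host}/ProcessingManager"
                binding="netNamedPipeBinding" bindingConfiguration="LocalBinding"
                contract="{CONTRACT}" name="{endpoint_host}" />
    </client>
  </system.serviceModel>
</configuration>"""


if __name__ == "__main__":
    # appSettings was updated but the endpoint still names the old host.
    for problem in check_dpm_config(sample_config("myDPM", "localhost"), "myDPM"):
        print(problem)
```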
Question
How can I export a PST file in Summation Pro and/or eDiscovery?
Requirements
Use one of the following methods to prepare your environment to export email to PST. This should only need to be completed once.
Method 1: Aspose (Summation/eDiscovery 6.3.0 SP9 and newer)
On the machine running the "AccessData Work Manager" configured for Exports, navigate to the Work Manager installation folder (typically "[drive]:\Program Files\AccessData\eDiscovery\Work Manager").
Open Infrastructure.WorkExecutionServices.Host.exe.config in a text editor.
Find the key UseAsposeForPSTExport and change its value to true.
<add key="UseAsposeForPSTExport" value="true" />
Save and close the file.
Recycle all Summation/eDiscovery services.
Notes:
OST is supported only to create a new PST, but will not reduce it.
NSF will not be supported with ASPOSE. It will continue to use the Lotus Notes client to reduce NSF.
This does not work on an ANSI formatted PST (Outlook 97-2002). If the application encounters such a PST, it will not attempt to reduce it, but rather fall back to the new PST option.
Method 2: Outlook/MAPI (all versions of Summation/eDiscovery)
On the machine running the "AccessData Work Manager" configured for Exports, install one of the below versions of Outlook:
Outlook 2007 32-bit Standard & Professional
Outlook 2010 32-bit Standard & Professional
Outlook 2013 32-bit Professional Plus
Outlook 2016 32-bit Professional Plus (Summation/eDiscovery 7.0 and later only)
Recycle all Summation/eDiscovery services.
Exporting Methods
There are three methods of exporting a PST file:
Export New PST
Export Reduced PST
Export SMART PST (Summation/eDiscovery 6.3.0 and later only)
New PST
If the export contains a PST file, this option creates a new PST for each PST file and adds only the messages (with their attachments) that are being exported.
Reduced PST
This option creates a copy of each original PST and then removes all the messages that are not being exported. This option is faster if the majority of the emails within the original PST are being exported. However, this method may take much longer to complete if the majority of the emails within a PST are not being exported.
SMART PST
If the export contains a PST file, the application will examine each PST to be exported and determine the faster method between creating a new or reduced PST. If there are multiple PSTs being exported, the best method will be determined for each PST based on whether the majority of email families will or will not be exported.
Examples:
If you have a 10 GB PST file and are exporting 500 MB, this requires removing 9.5 GB of data from the original. New PST would be faster.
If you have a 10 GB PST file and are exporting 9.5 GB, this requires removing 500 MB of data from the original. Reduced PST would be faster.
Summation Admin and Reviewer Guides are linked at the bottom of this article.
The Admin Guide is geared towards IT, System Admin, and litigation support personnel and covers the following:
Administering Summation and Users
Configuring Data Sources
Managing Projects
Loading Summation Data
Using Lit Holds
Configuring and Using the Multi-Tenant Environment
Configuring and Using LawDrop
The Reviewer Guide is geared towards end user litigation support, paralegals, attorneys and covers the following:
Customizing the UI Layouts and panels
Viewing Data in Layouts and panels
Deleting Documents
Configuring and running quick and advanced searches
Using filters to cull data
Using Visualization - Social Analyzer, Geolocation, Heatmap
Working with Transcripts and Exhibits
Imaging documents
Applying Tags / Labels
Coding Documents - Grid, Review Sets, Predictive Coding
Annotating Evidence
Bulk Printing
Managing Review Sets
Exporting Data - Export and Production Sets
Getting Started with KFF
Introduction
The following will allow you to generate and apply a Quin-C license from your Quin-C Order Number.
Your Quin-C Order Number will typically be contained in an email entitled "Thank you for your recent Quin-C order!", and will be sent from [email protected].
If you have not received or have misplaced an expected Quin-C Order Number, please contact your Sales representative or [email protected].
Procedure
Obtain your license key:
Navigate to https://www.quincforensics.com/quincsupport.html.
In the Get Your License Key box, enter your Order Number (from the above mentioned email), your Quin-C Server Machine Name (Base URL), and your Email Address, then click Submit.
Note: The "Machine Name" field must be the base URL you will use to navigate to Quin-C. This could be your server's NETBIOS name, FQDN, or a DNS alias.
Copy out one of the resulting strings, depending on your desired licensing method, and save it for your records.
License Key: License string to use when not using either a CodeMeter physical or virtual dongle.
Dongle String: License string to use when using either a CodeMeter physical or virtual dongle.
Choose one of the license activation methods shown below.
Option 1 - Activate your license without a CodeMeter dongle:
Log into Quin-C, making sure to use the Machine Name/Base URL used when obtaining your license.
If you're immediately prompted to enter a License Key, enter the full License Key obtained above and click Enter.
If you are running another, unexpired, license or trial, you can update your license by doing the following:
1. Open the Admin widget.
2. Go to the System Administration tab.
3. Open the License Info sub-tab.
4. Enter the full License Key from step 3 and click Enter.
Option 2 - Activate your license with a CodeMeter dongle:
Make sure both CodeMeter and License Manager are installed.
Contact your Sales representative and give them your Dongle String obtained above. They can then provide you with a new CodeMeter dongle or update an existing one.
Insert/activate your CodeMeter dongle and make sure it's refreshed. License Manager should show an Insight license that looks like the following:
Navigate to the Quin-C bin folder (typically "[drive]:\Program Files\AccessData\Forensic Tools\[version]\bin\").
From the bin folder, open ADG.WeblabSelfHost.exe.config in a text editor.
In the appSettings section, find and change the value of the DongleLicenseValidator key to true, as shown below, then save the file:
<add key="DongleLicenseValidator" value="true"/>
Restart the AccessData Quin-C Self Host Service service.
NOTE: If you try to navigate to Quin-C using a different Machine Name/Base URL than used when activating your license, you will be prompted to enter a new license.
Revision: 6.2 -- Date: 31 March 2017
Problem
When navigating to the Summation/eDiscovery web interface, you get the error:
"There was no endpoint listening at net.tcp://<server_name>:9132/LicenseService/service that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details."
Resolution
Verify SQL is started.
Make sure the machine running the "AccessData Business Services Common" service can see SQL over the correct port (typically 1433), and can communicate with SQL using Windows Authentication via the service account.
Check the dbo.ConfigurationInfo table in the eDiscovery database to see what schema version that database is on (refer to this article to verify the proper schema version).
- Check the DatabaseUpgrade logs (in "%ProgramData%\AccessData") for AppDB upgrades and make sure the eDiscovery database was successfully upgraded.
- Upgrade AppDB if needed
Check MSDTC settings on all servers involved (SQL included).
Recycle the AccessData services.
Check disk space on the SQL database and logs drives.
Cause
If the eDiscovery database is not accessible or is not intact when "AccessData eDiscovery Business Services" service starts, you will get the error above.
Symptom:
Ingest an Outlook email or archive that contains a "blank" date field. After exporting from AccessData, the date shows as 1/1/4501.
Cause:
According to Microsoft, the date field can never be stored as blank or NULL. If no value is written to the field, the value will default to 1/1/4501.
For more information see:
Microsoft Outlook 2007 Programming: Jumpstart for Power Users and Administrators by Sue Mosher, "Working with dates and times" pg 207
and
https://answers.microsoft.com/en-us/msoffice/forum/all/in-user-defined-fielddatetimedisplays-weird/d4ca95cb-ec8c-478e-a810-25cfeaa1b671
Resolution:
There technically is no resolution to this issue as this is working as designed by Microsoft.
Introduction: The following will allow you to reset an FTK password.
Note: To reset an FTK password you must have a previously created, valid Password Reset File. These can be created via the "Administer Users" dialog and are unique to an individual user name, password, and database.
Procedure:
After attempting to logon with a bad password, click the "Reset password" button.
Browse to and select your previously created, valid Password Reset Token File.
When prompted, create a new password (don't forget to create a new Password Reset File).
Note: a "password reset file" will have an extension of "TKN". E.g. the filename might be "FTK Password Reset.tkn".
Question
How do I create a SQL maintenance plan to remove old backup files?
Important
You should consider space needed and acceptable losses when determining a SQL backup retention policy.
Answer
Open up SQL Server Management Studio
In the Object Explorer pane, expand Management
Right-click Maintenance Plans
Select Maintenance Plan Wizard
When prompted, provide a meaningful Name and Description for your plan
If you would like this plan to run on a regular schedule, rather than On Demand, click Change to specify when the plan should run
Click Next
Check Maintenance Cleanup Task, then click Next
Note: Highlighting a Task will show a description of what it does
If also performing other maintenance tasks, set the order in which they should be performed, then click Next
Select to delete Backup files, specify the location and file extension of your backups, and specify the age at which those backup files should be deleted
Note: Full SQL backups typically use the BAK extension while Transaction Log backups typically use the TRN extension
Click Next
Specify the location to save or send reports when the maintenance job completes, then click Next
Review the settings for the maintenance plan, then click Finish
Overview
The purpose of this article is to provide the basic steps of creating a maintenance task within SQL Server which is crucial to the success of heavily coded or large databases. It is recommended to run this in accordance with your maintenance plan. A maintenance plan is suggested in our specifications guide. For a custom maintenance plan please contact our services department.
Question
How can I use Microsoft's DTCPing tool to verify that the Distributed Transaction Coordinator is communicating correctly?
Answer
DTCPing is run between two machines at a time. If your environment has more than 2 servers, you will need to perform this process multiple times on different servers to test all the network segments.
Machine A and B:
Download DTCPing from http://www.microsoft.com/en-us/download/details.aspx?id=2868
Run the DTCPing download and tell it where to Unzip its contents
Start "Dtcping.exe" from the unzipped contents
Machine A:
Enter Machine B's netBIOS name into the "Remote Server Name" field
Click "Ping"
If you receive a message similar to the following, DTCPing was successful in this direction and you may proceed
Machine B:
Enter Machine A's netBIOS name into the "Remote Server Name" field
Click "Ping"
If you receive a message similar to the following, DTCPing was successful on this network segment
Overview
Microsoft's Distributed Transaction Coordinator must be able to successfully communicate between all servers for Summation or eDiscovery to function correctly.
This article outlines the support boundaries and procedures for supporting virtualized environments with AccessData software.
While virtual machines have not traditionally been supported with AD products, the fact is that most customers, small/medium businesses as well as large enterprises, have rapidly moved away from a 1:1 server configuration for their workloads. Running virtual machines and sharing resources has long been a way to maximize the investment in computing resources.
A virtual machine / virtualized environment that is properly configured will work as reliably, and perform essentially the same as a physical server with dedicated resources.
Supported Virtual Environments:
AccessData products are certified, and will work on the following Hypervisors and Cloud Based Environments:
AccessData realizes there are other options for your cloud compute and virtualization infrastructure; however, our products have not been tested on them for functionality, and we will not support providers and infrastructure outside of the guidance listed above.
Support Boundaries:
AccessData will support its products in a virtual environment running on a supported operating system and environment by both the Vendor/manufacturer and AccessData.
Our software is designed and tested to work on various versions of Microsoft Windows, and our support strategy is based upon these being in compliance with vendor support and end-of-life (EOL) Matrices.
AccessData does require that all of a customer's virtual resources are configured in alignment with our best practices and configuration workflow, as outlined in our product documentation or as specified by our support team(s).
This includes ensuring that Virtual Machine resources are statically set and not dynamically set, nor controlled by the hypervisor. This applies specifically to the Processor Allocation, RAM, and Block Storage for a virtual machine, to ensure they never go below a minimum threshold as outlined in our configuration guidelines.
Support Exclusions:
Underlying Network Performance problems on a Virtual switch.
Underlying disk performance problems on a virtual machine and/or host
Connectivity to storage beyond ensuring AccessData's products can connect to their resource(s).
Non-AccessData software issues (e.g. Microsoft SQL Server)
Protocol specific errors, including but not limited to:
iSCSI Protocol Errors
VLAN Tagging
Virtual Machine Queue(s) (VMQ) on 10GB Networks
Attempting to mount volumes over Network File System(s) (NFS)
Under-provisioning/configuration errors on a virtual machine.
Question
How do I rebuild my SQL indexes using a maintenance plan?
Answer
Open up SQL Server Management Studio
Expand out Management
Right Click on Maintenance Plans
Choose Maintenance Plan Wizard
Give your plan a name that reminds you what it does, "Rebuild Indexes on the fly" for example.
Click Next
Check "Rebuild Index" and "Update Statistics"
Click Next
Rebuild should be at the top
Click Next
Choose under Databases: All user databases
Click Next
Choose under Databases: All user databases
Click Next
Note or Change the location of the report of this task
Click Next
Click Finish
Final screen upon successful creation
Now you will have your task created under Maintenance Plans
Right click on your maintenance plan, it will show the name you gave it in step 6
Click Execute
Note: If it fails immediately, check your SQL Agent; it should be green as you see below with a little play button. If it is not started, start it, then try 22 and 23 above again.
If you have any trouble with getting this to run we will need to engage our services group as a paid engagement.
Overview
The purpose of this article is to provide the basic steps of creating a maintenance task within SQL Server which is crucial to the success of heavily coded or large databases. It is recommended to run this in accordance with your maintenance plan. A maintenance plan is suggested in our specifications guide. For a custom maintenance plan please contact our services department.
Question
How can I run Imager from a portable drive?
Answer
Prerequisites:
A computer other than the target system
Procedure:
On a machine other than the system to be imaged, install FTK Imager
Insert a flash drive formatted with either the FAT32 or NTFS file system
Copy the entire FTK Imager installation folder (typically "C:\Program Files\AccessData\FTK Imager" or "C:\Program Files (x86)\AccessData\FTK Imager") to your flash drive
Insert the flash drive in the system to be imaged
Navigate to the folder you created on the flash drive
Run FTK Imager.exe (as Administrator) and use Imager as you normally would
Note: Because a live system is constantly changing, imaging a live system may produce an image that is not replicable. FTK Imager will write to the system RAM and perhaps the hard drive page file during the imaging process. Be aware of the risks of imaging a live system and make the decision carefully.
Overview
This will allow a user to create a portable "Imager Lite" from any full release of Imager.
Even with UAC disabled, are you using an administrative command prompt?
The security token for administratively running IISRESET isn't there under a normal command prompt even if you've moved the UAC slider to "Never Notify".
To completely disable UAC, you can follow these steps:
Open PowerShell
Type Regedit then hit enter
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Double click on EnableLUA
Change the Value data to a 0
Click OK, then reboot the server
You can then try running IISRESET from a normal cmd prompt, but it isn't good practice to completely disable UAC on any server.
ISSUE/SYMPTOMS:
The icons are grayed-out on the Case Explorer interface and on the case selection dialog (Case > Open dialog) when running the Summation iBlaze or Summation Enterprise client on a workstation running Windows 8.1, Windows 10, or a terminal server running Windows Server 2012.
CAUSE/DESCRIPTION: The Summation iBlaze 3.1.0 client and Summation Enterprise 2.7.1 client have not been validated on the following operating systems:
Windows 8.1
Windows 10
Windows Server 2012
Anecdotal: Many end users have reported that running the client in compatibility mode has worked fine. You may attempt to run iBlaze (SW32.exe) or Enterprise (SummSSE.exe) in either of the following compatibility modes:
Windows 7
Windows Vista
Windows XP
APPLIES TO:
Summation iBlaze client versions 3.1.0 and earlier
Summation Enterprise client versions 2.7.1 and earlier
Problem
When attempting to open FTK/Lab/Enterprise, a new window pops up with an error message stating that the system or server is busy and gives you the options to "Switch to" or "Retry".
Resolution
Open the firewall port 5432 between the FTK client and PostgreSQL database. The commands below can be run through a command prompt to accomplish this.
netsh advfirewall firewall add rule name="AccessData PostgreSQL" dir=in action=allow protocol=TCP localport=5432
netsh advfirewall firewall add rule name="AccessData PostgreSQL" dir=out action=allow protocol=TCP localport=5432
Cause
This issue is caused by communication being blocked by the client (FTK) and/or server (PostgreSQL).
NOTE: the port value will be different than 5432 if during FTK installation, a non-default port was selected.
Note: If the above is not helpful, then here is a help article describing other possible causes.
https://support.accessdata.com/hc/en-us/articles/205584078-Server-Busy-Error
Question
What does the option "Disable Tag Indexing" do on a case, and where do I change it?
Answer
In order to shorten indexing time and decrease index size, this option disables indexing of the "Labels" and "Issues" fields as well as any checkbox or radio button fields.
The following field types will always kick off a reindex job:
Date Field
Text Field
Number Field
The Disable Tag Indexing Option is located in: Processing Options:
Notes
Search results of tag-type fields may appear inconsistent if this setting is not used appropriately. This is because, even with "Disable Tag Indexing" checked, simple queries (i.e. "Labels contains Bob") will still work on the affected fields. However, complex queries containing connectors or multiple fields (i.e. "Labels contains Bob OR From contains Jim") will only work if "Disable Tag Indexing" is unchecked.
Full functionality of the filter facets will still exist regardless of this setting.
Problem
How do I install the CodeMeter software?
Resolution
To install CodeMeter:
Run the CodeMeter executable as an Administrator. The CodeMeter Runtime Kit Setup Wizard will appear. Click Next.
Review and accept the license agreement and click Next.
In the Installation Scope dialog, fill in the User name and Organization information and click Next.
Note: The recommended option is Install for only this user.
Review the Custom Setup dialog and click Next.
Click Install.
Click Finish.
Cause
CodeMeter is required for AD License Manager (and all other software) to recognize installed licenses.
Problem
How can I move my "Cases" and "CaseData" folders to another server/share? This assumes the application is remaining where it is, and only the data is moving.
Resolution
1) Copy the "Cases" and "Casedata" folders to their new location;
2) Update the paths in all .CI and .INI files in the Cases folder and its subfolders. This can be done easily in a text editor such as Notepad++ by searching the Cases folder for all files of type .CI and .INI, and then using Replace to edit all of the listed files at once. Replace the old server name/case path with the updated name/path.
PLEASE NOTE: When performing an advanced find-and-replace against multiple files at once, be sure to limit the filetypes that the advanced text editor will modify. Failure to limit the mass edit could cause database corruption. E.g. only perform mass edits against files with the following extensions:
*.ci
*.ini
*.udl
*.xml
3) Update the paths in all .UDL and .XML files in the CaseData subfolders using the same method described in step 2;
NOTE: Textpad should not be used with UDL files; Textpad can edit a UDL file, but then it also may toggle a binary flag on each UDL file. The presence of the binary flag on a UDL will cause problems when iBlaze attempts to open the linked data content using the UDL.
4) In the Admin Console, go to the Groups tab and use the Case Paths button to update the case listing location for at least the Admin group (if you are using Summation security, change the case listing for all groups);
NOTE: It may be necessary to run SWAdmin.exe to open the Admin console. If so, then please be sure to run SWAdmin from a network path (i.e. browse to the "Admin" folder via a UNC path, and run SWAdmin.exe).
5) Use the Case Options button to Verify Case Info files in the new location after the path has been changed;
6) Be sure to change the Case Listing location (Case -> Tools -> Set Case Listing Location) and the Case Create (Case -> Open -> Right-click on top level folder -> Set Case Create Location) locations so that new cases are created in the proper place.
Clean-Up
If your image paths in the Imginfo table are not predicated on @I, they may also need to be updated. For example if your images reside in the Images folder but the path is hard-coded, they will no longer be viewable in the new location until the path has been corrected. You can do this in the Imginfo table's Defdir field using Global Replace.

Problem
When attempting to start PRTK, "Starting the User Interface" appears and then the PRTK window closes.
Solution
If a "GodMode" control panel folder is located on the desktop, then delete or move that folder to a different location.
Overview
If a "GodMode" control panel folder is located on the desktop, this will prevent PRTK from opening completely.
This seems to occur with Windows 10 only, i.e. PRTK can open and function fine in Windows 8.1 and Windows 7 while a "GodMode" folder is on the desktop.
Applies To
PRTK/DNA
Windows 10, all editions

Original Summation Pro/eDiscovery 6.3.0 announcement and installation media
Release Notes
See attached
Installation Media
"v6.3.0/SP9" folder at the below location:
Hostname: ftp.accessdata.com
Protocol: SFTP
Port: 22
Username: accessdata-edisco
Password: fi67EM/mTC%JOR
https://ftp.accessdata.com
Username: accessdata-edisco
Password: fi67EM/mTC%J
Installation
On all machines involved in your setup:
Log into Windows using the credentials for your Summation/eDiscovery service account
Open the Microsoft Services snap-in (services.msc)
If any "AccessData" services are marked as Disabled, set their Startup Type to Automatic
Copy the downloaded "eDisco_6.3.0_SP9.exe" locally to the system
Right-click on the Patch EXE and choose "Run as Administrator"
Click "Great! Continue"
Accept the End User License Agreement
Allow the installer to complete to have all components on that machine patched automatically
Note: The SP installer will also install .NET 4.7.1 on the machine running the "AccessData WCF Services".
On any machines used to access the Summation/eDiscovery Web UI:
Clear the IE cache
Browse to the Summation/eDiscovery Web UI and log in
Click the version information in the top right hand corner and confirm it matches the version numbers below:

.NET uses an implementation of the AES algorithm (AesManaged in the stack trace below) that is not part of the Windows Platform FIPS validated cryptographic algorithms. Microsoft removed this setting from its security baseline settings in 2014 due in part to its impact on software leveraging the .NET Framework. You can read more about their reasoning here:
https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/
Servers that are set to enforce FIPS-compliant algorithms can prevent services from starting and cause communication to fail, with this error being reported:
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.AesManaged..ctor()
at ADG.Database.DAL.DALConnection.Decrypt(String __Data)
at ADG.Database.DAL.DALCommand.ExecuteNonQueryWithDecrypt(String format, String encrypted)
at ADG.Database.Definition.UDBInstallUninstall.PrepareDatabase(IDALConnection conn, UDBParams udbParams, Boolean reinstallADMSSQL, CaseDBRecoveryMode recoveryMode)
at ADG.Database.Definition.UDBInstallUninstall.CreateDatabase(UDBParams udbParams, String adminUser, String adminPassword, Boolean reinstallADMSSQL, CaseDBRecoveryMode recoveryMode, Boolean fixSequences)
at ADG.Database.Definition.UDBInstallUninstall.InstallUnifiedDB(UDBParams udbParams, CredentialContext context, IProgress`1 progress, Boolean createAlias)
at DatabaseConfigurationTool.CreateDatabase.CreateDatabaseSteps()
at DatabaseConfigurationTool.DatabaseForm.CreateDatabaseThread(Object o)
The issue can be resolved with the following steps:
On each server in the environment, open the Registry Editor (regedit.exe).
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy\Enabled.
Change the value of the key from 1 to 0.
Reboot the server.
NOTE: Please be aware that this registry change is subject to being re-enabled by Group Policy. The Group Policy setting responsible for this setting is called "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing" and can be found by expanding the Group Policy console tree to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\.

Original Summation Pro/eDiscovery 6.3.0 announcement and installation media
Release Notes
See attached
Installation Media
"v6.3.0/SP7" folder at the below location:
Hostname: ftp.accessdata.com
Protocol: SFTP
Port: 22
Username: accessdata-edisco
Password: fi67EM/mTC%JOR
https://ftp.accessdata.com
Username: accessdata-edisco
Password: fi67EM/mTC%J
Installation
On all machines involved in your setup:
Log into Windows using the credentials for your Summation/eDiscovery service account
Open the Microsoft Services snap-in (services.msc)
If any "AccessData" services are marked as Disabled, set their Startup Type to Automatic
Copy the downloaded "eDisco_6.3.0_SP7.exe" locally to the system
Right-click on the Patch EXE and choose "Run as Administrator"
Click "Great! Continue"
Accept the End User License Agreement
Allow the installer to complete to have all components on that machine patched automatically
Note: The SP installer will also install .NET 4.7.1 on the machine running the "AccessData WCF Services".
Collection Work Manager:
Follow the steps here to make sure your Work Manager collection staging folder is still set correctly.
On any machines used to access the Summation/eDiscovery Web UI:
Clear the IE cache
Browse to the Summation/eDiscovery Web UI and log in
Click the version information in the top right hand corner and confirm it matches the version numbers below:

For every file on an NTFS volume, there are the following dates:
File Created
File Accessed
File Modified
MFT Entry Modified (also called MFT last written)
Each of these dates is explained below:
File Created: This is the date the file was created on the volume. This does not change when working normally with a file, e.g. opening, closing, saving, or modifying the file.
File Accessed: This is the date the file was last accessed. An access can be a move, an open, or any other simple access. It can also be tripped by anti-virus scanners or Windows system processes. Therefore caution has to be used when stating a file was last accessed by user XXX if there is only the File Accessed date in NTFS to work from.
File Modified: This date, as shown by Windows, indicates that there has been a change to the file itself. E.g., adding more data to a Notepad document would trip the date it was modified.
MFT Entry Modified: A basic understanding of NTFS and the MFT is required for this section. This date is not shown by Windows Explorer or the typical Windows interface; viewing it requires forensic tools, e.g. EnCase, FTK, iLook, WinHex, etc. This date shows when the MFT entry that points to the file of concern was changed. This means that if the record that points to the file is changed, then this date will trip. Because all the dates, the file name, and the file size are stored in the MFT, a change to any of them changes this date. For example, if the file size changes, then the MFT Entry Modified date is changed. If the file name is changed, then the MFT Entry Modified date is changed.
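The four dates above are stored as 64-bit FILETIME values at the start of the $STANDARD_INFORMATION attribute in a file's MFT record. The following added example (not AccessData code) parses them from a resident attribute and flags the rename-style case described above; the sample attribute is constructed, and the function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_TYPE = 0x10          # attribute type code of $STANDARD_INFORMATION
RESIDENT_HEADER = 0x18  # size of an unnamed resident attribute header


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_standard_information(attr: bytes) -> dict:
    """Return the four NTFS dates from a resident $STANDARD_INFORMATION attribute."""
    attr_type, _attr_len, non_resident = struct.unpack_from("<IIB", attr, 0)
    if attr_type != SI_TYPE or non_resident:
        raise ValueError("not a resident $STANDARD_INFORMATION attribute")
    content_len, content_off = struct.unpack_from("<IH", attr, 0x10)
    if content_len < 32 or content_off + 32 > len(attr):
        raise ValueError("attribute content too short for four timestamps")
    # On-disk order: created, modified, MFT entry modified, accessed.
    created, modified, mft_modified, accessed = struct.unpack_from("<4Q", attr, content_off)
    return {
        "File Created": filetime_to_dt(created),
        "File Modified": filetime_to_dt(modified),
        "MFT Entry Modified": filetime_to_dt(mft_modified),
        "File Accessed": filetime_to_dt(accessed),
    }


def metadata_changed_after_content(si: dict) -> bool:
    """True when the MFT entry changed (e.g. a rename) after the last content change."""
    return si["MFT Entry Modified"] > si["File Modified"]


def build_sample_attribute(created, modified, mft_modified, accessed) -> bytes:
    """Constructed test data: header + four timestamps + 16 zeroed bytes (flags etc.)."""
    stamps = (created, modified, mft_modified, accessed)
    content = struct.pack("<4Q", *(dt_to_filetime(t) for t in stamps)) + bytes(16)
    header = struct.pack("<IIBBHHHIHBB", SI_TYPE, RESIDENT_HEADER + len(content),
                         0, 0, RESIDENT_HEADER, 0, 0, len(content), RESIDENT_HEADER, 0, 0)
    return header + content


# Constructed scenario: content last written on 4 March, file renamed on 10 March.
SAMPLE_ATTRIBUTE = build_sample_attribute(
    created=datetime(2019, 3, 1, 10, 0, 0, tzinfo=timezone.utc),
    modified=datetime(2019, 3, 4, 15, 30, 0, tzinfo=timezone.utc),
    mft_modified=datetime(2019, 3, 10, 9, 12, 30, tzinfo=timezone.utc),
    accessed=datetime(2019, 3, 11, 8, 0, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    info = parse_standard_information(SAMPLE_ATTRIBUTE)
    for name, value in info.items():
        print(f"{name:20} {value.isoformat()}")
    print("metadata changed after content:", metadata_changed_after_content(info))
```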

Yes and no.
Deleted user data (SMS, call history, contacts, etc.):
These data types are stored in SQLite databases. Typically, when a user selects to delete one of these data types, the corresponding database entry is dropped from the appropriate database. However, any text associated with that entry may still persist, without structure, in the database's free space until the phone decides to clean up and vacuum the database. If you have an image of an iOS device, you can right-click these SQLite files and select "Parse Database for Deleted Data" to carve for deleted data within them. Even logical images of iOS devices contain many of these SQLite databases, allowing you to find deleted data.
The "Deleted" button in the Main toolbar can also be used as a shortcut to automatically find and carve the appropriate SQLite files for deleted SMS and Call History. However, this shortcut may not work with all devices.
Deleted files (old file versions from factory resets, photos taken with the camera, etc.):
All Apple mobile devices shipped with or restored to iOS 4 or later employ file-level encryption for most files on the device. It is nearly impossible to find and carve out these files after they are deleted. This is not a limitation of our software but is because Apple removes the key files from the device for files in unallocated space. You can, however, still attempt to carve for and find unencrypted files within the file system. On legacy and pre-iOS 4 devices, file carving will yield more results. This limitation imposed by Apple should not stop you from attempting a recovery, but should explain why recovery cannot be accomplished on certain devices.
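The SQLite behaviour described above (deleted record text persisting in free space until the database is vacuumed) can be reproduced with the following added example, which is not AccessData's carver. It reads the freeblocks and unallocated gaps of table leaf pages directly from the file; the table and messages are constructed rather than a real iOS schema, and secure_delete is switched off explicitly as an assumption about the SQLite build.

```python
import os
import re
import sqlite3
import struct
import tempfile


def carve_free_space(db_bytes: bytes, min_len: int = 6) -> list:
    """Return printable strings found in free space of table b-tree leaf pages."""
    page_size = struct.unpack_from(">H", db_bytes, 16)[0]
    if page_size == 1:                      # header value 1 means 65536-byte pages
        page_size = 65536
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = []
    for start in range(0, len(db_bytes), page_size):
        page = db_bytes[start:start + page_size]
        hdr = 100 if start == 0 else 0      # page 1 begins with the 100-byte file header
        if len(page) < page_size or page[hdr] != 0x0D:   # 0x0D = table leaf page
            continue
        first_free, n_cells, content_start = struct.unpack_from(">HHH", page, hdr + 1)
        content_start = content_start or 65536
        # Region 1: unallocated gap between the cell pointer array and the cell content.
        regions = [page[hdr + 8 + 2 * n_cells:content_start]]
        # Region 2: the freeblock chain (each block: 2-byte next offset, 2-byte size).
        offset, seen = first_free, set()
        while offset and offset not in seen and offset + 4 <= page_size:
            seen.add(offset)
            nxt, size = struct.unpack_from(">HH", page, offset)
            regions.append(page[offset + 4:offset + size])
            offset = nxt
        for region in regions:
            found += [m.decode("ascii") for m in pattern.findall(region)]
    return found


def demo() -> dict:
    """Delete one constructed message, carve it back, then show VACUUM removes it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms_constructed.db")
        con = sqlite3.connect(path, isolation_level=None)   # autocommit
        con.execute("PRAGMA secure_delete = OFF")            # assumption, see lead-in
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
        con.executemany("INSERT INTO message (address, body) VALUES (?, ?)", [
            ("+15550101", "Lunch tomorrow?"),
            ("+15550102", "wire the deposit before Friday"),
            ("+15550103", "Running ten minutes late"),
        ])
        con.execute("DELETE FROM message WHERE id = 2")      # the "user deletes an SMS" step
        con.close()
        with open(path, "rb") as fh:
            before = carve_free_space(fh.read())

        con = sqlite3.connect(path, isolation_level=None)
        con.execute("VACUUM")                                # rebuilds the file, dropping free space
        con.close()
        with open(path, "rb") as fh:
            after = carve_free_space(fh.read())
    return {"before_vacuum": before, "after_vacuum": after}


if __name__ == "__main__":
    result = demo()
    print("carved before VACUUM:", result["before_vacuum"])
    print("carved after VACUUM: ", result["after_vacuum"])
```

The first four bytes of a deleted cell are overwritten by the freeblock header, so carved strings may carry a stray leading character from the record header and have no column boundaries.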

Problem
You run into one of the following issues when trying to lay down a new database with FTK/Lab 7.1:
When trying to lay down a new database in PostgreSQL with FTK, it says database not found.
When trying to lay down a new database in PostgreSQL with DBConfig, you get an error about missing assembly "System.ValueTuple".
When trying to connect to an existing database in PostgreSQL with FTK, it says database not found.
When trying to lay down a new database in MSSQL with FTK, it prompts for a login but then throws "Preparation failed". The ADG database is created, but it's empty.
Neither "%WINDIR%\Microsoft.NET\Framework\v4.0.30319" nor "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319" contains System.ValueTuple.dll.
Work Around
Use DBControl to clean up any partially laid down database
Download and install .NET Framework 4.7.2 Runtime
Try to lay down the database again
Note: .NET 4.7.1 and 4.7.2 can also be installed via Windows Update.
Cause
FTK/Lab 7.1 requires the System.ValueTuple assembly in .NET. This is included in .NET 4.7.1 and newer.

Question
How do I change the default backup location in MSSQL 2012?
Answer
Open up SQL Server Management Studio
In the Object Explorer pane, right-click your database instance and click Properties
On the left, select the Database Settings page
Change the Backup entry to the desired backup folder, then click OK
Restart the SQL Server service

Problem
Incorrect encoding can lead to several issues during import, including the following:
When starting an Import, the Field Mapping (Map Fields) dialog is blank with no fields shown.
After the import has started, you receive the error message "Error: Index was outside the bounds of the array."
After the import has started, you receive the error message "Error: Cannot be less than zero."
After the import has started, you receive the error message "Error: Sequence contains no elements."
Import completes successfully, but some fields have unexpected characters, such as "".
Resolution
1) Verify the load file encoding.
Using Notepad++, confirm the encoding is not UTF-8 without BOM. Any of the following are acceptable encodings:
UTF-8 with BOM (sometimes called UTF-8-BOM)
ANSI
ASCII
If you have Concordance/Relativity files, make sure that both files have the same encoding.
------------------------------------------------------------
Important:
In newer versions of Notepad++, the selection "UTF-8" is actually the unsupported UTF-8 without BOM, while the selection "UTF-8-BOM" is the supported UTF-8 with BOM.
If your version of Notepad++ offers "UTF-8" and "UTF-8 without BOM", you want "UTF-8".
If your version of Notepad++ offers "UTF-8" and "UTF-8-BOM", you want "UTF-8-BOM".
------------------------------------------------------------
2) Verify the delimiters are correct.
Confirm your delimiters are put in correctly before clicking map fields.
Load File SSPI Error
Confirm you have the proper delimiter for your version, see below section.
3) Verify that all field headers are completely unique.
If you still cannot map fields even with the correct delimiters and encoding, check that you do not have duplicate headers.
4) Separate Web Server only: Confirm the check file service is set properly.
For environments where the eDiscovery/Summation Pro web server (MAP) is a different server from the application server, confirm the check file service is set properly on the MAP server. Here is a help link about that:
Cause
When you click map fields here's what happens:
The file is opened and looks for the unique identifier in the first column based on the delimiters chosen
In 5.2.x - "Required document identifier column is missing" will populate in the system log
Docid
In 5.6.x
DocID
DocNumber
DocNo
BegDoc
BegDocID
BegBates
ID
ControlID
ControlNo
ControlNum
ControlNumber
CtrlID
CtrlNo
CtrlNum
CtrlNumber
BegNum
BegNumber
Bates
BatesNo
BegBatesNo
BegBatesNumber
Identifier
Load files with an encoding of "UTF-8 without BOM" (screen shot from Notepad++ v6.7.7) are an unsupported type.
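Resolution steps 1 to 3 and the identifier lookup described under Cause can be checked before import with the following added example, which is not part of the product. The Concordance-style delimiters (0x14 field separator, þ text qualifier), Windows-1252 as the meaning of "ANSI", case-insensitive header matching, and all function names are assumptions; the sample load files are constructed.

```python
import codecs

# Identifier column names the article lists for 5.6.x.
ID_COLUMNS = ["DocID", "DocNumber", "DocNo", "BegDoc", "BegDocID", "BegBates", "ID",
              "ControlID", "ControlNo", "ControlNum", "ControlNumber", "CtrlID",
              "CtrlNo", "CtrlNum", "CtrlNumber", "BegNum", "BegNumber", "Bates",
              "BatesNo", "BegBatesNo", "BegBatesNumber", "Identifier"]
ACCEPTED_ENCODINGS = {"UTF-8 with BOM", "ANSI", "ASCII"}


def detect_encoding(raw: bytes):
    """Return (label, python_codec) using the categories the article distinguishes."""
    if raw.startswith(codecs.BOM_UTF8):
        return "UTF-8 with BOM", "utf-8-sig"
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "UTF-16", "utf-16"
    try:
        raw.decode("ascii")
        return "ASCII", "ascii"
    except UnicodeDecodeError:
        pass
    try:
        raw.decode("utf-8")              # valid UTF-8 with non-ASCII bytes and no BOM
        return "UTF-8 without BOM", "utf-8"
    except UnicodeDecodeError:
        return "ANSI", "cp1252"          # assumption: single-byte Windows-1252


def preflight(raw: bytes, field_delim: str = "\x14", quote: str = "\u00fe") -> dict:
    """Check encoding, first-column identifier and header uniqueness of a load file."""
    label, codec = detect_encoding(raw)
    problems = []
    if label not in ACCEPTED_ENCODINGS:
        problems.append(f"encoding is {label}; accepted: UTF-8 with BOM, ANSI, ASCII")
    text = raw.decode(codec, errors="replace")
    header_line = text.split("\n", 1)[0].rstrip("\r")
    headers = [h.strip().strip(quote) for h in header_line.split(field_delim)]
    if len(headers) < 2:
        problems.append("header row did not split; check the field delimiter")
    known = {name.casefold() for name in ID_COLUMNS}
    if headers[0].casefold() not in known:
        problems.append(f"first column {headers[0]!r} is not a listed document identifier")
    seen, dupes = set(), []
    for h in headers:
        key = h.casefold()
        if key in seen and h not in dupes:
            dupes.append(h)
        seen.add(key)
    if dupes:
        problems.append("duplicate field headers: " + ", ".join(dupes))
    return {"encoding": label, "headers": headers, "problems": problems}


# Constructed samples: a clean ANSI file, the same file as UTF-8 with BOM, and a
# BOM-less UTF-8 file with a missing identifier column and a duplicated header.
GOOD_TEXT = ("\u00feDocID\u00fe\x14\u00feCustodian\u00fe\x14\u00feSubject\u00fe\r\n"
             "\u00feABC0001\u00fe\x14\u00feJos\u00e9 Ruiz\u00fe\x14\u00feHello\u00fe\r\n")
BAD_TEXT = ("\u00feCustodian\u00fe\x14\u00feSubject\u00fe\x14\u00fesubject\u00fe\r\n"
            "\u00feJos\u00e9 Ruiz\u00fe\x14\u00feHello\u00fe\x14\u00feHi\u00fe\r\n")
SAMPLE_ANSI = GOOD_TEXT.encode("cp1252")
SAMPLE_UTF8_BOM = codecs.BOM_UTF8 + GOOD_TEXT.encode("utf-8")
SAMPLE_UTF8_NO_BOM = BAD_TEXT.encode("utf-8")

if __name__ == "__main__":
    for name in ("SAMPLE_ANSI", "SAMPLE_UTF8_BOM", "SAMPLE_UTF8_NO_BOM"):
        report = preflight(globals()[name])
        print(name, report["encoding"], report["problems"] or "OK")
```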

Question
How do I configure eDiscovery to collect from OneDrive through a single connector?
Prerequisites
eDiscovery 6.3 or newer
Web access to OneDrive from the Collections Work Manager.
Credentials for an O365 user with the "Global administrator" role, as well as the "Site Collection Administrator" permission for all users' OneDrives.
Resolution
Configuring the application to collect from OneDrive is a two-part process.
First, you must create a OneDrive Server application:
1. Navigate to the Microsoft Azure Portal (https://portal.azure.com/)
2. Log in with your organization's OneDrive global administrator's credentials
3. In the Search bar at the top center, search for, and click on, "App registrations"
4. At "App registrations", click "New registration"
4. Give your application a Name
5. Under "Supported account types", select "Accounts in any organizational directory"
6. Under "Redirect URI", select "Web" in the drop-down and enter a URL in the form https://<eDiscoBaseURL>/accessdata
NOTE: You must use your organization's named URL from the "AD eDiscovery" application.
7. Click "Register"
8. In the Overview, copy the Application ID
9. Click "Certificates & secrets"
10. Click "New client secret" and choose a name and expiration, then click "Add"
11. Copy the "Client Secret" (it will not be shown again)
12. In eDiscovery, click "Data Sources"
13. Select the OneDrive tab
14. In eDiscovery, enter the noted Application ID, Client Secret, and Redirect URL
15. Click Authorize
16. When prompted, log in with your organization's OneDrive global administrator's credentials and click Accept
You may need to allow pop-ups.
The account used to Authorize the connection must have the "Global Administrator" role in O365 as well as the "Site Collection Administrator" permission for all users' OneDrives.
Verify that you get the message: You have successfully connected to the OneDrive!
17. Close the secondary window.
18. Click OK. (This must be done within a limited amount of time.)
Note: You can configure more than one connector if needed.
Associating People to OneDrive
For the application to collect from OneDrive, People must be configured with a valid O365 email address.

Question
How do I enable SSL/HTTPS in Quin-C?
Prerequisites
Certificate archive, in password-protected PFX format, whose "Issued To" name either matches the base URL of the Quin-C website or has a domain wildcard.
Note: The password cannot contain certain characters, such as quotes, for it to work in the XML config file.
Answer
Copy your PFX file into the Quin-C bin folder (typically "[drive]:\Program Files\AccessData\Forensic Tools\[version]\bin\")
From the bin folder, open ADG.WeblabSelfHost.exe.config in a text editor
In the appSettings section, find and change the value of the https key to true, as shown below:
<add key="https" value="true" />
Find and change the value of the certificateFileName key to the full path to your PFX file, as shown below:
<add key="certificateFileName" value="C:\Program Files\AccessData\Forensic Tools\7.2\bin\myCertificate.pfx" />
Find and change the value of the certificatePassword key to the password for your PFX file, as shown below:
<add key="certificatePassword" value="myPassword" />
Find and change the value of the JobMasterLink key to use https, as shown below:
<add key="JobMasterLink" value="https://localhost:4443/"/>
Restart the AccessData Quin-C Self Host Service service

Spec guide for AD Enterprise 6.5

Question
How can I install QView?
Background
QView is a locally-installed alternative client for Quin-C
Prerequisites
A working installation of Quin-C
A client machine with access to Quin-C, typically over port 4443
Answer
Get a copy of the QView installer, AccessData_QView.exe, from the Quin-C Server machine's bin\QView_installer folder (typically "[drive]:\Program Files\AccessData\Forensic Tools\[version]\bin\QView_Installer\")
Copy the installer to the client machine and run the installer
Note: When prompted for a "Path to check for install updates", leave it set to none unless you have a share where you will store all future QView installers
Wait for the installation to finish, including any viewer installers that automatically run
Launch QView from the Desktop shortcut or Start Menu entry
At the QView Login dialog, do the following and click Login:
If Quin-C is configured to use Integrated Windows Authentication, check Use Windows Authentication. Otherwise, enter your Username and Password.
Enter the Base Url for your Quin-C server in the format http://[server]:[port] as shown below:
Note: Use https instead of http if Quin-C is configured to use SSL

Question
How do I configure Quin-C to use Active Directory authentication?
Notes:
Active Directory authentication can only be tied to one domain. If your users are spread over multiple domains, you should not use Active Directory authentication.
Application-level, non-domain users will not be able to log in to Quin-C if Active Directory authentication is enabled.
Answer
1. Log in to Quin-C and open the Admin widget
2. Open the System Administration tab, and then the System Values tab
3. Scroll down to the Active Directory Information section, and complete the values as defined below:
Server: Name or IP of the Domain Controller
Port: LDAP port (see typical options below)
389 = Standard LDAP/TLS Port on a non-global catalog server
636 = SSL Encrypted LDAPS on a non-global catalog server
3268 = Standard LDAP/TLS Port on a global catalog server
3269 = SSL Encrypted LDAPS on a global catalog server
Base DN: Distinguished Name of the base OU
UserDN: Distinguished Name of a user with Domain Read Object privileges
UseGC: Whether or not to use Global Catalog
4. Click Save
5. Import at least one User from Active Directory via the Admin widget, and give them the Application Administrator Role
Note: Any existing non-domain users will not be able to log in to Quin-C beyond this point
6. On the Quin-C server, navigate to the Quin-C bin folder (typically "C:\Program Files\AccessData\Forensic Tools\<version>\bin")
7. Open ADG.WeblabSelfHost.exe.config in a text editor
8. Under the appSettings section, find and edit the value of the UseAD key as defined below:
<add key="UseAD" value="0" />
1: Integrated Windows Authentication (User-based authentication)
2: Integrated Windows Authentication (Group-based authentication, see )
3: AD + Forms (User-based authentication)
9. Save your changes, and restart the AccessData Quin-C Self Host Service service
Note: If UseAD is set to 1 or 2, you should leave LoginPage.html off the URL when navigating to Quin-C.

Introduction
Starting with the release of FTK 7.2, the ABBYY OCR engine is now supported as an optional workflow path. When using ABBYY OCR, all graphic images in the case will be sent for OCR analysis. Graphic images are sent directly to the ABBYY OCR engine and they do not follow the DPM / DPE / EP / Additional Analysis code paths that other processed data follows within the application.
https://abbyy.technology/en:products:fre:finereader_engine_quick_start_guide12
Prerequisites
ABBYY must be installed on the same system as FTK
FTK 7.2 or newer
Compatible version of Quin-C
How to Install and Configure ABBYY
Install ABBYY FineReader 12 by following the SDK Installation steps outlined here:
If using a Software license serial number, follow the steps under the License Activation heading found on that same quick start guide.
At this point ABBYY FineReader should be installed and licensed.
On the system where Quin-C is installed, open the following configuration file in a text editor: [DRIVE]:\Program Files\AccessData\Forensic Tools\[x.x]\bin\ADG.WeblabSelfHost.exe.config
Locate the following keys and enter the appropriate values:
Your ABBYY Customer Project ID where it says useyourkey, including double quotes:
<add key="AbbyProjectId" value="useyourkey" />
In the following key, enter the folder path to the FREngine.dll where it says PathTowhereAbbyis, including double quotes:
<add key="AbbyDllPath" value="PathTowhereAbbyis" />
For example:
<add key="AbbyDllPath" value="E:\Program Files\ABBYY SDK\12\FineReader Engine\Bin64\" />
NOTE: Admin share (i.e. \\hostname\C$ ) paths are not supported for this value.
Save your changes when done
At this point, the option to Run ABBYY OCR processing will be available the next time you open your case in FTK.

Problem
During the installation of various components (NativeViewer, WCF services, Work Manager, QView, etc.) the Windows Installer Coordinator will appear to hang, saying "Please wait while the application is preparing for the first use". You may also get an error saying "Install server not responding".
http://support.microsoft.com/kb/2655192
Resolution
Open the Local Group Policy Editor (gpedit.msc)
In the left pane, go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Application Compatibility
In the right pane, double-click Turn off Windows Installer RDS Compatibility
Select Enabled and click OK
Run the desired installer again.
Optional: Repeat steps 1-4, and return the "RDS" option to its previous setting. (E.g. set the option back to Enabled).
Cause
This issue is caused by an incompatibility between Embedded MSI and Windows Installer Coordinator. The suggestion is to enable "Turn off Windows Installer RDS Compatibility" for the duration of the installation. More information about the issue and resolution can be found here ().

Question
How do I change the location where the Processing Engine writes temp files (a.k.a. ADTemp)?
Answer
There are 2 places this setting should be changed. The registry is where a Distributed Processing Engine (DPE) stores this value and the config file (application) is where a local Processing Engine (EP) stores it. The attached script will help automate making changes to both.
Registry (eDiscovery, Summation, DPEs)
1. Open the registry by clicking Start >> Run >> regedit.
2. Open the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\Products\Common.
3. Select the Common key and in the window pane on the right, right-click TempDir and select Modify...
https://support.accessdata.com/hc/en-us/articles/202705989-Performance-Guidelines
4. Enter the exact path of the desired ADTemp folder and click OK.
Application (FTK, AD Lab, AD Enterprise)
1. Open the application (i.e., FTK, Lab, Enterprise) and sign in.
2. On the menu bar click Tools and select Preferences...
3. Click the ellipsis (...) and choose the desired folder.
4. Click OK.
Note: This saves the preferences to the file "C:\ProgramData\AccessData\Shared\sds\Preferences.xml".
Additional Note: As of version 7.1.0, the Preferences.xml is found at the following location: "%programdata%\AccessData\Products\Evidence Processing Engine\{ep_version}\Preferences.xml". This will be the effective location for future versions as well. E.g., for 7.1.0, the location would be: %programdata%\AccessData\Products\Evidence Processing Engine\10.21\Preferences.xml
Overview
A dedicated ADTemp folder on a fast disk with low fragmentation (i.e., SSD) will improve performance dramatically. For more information on ADTemp, please see the articles below.
https://support.accessdata.com/hc/en-us/articles/202930889-ADTemp-and-StateDirectory

The attached chart lists location and details about some commonly helpful registry keys in Windows.

Problem
When running an application on OS X, like Mac Imager CLI, you receive the error "Your security preferences allow installation of only apps from the Mac App Store and identified developers."
Resolution
Find the application in the Finder
Hold down the "control" key and click on the app icon
Choose "Open" from the contextual menu that appears
When prompted with the message "AppName is from an unidentified developer. Are you sure you want to open it?" choose "Open"
The application will now have a permanent exception on that computer and can be opened normally
Cause
As of OS X 10.8 (Mountain Lion) Apple changed the default security settings to only allow installation of apps from the Mac App Store and identified developers unless you grant an exception with the above steps.

Symptom: You get the error "Unable to connect to database requested" or a similar error message when starting FTK using the PostgreSQL database.
Cause: The causes can vary, so this will walk you through the usual troubleshooting process for PostgreSQL connection issues.
Possible Solutions:
Make sure the database drive isn't write-protected. If it is, unblock it and reboot. Also check the drive permissions to make sure you have full access.
Open the Services snap-in (services.msc) to see if the PostgreSQL service is "started". The service name will be PostgreSQL followed by the version information:
PostgreSQL 11.2
Make sure that the drives being used are formatted NTFS
If the PostgreSQL service isn't started, double-click on it, make sure the "Startup type" is set to Automatic, then click "Start".
If the PostgreSQL service will not start, do the following:
DO NOT MAKE ANY CHANGES TO THE REGISTRY VALUES
1) Open "regedit".
2) Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\postgresql-x**-*.*".
3) Check the "ImagePath" value. It should look similar to the following:
C:\Program Files\AccessData\PostgreSQL\bin\pg_ctl.exe runservice -N "postgresql-x64-9.1" -D "D:\pgdata" -w
Note: The first underlined path (ending in pg_ctl.exe) is the location of the PostgreSQL binaries. The second underlined path (following -D) is the location of the PostgreSQL data.
4) If either of the underlined paths points to an incorrect location, the service will not start; you will need to correct the path in Windows.
Note: For example, the drive letter has simply changed. You'll want to use Disk Management utilities to correct the drive letters to match what is in the registry. If you attempt to change the registry entries the database will not work as it has internal mappings pointing to the original drive letter.
5) Go back to "services.msc".
6) Double-click the PostgreSQL service to open the service properties.
7) Under the "Log On" tab, make sure it's either set to run under the Local System account (for one-box setups) or another account with Administrator rights (for multi-box setups or DPE).
8) Start the service.
If everything is listed correctly in regedit and the log on properties, open task manager and check to see if any postgres processes are running. If they are, right click and choose "end task" until all postgres processes are gone, then go back to Services and try to start the service again.
If the PostgreSQL service will still not start, there may be minor corruption, requiring the transaction logs be reset.
If the PostgreSQL service starts, but FTK doesn't connect or list any cases and/or all options are greyed out, you may need to repair the PostgreSQL junction links.
If the PostgreSQL starts then stops immediately, reboot the machine and see if it will start.

Overview
The following lists the operating systems supported by the Enterprise Agent installers that ship with the 6.2.x and 6.3.x line of products.
Agent Installer Name: Supported Operating Systems
AccessData Agent.msi: Windows 7 32-bit; Windows 8.x 32-bit; Windows 10 32-bit
AccessData Agent (64-bit).msi: Windows 7 64-bit; Windows Server 2008 R2 64-bit; Windows 8.x 64-bit; Windows Server 2012 R2 64-bit; Windows 10 64-bit; Windows Server 2016 64-bit
agent-mac10.6.mpkg: Mac OS X 10.9.x 64-bit; Mac OS X 10.10.x 64-bit; Mac OS X 10.11.x 64-bit; Mac OS X 10.12.0 64-bit
agent-rh3.sh, agent-rh3x64.sh (older 6.1 agent; available on request): RedHat 3 (32- & 64-bit); Novell Linux Desktop (NLD) 9 (32-bit); SLED 10 (Suse Linux Enterprise Desktop) (32- & 64-bit)
agent-rh5.sh: Red Hat Enterprise Linux 7.1 32-bit; Red Hat Enterprise Linux 7.3 32-bit; Ubuntu 14.04 32-bit; Ubuntu 16.04 32-bit; Debian 8.7 32-bit
agent-rh5x64.sh: CentOS Enterprise 5 (32- & 64-bit); CentOS 7.1 64-bit; Debian 8.7 64-bit; RedHat 5 (32- & 64-bit); Red Hat Enterprise Linux 7.1 64-bit; Red Hat Enterprise Linux 7.3 64-bit; SLED 11 (Suse Linux Enterprise Desktop) (32- & 64-bit); Ubuntu 9 (and newer) (64-bit)
agent-linux32.sh: Amazon Linux v1; Amazon Linux v2; CentOS_5.11_x32; CentOS 7.x; Debian 8.7 and newer; Red Hat Linux 7.x; Ubuntu 14 and newer
agent-linux64.sh: Amazon Linux v1; Amazon Linux v2; CentOS_5.11_x32; CentOS 7.x; Debian 8.7 and newer; Red Hat Linux 7.x; Ubuntu 14 and newer
Instructions
The Agent installers can be found in any FTK, AD Lab, AD Enterprise, or eDiscovery installation.
Refer to the following articles for steps on installing the Agent:
Manually Installing the Windows Enterprise Agent
Manually Uninstalling the Windows Enterprise Agent
Manually Installing the Mac Enterprise Agent (AD Enterprise 3.3.2+)
Manually Uninstalling the Mac Enterprise Agent
Manually Installing the Mac Enterprise Agent via SSH (AD Enterprise 3.3.2+)
Manually Installing the Unix/Linux Enterprise Agent
Manually Uninstalling the Unix/Linux Enterprise Agent

Problem
I have a classroom/lab environment where I have made a master image of a computer with FTK already installed on it. After deploying the image and changing the host name of the computer, FTK is unable to create cases. If I leave the hostname the same, it works fine.
How can I make it so that FTK will work after I change the hostname?
Resolution
On your master image, install FTK but do not launch FTK and lay down the schema (connect to the database for the first time). Do this after the image has been deployed.
Cause
When FTK connects to the database for the first time, it ties the hostname of the computer to the database. So make sure that the hostname is in its permanent state before laying down the schema.

Question
How do I change the default backup location in MSSQL 2008?
Answer
Open up SQL Server Management Studio
In the Object Explorer pane, right-click your database instance and click Facets
In the Facet drop-down select Server Settings
Change the BackupDirectory entry to the desired backup folder, then click OK
Restart the SQL Server service

Question
What is Cerberus and how does it work?
Answer
The links below provide information on Cerberus.
http://accessdata.com/solutions/digital-forensics/cerberus
http://accessdata.com/resources/digital-forensics/cerberus-data-sheet
http://accessdata.com/solutions/digital-forensics/cerberus/features
http://accessdata.com/resources/digital-forensics/cerberus-white-paper
Overview
Cerberus is a malware triage tool integrated into FTK.

Problem
How do I configure MSDTC properly for AD software?
Resolution
On all servers involved in your Summation, eDiscovery, or Quin-C setup, enable the following Security settings in your Local DTC Properties
Click Start > Administrative Tools > Component Services > Computers > My Computer > Distributed Transaction Coordinator > Local DTC
(Win7 : Control Panel\System and Security\Administrative Tools)
Cause
Several issues will arise (including a failure when creating cases) if MSDTC has not been configured properly.

Prerequisites
A working installation of FTK, Lab, or Enterprise in conjunction with Quin-C Server
A valid FTK, Lab, or Enterprise license
A valid "ADAPI" feature license
Preparation
Download and install Python 3.7, following the notes below:
Perform a Customized install
Check the option to install PIP
Check the option to install for all users
Check the option to add it to the environment variables
Open a Command Prompt as Administrator
Run the below command:
pip install requests
Open FTK, Lab, or Enterprise and go to Tools > Access API Key
Highlight the administrator user for whom you need an API key, and click Generate Key
Note: API keys inherit the permissions of their associated user.
Take note of the generated API key, as it is only shown once (a new key must be generated if the current key is lost)
Procedure
Download the attached BAT test.py and open it in a text editor
Update the quincURL variable to be your Quin-C base URL
Update the apiKey variable to be the API key generated in previous steps
Update the caseFolder to be your default case folder
Note: This must be a UNC share that the Quin-C service account has full access to, and you must replace back slashes in the path with forward slashes.
Save your changes
Double-click the script to execute it
The script should prompt for a case name, then attempt to create a case with that name. If case creation is successful, then your API should be working correctly.