Section 6 Lab: Ingestion Fails for Read Error

Hi,

I’ve tried running the ingest plugins twice but it fails after 15% giving the following error

Error encountered while calculating the hash value for /Windows/servicing/Sessions/30774123_1296942165.back.xml (Deleted File).

image

Is there any hash for the device1_laptop.e01 file that I can compare with my downloaded file?

Yes,

The hashes are listed in Section 1.

For your convenience, here they are as well:

MD5 (device1_laptop.e01) = dc176d653c5613e305e831525e874090
MD5 (device2_mediacard.e01) = c8343d3976eec2985e7580a2b6321591

it’s weird. The hashes do match.

:man_shrugging:

It looks like you have some of the hits that are required, and for some reason you are getting errors on a file. As long as you are able to get the data that is required (you have Correlation Engine hits, and Hash Lookup results, it looks like its actually running properly, it just cannot read one single file)

I seem to have the same or similar error when trying to run the Ingest Module “Hash Lookup”.

Error encountered while calculating the hash value for /Windows/servicing/Sessions/30774123_1296942165.back.xml (Deleted File).

It would be great if anyone has a solutions, since I cannot continue the course. I’ve verified MD5 checksum, recreated the case, re-run ingest modules…no luck. Thanks guys!

For some reason you are getting errors on Autopsy reading a file. That does not mean that it is not working properly, or anything like that, you are just getting a notification that a file cannot be read. That alone should not prevent you from doing anything else.

Thank you

@BrianMoran, issue solved thanks! :see_no_evil:

1 Like

i am facing the same since two days kindly let me know how i can fix this

Chances are, these .back.xml files (as well as .wer files, while we’re at it) have been deleted and the data blocks they’ve been using are no longer associated with them, which of course means they cannot be read. You can check the error messages marked these files as “Deleted File”, and if you check them out in the “Data Sources” file tree, you can verify that these files no longer have associated data.