000034963 - RSA NetWitness Endpoint 4.x ECATUI $MFT access fails with "Problem accessing MFT"

Document created by RSA Customer Support Employee on Mar 23, 2017
Version 1

Article Content

Article Number: 000034963

Applies To
RSA Product Set: NetWitness Endpoint, ECAT
RSA Product/Service Type: ECAT Server, ECAT UI
RSA Version: 4.x
Platform: Windows

Issue
In the ECATUI.exe program, trying to access the $MFT module of a Machine returns the error "Problem accessing MFT".
This happens when trying the following operations:
  • Save Local Copy...
  • Download and Open MFT

Cause
This error generally indicates that the Files UNC Path is incorrectly configured.
[screenshot]
Note the red X in the above screenshot, which indicates that the given path doesn't exist.
Also note that this check does not verify that the given path is the correct ECAT Server Files folder. It only checks that the folder or share exists.
The error can also occur when the expected $MFT file is not found on the ECAT Server.

Incorrect Files UNC Path

In the ECATUI, see Configure > Connection.
The Files UNC Path: should be the correct path to the ECAT Server Files folder.
1. If the ECATUI.exe program is being run on the ECAT Server, then the Files UNC Path can be configured with the full pathname to the Files folder.
The default location on the ECAT Server for the Files folder is: c:\ECAT\Server\Files
Browse to the full pathname and confirm the entered path is correct for your environment.
For an explanation of the file and directory structure expected to be seen under the ECAT Server Files folder, see RSA Knowledgebase article, What is the ECAT Server filename and directory structure of the files under the C:\ECAT\Server\Files folder?
Note: It is also valid to configure this with the UNC path; see item 2 below.
2. If the ECATUI.exe program is being run from a Machine that is remote to the ECAT Server, then enter the correct UNC path to the Files folder on the ECAT Server, ensure the share exists, and give the share at least Read Permission.
[screenshot]
Substitute ECATSUPPORT1 in the above example with the correct hostname for your ECAT Server, or with the IP address of the ECAT Server.
On the ECAT Server, check that the Windows share for the Files folder exists. From a command prompt, run:
net share

Confirm the "Files" Share name exists.

$MFT file is not found

1. Check that the $MFT file for the problem machine exists in the Files folder on the ECAT Server.
See the ECAT Server Files folder; the default directory is c:\ECAT\Server\Files\Machines\{Machine_Name}\
{Machine_Name} is the machine name of the problem system.
The $MFT filename in this directory should be in the format: $MFT_{SHA256}_{random}_
{SHA256} is the SHA256 calculated value of the $MFT file.
{random} is 6 random text characters.
2. If the $MFT file is not found on the ECAT Server then confirm both the ECAT Server Files folder, and the problem machine have sufficient free disk space to create and store the $MFT file.  For example, have at least 1GB of free disk space on both systems.
3. Ensure that no third-party product has moved or deleted the $MFT file from the correct ECAT Server Files folder.
4. In the ECATUI.exe program, run the operation to collect the $MFT file for the problem machine.
In the ECATUI > Machines
Right-click the machine, and select the operation Forensics > Request MFT...
5. Once the $MFT file exists, you can also check that the file is not corrupt by copying it to another directory and using the ECATUI to try to read the file.
In the ECATUI, Tools > MFT Viewer
Browse to the location of the copied $MFT file.
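
The checks from both sections above can be scripted from the machine where ECATUI.exe runs. This is an added PowerShell example, not RSA code; it looks for the Machines subfolder (which the UI's path check does not do) and for a file named in the $MFT_{SHA256}_{random}_ format. The host, share and machine names are constructed sample values, and the assumptions that {SHA256} is 64 hexadecimal characters and covers the file as stored are marked in the comments.

```powershell
# Added example, not RSA code. Save as a .ps1 and run where ECATUI.exe runs.
# Constructed sample values; substitute your own Files UNC Path and machine name.
$FilesPath   = '\\ECATSUPPORT1\Files'
$MachineName = 'WORKSTATION01'

# Cause 1: the UI only checks that the folder or share exists, so also look
# for the Machines\{Machine_Name} folder that the ECAT Server Files folder holds.
if (-not (Test-Path -LiteralPath $FilesPath -PathType Container)) {
    Write-Warning "Files UNC Path does not exist or is not readable: $FilesPath"
    return
}
$machineDir = Join-Path (Join-Path $FilesPath 'Machines') $MachineName
if (-not (Test-Path -LiteralPath $machineDir -PathType Container)) {
    Write-Warning "No folder $machineDir; wrong Files folder, or nothing collected for this machine"
    return
}

# Cause 2: look for $MFT_{SHA256}_{random}_ (single quotes keep $MFT literal).
# Assumption: {SHA256} is written as 64 hexadecimal characters.
$pattern = '^\$MFT_([0-9A-Fa-f]{64})_.{6}_'
$found = foreach ($f in Get-ChildItem -LiteralPath $machineDir -File -Force) {
    if ($f.Name -match $pattern) {
        $nameHash = $Matches[1]
        # Assumption: the hash in the name covers the file exactly as stored.
        $fileHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            File        = $f.Name
            SizeBytes   = $f.Length
            Modified    = $f.LastWriteTime
            HashMatches = ($fileHash -eq $nameHash)   # -eq ignores case
        }
    }
}

if (-not $found) {
    Write-Warning "No `$MFT file in $machineDir; use Forensics > Request MFT... to collect one"
} else {
    $found | Sort-Object Modified -Descending | Format-Table -AutoSize
}
```

A HashMatches value of False, or a SizeBytes of 0, is a prompt to open a copy of the file in Tools > MFT Viewer as described in step 5.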

Notes
If the Files UNC Path: is not configured at all:
The operation Save Local Copy... will show:
[screenshot]
The operation Download and Open MFT will show:
[screenshot]
Configure the Files UNC Path: with the correct path to the ECAT Server Files folder.
Reference: RSA Knowledgebase article, RSA ECAT 4.x UI returns an error "Unable to access the selected File(s)"