A collected item did not pass validation
Checksum in metadata file did not match content file
LOGICAL FLOW:
- The hash values in the metadata file data files\4\0.csv (located on the Destination Server) are written during the ScanDir process.
- The 'other' hash values used to compare are generated in memory within the Java process.
NOTE: Several hash values are generated.
- During the Aggregation phase the two values are compared for validity.
- This is the point of failure: what is written in the metadata file 0.csv is not what is calculated in the Java process.
- Third-party software is monitoring/scanning the Source, or a third-party product is accessing the Scratch folder on the eDiscovery server or the Destination folder.
Remove the offending third-party software.
STEP A:
- Determine if any other process is scanning the scratch folders during the Collection Task.
WHAT:
1. Download ProcMon to the eDiscovery Server.
technet.microsoft.com/en-us/sysinternals/bb896645.aspx
2. Start up ProcMon, select Filter | Filter..., set up the four filters:
Path | Contains | evidence_repo | include
Path | Contains | collection_rslt | include
Note: Apply the above filters now. ProcMon should have entries if a collection is running... If not, the filters are not correct.
3. Continue to apply the rest of the filters
Process Name | is | cwjava.exe | exclude
Process Name | is | mysqld.exe | exclude
User | is | < Assigned Source Account > | exclude
User | is | < EsaApplicationService Account > | exclude
Command Line | Contains | svchost.exe -k netsvcs | exclude
4. Select Apply, OK
5. Select Ctrl+X or Clear
6. Start collections.
7. Examine the Logfile.PML over a period of several days for any activity not executed by the eDiscovery product.
***************
STEP B:
- Determine if any other process is scanning the destination folders during the Collection Task.
WHAT:
1. Download ProcMon to the Destination Server.
2. Obtain the paths to the remote destination location
BOTH: Universal Naming Convention (UNC) and the logical drive letter (example D:\)
For the UNC path:
A. Copy the UNC from the Destination Tab from the eDiscovery GUI
B. DO NOT INCLUDE the beginning slashes
Example: If the path is ...\\DestServer01\EVCollections\, only use DestServer01\EVCollections
For the logical path:
A. Exchange the UNC with the absolute path including drive letter
Example: If the path is ...\\Destination01\EVCollections\, use the logical equivalent F:\Collections\EVCollections
3. Set up but do not start the collection.
4. Start up ProcMon, select Filter | Filter..., set up the four filters:
Path | Contains |
Path | Contains |
Note: Apply the above filters now. ProcMon should have entries if a collection is running... If not, the filters are not correct.
5. Continue to apply the rest of the filters
Process Name | is | cwjava.exe | exclude
Process Name | is | EVSearcher.exe | exclude
6. Select Apply, OK
7. Select Ctrl+X or Clear
8. Start collections.
9. Examine the Logfile.PML over a period of several days for any activity not executed by the eDiscovery product.
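
The Step A and Step B filters can also be applied to a CSV export of the capture (File | Save, CSV format) to summarize which non-product processes touched the watched folders. This is an added example, not part of the original article or the eDiscovery product; AvScan.exe, the sample paths and the EXAMPLE\ accounts are constructed, and the User and Command Line columns are assumed to have been enabled in ProcMon before export.

```python
import csv
import io
from collections import Counter

def foreign_activity(csv_text, path_parts, product_procs, product_users=(),
                     cmdline_parts=()):
    """Count (process, operation) pairs on watched paths not made by the product."""
    procs = {p.lower() for p in product_procs}
    users = {u.lower() for u in product_users}
    hits = Counter()
    # ProcMon CSV exports begin with a UTF-8 BOM; drop it so the first
    # header parses cleanly. (When reading a file, use encoding="utf-8-sig".)
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        path = (row.get("Path") or "").lower()
        if not any(part.lower() in path for part in path_parts):
            continue                      # Path | Contains | ... | include
        if (row.get("Process Name") or "").lower() in procs:
            continue                      # Process Name | is | ... | exclude
        # Columns that were not exported are treated as empty and never match.
        if (row.get("User") or "").lower() in users:
            continue                      # User | is | ... | exclude
        cmd = (row.get("Command Line") or "").lower()
        if any(part.lower() in cmd for part in cmdline_parts):
            continue                      # Command Line | Contains | ... | exclude
        hits[(row.get("Process Name") or "", row.get("Operation") or "")] += 1
    return hits

# Constructed sample export; process names, paths and accounts are made up.
SAMPLE = "\ufeff" + "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","User"',
    r'"10:00:01.0 AM","cwjava.exe","4120","WriteFile","D:\scratch\evidence_repo\4\0.csv","SUCCESS","EXAMPLE\svc_esa"',
    r'"10:00:02.0 AM","AvScan.exe","988","CreateFile","D:\scratch\evidence_repo\4\0.csv","SUCCESS","NT AUTHORITY\SYSTEM"',
    r'"10:00:02.1 AM","AvScan.exe","988","ReadFile","D:\scratch\evidence_repo\4\0.csv","SUCCESS","NT AUTHORITY\SYSTEM"',
    r'"10:00:03.0 AM","AvScan.exe","988","ReadFile","C:\Windows\Temp\x.tmp","SUCCESS","NT AUTHORITY\SYSTEM"',
    r'"10:00:04.0 AM","robocopy.exe","5560","ReadFile","D:\scratch\collection_rslt\a.dat","SUCCESS","EXAMPLE\svc_source"',
])

# Step A filter set; the two account names are hypothetical placeholders.
STEP_A = dict(
    path_parts=("evidence_repo", "collection_rslt"),
    product_procs=("cwjava.exe", "mysqld.exe"),
    product_users=(r"EXAMPLE\svc_source", r"EXAMPLE\svc_esa"),
    cmdline_parts=("svchost.exe -k netsvcs",),
)

if __name__ == "__main__":
    for (proc, op), n in foreign_activity(SAMPLE, **STEP_A).most_common():
        print(f"{n:6d}  {proc:20s} {op}")
```

For Step B, pass the UNC and logical destination paths as `path_parts` and `cwjava.exe` and `EVSearcher.exe` as `product_procs`.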