[sleuthkit-users] R: Newbie question on autopsy3
From: Netexpress <Net...@ti...> - 2013-09-04 21:25:37
Hi Brian, thanks very much for your help. I fill your tips with more data.

> 3- If i go on view three and select deleted files all seems to be freeze,
> and even if I know that are present many deleted files i do not find noone of
> them.
>
> Meaning that the entire system freezes? I haven't seen that yet, but can
> certainly make some test images to stress that feature. If you select "Deleted
> Files", it should show two child entries (File System and All). What are the
> numbers next to those?

Let me explain more about my analysis lab. I have Autopsy on a Windows 2003 virtual machine with 4GB RAM and 2 processors. I am using VMware Server 2.0 running on Linux, and I connect to Windows 2003 to use Autopsy with Terminal Server using the administrator user; a bit complicated scenario? :-)

The image on which I am working is an original image of 36GB that the police have duplicated for the lawyer on a 500GB disk via dd or Logicube, not a dd raw image file but dd output on a 500GB disk device, and when I made a raw image from this disk I got an image of 500GB, the one on which I am working. Some mistake in the process?

Now I will try to explain more about the problem. The system is ok; I notice a fixed use of 50% of CPU from Autopsy. Everything I choose in the menu and view of Autopsy is too slow and many times I cannot change view. Furthermore, if I iconize Autopsy it doesn't return to full window. If I try to kill the process it goes into state "not responding".

On the deleted files view Autopsy reports:

File System 883162
All 883162

But I am not able to view the list of files.

Looking into the event viewer I have found this, only one occurrence, if it can help:

Application:
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 28/08/2013
Time: 23.30.36
User: N/A
Computer: LABORATORIO
Description:
Hanging application autopsy.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 48 61 6e 67   ion Hang
0010: 20 20 61 75 74 6f 70 73     autops
0018: 79 2e 65 78 65 20 30 2e   y.exe 0.
0020: 30 2e 30 2e 30 20 69 6e   0.0.0 in
0028: 20 68 75 6e 67 61 70 70    hungapp
0030: 20 30 2e 30 2e 30 2e 30    0.0.0.0
0038: 20 61 74 20 6f 66 66 73    at offs
0040: 65 74 20 30 30 30 30 30   et 00000
0048: 30 30 30                  000

I have used Autopsy 2 on Linux and found this new version very good, more intuitive and better for a general view of the case. The only two things that could be of help, for me, would be a log of what it is doing with a marker of activity, and a dialog box telling the user to wait for the process to complete; sometimes the user thinks that all was completed even if it's still going on.

Sorry for my bad English, and thanks very much for your help.

Alessandro Fiorenzi