Re: [sleuthkit-users] R: Newbie question on autopsy3
From: Brian C. <ca...@sl...> - 2013-09-06 01:27:18
883162 files is probably more files than we have tried to send to the table area at a single time. We'll run some tests. Does it hang only when you try to view all deleted files? We've certainly analyzed images that are larger than 36GB before.

That being said, the scenario you describe below is a bit confusing. If the image that you want to analyze is only 36GB and that is a file inside of the 500GB image, then you may not get the results that you expect because it will be analyzing the 500GB drive and not the 36GB drive. Autopsy does not currently have the functionality to detect a disk image inside of a disk image and process it.

thanks,
brian

On Sep 4, 2013, at 5:25 PM, Netexpress wrote:

> Hi Brian, thanks very much for your help. I fill your tips with more data.
>
>>> 3- If I go on view three and select deleted files all seems to freeze, and even if I know that many deleted files are present I do not find any of them.
>>
>> Meaning that the entire system freezes? I haven't seen that yet, but can certainly make some test images to stress that feature. If you select "Deleted Files", it should show two child entries (File System and All). What are the numbers next to those?
>
> Let me explain more about my lab of analysis.
> I have Autopsy on a Windows 2003 virtual machine with 4GB RAM and 2 processors. I am using VMware Server 2.0 running on Linux, and I connect to Windows 2003 to use Autopsy with Terminal Server using the administrator user; a bit complicated scenario? :-)
> The image on which I am working is an original image of 36GB that police have duplicated to the lawyer on a 500GB disk via dd or Logicube, not a dd raw image file but dd output on a disk device of 500GB, and when I made a raw image from this disk I got an image of 500GB, the one on which I am working. Some mistake in the process?
>
> Now I will try to explain more about the problem.
> The system is ok; I notice a fixed use of 50% of CPU from Autopsy. Everything I choose on the menu and view of Autopsy is too slow and many times I cannot change view. Furthermore if I iconize Autopsy it doesn't return to full window. If I try to kill the process it goes on state "not responding".
>
> On deleted files view Autopsy reports:
> File System 883162
> All 883162
> But I am not able to view the list of files.
>
> Looking into event viewer I have found this, only one occurrence, if it can help:
>
> Application:
> Event Type: Error
> Event Source: Application Hang
> Event Category: (101)
> Event ID: 1002
> Date: 28/08/2013
> Time: 23.30.36
> User: N/A
> Computer: LABORATORIO
> Description:
> Hanging application autopsy.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
>
> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 41 70 70 6c 69 63 61 74 Applicat
> 0008: 69 6f 6e 20 48 61 6e 67 ion Hang
> 0010: 20 20 61 75 74 6f 70 73 autops
> 0018: 79 2e 65 78 65 20 30 2e y.exe 0.
> 0020: 30 2e 30 2e 30 20 69 6e 0.0.0 in
> 0028: 20 68 75 6e 67 61 70 70 hungapp
> 0030: 20 30 2e 30 2e 30 2e 30 0.0.0.0
> 0038: 20 61 74 20 6f 66 66 73 at offs
> 0040: 65 74 20 30 30 30 30 30 et 00000
> 0048: 30 30 30 000
>
> I have used Autopsy 2 on Linux and found this new version very good, more intuitive and better for a general view of the case. The only two things that could be of help, for me, would be a log of what it is doing with a marker of activity, and a dialog box telling to wait for the process to complete; sometimes the user thinks that all was completed even if it's going on.
>
> Sorry for my bad English, and thanks very much for your help.
>
> Alessandro Fiorenzi
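The scenario Brian flags above (a 36GB source disk copied with dd onto a 500GB disk, and the 500GB disk then imaged) leaves a recognisable trace: sector 0 of the image still carries the source disk's partition table, so the partitions it describes end long before the image does. The script below is an added example, not Autopsy or Sleuth Kit code, that parses the MBR of a raw image, compares the end of the last partition with the image size, and flags the gap. The MBR and the 500GB size used for the demo are constructed stand-ins, not data from the thread; the function names are the example's own.

```python
"""Compare an MBR partition table against the size of the raw image that holds it.

Added example, not Autopsy/TSK code. If a smaller disk was dd'd onto a larger one
and the larger one imaged, the partition table in sector 0 still describes the
smaller disk, and everything past its last partition is unaddressed copy-target space.
"""
import io
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector0: bytes):
    """Return the used primary partition entries of an MBR, or None if no MBR signature."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        return None
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sector count(4 LE)
        _status, _chs_start, ptype, _chs_end, start_lba, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16]
        )
        if ptype != 0 and count != 0:
            entries.append({"type": ptype, "start_lba": start_lba, "sectors": count})
    return entries


def check_image(fileobj, image_bytes: int):
    """Report how much of a raw image is addressed by the partition table in its sector 0."""
    fileobj.seek(0)
    entries = parse_mbr(fileobj.read(SECTOR))
    if not entries:
        return {"has_mbr": False, "image_bytes": image_bytes}
    last_end_lba = max(e["start_lba"] + e["sectors"] for e in entries)
    addressed = last_end_lba * SECTOR
    return {
        "has_mbr": True,
        "partitions": entries,
        "addressed_bytes": addressed,
        "image_bytes": image_bytes,
        "unaddressed_bytes": image_bytes - addressed,
        # Heuristic: more of the image lies past the last partition than inside it.
        "likely_copied_onto_larger_disk": image_bytes - addressed > addressed,
    }


def build_mbr(partitions):
    """Construct a minimal MBR sector for testing (constructed data, not from a real disk)."""
    sector = bytearray(SECTOR)
    for i, (ptype, start_lba, count) in enumerate(partitions[:4]):
        off = 446 + 16 * i
        sector[off:off + 16] = struct.pack(
            "<B3sB3sII", 0x80 if i == 0 else 0x00,
            b"\xff\xff\xff", ptype, b"\xff\xff\xff", start_lba, count,
        )
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed stand-in for the thread's image: one NTFS-type (0x07) partition of
# 36 GiB starting at LBA 2048, inside an image whose reported size is 500 GB.
SOURCE_DISK_MBR = build_mbr([(0x07, 2048, 36 * 1024 * 1024 * 1024 // SECTOR)])
IMAGE_SIZE_500GB = 500 * 10**9


def demo():
    # Only sector 0 is read, so a BytesIO holding the MBR stands in for the 500GB file;
    # on a real image pass an open file object and os.path.getsize(path).
    return check_image(io.BytesIO(SOURCE_DISK_MBR), IMAGE_SIZE_500GB)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real image, The Sleuth Kit's `mmls` shows the same layout, and a last partition ending at roughly 36GB in a 500GB image is the tell-tale sign that the device, not the original drive, was imaged; the check only confirms that, it does not recover anything. The heuristic ignores GPT disks (a protective MBR with a single 0xEE entry) and extended partitions, so treat its flag as a prompt to look at the layout, not as a verdict.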