[sleuthkit-users] R: R: Newbie question on autopsy3
From: Netexpress <Net...@ti...> - 2013-09-06 16:19:18
> -----Original Message-----
> From: Brian Carrier [mailto:ca...@sl...]
> Sent: Friday, 6 September 2013 03:27
> To: Netexpress
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] R: Newbie question on autopsy3
>
> 883162 files is probably more files than we have tried to send to the table
> area at a single time. We'll run some tests. Does it hang only when you try
> to view all deleted files? We've certainly analyzed images that are larger than
> 36GB before.

[Fiorenzi Alessandro] Yes, it hangs and I have never seen the list of deleted files.

> That being said, the scenario you describe below is a bit confusing. If the
> image that you want to analyze is only 36GB and that is a file inside of the
> 500GB image, then you may not get the results that you expect because it
> will be analyzing the 500GB drive and not the 36GB drive. Autopsy does not
> currently have the functionality to detect a disk image inside of a disk image
> and process it.

[Fiorenzi Alessandro] Police have done dd from the original device of 36GB to a destination drive of 500GB:
dd if=/dev/sdc(36GB) of=/dev/sdd(500GB)

> thanks,
> brian
>
> On Sep 4, 2013, at 5:25 PM, Netexpress wrote:
>
>> Hi Brian, thanks very much for your help. I fill your tips with more data.
>>
>>>> 3- If I go on the view tree and select deleted files all seems to freeze,
>>>> and even if I know that many deleted files are present I do not find any
>>>> of them.
>>>
>>> Meaning that the entire system freezes? I haven't seen that yet, but
>>> can certainly make some test images to stress that feature. If you
>>> select "Deleted Files", it should show two child entries (File System and All).
>>> What are the numbers next to those?
>>
>> Let me explain more about my analysis lab. I have Autopsy on a Windows
>> 2003 virtual machine with 4GB RAM and 2 processors.
>> I am using VMware Server 2.0 running on Linux, and I connect to
>> Windows 2003 to use Autopsy with Terminal Server using the administrator
>> user; a bit complicated scenario? :-) The image on which I am working
>> is an original image of 36GB that the police have duplicated for the lawyer on a
>> 500GB disk via dd or Logicube, not a dd raw image file but dd output
>> on a disk device of 500 GB, and when I made a raw image from this disk I
>> got an image of 500GB, the one on which I am working. Some mistake in the process?
>>
>> Now I will try to explain more about the problem. The system is ok; I
>> notice a fixed use of 50% of CPU from Autopsy. Everything I choose on
>> the menu and view of Autopsy is too slow and many times I cannot change
>> view.
>> Furthermore, if I iconize Autopsy it doesn't return to full window. If
>> I try to kill the process it goes to state "not responding".
>>
>> On the deleted files view Autopsy reports:
>> File System 883162
>> All 883162
>> But I am not able to view the list of files.
>>
>> Looking into the event viewer I have found this, only one occurrence, if it
>> can help:
>>
>> Application:
>> Event Type: Error
>> Event Source: Application Hang
>> Event Category: (101)
>> Event ID: 1002
>> Date: 28/08/2013
>> Time: 23.30.36
>> User: N/A
>> Computer: LABORATORIO
>> Description:
>> Hanging application autopsy.exe, version 0.0.0.0, hang module hungapp,
>> version 0.0.0.0, hang address 0x00000000.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> Data:
>> 0000: 41 70 70 6c 69 63 61 74 Applicat
>> 0008: 69 6f 6e 20 48 61 6e 67 ion Hang
>> 0010: 20 20 61 75 74 6f 70 73 autops
>> 0018: 79 2e 65 78 65 20 30 2e y.exe 0.
>> 0020: 30 2e 30 2e 30 20 69 6e 0.0.0 in
>> 0028: 20 68 75 6e 67 61 70 70 hungapp
>> 0030: 20 30 2e 30 2e 30 2e 30 0.0.0.0
>> 0038: 20 61 74 20 6f 66 66 73 at offs
>> 0040: 65 74 20 30 30 30 30 30 et 00000
>> 0048: 30 30 30 000
>>
>> I have used Autopsy 2 on Linux and found this new version very good,
>> more intuitive and better for a general view of the case. The only two
>> things that could be of help, for me, would be a log of what it is doing with
>> a marker of activity, and a dialog box telling the user to wait for the process to
>> complete; sometimes the user thinks that all was completed even if it's
>> still going on.
>>
>> Sorry for my bad English, and thanks very much for your help.
>>
>> Alessandro Fiorenzi
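The scenario in this thread (a 36GB device copied with dd onto a 500GB device, then the whole 500GB device imaged) produces a raw image whose first 36GB is the original disk and whose remainder is whatever the destination drive held before. Brian's point is that Autopsy will analyze the 500GB container, not the 36GB disk inside it. The script below is an added example, not code from the thread, from Autopsy or from The Sleuth Kit: it reads the MBR at sector 0 of the oversized image, computes the last sector any primary partition touches, and carves that prefix into a separate image the analyst can load instead. It assumes MBR partitioning (a GPT disk would need its header parsed instead) and 512-byte sectors; the image it runs on in `demo()` is a constructed 500-sector file with a 100-sector "original" at the front, not a real evidence image.

```python
import os
import struct
import tempfile

SECTOR_SIZE = 512                      # assumption: 512-byte sectors, as on most spinning disks of that era
MBR_SIGNATURE = b"\x55\xaa"
# One 16-byte MBR partition entry: boot flag, CHS start (skipped), type,
# CHS end (skipped), start LBA, sector count (all little-endian).
PARTITION_ENTRY = "<B3xB3xII"


def parse_mbr_partitions(mbr: bytes):
    """Return (type, start_lba, sector_count) for each populated primary MBR entry."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 carries no MBR signature; not an MBR-partitioned image")
    entries = []
    for i in range(4):
        _boot, ptype, start_lba, count = struct.unpack_from(PARTITION_ENTRY, mbr, 446 + 16 * i)
        if ptype != 0 and count != 0:
            entries.append((ptype, start_lba, count))
    return entries


def used_extent_sectors(mbr: bytes) -> int:
    """Exclusive end sector of the last partition: the smallest prefix of the
    oversized image that still contains every partition the table describes."""
    entries = parse_mbr_partitions(mbr)
    return max((start + count for _t, start, count in entries), default=0)


def carve_prefix(src_path: str, dst_path: str, num_sectors: int, chunk: int = 1 << 20) -> int:
    """Copy the first num_sectors sectors of src to dst in chunks; returns bytes written."""
    remaining = num_sectors * SECTOR_SIZE
    written = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while remaining > 0:
            buf = src.read(min(chunk, remaining))
            if not buf:
                break          # source shorter than the table claims: stop at EOF rather than pad
            dst.write(buf)
            written += len(buf)
            remaining -= len(buf)
    return written


def build_mbr(partitions):
    """Construct a synthetic MBR (sample input built for this example, not from a real device)."""
    mbr = bytearray(SECTOR_SIZE)
    for i, (ptype, start, count) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, mbr, 446 + 16 * i, 0x00, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def demo(total_sectors: int = 500):
    """Round trip on a constructed image: a 100-sector 'device' dd'd onto a 500-sector 'destination'."""
    mbr = build_mbr([(0x83, 1, 99)])   # one Linux partition, sectors 1..99 -> original device = 100 sectors
    with tempfile.TemporaryDirectory() as tmp:
        big = os.path.join(tmp, "destination_500.dd")
        out = os.path.join(tmp, "original.dd")
        with open(big, "wb") as f:
            f.write(mbr)
            f.write(b"\x00" * (total_sectors - 1) * SECTOR_SIZE)   # zero-filled rest of the bigger disk
        with open(big, "rb") as f:
            extent = used_extent_sectors(f.read(SECTOR_SIZE))
        written = carve_prefix(big, out, extent)
        with open(out, "rb") as f:
            header_ok = f.read(SECTOR_SIZE) == mbr
        return {
            "extent_sectors": extent,
            "carved_bytes": written,
            "oversized_bytes": os.path.getsize(big),
            "header_ok": header_ok,
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats for real evidence: the partition table only bounds the allocated area, so any unallocated space after the last partition of the original 36GB device is left behind by this carve; when the original device's exact sector count is known (from its label or the acquisition log), carve that many sectors instead of the table-derived extent. The Sleuth Kit's `mmls` prints the same partition layout for a real image and is the quicker way to confirm the extent before carving.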