Re: [sleuthkit-users] Multiple Images
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Multiple Images
|
From: Ketil F. <ke...@fr...> - 2015-03-26 09:16:40
|
I agree with Derrick. I think each image should finish processing before continuing. I have seen images take a long time to add, if I could just queue more images that's not a problem. Or even multiprocessing, my workstation has 16 cores and a big NAS backing my disk images, so if autopsy's database can handle it, I'm all for having several workers in parallel. :) But I also think this should cover ingest modules. Running ingests also has to be done manually after the image is added, and unless I'm mistaken, running ingest on multiple images at the same time is probably not a good idea. If I could set up a sort of "ingest profile" for my case, then all the images could be ingested with my case options as soon as each image is added and ingest resources are ready, and I can just fire up a big load/ingest and walk away until it's all done. I figure that if I add several images, I'm not in a great big rush to see the results of the fifth image. Regards, Ketil On 26 March 2015 at 06:51, Derrick Karpo <dk...@gm...> wrote: > Hi Brian. > > I would like to see a version of #1 where images can be added to the > queue at any time without waiting for ingest to occur. I often find > myself adding an image and then thinking, "Doh! I should have also > added image X!", and then I have to wait. I then get consumed by > something else since I have a few minutes to spare but then don't get > back to adding the other image for an hour, or two, or eight. So, I > think Autopsy should be changed to cater to my poor multitasking > abilities. :) > > The current prioritization approach works for getting usable results > faster to the user and I don't think changing that is beneficial. If > we could just have the ability to queue images at any time in the > Autopsy processing chain that would be slick. > > Derrick > > > On Wed, Mar 25, 2015 at 9:15 PM, Brian Carrier <ca...@sl...> wrote: >> Starting a new thread for one of the topics brought up today. A couple of people mentioned variations on queueing up multiple images into Autopsy or processing multiple images. >> >> The current behavior is: >> - A single case can be opened at a time. >> - You can add multiple data sources to a case (which is a process to scan the media to enumerate the files - no content analysis is performed), though only one is added at a time. You'll need to wait several minutes before you can add the next one though. >> - After a data source has been added, the ingest modules are kicked off and you can add a 2nd data source. >> - Because of the prioritization methods in Autopsy, processing of the first data source may stop for a while after the 2nd data source is added. This is because there is a prioritized list of folders and folders in the 2nd data source may have a higher priority than the remaining folders in data source 1. >> >> So, what do you want to change / expand? There seem to be two ideas that I could infer from the comments: >> >> 1) While you are waiting for the file system structure of data source one to finish, you can browse to additional data sources so that they are immediately added after the first one is and the rest of the process is as it is now. You just don't need to wait around for a few minutes. >> >> 2) Or we change the prioritization approach so that the first data source finishes sooner than it will with the current approach. >> >> Or, is it something else that is wanted? >> >> thanks, >> brian >> >> >> >> >> ------------------------------------------------------------------------------ >> Dive into the World of Parallel Programming The Go Parallel Website, sponsored >> by Intel and developed in partnership with Slashdot Media, is your hub for all >> things parallel software development, from weekly thought leadership blogs to >> news, videos, case studies, tutorials and more. Take a look and join the >> conversation now. http://goparallel.sourceforge.net/ >> _______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org > > ------------------------------------------------------------------------------ > Dive into the World of Parallel Programming The Go Parallel Website, sponsored > by Intel and developed in partnership with Slashdot Media, is your hub for all > things parallel software development, from weekly thought leadership blogs to > news, videos, case studies, tutorials and more. Take a look and join the > conversation now. http://goparallel.sourceforge.net/ > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org -- -Ketil |
