Re: [sleuthkit-users] Some guidance required
From: Simson G. <si...@ac...> - 2015-06-10 17:36:55
Hi, Owen. You didn't say how big the hard drives you are ingesting are, or how much storage you have on your analysis system. However, from the sounds of it, your analysis system is underpowered. What kind of computer are you running on --- laptop or desktop --- how far can you expand the RAM, and how big is your storage?

On Wed, Jun 10, 2015 at 11:49 AM, Owen O' Shaughnessy <owe...@gm...> wrote:

> Hi,
>
> I have a job to do, got 15 hard disks from an office and need to find out
> who wrote a nasty letter. My initial thought was to copy the live files
> from each disk, then carve out unallocated with blkls and then run foremost
> on the unallocated, index the lot and search for my keywords.
>
> Decided instead to give Autopsy a go, so I cranked up a Windows host,
> inputted my keywords and got it to ingest the first disk.
>
> Left it overnight, but in reality, it hadn't progressed, as Autopsy had
> already run out of resources and was non-responsive when I left it. There
> was a red dot in the bottom right that I couldn't get info out of, a
> console with a message saying the image was no longer accessible and read
> error, a status bar on the bottom saying analyzing image 19% complete, and
> 8 hours later, the status of all was still the same.
>
> Autopsy had used all available RAM on the PC, which is a Core i7 PC running
> Windows 8.1 Pro 64-bit with 4GB RAM.
>
> When I restarted Autopsy, the red dot revealed an error that my security
> software might be blocking the search server; ok, that'll be easy to sort,
> but my questions are:
>
> 1) Exactly how much RAM should I wedge into this system for Autopsy to run
> comfortably?
> 2) How can I verify if Autopsy successfully ingested the full hard disk?
> 3) By clicking all the options on the ingest, am I safe to assume that it
> is looking for my keywords in unallocated?
> 4) This is disk 1 of 15, am I ok to keep ingesting disks into this case,
> or for resource management should I be giving each disk its own case?
> 5) I assume, if ingesting all disks into this one case, I can name the
> individual disks after I ingest so that if I get a keyword hit I can
> determine who the culprit was?
>
> Would appreciate some guidance before I go much further. I'd like to
> evaluate Autopsy on this simple exercise, so don't really want to switch
> back to the Linux command line just yet.
>
> Thanks,
>
> Owen.
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
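The command-line pipeline Owen describes (blkls to extract unallocated space, then a keyword search over the result) has two practical wrinkles that the thread does not spell out: text written by Windows applications is frequently stored as UTF-16LE, so a plain ASCII keyword search misses it, and a hit inside blkls output is only useful once its offset is mapped back to a data unit that blkcalc -u can translate to the original disk address. The following Python is an added example, not code from the thread or from The Sleuth Kit; the blkls output is a constructed stand-in built in memory, the 4096-byte block size is an assumption (read the real value from fsstat), and the image name "disk01.dd" is hypothetical.

```python
import re

# Assumption: file-system block size as reported by fsstat for the image.
BLOCK_SIZE = 4096


def build_patterns(keywords):
    """Compile case-insensitive byte patterns for each keyword in two encodings.

    re.IGNORECASE on bytes patterns folds only ASCII letters, which is exactly
    what we want: the interleaved NUL bytes of UTF-16LE are matched literally.
    """
    patterns = []
    for kw in keywords:
        patterns.append((kw, "utf-8", re.compile(re.escape(kw.encode("utf-8")), re.IGNORECASE)))
        patterns.append((kw, "utf-16le", re.compile(re.escape(kw.encode("utf-16-le")), re.IGNORECASE)))
    return patterns


def search_unallocated(data, keywords, block_size=BLOCK_SIZE):
    """Search raw blkls output for keywords; map each hit to its blkls data unit.

    blkls writes unallocated blocks back to back, so offset // block_size is the
    unit number blkcalc -u expects, and offset % block_size locates the hit
    inside that unit.
    """
    hits = []
    for kw, enc, pat in build_patterns(keywords):
        for m in pat.finditer(data):
            off = m.start()
            hits.append({
                "keyword": kw,
                "encoding": enc,
                "offset": off,
                "blkls_unit": off // block_size,
                "unit_offset": off % block_size,
                "context": context_text(data, m.start(), m.end(), enc),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def context_text(data, start, end, enc, margin=24):
    """Decode a few bytes around the match so an analyst can eyeball it."""
    lo = max(0, start - margin)
    hi = min(len(data), end + margin)
    codec = "utf-16-le" if enc == "utf-16le" else "utf-8"
    return data[lo:hi].decode(codec, errors="replace").strip("\x00 ")


def blkcalc_command(hit, image):
    """Build the TSK command that maps a blkls unit back to the original image
    address (blkcalc -u is a real TSK invocation; the image name is hypothetical)."""
    return "blkcalc -u %d %s" % (hit["blkls_unit"], image)


def constructed_unallocated(block_size=BLOCK_SIZE):
    """Constructed stand-in for blkls output: three blocks, two carrying text."""
    blk0 = bytearray(block_size)                      # empty block
    blk1 = bytearray(block_size)                      # ASCII fragment
    ascii_text = b"...the NASTY letter was typed here..."
    blk1[100:100 + len(ascii_text)] = ascii_text
    blk2 = bytearray(block_size)                      # UTF-16LE fragment
    utf16_text = "Dear colleagues, this nasty letter".encode("utf-16-le")
    blk2[2000:2000 + len(utf16_text)] = utf16_text
    return bytes(blk0 + blk1 + blk2)


if __name__ == "__main__":
    # Real use: data = open("disk01.unalloc", "rb").read() after
    # `blkls disk01.dd > disk01.unalloc` (assumed file names).
    data = constructed_unallocated()
    for hit in search_unallocated(data, ["nasty", "letter"]):
        print("%-8s %-8s unit %d +%d  %s  | %s" % (
            hit["keyword"], hit["encoding"], hit["blkls_unit"],
            hit["unit_offset"], blkcalc_command(hit, "disk01.dd"), hit["context"]))
```

Run against real blkls output the loop prints one line per hit with the blkcalc command to recover the original block, which is what lets a hit in unallocated space be tied back to a specific disk (and therefore a specific desk) across all fifteen images.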