Re: [sleuthkit-users] Autopsy 4: Add data source wizard Question
From: K M. <km...@ci...> - 2016-01-19 14:11:28
Your description is what I thought it was doing. I'll answer your questions below.

> Where is the disk image stored, is it on network storage, a USB drive, etc?

I've tried two different things:

1) I originally shared out the drive images via NFS to my Windows machine. Autopsy had no issues doing three of the six drives.
2) I put the largest image on a drive and connected it directly to the machine via usb3.

Monitoring both situations, there is very little activity either through the network (option 1 from above) or drive (option 2).

> Where is your autopsy case directory stored, and can you see how big the
> file autopsy.db is?

Stored off on another usb3 drive in one case. I got another machine with Autopsy going (same issues) where the case is stored on the C: drive. The current size is 138,948 KB of the autopsy.db stored directly on the C: drive.

> What is the filesystem on the disk image?

Both drives that have been going for days are EXT3/4. Both drives are filled with archives (of archives of archives), ISOs, and virtual machine drives. It seems to me that is where it is getting hung up at.

Thoughts?

Regards,
K Murphy

Quoting Ketil Froyn <ke...@fr...>:

> 5 days sounds excessive. Autopsy parses the file system(s), traversing all
> files and folders it can find, and stores info about this in an sqlite
> database (unless you've set up a postgresql environment).
>
> Where is the disk image stored, is it on network storage, a USB drive, etc?
> Where is your autopsy case directory stored, and can you see how big the
> file autopsy.db is? What is the filesystem on the disk image?
>
> Cheers, Ketil
> On 14 Jan 2016 20:57, "K Murphy" <km...@ci...> wrote:
>
>>
>> Hello,
>>
>> How long should the Add Data Source Wizard (Step 3 of 3) take to run?
>>
>> I got a 3 TB drive that has been running for 5 days now. I see in the
>> progress bar in the pop-up window it changes directories every now and then.
>>
>> Also what is Autopsy doing during this time frame? I ask because I
>> turned all of the ingest modules off except for keyword searches. I've seen
>> that kick off after Wizard is complete.
>>
>> Thanks,
>> K Murphy