Re: [sleuthkit-users] Autopsy 4: Add data source wizard Question
From: Brian C. <ca...@sl...> - 2016-01-22 02:09:07
That time does seem way excessive and the SQLite DB has gotten quite big. Is the DB getting bigger or staying the same? I can't think of an easy way to debug this... It may be easiest to run the tsk_gettimes command from TSK on the image, which will produce a big text file of the files. After an hour or so, that output may show some insight about what it is spending so much time on...

> On Jan 19, 2016, at 9:11 AM, K Murphy <km...@ci...> wrote:
>
> Your description is what I thought it was doing. I'll answer your questions below.
>
>> Where is the disk image stored, is it on network storage, a USB drive, etc?
>
> I've tried two different things:
> 1) I originally shared out the drive images via NFS to my Windows machine. Autopsy had no issues doing three of the six drives.
> 2) I put the largest image on a drive and connected it directly to the machine via usb3.
>
> Monitoring both situations, there is very little activity either through the network (option 1 from above) or the drive (option 2).
>
>> Where is your autopsy case directory stored, and can you see how big the file autopsy.db is?
>
> Stored off on another usb3 drive in one case. I got another machine with Autopsy going (same issues) where the case is stored on the C: drive.
>
> The current size is 138,948 KB of the autopsy.db stored directly on the C: drive.
>
>> What is the filesystem on the disk image?
>
> Both drives that have been going for days are EXT3/4.
>
> Both drives are filled with archives (of archives of archives), ISOs, and virtual machine drives. It seems to me that is where it is getting hung up.
>
> Thoughts?
>
> Regards,
> K Murphy
>
> Quoting Ketil Froyn <ke...@fr...>:
>
>> 5 days sounds excessive. Autopsy parses the file system(s), traversing all files and folders it can find, and stores info about this in an sqlite database (unless you've set up a postgresql environment).
>>
>> Where is the disk image stored, is it on network storage, a USB drive, etc?
>> Where is your autopsy case directory stored, and can you see how big the file autopsy.db is? What is the filesystem on the disk image?
>>
>> Cheers, Ketil
>>
>> On 14 Jan 2016 20:57, "K Murphy" <km...@ci...> wrote:
>>
>>> Hello,
>>>
>>> How long should the Add Data Source Wizard (Step 3 of 3) take to run?
>>>
>>> I got a 3 TB drive that has been running for 5 days now. I see in the progress bar in the pop-up window that it changes directories every now and then.
>>>
>>> Also, what is Autopsy doing during this time frame? I ask because I turned all of the ingest modules off except for keyword searches. I've seen that kick off after the Wizard is complete.
>>>
>>> Thanks,
>>> K Murphy
>>>
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
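One way to act on Brian's suggestion, as an added example that is not part of the thread or of Autopsy/TSK: run tsk_gettimes to produce a bodyfile, then rank directory prefixes by entry count so a walk stuck in nested archives shows up as one prefix with a very large count. The volume prefix /vol_vol2 and the paths in the embedded sample are constructed assumptions, not real tsk_gettimes output.

```shell
#!/bin/sh
# Added example (not code from the thread or from TSK): collect a bodyfile
# with tsk_gettimes and rank directories by how many entries they hold.

# Collect a bodyfile from a disk image. Assumes tsk_gettimes is on PATH.
collect_bodyfile() {
    image="$1"; out="$2"
    command -v tsk_gettimes >/dev/null 2>&1 || {
        echo "tsk_gettimes not found on PATH" >&2; return 1; }
    tsk_gettimes "$image" > "$out"
}

# Rank directory prefixes of depth $1 by number of bodyfile entries (stdin).
# Bodyfile fields are pipe-separated; the path is field 2.
# Output: count<TAB>prefix, largest count first.
top_dirs() {
    awk -F'|' -v d="$1" '
        NF >= 11 {
            n = split($2, p, "/")          # p[1] is empty (leading slash)
            prefix = ""
            for (i = 2; i <= n - 1 && i <= d + 1; i++)
                prefix = prefix "/" p[i]
            if (prefix == "") prefix = "/"
            count[prefix]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# Prefix with the most entries at depth $1 (stdin is a bodyfile).
busiest_dir() {
    top_dirs "$1" | head -n 1 | cut -f2
}

# Constructed sample bodyfile (assumed paths, not real tool output).
sample_bodyfile() {
    cat <<'EOF'
0|/vol_vol2/archives/backup1.tar.gz|100|r/rrw-r--r--|0|0|5000|1452700000|1452700000|1452700000|0
0|/vol_vol2/archives/backup2.tar.gz|101|r/rrw-r--r--|0|0|6000|1452700000|1452700000|1452700000|0
0|/vol_vol2/archives/nested/inner.zip|102|r/rrw-r--r--|0|0|7000|1452700000|1452700000|1452700000|0
0|/vol_vol2/iso/install.iso|103|r/rrw-r--r--|0|0|8000|1452700000|1452700000|1452700000|0
0|/vol_vol2/vm/disk.vmdk|104|r/rrw-r--r--|0|0|9000|1452700000|1452700000|1452700000|0
0|/vol_vol2/home/notes.txt|105|r/rrw-r--r--|0|0|40|1452700000|1452700000|1452700000|0
EOF
}

# Usage: ./rank_bodyfile.sh image.dd body.txt [depth]
if [ $# -ge 2 ]; then
    collect_bodyfile "$1" "$2" && top_dirs "${3:-2}" < "$2"
fi
```

Run it against the sample with `sample_bodyfile | top_dirs 2` to see the ranking without an image.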