Re: [sleuthkit-users] Autopsy 4: Add data source wizard Question
From: K M. <km...@ci...> - 2016-01-27 21:43:11
It did get bigger over time. But it took days for it to increase. I eventually killed it and went to Bulk Extract. I was just using Autopsy to do keyword searches. If there is something you'd like me to try, I still have access to the images. I'll try the tsk_gettimes with the verbose option and see what happens. Then post back. It would be nice to see exactly what file it is working on during the ingest. I can see the directories but no file names.

K Murphy

Quoting Brian Carrier <ca...@sl...>:

> That time does seem way excessive and the SQLite DB has gotten quite big.
>
> Is the DB getting bigger or staying the same?
>
> I can't think of an easy way to debug this... It may be easiest to run
> the tsk_gettimes command from TSK on the image, which will produce a
> big text file of the files. After an hour or so, that output may
> show some insight about what it is spending so much time on...
>
>
>> On Jan 19, 2016, at 9:11 AM, K Murphy <km...@ci...> wrote:
>>
>> Your description is what I thought it was doing. I'll answer your
>> questions below.
>>
>>
>>> Where is the disk image stored, is it on network storage, a USB drive, etc?
>> I've tried two different things:
>> 1) I originally shared out the drive images via NFS to my Windows
>> machine. Autopsy had no issues doing three of the six drives.
>> 2) I put the largest image on a drive and connected it directly to
>> the machine via usb3.
>>
>> Monitoring both situations, there is very little activity either
>> through the network (option 1 from above) or drive (option 2).
>>
>>> Where is your autopsy case directory stored, and can you see how big the
>>> file autopsy.db is?
>> Stored off on another usb3 drive in one case. I got another machine
>> with Autopsy going (same issues) where the case is stored on the C:
>> drive.
>>
>> The current size is 138,948 KB of the autopsy.db stored directly on
>> the C: drive.
>>
>>> What is the filesystem on the disk image?
>> Both drives that have been going for days are EXT3/4.
>>
>>
>> Both drives are filled with archives (of archives of archives),
>> ISOs, and virtual machine drives. It seems to me that is where it
>> is getting hung up.
>>
>>
>> Thoughts?
>>
>> Regards,
>> K Murphy
>>
>>
>> Quoting Ketil Froyn <ke...@fr...>:
>>
>>> 5 days sounds excessive. Autopsy parses the file system(s), traversing all
>>> files and folders it can find, and stores info about this in an sqlite
>>> database (unless you've set up a postgresql environment).
>>>
>>> Where is the disk image stored, is it on network storage, a USB drive, etc?
>>> Where is your autopsy case directory stored, and can you see how big the
>>> file autopsy.db is? What is the filesystem on the disk image?
>>>
>>> Cheers, Ketil
>>> On 14 Jan 2016 20:57, "K Murphy" <km...@ci...> wrote:
>>>
>>>>
>>>> Hello,
>>>>
>>>> How long should the Add Data Source Wizard (Step 3 of 3) take to run?
>>>>
>>>> I got a 3 TB drive that has been running for 5 days now. I see in the
>>>> progress bar in the pop-up window it changes directories every now and then.
>>>>
>>>> Also what is Autopsy doing during this time frame? I ask because I
>>>> turned all of the ingest modules off except for keyword searches.
>>>> I've seen that kick off after the Wizard is complete.
>>>>
>>>> Thanks,
>>>> K Murphy
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>>>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>>>> Monitor end-to-end web transactions and take corrective actions now
>>>> Troubleshoot faster and improve end-user experience. Signup Now!
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
>>>> _______________________________________________
>>>> sleuthkit-users mailing list
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> http://www.sleuthkit.org
>>>>
>>>>
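Brian's suggestion in the thread is to run tsk_gettimes on the image and read its output for hints about where the ingest is stalling. The script below is an added example for this thread, not code from The Sleuth Kit or Autopsy. It assumes the TSK 3.x body format that tsk_gettimes writes (`MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime`), that the tool is piped into the script so each line can be timestamped as it arrives, and a hypothetical list of "container" extensions (archives, ISOs, VM disks) chosen for the example. The sample records in `SAMPLE` are constructed, not taken from K Murphy's images. The `depth` parameter exists because tsk_gettimes may prefix paths with a volume name; pick a depth that groups paths the way you want.

```python
#!/usr/bin/env python3
"""Find where a slow file-system walk is spending its time.

Added example for the sleuthkit-users thread above (not TSK/Autopsy code).
Assumes TSK 3.x body-format lines from tsk_gettimes, e.g.

    tsk_gettimes -v image.dd 2> gettimes.err | python3 ingest_hotspots.py

Reports: files/bytes per top-level directory, the largest container files
(nested archives, ISOs, VM disks), and the longest pause between two
consecutive output lines, i.e. where tsk_gettimes itself stalled.
"""
import sys
import time
from collections import defaultdict

# Hypothetical extension list for this example; extend for your cases.
CONTAINER_EXTS = (".zip", ".tar", ".gz", ".tgz", ".7z", ".rar",
                  ".iso", ".vmdk", ".vdi", ".vhd", ".vhdx", ".qcow2", ".ova")

# Constructed sample input: (seconds since start, body-format line).
SAMPLE = [
    (0.0, "0|/home/km/notes.txt|12|r/rrw-r--r--|1000|1000|512|1453000000|1453000000|1453000000|0"),
    (0.1, "0|/home/km/backup/old.tar.gz|13|r/rrw-r--r--|1000|1000|734003200|1453000000|1453000000|1453000000|0"),
    (0.2, "0|/vm/win7.vmdk|14|r/rrw-r--r--|1000|1000|21474836480|1453000000|1453000000|1453000000|0"),
    (9.5, "0|/iso/ubuntu.iso|15|r/rrw-r--r--|1000|1000|1500000000|1453000000|1453000000|1453000000|0"),
    (9.6, "0|/home/km/a.doc|16|r/rrw-r--r--|1000|1000|2048|1453000000|1453000000|1453000000|0"),
    (9.7, "this line is not body format and must be skipped"),
]


def parse_body_line(line):
    """Return (path, size) for one body-format line, or None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 11:
        return None
    try:
        return parts[1], int(parts[6])
    except ValueError:
        return None


def top_dir(path, depth=1):
    """Group key for a path: its first `depth` components ('/home/km/x' -> '/home')."""
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts[:depth]) if parts else "/"


def summarize(timed_lines, depth=1, top_n=5):
    """timed_lines: iterable of (seconds, line).  Returns a dict with
    per-directory (count, bytes), the largest container files, and the
    longest gap as (seconds, path printed before the gap, path printed after)."""
    counts, sizes, containers = defaultdict(int), defaultdict(int), []
    longest_gap = (0.0, None, None)
    prev_t = prev_path = None
    for t, line in timed_lines:
        rec = parse_body_line(line)
        if rec is None:
            continue                      # skip stderr noise or truncated lines
        path, size = rec
        if prev_t is not None and t - prev_t > longest_gap[0]:
            longest_gap = (t - prev_t, prev_path, path)
        prev_t, prev_path = t, path
        key = top_dir(path, depth)
        counts[key] += 1
        sizes[key] += size
        if path.lower().endswith(CONTAINER_EXTS):
            containers.append((size, path))
    containers.sort(reverse=True)
    return {
        "by_dir": {k: (counts[k], sizes[k]) for k in counts},
        "largest_containers": containers[:top_n],
        "longest_gap": longest_gap,
    }


def timed_stdin():
    """Yield (monotonic seconds, line) as tsk_gettimes output arrives on stdin."""
    for line in sys.stdin:
        yield time.monotonic(), line


def print_report(summary):
    print("files / bytes per directory:")
    for key, (n, b) in sorted(summary["by_dir"].items(), key=lambda kv: -kv[1][1]):
        print(f"  {key:30s} {n:8d} {b:16d}")
    print("largest container files (what nested-archive ingest will expand):")
    for size, path in summary["largest_containers"]:
        print(f"  {size:16d} {path}")
    gap, before, after = summary["longest_gap"]
    print(f"longest stall: {gap:.1f}s after {before!r}, before {after!r}")


if __name__ == "__main__":
    src = SAMPLE if "--demo" in sys.argv else timed_stdin()
    print_report(summarize(src))
```

Run with `--demo` to see the report on the constructed sample; on a real case, the "longest stall" line points at the file tsk_gettimes was working on when it went quiet, which is the detail the Autopsy progress bar (directories only) does not show.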