Re: [sleuthkit-users] Autopsy 4: Add data source wizard Question
From: K M. <km...@ci...> - 2016-01-28 18:54:46
Well, tsk_gettimes worked fine. Got through the entire 3 TB drive in about 1.5 hours under Linux. I replicated my environment on the Windows side: Linux exporting the dd image via NFS to a Windows 10 box. No issues with tsk_gettimes using Sleuthkit 4.1.3-win32. Is there something you would like me to try with Autopsy?

Regards,
K Murphy

Quoting K Murphy <km...@ci...>:

> It did get bigger over time. But it took days for it to increase.
>
> I eventually killed it and went to Bulk Extract. I was just using
> Autopsy to do keyword searches.
>
> If there is something you'd like me to try, I still have access to
> the images.
>
> I'll try the tsk_gettimes with the verbose option and see what
> happens. Then post back.
>
> It would be nice to see exactly what file it is working on during
> the ingest. I can see the directories but no file names.
>
> K Murphy
>
>
> Quoting Brian Carrier <ca...@sl...>:
>
>> That time does seem way excessive and the SQLite DB has gotten quite big.
>>
>> Is the DB getting bigger or staying the same?
>>
>> I can't think of an easy way to debug this... It may be easiest to
>> run the tsk_gettimes command from TSK on the image, which will
>> produce a big text file of the files. After an hour or so, that
>> output may show some insight about what it is spending so much time
>> on...
>>
>>
>>
>>> On Jan 19, 2016, at 9:11 AM, K Murphy <km...@ci...> wrote:
>>>
>>> Your description is what I thought it was doing. I'll answer your
>>> questions below.
>>>
>>>
>>>> Where is the disk image stored, is it on network storage, a USB
>>>> drive, etc?
>>> I've tried two different things:
>>> 1) I originally shared out the drive images via NFS to my Windows
>>> machine. Autopsy had no issues doing three of the six drives.
>>> 2) I put the largest image on a drive and connected it directly to
>>> the machine via USB3.
>>>
>>> Monitoring both situations, there is very little activity either
>>> through the network (option 1 from above) or drive (option 2).
>>>
>>>> Where is your autopsy case directory stored, and can you see how big the
>>>> file autopsy.db is?
>>> Stored off on another USB3 drive in one case. I got another
>>> machine with Autopsy going (same issues) where the case is stored
>>> on the C: drive.
>>>
>>> The current size is 138,948 KB of the autopsy.db stored directly
>>> on the C: drive.
>>>
>>>> What is the filesystem on the disk image?
>>> Both drives that have been going for days are EXT3/4.
>>>
>>>
>>> Both drives are filled with archives (of archives of archives),
>>> ISOs, and virtual machine drives. It seems to me that is where it
>>> is getting hung up.
>>>
>>>
>>> Thoughts?
>>>
>>> Regards,
>>> K Murphy
>>>
>>>
>>> Quoting Ketil Froyn <ke...@fr...>:
>>>
>>>> 5 days sounds excessive. Autopsy parses the file system(s), traversing all
>>>> files and folders it can find, and stores info about this in an SQLite
>>>> database (unless you've set up a PostgreSQL environment).
>>>>
>>>> Where is the disk image stored, is it on network storage, a USB
>>>> drive, etc?
>>>> Where is your autopsy case directory stored, and can you see how big the
>>>> file autopsy.db is? What is the filesystem on the disk image?
>>>>
>>>> Cheers, Ketil
>>>> On 14 Jan 2016 20:57, "K Murphy" <km...@ci...> wrote:
>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> How long should the Add Data Source Wizard (Step 3 of 3) take to run?
>>>>>
>>>>> I got a 3 TB drive that has been running for 5 days now. I see in the
>>>>> progress bar in the pop-up window it changes directories every now and then.
>>>>>
>>>>> Also, what is Autopsy doing during this time frame? I ask because I
>>>>> turned all of the ingest modules off except for keyword
>>>>> searches. I've seen
>>>>> that kick off after the Wizard is complete.
>>>>>
>>>>> Thanks,
>>>>> K Murphy
>>>>>
>>>>> _______________________________________________
>>>>> sleuthkit-users mailing list
>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>> http://www.sleuthkit.org
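Brian's suggestion above is to run tsk_gettimes and look at its output for where ingest time is going. As an added example (not from the thread and not part of The Sleuth Kit or Autopsy), the Python below summarizes such a bodyfile by top-level directory, counting files, bytes and container-type files (archives, ISOs, VM disks) so that the subtrees the thread suspects stand out; it assumes the standard TSK bodyfile layout and the sample lines are constructed.

```python
import re
from collections import defaultdict

# TSK bodyfile layout (fls -m / tsk_gettimes output), assumed here:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]
# File types the thread suspects of stalling ingest: archives, ISOs, VM disks.
CONTAINER_EXT = re.compile(
    r"\.(zip|tar|gz|tgz|bz2|xz|7z|rar|iso|vmdk|vdi|vhd|vhdx|qcow2)$", re.I)

def parse_bodyfile_line(line):
    """Split one bodyfile line into a dict; None for blank or malformed lines."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(FIELDS) or not parts[6].isdigit():
        return None
    rec = dict(zip(FIELDS, parts))
    rec["size"] = int(rec["size"])
    # fls marks unallocated entries with a trailing " (deleted)"
    rec["deleted"] = rec["name"].endswith(" (deleted)")
    rec["name"] = rec["name"].removesuffix(" (deleted)")
    return rec

def summarize(lines, depth=1):
    """Group regular files by their first `depth` path components and return
    {prefix: {files, bytes, containers}} so the heaviest subtrees stand out."""
    summary = defaultdict(lambda: {"files": 0, "bytes": 0, "containers": 0})
    for line in lines:
        rec = parse_bodyfile_line(line)
        # skip malformed lines and directory entries (mode string starts "d/")
        if rec is None or rec["mode"].startswith("d/"):
            continue
        key = "/" + "/".join(rec["name"].strip("/").split("/")[:depth])
        s = summary[key]
        s["files"] += 1
        s["bytes"] += rec["size"]
        if CONTAINER_EXT.search(rec["name"]):
            s["containers"] += 1
    return dict(summary)

# Constructed sample lines, not real tsk_gettimes output.
SAMPLE = [
    "0|/etc/passwd|12|r/rrw-r--r--|0|0|1834|1452800000|1452800000|1452800000|0",
    "0|/home|2|d/drwxr-xr-x|0|0|4096|1452800000|1452800000|1452800000|0",
    "0|/home/u/backup/old.tar.gz|4001|r/rrw-r--r--|1000|1000|7340032000|1452800000|1452800000|1452800000|0",
    "0|/home/u/vm/win7.vmdk|4002|r/rrw-r--r--|1000|1000|53687091200|1452800000|1452800000|1452800000|0",
    "0|/home/u/notes.txt (deleted)|4003|r/rrw-r--r--|1000|1000|120|1452800000|1452800000|1452800000|0",
    "garbage line",
]
```

Pass the open tsk_gettimes output file to summarize() and sort the result by bytes; raise depth if your output prefixes every path with an image or volume label.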