Re: [sleuthkit-users] Autopsy re-ingesting
From: Richard C. <rco...@ba...> - 2016-12-05 15:28:38
There currently is no documentation of module dependencies, but I can sum it up simply for the core modules that ship with Autopsy: run the hash lookup and file type identification modules first, and always run the file type identification module. The reason is that other modules can be configured to skip known files and several modules need to know file types. In fact, some modules will run file type detection if it has not already been done. Also, running these modules tends to load file content into cache memory.

I agree that it would be nice to have finer-grained control of the ingest process and prevention of artifact duplication. However, please be aware that although Basis Technology donates resources to Autopsy development, major features are generally added when Basis customers paying for Autopsy customization request them. Often these funded features go directly into open source Autopsy, to the benefit of the entire community. The features we are discussing are not currently being developed, but they are reasonably high on the list of potential future enhancements.

Richard Cordovano
Autopsy and Autopsy Customization Team Leads
Basis Technology

On Mon, Dec 5, 2016 at 9:55 AM, Alessandro Fiorenzi <ale...@al...> wrote:

> Sorry, I have the same problem as Nanni, and believe a resume function
> would be appreciated for two reasons:
> - it does not duplicate data
> - it saves analysis time
>
> Instead of a warning about a previous ingest module x session, I think it
> would be better to have a resume function or, if that is impossible, to
> clear all data so as not to have duplicates.
>
> Is there a flow diagram of ingest module dependencies, so as to start
> some tasks before and the others later? This is because I have experienced
> analysis times of 48/72 hours on disks greater than 500GB/1TB, and doing
> modular execution could save time.
>
> Alessandro Fiorenzi
> Studio Fiorenzi
> http://www.studiofiorenzi.it
>
> 2016-12-05 15:22 GMT+01:00 Richard Cordovano <rco...@ba...>:
>
>> It is not currently possible to stop an ingest job (i.e., a data source
>> [e.g., an image], a set of ingest modules, and the settings for those
>> modules) or an individual ingest module and later start again where you
>> left off. Instead, you will have an incomplete set of results (artifacts,
>> carved files, etc.). On a related note, if you run the same ingest modules
>> on the same inputs, duplicate results (artifacts, carved files, etc.) will
>> be generated. However, we have recently implemented an ingest history
>> feature, which among other things, warns users if a particular module is
>> about to be used to analyze the same input data source. This feature uses
>> case database tables that relate ingest modules by version to data sources,
>> and is a first step towards more comprehensive tracking of what has been
>> executed by Autopsy.
>>
>> Richard Cordovano
>> Autopsy and Autopsy Customization Teams Lead
>> Basis Technology
>>
>> On Sun, Dec 4, 2016 at 7:22 AM, Nanni Bassetti <dig...@gm...> wrote:
>>
>>> Hi all,
>>> it seems that if you stop some ingesting engines, when you restart them,
>>> they start again from the beginning...why?
>>> Is it possible to restart them from the breaking point?
>>> Thanks
>>>
>>> --
>>> Dott. Nanni Bassetti
>>> http://www.nannibassetti.com
>>> CAINE project manager - http://www.caine-live.net
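Added example, not part of the thread and not Autopsy code: a sketch of the two points made in the messages above, ordering the core modules (hash lookup and file type identification first, file type identification always included) and consulting an ingest history that relates module versions to data sources before re-running them. The table and column names, the version strings and the sample rows are assumptions constructed for illustration; they are not taken from Autopsy's case database schema.

```python
import sqlite3

# Simplified stand-in for ingest history tables (names are assumptions).
SCHEMA = """
CREATE TABLE ingest_modules (module_id INTEGER PRIMARY KEY, name TEXT, version TEXT);
CREATE TABLE ingest_jobs (job_id INTEGER PRIMARY KEY, data_source_id INTEGER, status TEXT);
CREATE TABLE ingest_job_modules (job_id INTEGER, module_id INTEGER);
"""
# Per the message: these run first, and file type identification always runs.
RUN_FIRST = ["Hash Lookup", "File Type Identification"]
ALWAYS = "File Type Identification"


def build_sample_case():
    """Constructed history: one completed and one cancelled job on data source 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ingest_modules VALUES (?, ?, ?)", [
        (1, "Hash Lookup", "4.3.0"),
        (2, "File Type Identification", "4.3.0"),
        (3, "Keyword Search", "4.3.0"),
    ])
    conn.executemany("INSERT INTO ingest_jobs VALUES (?, ?, ?)", [
        (10, 1, "COMPLETED"), (11, 1, "CANCELLED"),
    ])
    conn.executemany("INSERT INTO ingest_job_modules VALUES (?, ?)", [
        (10, 1), (10, 2), (11, 3),
    ])
    return conn


def plan_ingest(conn, data_source_id, selected, installed):
    """Return (run order, earlier runs of the same module version on this source).

    selected: module names chosen by the examiner; installed: name -> version.
    Cancelled jobs are reported too, since they left partial results behind.
    """
    names = set(selected) | {ALWAYS}
    ordered = [m for m in RUN_FIRST if m in names]
    ordered += [m for m in selected if m not in RUN_FIRST]
    rows = conn.execute(
        """SELECT m.name, m.version, j.job_id, j.status
           FROM ingest_jobs j
           JOIN ingest_job_modules jm ON jm.job_id = j.job_id
           JOIN ingest_modules m ON m.module_id = jm.module_id
           WHERE j.data_source_id = ?
           ORDER BY j.job_id, m.module_id""", (data_source_id,)).fetchall()
    repeats = [r for r in rows if r[0] in names and installed.get(r[0]) == r[1]]
    return ordered, repeats
```

Each row in the second return value is a module whose re-run would add duplicate results to the case; a `CANCELLED` status marks a run that was stopped and left an incomplete result set.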