Re: [sleuthkit-users] Errors with Autopsy
From: DePriest, J. R. <jrd...@gm...> - 2006-03-16 23:13:15
The browser shouldn't be refreshing on its own.

The hard disk drive image and the sleuthkit evidence locker are on an external hard disk drive connected via firewire. Is it possible that there is a latency issue?

I ask that because the drive is connected to a Windows 2003 Server, and the server has Diskeeper on it, and Diskeeper was set with its 'Set it and forget settings' and was trying to defrag the drive at the same time I was extracting strings. The once an hour time frame would fit with Diskeeper being the culprit as it tries to run approximately every hour.

The external drive is low on disk space, so I am moving my disk image files from a 300 GB external drive to a 1 TB external drive and I will hopefully try the extraction again tomorrow after disabling Diskeeper.

-Jason

On 3/16/06, Brian Carrier <> wrote:
> That is strange. It looks like they are starting every hour. Is your
> web browser refreshing somehow and starting a new process? Every time
> the page loads the extraction will start again (kind of like how
> refreshing a web page can cause your credit card to be charged twice).
>
> brian
>
> DePriest, Jason R. wrote:
> > While I am not getting the error with Caseman.pm, I am still having
> > strange issues. It continues to spawn multiple sets of perl, dls, and
> > srch_strings. And it continues to create multiple output files.
> > The extraction I started yesterday is still running and here is what
> > the running programs and file system look like.
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > A70067@ebizsrvb ~
> > $ ps -s
> >   PID TTY     STIME COMMAND
> >   300   0  16:56:56 /usr/bin/rxvt
> >  2452   1  16:56:57 /usr/bin/bash
> >  3680   1  17:02:52 /usr/bin/perl
> >  6128   1  17:03:55 /usr/bin/perl
> >  4648   1  17:03:56 /usr/bin/sh
> >  3756   1  17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
> >  4484   1  17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  4772   1  18:03:58 /usr/bin/perl
> >  3064   1  18:04:04 /usr/bin/sh
> >  3304   1  18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
> >  3860   1  18:04:07 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  4844   1  19:04:03 /usr/bin/perl
> >  6036   1  19:04:06 /usr/bin/sh
> >   664   1  19:04:07 /sleuthkit/sleuthkit-2.03/bin/dls
> >  4984   1  19:04:08 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  5000   1  20:04:08 /usr/bin/perl
> >  2344   1  20:04:16 /usr/bin/sh
> >  5840   1  20:04:17 /sleuthkit/sleuthkit-2.03/bin/dls
> >  5272   1  20:04:18 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  5548   1  21:04:16 /usr/bin/perl
> >  5480   1  21:04:27 /usr/bin/sh
> >  4656   1  21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
> >   660   1  21:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  6136   1  22:04:22 /usr/bin/perl
> >   824   1  22:04:27 /usr/bin/sh
> >  3720   1  22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  1904   1  22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> >  2360   1  23:04:27 /usr/bin/perl
> >  1484   1  23:04:30 /usr/bin/sh
> >  1296   1  23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> >  5980   1  23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  5668   1  00:04:28 /usr/bin/perl
> >   420   1  00:04:32 /usr/bin/sh
> >  4572   1  00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> >  4904   1  00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  4124   1  01:04:29 /usr/bin/perl
> >  4820   1  01:04:35 /usr/bin/sh
> >  3416   1  01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
> >  5924   1  01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  6112   1  02:04:30 /usr/bin/perl
> >  4360   1  02:04:33 /usr/bin/sh
> >  5908   1  02:04:34 /sleuthkit/sleuthkit-2.03/bin/dls
> >  4796   1  02:04:35 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  5788   1  03:04:32 /usr/bin/perl
> >  6072   1  03:04:34 /usr/bin/sh
> >  4288   1  03:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> >  5776   1  03:04:36 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  1412   1  04:04:33 /usr/bin/perl
> >  3244   1  04:04:34 /usr/bin/sh
> >  5440   1  04:04:37 /sleuthkit/sleuthkit-2.03/bin/dls
> >  5208   1  04:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  5536   1  05:04:34 /usr/bin/perl
> >  4512   1  05:04:38 /usr/bin/sh
> >  5180   1  05:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  3256   1  05:04:39 /sleuthkit/sleuthkit-2.03/bin/dls
> >  5996   1  06:04:37 /usr/bin/perl
> >  4528   1  06:04:38 /usr/bin/sh
> >  4540   1  06:04:40 /sleuthkit/sleuthkit-2.03/bin/dls
> >  5604   1  06:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  1924   1  07:04:38 /usr/bin/perl
> >  4472   1  07:04:41 /usr/bin/sh
> >  3984   1  07:04:42 /sleuthkit/sleuthkit-2.03/bin/dls
> >  5052   1  07:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  5828   1  08:04:40 /usr/bin/perl
> >   228   1  08:04:43 /usr/bin/sh
> >  5756   1  08:04:44 /sleuthkit/sleuthkit-2.03/bin/dls
> >  4160   1  08:04:45 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  5820   1  09:04:42 /usr/bin/perl
> >  2748   1  09:04:43 /usr/bin/sh
> >  5912   1  09:04:45 /sleuthkit/sleuthkit-2.03/bin/dls
> >  3900   1  09:04:46 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  5560   2  10:00:33 /usr/bin/rxvt
> >  4188   3  10:00:38 /usr/bin/bash
> >  4208   1  10:04:46 /usr/bin/perl
> >  6108   1  10:04:48 /usr/bin/sh
> >  4448   1  10:04:50 /sleuthkit/sleuthkit-2.03/bin/dls
> >  3652   1  10:04:51 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> >  4548   3  10:05:20 /usr/bin/ps
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output>dir
> >  Volume in drive F is Store01
> >  Volume Serial Number is E8EA-BBB0
> >
> >  Directory of F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output
> >
> > 03/16/2006  10:04 AM    <DIR>          .
> > 03/16/2006  10:04 AM    <DIR>          ..
> > 03/15/2006  06:04 PM     1,273,554,944 hdd.raw-0-0-ntfs-1.asc
> > 03/16/2006  03:04 AM       294,304,768 hdd.raw-0-0-ntfs-10.asc
> > 03/16/2006  04:04 AM       228,928,512 hdd.raw-0-0-ntfs-11.asc
> > 03/16/2006  05:04 AM       159,662,080 hdd.raw-0-0-ntfs-12.asc
> > 03/16/2006  06:04 AM       114,588,672 hdd.raw-0-0-ntfs-13.asc
> > 03/16/2006  07:04 AM     1,130,283,008 hdd.raw-0-0-ntfs-14.asc
> > 03/16/2006  08:04 AM        59,233,280 hdd.raw-0-0-ntfs-15.asc
> > 03/16/2006  09:04 AM         9,054,208 hdd.raw-0-0-ntfs-16.asc
> > 03/16/2006  10:04 AM            18,432 hdd.raw-0-0-ntfs-17.asc
> > 03/15/2006  07:04 PM       952,222,720 hdd.raw-0-0-ntfs-2.asc
> > 03/15/2006  08:04 PM       651,894,784 hdd.raw-0-0-ntfs-3.asc
> > 03/15/2006  09:04 PM    10,184,050,688 hdd.raw-0-0-ntfs-4.asc
> > 03/15/2006  10:04 PM       425,999,360 hdd.raw-0-0-ntfs-5.asc
> > 03/15/2006  11:04 PM       393,921,536 hdd.raw-0-0-ntfs-6.asc
> > 03/16/2006  12:04 AM       374,238,208 hdd.raw-0-0-ntfs-7.asc
> > 03/16/2006  01:04 AM       345,949,184 hdd.raw-0-0-ntfs-8.asc
> > 03/16/2006  02:04 AM       323,683,328 hdd.raw-0-0-ntfs-9.asc
> > 03/15/2006  05:03 PM     2,038,089,728 hdd.raw-0-0-ntfs.asc
> >               18 File(s) 18,959,677,440 bytes
> >                2 Dir(s)  71,763,845,120 bytes free
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> > Is this normal, expected behavior?
> >
> > -Jason
> >
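
An added example, not part of the original messages and not Autopsy code: a Python check that confirms the hourly cadence discussed in this thread by grouping the start times in a `ps -s` listing per command. The function names, the 120-second tolerance and the choice of rows (a subset taken from the listing above, spanning midnight) are assumptions of this example.

```python
from collections import defaultdict

# Subset of rows from the `ps -s` listing in the thread, spanning midnight.
SAMPLE = """\
  PID TTY     STIME COMMAND
  300   0  16:56:56 /usr/bin/rxvt
 2452   1  16:56:57 /usr/bin/bash
 3720   1  22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
 1904   1  22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
 1296   1  23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
 5980   1  23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
 4572   1  00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
 4904   1  00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
 3416   1  01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
 5924   1  01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
"""

DAY = 24 * 3600

def parse_ps(text):
    """Yield (command, start_seconds) for each 'PID TTY HH:MM:SS COMMAND' row."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # header or malformed row
        h, m, s = (int(x) for x in parts[2].split(":"))
        yield parts[3], h * 3600 + m * 60 + s

def periodic_respawns(text, tolerance=120, min_instances=3):
    """Return {command: mean_gap_seconds} for commands started repeatedly
    at a near-constant interval. Assumes rows are in start order and that
    consecutive starts of one command are less than 24 hours apart."""
    starts = defaultdict(list)
    for cmd, t in parse_ps(text):
        starts[cmd].append(t)
    found = {}
    for cmd, ts in starts.items():
        if len(ts) < min_instances:
            continue
        # Modulo one day so 23:04:31 -> 00:04:35 is a 3604 s gap, not negative.
        gaps = [(b - a) % DAY for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= tolerance for g in gaps):
            found[cmd] = round(mean)
    return found

if __name__ == "__main__":
    for cmd, gap in periodic_respawns(SAMPLE).items():
        print(f"{cmd}: new instance every ~{gap // 60} min")
```

A steady gap of about 3600 seconds with every earlier instance still alive points to something re-triggering the job on a timer, such as a page reload or a scheduled task, rather than one job forking workers.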