Re: [sleuthkit-users] Errors with Autopsy
From: DePriest, J. R. <jrd...@gm...> - 2006-03-17 23:17:00
It is still creating new files every hour. I will give the details of the environment so you can understand what is going on.

I have a Windows 2003 Server with Service Pack 1. This server has two external hard disk drives connected via a FireWire PCI card. One of them is about two years old; it is a Maxtor OneTouch with 300 GB of space. The other is a relatively new La Cie drive with 1 TB of space.

I used to do all of my investigations on my laptop with the 300 GB drive. As hard disk drives have gotten larger, I found myself having to leave my laptop cable-locked to my desk overnight and over weekends just to work with the gigantic images. The server was an attempt to let things run as long as they needed to without keeping me from doing other things.

The server runs Cygwin, which is what I compiled sleuthkit and configured autopsy under. I have to make a slight change to the autopsy launcher to include some paths in the environment, but other than that, I get no errors or problems. I was using the same setup on my laptop for the last two years.

I disabled Diskeeper, set exceptions in the anti-virus software for all directories involved, and turned off the ISS server sensor.

Every hour after I start a scan, it kicks off new processes (while keeping the old ones running) and starts writing to a new file (while still writing to the old one, as well). I have tried linking to the image as a raw disk image with three volume images, and as a single large partition image. Both lead to the same problem.

I am open to suggestions, as I did not have this problem when I was using my laptop as the investigation platform. My laptop is running Windows XP Professional with SP1 and I used a PCMCIA FireWire card. Other than that, the setups are similar. If anything, I have more junk software installed on my laptop than I do on the server.

On 3/16/06, DePriest, Jason R. <> wrote:
> The browser shouldn't be refreshing on its own.
>
> The hard disk drive image and the sleuthkit evidence locker are on an
> external hard disk drive connected via firewire. Is it possible that
> there is a latency issue?
>
> I ask that because the drive is connected to a Windows 2003 Server,
> and the server has Diskeeper on it, and Diskeeper was set with its
> 'Set it and forget settings' and was trying to defrag the drive at the
> same time I was extracting strings.
>
> The once an hour time frame would fit with Diskeeper being the culprit
> as it tries to run approximately every hour.
>
> The external drive is low on disk space, so I am moving my disk image
> files from a 300 GB external drive to a 1 TB external drive and I will
> hopefully try the extraction again tomorrow after disabling Diskeeper.
>
> -Jason
>
> On 3/16/06, Brian Carrier <> wrote:
> > That is strange. It looks like they are starting every hour. Is your
> > web browser refreshing somehow and starting a new process? Every time
> > the page loads the extraction will start again (kind of like how
> > refreshing a web page can cause your credit card to be charged twice).
> >
> > brian
> >
> > DePriest, Jason R. wrote:
> > > While I am not getting the error with Caseman.pm, I am still having
> > > strange issues. It continues to spawn multiple sets of perl, dls, and
> > > srch_strings. And it continues to create multiple output files.
> > > The extraction I started yesterday is still running and here is what
> > > the running programs and file system look like.
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > A70067@ebizsrvb ~
> > > $ ps -s
> > >   PID TTY     STIME COMMAND
> > >   300   0  16:56:56 /usr/bin/rxvt
> > >  2452   1  16:56:57 /usr/bin/bash
> > >  3680   1  17:02:52 /usr/bin/perl
> > >  6128   1  17:03:55 /usr/bin/perl
> > >  4648   1  17:03:56 /usr/bin/sh
> > >  3756   1  17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  4484   1  17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  4772   1  18:03:58 /usr/bin/perl
> > >  3064   1  18:04:04 /usr/bin/sh
> > >  3304   1  18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  3860   1  18:04:07 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  4844   1  19:04:03 /usr/bin/perl
> > >  6036   1  19:04:06 /usr/bin/sh
> > >   664   1  19:04:07 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  4984   1  19:04:08 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  5000   1  20:04:08 /usr/bin/perl
> > >  2344   1  20:04:16 /usr/bin/sh
> > >  5840   1  20:04:17 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  5272   1  20:04:18 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  5548   1  21:04:16 /usr/bin/perl
> > >  5480   1  21:04:27 /usr/bin/sh
> > >  4656   1  21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
> > >   660   1  21:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  6136   1  22:04:22 /usr/bin/perl
> > >   824   1  22:04:27 /usr/bin/sh
> > >  3720   1  22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  1904   1  22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  2360   1  23:04:27 /usr/bin/perl
> > >  1484   1  23:04:30 /usr/bin/sh
> > >  1296   1  23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  5980   1  23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  5668   1  00:04:28 /usr/bin/perl
> > >   420   1  00:04:32 /usr/bin/sh
> > >  4572   1  00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  4904   1  00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  4124   1  01:04:29 /usr/bin/perl
> > >  4820   1  01:04:35 /usr/bin/sh
> > >  3416   1  01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  5924   1  01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  6112   1  02:04:30 /usr/bin/perl
> > >  4360   1  02:04:33 /usr/bin/sh
> > >  5908   1  02:04:34 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  4796   1  02:04:35 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  5788   1  03:04:32 /usr/bin/perl
> > >  6072   1  03:04:34 /usr/bin/sh
> > >  4288   1  03:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  5776   1  03:04:36 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  1412   1  04:04:33 /usr/bin/perl
> > >  3244   1  04:04:34 /usr/bin/sh
> > >  5440   1  04:04:37 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  5208   1  04:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  5536   1  05:04:34 /usr/bin/perl
> > >  4512   1  05:04:38 /usr/bin/sh
> > >  5180   1  05:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  3256   1  05:04:39 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  5996   1  06:04:37 /usr/bin/perl
> > >  4528   1  06:04:38 /usr/bin/sh
> > >  4540   1  06:04:40 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  5604   1  06:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  1924   1  07:04:38 /usr/bin/perl
> > >  4472   1  07:04:41 /usr/bin/sh
> > >  3984   1  07:04:42 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  5052   1  07:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  5828   1  08:04:40 /usr/bin/perl
> > >   228   1  08:04:43 /usr/bin/sh
> > >  5756   1  08:04:44 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  4160   1  08:04:45 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  5820   1  09:04:42 /usr/bin/perl
> > >  2748   1  09:04:43 /usr/bin/sh
> > >  5912   1  09:04:45 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  3900   1  09:04:46 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  5560   2  10:00:33 /usr/bin/rxvt
> > >  4188   3  10:00:38 /usr/bin/bash
> > >  4208   1  10:04:46 /usr/bin/perl
> > >  6108   1  10:04:48 /usr/bin/sh
> > >  4448   1  10:04:50 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  3652   1  10:04:51 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > >  4548   3  10:05:20 /usr/bin/ps
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output>dir
> > >  Volume in drive F is Store01
> > >  Volume Serial Number is E8EA-BBB0
> > >
> > >  Directory of F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output
> > >
> > > 03/16/2006  10:04 AM    <DIR>          .
> > > 03/16/2006  10:04 AM    <DIR>          ..
> > > 03/15/2006  06:04 PM     1,273,554,944 hdd.raw-0-0-ntfs-1.asc
> > > 03/16/2006  03:04 AM       294,304,768 hdd.raw-0-0-ntfs-10.asc
> > > 03/16/2006  04:04 AM       228,928,512 hdd.raw-0-0-ntfs-11.asc
> > > 03/16/2006  05:04 AM       159,662,080 hdd.raw-0-0-ntfs-12.asc
> > > 03/16/2006  06:04 AM       114,588,672 hdd.raw-0-0-ntfs-13.asc
> > > 03/16/2006  07:04 AM     1,130,283,008 hdd.raw-0-0-ntfs-14.asc
> > > 03/16/2006  08:04 AM        59,233,280 hdd.raw-0-0-ntfs-15.asc
> > > 03/16/2006  09:04 AM         9,054,208 hdd.raw-0-0-ntfs-16.asc
> > > 03/16/2006  10:04 AM            18,432 hdd.raw-0-0-ntfs-17.asc
> > > 03/15/2006  07:04 PM       952,222,720 hdd.raw-0-0-ntfs-2.asc
> > > 03/15/2006  08:04 PM       651,894,784 hdd.raw-0-0-ntfs-3.asc
> > > 03/15/2006  09:04 PM    10,184,050,688 hdd.raw-0-0-ntfs-4.asc
> > > 03/15/2006  10:04 PM       425,999,360 hdd.raw-0-0-ntfs-5.asc
> > > 03/15/2006  11:04 PM       393,921,536 hdd.raw-0-0-ntfs-6.asc
> > > 03/16/2006  12:04 AM       374,238,208 hdd.raw-0-0-ntfs-7.asc
> > > 03/16/2006  01:04 AM       345,949,184 hdd.raw-0-0-ntfs-8.asc
> > > 03/16/2006  02:04 AM       323,683,328 hdd.raw-0-0-ntfs-9.asc
> > > 03/15/2006  05:03 PM     2,038,089,728 hdd.raw-0-0-ntfs.asc
> > >               18 File(s) 18,959,677,440 bytes
> > >                2 Dir(s)  71,763,845,120 bytes free
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > >
> > > Is this normal, expected behavior?
> > >
> > > -Jason
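The `ps -s` listing quoted in the thread is itself the evidence that answers "is this normal?": the same perl/sh/dls/srch_strings quartet is started again every hour to the second while the previous copies are still alive, which points at a timer (a reloading page, a scheduler) rather than a hung extraction or a hand re-launch. The script below is an added example written for this thread, not code from The Sleuth Kit or Autopsy (Autopsy is Perl; Python here is an assumption of convenience). It parses Cygwin `ps -s` rows, groups live processes by command, measures the spacing between their start times with the midnight wrap handled (STIME has no date, so 23:04 followed by 00:04 is one hour, not a negative gap), and reports commands whose copies were spawned on a tight cadence. The embedded listing is a trimmed excerpt of the one quoted above; the `min_instances` and `tolerance` thresholds are my own choices.

```python
"""Triage helper: flag commands that are being respawned on a fixed interval
while the earlier copies are still alive, from a Cygwin `ps -s` listing.
Added example for the sleuthkit-users thread; not Autopsy/TSK code."""
import re
from collections import defaultdict
from statistics import mean

# Cygwin `ps -s` rows look like: PID TTY STIME COMMAND (STIME is HH:MM:SS).
# Leading '>' quote markers are tolerated so a pasted e-mail quote parses too.
PS_ROW = re.compile(r"^[>\s]*(\d+)\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+(\S+)")

# Trimmed excerpt of the listing quoted in the thread: four of the hourly
# batches (spanning midnight) plus the shell processes that are not part
# of the pattern.
SAMPLE_PS = """\
  PID TTY     STIME COMMAND
  300   0  16:56:56 /usr/bin/rxvt
 2452   1  16:56:57 /usr/bin/bash
 6136   1  22:04:22 /usr/bin/perl
  824   1  22:04:27 /usr/bin/sh
 3720   1  22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
 1904   1  22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
 2360   1  23:04:27 /usr/bin/perl
 1484   1  23:04:30 /usr/bin/sh
 1296   1  23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
 5980   1  23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
 5668   1  00:04:28 /usr/bin/perl
  420   1  00:04:32 /usr/bin/sh
 4572   1  00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
 4904   1  00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
 4124   1  01:04:29 /usr/bin/perl
 4820   1  01:04:35 /usr/bin/sh
 3416   1  01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
 5924   1  01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
 4548   3  10:05:20 /usr/bin/ps
"""


def parse_ps(text):
    """Return [(pid, tty, start_seconds_since_midnight, command)] per data row."""
    rows = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if not m:  # header line, separator, or blank
            continue
        pid, tty, hh, mm, ss, cmd = m.groups()
        start = int(hh) * 3600 + int(mm) * 60 + int(ss)
        rows.append((int(pid), int(tty), start, cmd))
    return rows


def start_intervals(starts):
    """Seconds between successive start times, in listing order.
    STIME carries no date, so a backwards step (23:04 -> 00:04) is read as
    crossing midnight rather than as a negative gap."""
    gaps = []
    for a, b in zip(starts, starts[1:]):
        d = b - a
        if d < 0:
            d += 86400
        gaps.append(d)
    return gaps


def find_periodic_respawns(text, min_instances=3, tolerance=60):
    """Commands with at least `min_instances` live copies whose start times
    are evenly spaced to within `tolerance` seconds.  A single hung job gives
    one copy, a human re-launching gives ragged gaps, a timer (page reload,
    scheduler) gives a tight regular cadence like the one in this thread."""
    by_cmd = defaultdict(list)
    for _pid, _tty, start, cmd in parse_ps(text):
        by_cmd[cmd].append(start)
    report = {}
    for cmd, starts in by_cmd.items():
        if len(starts) < min_instances:
            continue
        gaps = start_intervals(starts)
        avg = mean(gaps)
        jitter = max(abs(g - avg) for g in gaps)
        if jitter <= tolerance:
            report[cmd] = {
                "instances": len(starts),
                "mean_interval_s": round(avg),
                "max_jitter_s": round(jitter, 1),
            }
    return report


if __name__ == "__main__":
    for cmd, info in find_periodic_respawns(SAMPLE_PS).items():
        print(f"{cmd}: {info['instances']} live copies, one every "
              f"~{info['mean_interval_s']} s (jitter {info['max_jitter_s']} s)")
```

Run against the excerpt it reports four live copies each of perl, sh, dls and srch_strings spaced about 3602 s apart with under three seconds of jitter, and nothing for rxvt, bash or ps. On a live box you would feed it `ps -s` output directly; the regular sub-minute drift between batches is the detail worth keeping, since a defragmenter or anti-virus stall would slow the extraction but would not create new, evenly scheduled copies of it.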