Re: [sleuthkit-users] Errors with Autopsy
From: DePriest, J. R. <jrd...@gm...> - 2006-03-22 22:13:45
I may have found my problem. After lots of experimenting with shutting down services and moving files to different drives, it looks like it was the web browser after all. I have no idea why, but it does "something" every hour that kicks off a new set of apps to extract the strings. Maybe if the page being displayed doesn't change for an hour, it automatically refreshes it or something. I just closed IE after the extraction started. It has been 1 hour and 10 minutes, and I still only have one set of processes and one file of extracted strings.

-Jason

On 3/17/06, DePriest, Jason R. <> wrote:
> It is still creating new files every hour.
> I will give the details of the environment so you can understand what
> is going on.
>
> I have a Windows 2003 Server with Service Pack 1. This server has two
> external hard disk drives connected via a FireWire PCI card. One of
> them is about two years old; it is a Maxtor OneTouch with 300 GB of
> space. The other is a relatively new La Cie drive with 1 TB of space.
> I used to do all of my investigations on my laptop with the 300 GB
> drive. As hard disk drives have gotten larger, I found myself having
> to leave my laptop cable-locked to my desk overnight and over weekends
> just to work with the gigantic images.
> The server was an attempt to let things run as long as they needed to
> without keeping me from doing other things.
>
> The server runs Cygwin, which is what I compiled sleuthkit and
> configured autopsy under. I have to make a slight change to the
> autopsy launcher to include some paths in the environment, but other
> than that, I get no errors or problems. I was using the same setup
> on my laptop for the last two years.
>
> I disabled Diskeeper, set exceptions in the anti-virus software for
> all directories involved, and turned off the ISS server sensor.
>
> Every hour after I start a scan, it kicks off new processes (while
> keeping the old ones running) and starts writing to a new file (while
> still writing to the old one, as well).
>
> I have tried linking to the image as a raw disk image with three
> volume images, and as a single large partition image.
>
> Both lead to the same problem.
>
> I am open to suggestions, as I did not have this problem when I was
> using my laptop as the investigation platform. My laptop is running
> Windows XP Professional with SP1 and I used a PCMCIA FireWire card.
> Other than that, the setups are similar. If anything, I have more junk
> software installed on my laptop than I do on the server.
>
> On 3/16/06, DePriest, Jason R. <> wrote:
> > The browser shouldn't be refreshing on its own.
> >
> > The hard disk drive image and the sleuthkit evidence locker are on an
> > external hard disk drive connected via FireWire. Is it possible that
> > there is a latency issue?
> >
> > I ask that because the drive is connected to a Windows 2003 Server,
> > and the server has Diskeeper on it, and Diskeeper was set with its
> > 'Set it and forget settings' and was trying to defrag the drive at the
> > same time I was extracting strings.
> >
> > The once-an-hour time frame would fit with Diskeeper being the culprit,
> > as it tries to run approximately every hour.
> >
> > The external drive is low on disk space, so I am moving my disk image
> > files from a 300 GB external drive to a 1 TB external drive and I will
> > hopefully try the extraction again tomorrow after disabling Diskeeper.
> >
> > -Jason
> >
> > On 3/16/06, Brian Carrier <> wrote:
> > > That is strange. It looks like they are starting every hour. Is your
> > > web browser refreshing somehow and starting a new process? Every time
> > > the page loads, the extraction will start again (kind of like how
> > > refreshing a web page can cause your credit card to be charged twice).
> > >
> > > brian
> > >
> > > DePriest, Jason R. wrote:
> > > > While I am not getting the error with Caseman.pm, I am still having
> > > > strange issues. It continues to spawn multiple sets of perl, dls, and
> > > > srch_strings. And it continues to create multiple output files.
> > > > The extraction I started yesterday is still running and here is what
> > > > the running programs and file system look like.
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > A70067@ebizsrvb ~
> > > > $ ps -s
> > > > PID TTY STIME COMMAND
> > > > 300 0 16:56:56 /usr/bin/rxvt
> > > > 2452 1 16:56:57 /usr/bin/bash
> > > > 3680 1 17:02:52 /usr/bin/perl
> > > > 6128 1 17:03:55 /usr/bin/perl
> > > > 4648 1 17:03:56 /usr/bin/sh
> > > > 3756 1 17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4484 1 17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 4772 1 18:03:58 /usr/bin/perl
> > > > 3064 1 18:04:04 /usr/bin/sh
> > > > 3304 1 18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 3860 1 18:04:07 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 4844 1 19:04:03 /usr/bin/perl
> > > > 6036 1 19:04:06 /usr/bin/sh
> > > > 664 1 19:04:07 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4984 1 19:04:08 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5000 1 20:04:08 /usr/bin/perl
> > > > 2344 1 20:04:16 /usr/bin/sh
> > > > 5840 1 20:04:17 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5272 1 20:04:18 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5548 1 21:04:16 /usr/bin/perl
> > > > 5480 1 21:04:27 /usr/bin/sh
> > > > 4656 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 660 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 6136 1 22:04:22 /usr/bin/perl
> > > > 824 1 22:04:27 /usr/bin/sh
> > > > 3720 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 1904 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 2360 1 23:04:27 /usr/bin/perl
> > > > 1484 1 23:04:30 /usr/bin/sh
> > > > 1296 1 23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5980 1 23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5668 1 00:04:28 /usr/bin/perl
> > > > 420 1 00:04:32 /usr/bin/sh
> > > > 4572 1 00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4904 1 00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 4124 1 01:04:29 /usr/bin/perl
> > > > 4820 1 01:04:35 /usr/bin/sh
> > > > 3416 1 01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5924 1 01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 6112 1 02:04:30 /usr/bin/perl
> > > > 4360 1 02:04:33 /usr/bin/sh
> > > > 5908 1 02:04:34 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4796 1 02:04:35 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5788 1 03:04:32 /usr/bin/perl
> > > > 6072 1 03:04:34 /usr/bin/sh
> > > > 4288 1 03:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5776 1 03:04:36 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 1412 1 04:04:33 /usr/bin/perl
> > > > 3244 1 04:04:34 /usr/bin/sh
> > > > 5440 1 04:04:37 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5208 1 04:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5536 1 05:04:34 /usr/bin/perl
> > > > 4512 1 05:04:38 /usr/bin/sh
> > > > 5180 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 3256 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5996 1 06:04:37 /usr/bin/perl
> > > > 4528 1 06:04:38 /usr/bin/sh
> > > > 4540 1 06:04:40 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5604 1 06:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 1924 1 07:04:38 /usr/bin/perl
> > > > 4472 1 07:04:41 /usr/bin/sh
> > > > 3984 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5052 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5828 1 08:04:40 /usr/bin/perl
> > > > 228 1 08:04:43 /usr/bin/sh
> > > > 5756 1 08:04:44 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4160 1 08:04:45 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5820 1 09:04:42 /usr/bin/perl
> > > > 2748 1 09:04:43 /usr/bin/sh
> > > > 5912 1 09:04:45 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 3900 1 09:04:46 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5560 2 10:00:33 /usr/bin/rxvt
> > > > 4188 3 10:00:38 /usr/bin/bash
> > > > 4208 1 10:04:46 /usr/bin/perl
> > > > 6108 1 10:04:48 /usr/bin/sh
> > > > 4448 1 10:04:50 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 3652 1 10:04:51 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 4548 3 10:05:20 /usr/bin/ps
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output>dir
> > > > Volume in drive F is Store01
> > > > Volume Serial Number is E8EA-BBB0
> > > >
> > > > Directory of F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output
> > > >
> > > > 03/16/2006 10:04 AM <DIR> .
> > > > 03/16/2006 10:04 AM <DIR> ..
> > > > 03/15/2006 06:04 PM 1,273,554,944 hdd.raw-0-0-ntfs-1.asc
> > > > 03/16/2006 03:04 AM 294,304,768 hdd.raw-0-0-ntfs-10.asc
> > > > 03/16/2006 04:04 AM 228,928,512 hdd.raw-0-0-ntfs-11.asc
> > > > 03/16/2006 05:04 AM 159,662,080 hdd.raw-0-0-ntfs-12.asc
> > > > 03/16/2006 06:04 AM 114,588,672 hdd.raw-0-0-ntfs-13.asc
> > > > 03/16/2006 07:04 AM 1,130,283,008 hdd.raw-0-0-ntfs-14.asc
> > > > 03/16/2006 08:04 AM 59,233,280 hdd.raw-0-0-ntfs-15.asc
> > > > 03/16/2006 09:04 AM 9,054,208 hdd.raw-0-0-ntfs-16.asc
> > > > 03/16/2006 10:04 AM 18,432 hdd.raw-0-0-ntfs-17.asc
> > > > 03/15/2006 07:04 PM 952,222,720 hdd.raw-0-0-ntfs-2.asc
> > > > 03/15/2006 08:04 PM 651,894,784 hdd.raw-0-0-ntfs-3.asc
> > > > 03/15/2006 09:04 PM 10,184,050,688 hdd.raw-0-0-ntfs-4.asc
> > > > 03/15/2006 10:04 PM 425,999,360 hdd.raw-0-0-ntfs-5.asc
> > > > 03/15/2006 11:04 PM 393,921,536 hdd.raw-0-0-ntfs-6.asc
> > > > 03/16/2006 12:04 AM 374,238,208 hdd.raw-0-0-ntfs-7.asc
> > > > 03/16/2006 01:04 AM 345,949,184 hdd.raw-0-0-ntfs-8.asc
> > > > 03/16/2006 02:04 AM 323,683,328 hdd.raw-0-0-ntfs-9.asc
> > > > 03/15/2006 05:03 PM 2,038,089,728 hdd.raw-0-0-ntfs.asc
> > > > 18 File(s) 18,959,677,440 bytes
> > > > 2 Dir(s) 71,763,845,120 bytes free
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > >
> > > > Is this normal, expected behavior?
> > > >
> > > > -Jason
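The process listing quoted in this thread shows the signature of a job that is being re-launched on a timer rather than running once: the same four commands (perl, sh, dls, srch_strings) appear again at roughly the same minute past every hour. The script below is an added illustration of how to confirm that pattern mechanically; it is not code from Autopsy, The Sleuth Kit, or anyone in this thread. It parses Cygwin-style `ps -s` output (PID TTY STIME COMMAND) and reports commands whose consecutive start times are one period apart. The sample input is a trimmed subset of the listing above, chosen so that it crosses midnight; the function names `parse_ps` and `find_periodic_spawns`, the 120-second tolerance and the minimum of three occurrences are my own choices.

```python
"""Spot commands that are re-launched on a fixed period in ps-style output.

Added example for the hourly re-spawn discussed in this thread; not part of
Autopsy or The Sleuth Kit. Input format is Cygwin `ps -s`: PID TTY STIME COMMAND.
"""
from collections import defaultdict

# Constructed sample: a trimmed subset of the `ps -s` listing quoted in the
# thread, covering five hourly sets and the wrap from 23:04 to 00:04.
SAMPLE_PS = """\
PID TTY STIME COMMAND
300 0 16:56:56 /usr/bin/rxvt
2452 1 16:56:57 /usr/bin/bash
5548 1 21:04:16 /usr/bin/perl
5480 1 21:04:27 /usr/bin/sh
4656 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
660 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
6136 1 22:04:22 /usr/bin/perl
824 1 22:04:27 /usr/bin/sh
3720 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
1904 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
2360 1 23:04:27 /usr/bin/perl
1484 1 23:04:30 /usr/bin/sh
1296 1 23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
5980 1 23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5668 1 00:04:28 /usr/bin/perl
420 1 00:04:32 /usr/bin/sh
4572 1 00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
4904 1 00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4124 1 01:04:29 /usr/bin/perl
4820 1 01:04:35 /usr/bin/sh
3416 1 01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
5924 1 01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4548 3 10:05:20 /usr/bin/ps
"""

DAY = 24 * 3600


def parse_ps(text):
    """Return [(pid, command, start_seconds_of_day), ...] in listing order.

    Lines whose first field is not a PID (the header, blank lines) are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        pid, _tty, stime, command = parts
        h, m, s = (int(x) for x in stime.split(":"))
        rows.append((int(pid), command, h * 3600 + m * 60 + s))
    return rows


def find_periodic_spawns(text, period=3600, tolerance=120, min_count=3):
    """Map command -> number of copies, for commands started every `period` s.

    STIME only carries time of day, so gaps are taken modulo one day: the
    step from 23:04 to 00:04 folds to about 3600 s instead of a large
    negative number. Listing order is kept deliberately; sorting by time of
    day would move the post-midnight entries in front of the evening ones.
    """
    by_cmd = defaultdict(list)
    for _pid, command, start in parse_ps(text):
        by_cmd[command].append(start)
    hits = {}
    for command, starts in by_cmd.items():
        if len(starts) < min_count:
            continue
        gaps = [(b - a) % DAY for a, b in zip(starts, starts[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            hits[command] = len(starts)
    return hits


if __name__ == "__main__":
    for command, n in sorted(find_periodic_spawns(SAMPLE_PS).items()):
        print(f"{command}: {n} copies started about one hour apart")
```

Run against the sample, the four extraction commands are reported with five copies each, while rxvt, bash and ps (single occurrences) are not. The same check applies to the output directory listing quoted above: the hdd.raw-0-0-ntfs-N.asc files carry hourly timestamps for the same reason, so either view is enough to rule out a latency or defragmentation explanation and point at something that re-issues the request that starts the job.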