sleuthkit-users Mailing List for The Sleuth Kit (Page 14)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

It looks like you are overtaxing your system with too many file ingest
threads.The error notifications you are getting should not be considered to
be typical and look to be symptomatic of a system struggling with out of
memory errors. Based on your ingest progress snapshot, all file level
analysis has been completed except keyword search, which is the most memory
intensive aspect of Autopsy data source ingest.

>> The system has dual Xeon x5550 2.66 quad core processors...I’ve set
number of threads to 12 as suggested by the Options dialog.

We generally recommend at most one file ingest thread per core, and the
code for the Autopsy options dialog is even more conservative. For the
system you describe, I would expect the Java library we use to detect the
available processors (java.lang.Runtime.getRuntime().availableProcessors())
would return eight (
http://ark.intel.com/products/37106/Intel-Xeon-Processor-X5550-8M-Cache-2_66-GHz-6_40-GTs-Intel-QPI),
which would indeed give you a recommendation of only six file ingest
threads! However, it appears that the Java lib is reporting the
"hyperthreads" (sixteen) rather than the cores, which would indeed result
in a recommendation of twelve threads. We will need to look into this
further! In the mean time, the best advice I can give you is back way off
on file ingest threads.

Sincerely,
Richard Cordovano
Basis Technology

On Wed, Sep 14, 2016 at 6:04 PM, MATT PIERCE <mat...@ad...> wrote:

> I’m working a case and again have issues with performance using Autopsy.
> I have setup a dedicated server for running Autopsy.  In two days of ingest
> I’m at 45%.  In 8 hours it has only progressed 7%. I was hoping someone can
> spot where my bottle neck is?
>
>
>
> The system has dual Xeon x5550 2.66 quad core processors.  24 GB RAM.
> Windows 2012 R2 x64.   The case drive is an OCZ Revo 350 PCIe SSD.  Autopsy
> is loaded on a Raid0 15k SAS volume.
>
>
>
> Autopsy Load.
>
> Product Version: Autopsy 4.1.1 (RELEASE) Sleuth Kit Version: 4.2.0
> Netbeans RCP Build: 201510222201 Java: 1.8.0_92; Java HotSpot(TM) 64-Bit
> Server VM 25.92-b14 System: Windows Server 2012 R2 version 6.3 running on
> amd64; Cp1252; en_US (autopsy)
>
>
>
> The image is from a Windows 7 workstation.  FTKimager took the disk image
> in E01 format.  I have the NSRL known good hash database loaded.  I’ve set
> number of threads to 12 as suggested by the Options dialog.  I’m running
> the default ingest process with no 3rd party modules.
>
>
>
> Performance Diagnostics
>
>
>
> Ingest Progress Snapshot
>
>
>
> 1              IDLE                                       Wed Sep 14
> 01:10:44 CDT 2016   15:49:08.024       0
>
> 2              Keyword Search               2016-08-31-1-1.E01
> image1.emf        Wed Sep 14 16:59:26 CDT 2016   0:00:25.759
> 2
>
> 3              IDLE                                       Wed Sep 14
> 16:59:26 CDT 2016   0:00:25.758         0
>
> 4              Keyword Search               2016-08-31-1-1.E01
> image1.emf        Wed Sep 14 16:59:26 CDT 2016   0:00:25.798
> 2
>
> 5              IDLE                                       Wed Sep 14
> 16:59:26 CDT 2016   0:00:25.764         0
>
> 6              Keyword Search               2016-08-31-1-1.E01
> image1.emf        Wed Sep 14 16:59:26 CDT 2016   0:00:25.759
> 2
>
> 7              Keyword Search               2016-08-31-1-1.E01
> image1.emf        Wed Sep 14 16:59:26 CDT 2016   0:00:26.155
> 2
>
> 8              Keyword Search               2016-08-31-1-1.E01
> image1.emf        Wed Sep 14 16:59:26 CDT 2016   0:00:26.132
> 2
>
> 9              IDLE                                       Wed Sep 14
> 16:59:26 CDT 2016   0:00:25.742         0
>
> 10           IDLE                                       Wed Sep 14
> 16:59:26 CDT 2016   0:00:25.812         0
>
> 11           Keyword Search               2016-08-31-1-1.E01
> image1.emf        Wed Sep 14 16:59:26 CDT 2016   0:00:26.120
> 2
>
> 12           IDLE                                       Wed Sep 14
> 16:59:26 CDT 2016   0:00:25.811         0
>
> 13           Keyword Search               2016-08-31-1-1.E01
> image1.emf        Wed Sep 14 16:59:26 CDT 2016   0:00:26.155
> 2
>
>
>
> 2              2016-08-31-1-1.E01          15:23:00               193034
> 2.0938940654524942       84           2              36
> 34           0
>
>
>
> Keyword Search               155:52:59.626 (36%)
>
> File Type Identification  139:55:17.562 (32%)
>
> Hash Lookup      48:49:44.445 (11%)
>
> Embedded File Extractor              46:01:20.323 (10%)
>
> Email Parser       28:37:58.461 (6%)
>
> Extension Mismatch Detector    4:51:51.763 (1%)
>
> Exif Parser           1:41:39.597 (0%)
>
> PhotoRec Carver              0:00:04.762 (0%)
>
> Interesting Files Identifier            0:00:00.105 (0%)
>
>
>
> I get a bunch of errors but that is pretty typical.
>
>
>
>
> ------------------------------------------------------------
> ------------------
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>

2002	Jan	Feb	Mar	Apr	May	Jun	Jul (6)	Aug	Sep (11)	Oct (5)	Nov (4)	Dec
2003	Jan (1)	Feb (20)	Mar (60)	Apr (40)	May (24)	Jun (28)	Jul (18)	Aug (27)	Sep (6)	Oct (14)	Nov (15)	Dec (22)
2004	Jan (34)	Feb (13)	Mar (28)	Apr (23)	May (27)	Jun (26)	Jul (37)	Aug (19)	Sep (20)	Oct (39)	Nov (17)	Dec (9)
2005	Jan (45)	Feb (43)	Mar (66)	Apr (36)	May (19)	Jun (64)	Jul (10)	Aug (11)	Sep (35)	Oct (6)	Nov (4)	Dec (13)
2006	Jan (52)	Feb (34)	Mar (39)	Apr (39)	May (37)	Jun (15)	Jul (13)	Aug (48)	Sep (9)	Oct (10)	Nov (47)	Dec (13)
2007	Jan (25)	Feb (4)	Mar (2)	Apr (29)	May (11)	Jun (19)	Jul (13)	Aug (15)	Sep (30)	Oct (12)	Nov (10)	Dec (13)
2008	Jan (2)	Feb (54)	Mar (58)	Apr (43)	May (10)	Jun (27)	Jul (25)	Aug (27)	Sep (48)	Oct (69)	Nov (55)	Dec (43)
2009	Jan (26)	Feb (36)	Mar (28)	Apr (27)	May (55)	Jun (9)	Jul (19)	Aug (16)	Sep (15)	Oct (17)	Nov (70)	Dec (21)
2010	Jan (56)	Feb (59)	Mar (53)	Apr (32)	May (25)	Jun (31)	Jul (36)	Aug (11)	Sep (37)	Oct (19)	Nov (23)	Dec (6)
2011	Jan (21)	Feb (20)	Mar (30)	Apr (30)	May (74)	Jun (50)	Jul (34)	Aug (34)	Sep (12)	Oct (33)	Nov (10)	Dec (8)
2012	Jan (23)	Feb (57)	Mar (26)	Apr (14)	May (27)	Jun (27)	Jul (60)	Aug (88)	Sep (13)	Oct (36)	Nov (97)	Dec (85)
2013	Jan (60)	Feb (24)	Mar (43)	Apr (32)	May (22)	Jun (38)	Jul (51)	Aug (50)	Sep (76)	Oct (65)	Nov (25)	Dec (30)
2014	Jan (19)	Feb (41)	Mar (43)	Apr (28)	May (61)	Jun (12)	Jul (10)	Aug (37)	Sep (76)	Oct (31)	Nov (41)	Dec (12)
2015	Jan (33)	Feb (28)	Mar (53)	Apr (22)	May (29)	Jun (20)	Jul (15)	Aug (17)	Sep (52)	Oct (3)	Nov (18)	Dec (21)
2016	Jan (20)	Feb (8)	Mar (21)	Apr (7)	May (13)	Jun (35)	Jul (34)	Aug (11)	Sep (14)	Oct (22)	Nov (31)	Dec (23)
2017	Jan (20)	Feb (7)	Mar (5)	Apr (6)	May (6)	Jun (22)	Jul (11)	Aug (16)	Sep (8)	Oct (1)	Nov (1)	Dec (1)
2018	Jan	Feb	Mar (16)	Apr (2)	May (6)	Jun (5)	Jul	Aug (2)	Sep (4)	Oct	Nov (16)	Dec (13)
2019	Jan	Feb (1)	Mar (25)	Apr (9)	May (2)	Jun (1)	Jul (1)	Aug	Sep	Oct	Nov	Dec
2020	Jan (2)	Feb	Mar (1)	Apr	May (1)	Jun (3)	Jul (2)	Aug	Sep	Oct (5)	Nov	Dec
2021	Jan	Feb	Mar (1)	Apr	May	Jun (4)	Jul (1)	Aug	Sep (1)	Oct	Nov (1)	Dec
2022	Jan	Feb (2)	Mar	Apr	May (2)	Jun	Jul (3)	Aug	Sep	Oct	Nov	Dec
2023	Jan (2)	Feb	Mar (1)	Apr	May	Jun	Jul	Aug	Sep	Oct (1)	Nov	Dec
2024	Jan	Feb (3)	Mar	Apr (1)	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	Jan	Feb	Mar	Apr	May	Jun	Jul (1)	Aug	Sep	Oct	Nov	Dec

sleuthkit-users Mailing List for The Sleuth Kit (Page 14)

sleuthkit-users — List to discuss Autopsy and The Sleuth Kit.