Thread: [sleuthkit-users] Autopsy 4: Add data source wizard Question
From: K M. <km...@ci...> - 2016-01-14 19:56:55
Hello,

How long should the Add Data Source Wizard (Step 3 of 3) take to run?

I got a 3 TB drive that has been running for 5 days now. I see in the progress bar in the pop-up window that it changes directories every now and then.

Also, what is Autopsy doing during this time frame? I ask because I turned all of the ingest modules off except for keyword searches. I've seen that kick off after the Wizard is complete.

Thanks,
K Murphy
From: Ketil F. <ke...@fr...> - 2016-01-14 21:14:10
5 days sounds excessive. Autopsy parses the file system(s), traversing all files and folders it can find, and stores info about this in an SQLite database (unless you've set up a PostgreSQL environment).

Where is the disk image stored: is it on network storage, a USB drive, etc.? Where is your Autopsy case directory stored, and can you see how big the file autopsy.db is? What is the filesystem on the disk image?

Cheers, Ketil
From: K M. <km...@ci...> - 2016-01-19 14:11:28
Your description is what I thought it was doing. I'll answer your questions below.

> Where is the disk image stored, is it on network storage, a USB drive, etc?

I've tried two different things:
1) I originally shared out the drive images via NFS to my Windows machine. Autopsy had no issues doing three of the six drives.
2) I put the largest image on a drive and connected it directly to the machine via USB 3.

Monitoring both situations, there is very little activity either through the network (option 1 from above) or the drive (option 2).

> Where is your autopsy case directory stored, and can you see how big the file autopsy.db is?

Stored on another USB 3 drive in one case. I've got another machine with Autopsy going (same issues) where the case is stored on the C: drive.

The current size of the autopsy.db stored directly on the C: drive is 138,948 KB.

> What is the filesystem on the disk image?

Both drives that have been going for days are EXT3/4.

Both drives are filled with archives (of archives of archives), ISOs, and virtual machine drives. It seems to me that is where it is getting hung up.

Thoughts?

Regards,
K Murphy
From: Brian C. <ca...@sl...> - 2016-01-22 02:09:07
That time does seem way excessive, and the SQLite DB has gotten quite big. Is the DB getting bigger or staying the same?

I can't think of an easy way to debug this. It may be easiest to run the tsk_gettimes command from TSK on the image, which will produce a big text file of the files. After an hour or so, that output may show some insight about what it is spending so much time on.
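To get something out of the tsk_gettimes output Brian suggests, here is an added example (written for this thread; it is not part of The Sleuth Kit or Autopsy) that reads the body file the tool writes (mactime format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, one record per line) and answers the three questions the thread raises: which directories hold most of the files and bytes, which of them are the archives, ISOs and VM disks K Murphy suspects, and where the walk had got to when the file was read (the tail of the file, since records are appended as the walk proceeds). The sample records are constructed; the /img_.../vol_... prefix is an assumption modelled on the way Autopsy names data sources and volumes, and the real prefix depends on the TSK version, so the directory depth is a parameter.

```python
"""Summarise a body file written by tsk_gettimes (or fls -m).

Added example for this thread; not part of The Sleuth Kit or Autopsy.
Body format, one record per line, pipe-separated:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
"""
import os
from collections import defaultdict

# File types the thread suspects of slowing ingest: archives, ISOs, VM disks.
CONTAINER_EXTS = {
    ".zip", ".tar", ".gz", ".tgz", ".bz2", ".xz", ".7z", ".rar",
    ".iso", ".vmdk", ".vdi", ".vhd", ".vhdx", ".qcow2", ".img", ".ova",
}

# Constructed sample input, not real tsk_gettimes output. The /img_.../vol_...
# prefix is an assumption about how TSK names the image and volume.
SAMPLE_BODY = """\
0|/img_disk.dd/vol_vol2/home/kmurphy/backups/archive01.tar.gz|1001|r/rrw-r--r--|1000|1000|5368709120|1452800000|1452800000|1452800000|0
0|/img_disk.dd/vol_vol2/home/kmurphy/backups/archive02.tar.gz|1002|r/rrw-r--r--|1000|1000|2147483648|1452800000|1452800000|1452800000|0
0|/img_disk.dd/vol_vol2/home/kmurphy/vms/win7.vmdk|1003|r/rrw-r--r--|1000|1000|42949672960|1452800000|1452800000|1452800000|0
0|/img_disk.dd/vol_vol2/home/kmurphy/iso/ubuntu.iso|1004|r/rrw-r--r--|1000|1000|1073741824|1452800000|1452800000|1452800000|0
0|/img_disk.dd/vol_vol2/etc/passwd|20|r/rrw-r--r--|0|0|1800|1452800000|1452800000|1452800000|0
0|/img_disk.dd/vol_vol2/etc/shadow|21|r/rrw-r-----|0|42|900|1452800000|1452800000|1452800000|0
0|/img_disk.dd/vol_vol2/var/log/syslog|300|r/rrw-r-----|0|4|4096000|1452800000|1452800000|1452800000|0
0|/img_disk.dd/vol_vol2/home/kmurphy/notes.txt (deleted)|1005|r/rrw-r--r--|1000|1000|120|1452800000|1452800000|1452800000|0
malformed line without enough fields
"""


def parse_body(lines):
    """Parse body-file lines into dicts; skip anything that is not 11 fields."""
    records = []
    for line in lines:
        parts = line.rstrip("\r\n").split("|")
        if len(parts) != 11 or not parts[6].lstrip("-").isdigit():
            continue
        records.append({"name": parts[1], "inode": parts[2], "size": int(parts[6])})
    return records


def summarize_by_dir(records, depth=3):
    """{directory prefix: (file_count, total_bytes)} keyed on the first
    `depth` directory components; raise depth to look past the /img_/vol_ prefix."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        components = rec["name"].lstrip("/").split("/")[:-1]  # drop the file name
        key = "/" + "/".join(components[:depth])
        totals[key][0] += 1
        totals[key][1] += rec["size"]
    return {k: tuple(v) for k, v in totals.items()}


def container_files(records):
    """Records whose extension marks an archive, ISO or VM disk, largest first."""
    found = []
    for rec in records:
        base = rec["name"].rsplit("/", 1)[-1].replace(" (deleted)", "")
        if os.path.splitext(base)[1].lower() in CONTAINER_EXTS:
            found.append(rec)
    return sorted(found, key=lambda r: r["size"], reverse=True)


def tail_paths(records, n=5):
    """Last n paths written: where the walk had got to when the file was read."""
    return [r["name"] for r in records[-n:]]


def report(lines, depth=3):
    records = parse_body(lines)
    out = ["%d records" % len(records), "files/bytes by directory:"]
    by_dir = sorted(summarize_by_dir(records, depth).items(),
                    key=lambda kv: kv[1][1], reverse=True)
    out += ["  %-36s %6d files %15d bytes" % (d, c, b) for d, (c, b) in by_dir]
    out.append("largest container files:")
    out += ["  %15d  %s" % (r["size"], r["name"]) for r in container_files(records)[:10]]
    out.append("last entries written:")
    out += ["  " + p for p in tail_paths(records, 3)]
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BODY.splitlines()
    print(report(source))
```

Usage: run tsk_gettimes against the image with its output redirected to a file (the tool's -v option, which K Murphy refers to below as the verbose option, sends progress to stderr and so does not disturb the body file), then point the script at that file while the walk is still running; rerunning it periodically shows whether the tail is moving and which subtree the new records fall into.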
From: K M. <km...@ci...> - 2016-01-27 21:43:11
It did get bigger over time. But it took days for it to increase.

I eventually killed it and went to Bulk Extract. I was just using Autopsy to do keyword searches.

If there is something you'd like me to try, I still have access to the images.

I'll try tsk_gettimes with the verbose option and see what happens. Then post back.

It would be nice to see exactly what file it is working on during the ingest. I can see the directories but no file names.

K Murphy
From: K M. <km...@ci...> - 2016-01-28 18:54:46
Well, tsk_gettimes worked fine. It got through the entire 3 TB drive in about 1.5 hours under Linux.

I replicated my environment on the Windows side: Linux exporting the dd image via NFS to a Windows 10 box. No issues with tsk_gettimes using Sleuthkit 4.1.3-win32.

Is there something you would like me to try with Autopsy?

Regards,
K Murphy
From: Simson G. <si...@ac...> - 2016-02-12 12:19:42
How does one view the full email header in Autopsy of an email message that was found in an Outlook PST file? It is not obvious to me from the user interface.

Thanks.
From: Brian C. <ca...@sl...> - 2016-02-17 10:32:29
Hi Simson,

At this point, you can't. Though, we could do like we do for HTML files and save the raw headers at the bottom of the message. I'll make a story to do that.

thanks,
brian