Autopsy 4.14.0 Ingestion always blocked at 86%

Hello.
I am a new user of Autopsy.
I installed Autopsy 4.14.0 on Windows 7 Pro.
Before using it, I updated Java (JRE) to 8.update241 (8.0.2410) (build 1.8.0_241_b07).

For a new case, the ingestion starts well and runs until 86%. It stays at 86%, waiting a very long time: 14 hours, for a small image of 60 Gb. After this time, I close it through the menu Case > Exit.

Clicking on the forbidden sense, I obtained the list of one warning and 40 errors. All the errors are about Java.
I can give this list of errors that I noted, but perhaps there is a log of errors.

I tried 4 times, with the same situation: blocked at 86% and the same Java errors.

Thank you in advance for your help.

Kindly.

You can access the case logs through Help->Open Log Folder. Look for recent/large autopsy.log.N files and see if there are errors in there. If so, cut and paste the first five or so stack traces for us to look at.

What ingest modules were you running? What does it say if you click on the progress bar in the bottom right?
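One way to do the triage asked for above, as an added example that is not part of the original thread: it pulls the first few Java stack traces out of `autopsy.log.N` files. The function names and the sample log text are constructed for illustration; the only format assumption is the standard Java stack-trace layout (`at ...` frames and `Caused by:` lines).

```python
import re
from pathlib import Path

# Java stack frame ("<tab>at pkg.Class.method(File.java:12)") or "... 12 more" line.
FRAME = re.compile(r"^\s+at\s+\S+\(.*\)\s*$|^\s*\.\.\. \d+ more\s*$")

def extract_traces(text, limit=5):
    """Return up to `limit` traces; each is the exception line plus its frames."""
    traces, current, prev = [], None, None
    for line in text.splitlines():
        if FRAME.match(line) or (current and line.startswith("Caused by: ")):
            if current is None:
                # The line just before the first frame names the exception.
                current = [prev] if prev else []
            current.append(line)
        elif current is not None:
            traces.append(current)
            current = None
            if len(traces) == limit:
                break
        prev = line
    if current:
        traces.append(current)
    return traces

def first_traces_in_folder(log_dir, limit=5):
    """Scan autopsy.log.N files, most recently modified first."""
    logs = sorted((p for p in Path(log_dir).glob("autopsy.log.*")
                   if p.suffix != ".lck"),  # skip logging lock files, if any
                  key=lambda p: p.stat().st_mtime, reverse=True)
    found = []
    for log in logs:
        # errors="replace" keeps going on non-UTF-8 bytes (e.g. localized messages).
        text = log.read_text(encoding="utf-8", errors="replace")
        found += [(log.name, t) for t in extract_traces(text, limit - len(found))]
        if len(found) >= limit:
            break
    return found

# Constructed sample log text, not taken from the logs discussed in this thread.
SAMPLE = """\
2020-02-15 15:25:40 SEVERE: constructed sample error
java.lang.IllegalStateException: constructed example
\tat example.Indexer.index(Indexer.java:42)
Caused by: java.io.IOException: constructed cause
\tat example.Reader.read(Reader.java:13)
\t... 2 more
java.lang.NullPointerException
\tat example.Parser.parse(Parser.java:99)
"""
```

Point `first_traces_in_folder` at the folder opened by Help->Open Log Folder, or at the “logs” folder of the case directory.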

Thank you, Apriestman, for your answer.

The tree for the logs I have is
[myself]\AppData\Roaming\autopsy\var\log.
I do not have the directory “recent”.

During the ingestion, I do not have the “Analyzing file from …”, nor “RecentActivity for …”.
I have only one line like those you show (with (1 more), and the 86%).

I use Autopsy 4.14.0 for Windows 64 bits.

I shall uninstall Autopsy and reinstall it. And test again, for a better situation. And I will come back to you after this.

Kindly.

No, there’s no folder named “recent”. I just meant that it would have been modified recently. You can also look in your individual case logs, which are stored under the “logs” folder in your case directory. That might be the easiest place to find the “autopsy.log.0” file.

Hello Apriestman.
I come back to you after a new test, with the same result: Autopsy 4.14.0 64 bits blocked at 86%.

I have a file CopyLogs.zip which contains all the logs at each step. But I can’t add it to the post (the forum only accepts .jpg files; I tried renaming the .zip to .jpg, but it was not accepted). Can you give me a possibility to send you the CopyLogs.zip? This file is necessary.

I uninstalled Autopsy and reinstalled Autopsy 4.14.0 for Windows 64 bits.
The version of Java is…

All the tests were done on the 15th (February).

I ran Autopsy a first time without creating a case.
The logs are in the directory 1-Logs_FirstExecStoppedWithoutCreatingCase.

Please see the CopyLogs.zip file.

I ran it again (Exec 2) and I copied the logs into 2-Logs_Exec2BeforeCreatingCase.
Before creating the case, I stopped my antivirus (Avast) and my firewall (Comodo).
I created the case (at 14:57).
I selected the following ingest modules: Recent activity, File type identification, Extension mismatch detection, Exif parser, Keyword search, Email Parser, Encryption detection, Interesting files identifier, Correlation Engine, Virtual Machine Extractor, Data source integrity.
Not selected: Hash lookup, Photorec carver, Plaso, Android analyser.
Run ingest on: All files, directories, and unallocated space.

The source image is a dd image of a MacBook disk (only 60 Gb).

The “Analysing files from image…” began at 14:57. At this beginning, I copied the logs into 3-Logs_Exec2AfterCreationCaseAtBeginning:
the logs of [myself]\AppData\Roaming\autopsy\var\log in the directory FromVar-log,
the logs of the case in the directory FromTheCase.

When the progression was blocked at 86%, I copied the logs into 4-Logs_Exec2WhenBlocquedAt86percent, in the subdirectories FromVar-log and FromTheCase.

Afterwards, I quit Autopsy through the menu Case > Exit.
The “Solr Keyword Search Service” (Closing Case Resources; Preparing) ran a long time and afterwards Autopsy failed.
I copied the logs into 5-Logs_Exec2WhenExit (FromVar-log and FromTheCase).

About 1-Logs_FirstExecStoppedWithoutCreatingCase:
in autopsy.log.0, no error, no warning.
In messages.log, line 22: “J2KImageReader not loaded. JPEG2000 files will not be processed.”
and 15 warnings in lines 25 to 27, 117 and 118, 154 to 158, 160 to 162, 169, 184 (the end of this line is in French; translation: the marking of the document following the root element must have a correct format).

About 2-Logs_Exec2BeforeCreatingCase:
in autopsy.log.0, no error, no warning.
In messages.log, 12 warnings in lines 25 to 27, 117 and 118, 154 to 158, 160 and 161.

About 3-Logs_Exec2AfterCreationCaseAtBeginning:
in the directory FromTheCase, in autopsy.log.0, there are 21 warnings (with error) which seem to be mainly problems with character sets.
In the directory FromVar-log, in autopsy.log.0, no warning, no error; in messages.log, the same 12 warnings as in 2-Logs_Exec2BeforeCreatingCase.

About 4-Logs_Exec2WhenBlocquedAt86percent:
in the directory FromTheCase, in the autopsy.log.0, there are the 40 errors reported on the screen when clicking on the forbidden sense symbol at the right end of the line “Analyzing files from image …”. See, in the same directory, the file “The40errors.txt” and the ScreenCopy.jpg. These errors occurred at the beginning, 28 minutes after the beginning, and all occurred within 5 seconds. For other errors in the same autopsy.log.0 after the last, 40th error (line 3442), see OtherErrorsAfter.txt.
In the directory FromVar-log, no warning, no error in the autopsy.log.0. In messages.log, the same 12 warnings as in 3-Logs_Exec2AfterCreationCaseAtBeginning and 2 new warnings in lines 1699 and 1700. In Tika.log.0, 803 warnings (Avertissement, in French) including 786 “Caused by: java…”. In solr.log.stderr, 1 line, 1 warning. In solr.log.stdout, 22 lines, 21 WARN.

About 5-Logs_Exec2WhenExit:
in the directory FromCase, the new records begin at line 5385, about actions to close Autopsy. It crashed at 18:22 14".
In the directory FromVar-log, in autopsy.log.0, the last record is at 18:23 33". In messages.log, there are 7 new records (beginning at line 1701). In monitor.log.0, the new records begin at line 569. The tika.log.0 is the same as that of 4- above.

I am sorry for so much work for you and I thank you very much.

Kindly.

I sent you a message with my email address. You can send the logs there.

Thank you for the logs. Unfortunately I don’t see anything obvious in them (we’ll keep looking). Meanwhile, here are two tests to run:

  • Disable keyword search and see if it finishes.
  • Run on a different data source with the same ingest modules and see if it finishes. If you don’t have another image you can use the Logical Files option to run on a folder on your computer.

Hello Apriestman.

I did the first test: without enabling Keyword search.
And Autopsy finished normally.

But the results are bad:

  • deleted files: only one. None of the many deleted PDFs has been found.
  • no emails (when there are many)
    And, of course, no search on keywords.

Why these bad results on deleted files and emails?

Why this blocking when using the function Keyword Search for ingestion?

Do you want the log files?

Thank you in advance for your answers.

OK, I have no idea what would be causing that. You can forward me the logs.

I am out of ideas. I don’t see any problems in the logs. And it doesn’t make any sense that deleted files or emails would be dependent on KW search.

OK, Ann. In spite of this, I thank you again for your search.

I would like to know what version of Autopsy you use. I would test it.

Thank you in advance for this.

Kindly.

I’m a developer so I tend to build my own from the most recent GitHub code, but I also test all the released versions. But yes, trying older versions is a good idea. Let me know if any help.