Greetings everyone, I’ve tried to search for this topic as well as Google it so if I’ve missed it I apologise and could you please direct me to the appropriate thread.
I’m running the latest Autopsy 4.19.1 on a Windows 10 machine with 24 Xeon E5-2680 v3 CPUs and 32 gig of RAM with Oracle JDK 1.8.0_221 (Check that! - I discovered Autopsy on Windows comes bundled with its own OpenJDK).
I’m also trying to run the ingest on an SSD. I’m finding the ingest is extremely slow, to the point it has taken more than 24 hours to run and is still running. I’ve tried to tune it as best as I know how at this stage by increasing the number of ingest threads to 4 but alas it is still slow, and I mean extremely slow.
I can see that it’s still running but the rate at which it is progressing means it will probably run for another day or two.
Is there a way to get additional debug as to what is currently happening, or is anyone aware of this issue and knows of a suitable workaround?
Any help would be greatly appreciated.
Thank you
Update: I built an Ubuntu Virtual Machine and installed Autopsy 4.19.1 within. The ingest was an order of magnitude faster than Windows. Ideally, I would like this running in Windows natively.
What analysis modules/features do you have enabled during ingest? One reason for the performance difference between Windows and Linux could be that there are Windows only features that can be quite expensive to run, e.g., OCR, which naturally will not be running on Ubuntu.
Okay, I know this might be something you have done, but disable any antivirus, especially Windows Defender; shut it completely off. I was using a USB 3.1 external drive adapter for a drive I was running. It took days, and days.
Check on upgrading Python for Windows. Then you can run msconfig and prevent certain programs from running in the background on startup, which will help. Run Task Manager and disable any bloatware like Windows 10 store and my phone. Then while you are in Task Manager you can, and be careful, elevate the program resources, but do not use highest, or on demand/live. You have to reboot in safe mode to fix that problem and it’s a pain. Definitely not worth it.
Oh, run the clone function first and only that. Then after that, run the program on the clone or the physical drive. It’ll save time and resources.
We have a similar build. I hope I have helped you, and let me know if I missed anything or if you found something that worked better.
Hi Richard,
Thanks for your reply. I was running the following modules
Hi Brian,
Thanks for your reply. These are all excellent points to try and I appreciate you taking the time to provide such a lengthy response. I’ll try what you recommend and report back. At this stage, my only workaround was to create a Linux VM and ingest the drive in Linux, then open the case back up again in Windows after ingest. I’ll check your suggestions out one by one and see if it makes any difference.
Many thanks
Darren
Hi Darren,
The Recent Activity module has Windows-only analysis components. You might try turning that off on Windows and see if that accounts for the time difference.
I think that the advice from @Brian_Eckley is sound.
The next step would be to do profiling, but I’m assuming, perhaps incorrectly, that you are not a software engineer versed in Java software development tools.
Sorry I don’t have more to contribute.
Best,
Richard