VM Ingestion: Using Autopsy Forensics version 4.2.0 (module: Keyword Search).
Windows 11 Antivirus appeared to slow down (and possibly lead to a crash) during ingest. It also caused the computer to use alot of RAM. Not Autopsy’s fault.
Windows Defender:“Virus:WM/MDMA.A” … Antivirus quarantined / unable to remediate: C:\Users{username}\AppData\Local\Temp\apache-tika-261955409054394012.tmp (I am not exactly sure which ingested file caused this alert. I am guessing it may have been part of the GovDocs1 collection files (uncompressed) which was stored within the VM).
Rather than disable antivirus completely, I applied a broad exclusion to “AppData\Local\Temp”. potentially unsafe, but it worked. For future versions, can Autopsy Forensic be configured to store Apache Tika temp files to a subdir for localised antivirus exclusion? (e.g., “AppData\Local\Temp\tika”)
Many thanks.