Making Autopsy Multi-threading

Having been trained on FTK, I absolutely love the new iteration of Autopsy.

I have built a new “High End” 16 core AMD box hoping to cut time on searches and discovered that Autopsy is not “Multi Processor/Multi-Threading”. It does use different cores, but only 1 at a time.

Is this a feature that is in dev or is there a tweak that can be applied to make it multi-threading? I’d hate to think that I went overkill for naught…

As far as I can tell, the only multi-threaded ingest module is the “keyword search”, which typically is the one that takes longer to run. I was able to use it with 6 cores (on an AMD Ryzen 7 2700X with Eight-Core Processor + 32 GB of RAM), but only after increasing the Solr JVM memory to 4 GB.

I guess the developers thought it wasn’t worth the effort to develop more multi-threaded modules given that you can run multiple modules at the same time. But in my experience running many modules at once can make Autopsy unstable on large data sources.

Have you taken a look at this?

http://sleuthkit.org/autopsy/docs/user-docs/4.11.0/performance_page.html

Autopsy is multi-threaded. It will set up several analysis pipelines and analyze files in parallel. However, there are a couple of bottlenecks:

  1. The database. SQLite is limited by how many threads can write at the same time, so some threads will block while waiting for the ability to update the database. Having a multi-user setup with a PostgreSQL database can improve database performance because it allows multiple writers. At some point this calendar year, we’ll likely be looking at an alternative to SQLite that allows multiple writers (such as H2).

  2. Keyword Search Server. In most setups, the Solr server is the bottleneck. No matter how many analysis threads you throw at it, they all block waiting for Solr to sort and keep track of the words in the file. This is also a theme in the coming year to revisit our Solr setup and consider upgrading to a newer version.
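
The SQLite single-writer limit described in the reply above can be reproduced outside Autopsy. The following is an added example, not part of the original thread and not Autopsy code; the `artifacts` table, the module names and the `case.db` file are constructed stand-ins, and the busy timeout is set to 0 so the second writer reports the lock instead of silently waiting.

```python
import os
import sqlite3
import tempfile


def demo_single_writer():
    """Two connections to one SQLite file: only one may hold a write transaction."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "case.db")  # constructed stand-in for a case database
        # isolation_level=None: transactions are opened and closed explicitly.
        # timeout=0: a blocked writer fails at once rather than waiting for the lock.
        w1 = sqlite3.connect(path, timeout=0, isolation_level=None)
        w2 = sqlite3.connect(path, timeout=0, isolation_level=None)
        try:
            w1.execute("CREATE TABLE artifacts (module TEXT, file_id INTEGER)")

            # Worker 1 opens a write transaction and keeps it open.
            w1.execute("BEGIN IMMEDIATE")
            w1.execute("INSERT INTO artifacts VALUES ('hash_lookup', 1)")

            # Worker 2 tries to write while worker 1 still holds the write lock.
            try:
                w2.execute("INSERT INTO artifacts VALUES ('exif_parser', 2)")
                results["second_writer_during_tx"] = "ok"
            except sqlite3.OperationalError as exc:
                results["second_writer_during_tx"] = str(exc)

            # Reads are still served, but only committed rows are visible.
            rows = w2.execute("SELECT COUNT(*) FROM artifacts").fetchall()
            results["rows_seen_by_reader"] = rows[0][0]

            # Once worker 1 commits, worker 2 can take its turn.
            w1.execute("COMMIT")
            w2.execute("INSERT INTO artifacts VALUES ('exif_parser', 2)")
            results["second_writer_after_commit"] = "ok"
            final = w2.execute("SELECT COUNT(*) FROM artifacts").fetchall()
            results["final_rows"] = final[0][0]
        finally:
            w1.close()
            w2.close()
    return results


if __name__ == "__main__":
    for key, value in demo_single_writer().items():
        print(f"{key}: {value}")
```

With a non-zero timeout the second writer waits instead of failing, which is the blocking the reply describes for ingest threads.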

Currently, the 64-bit version of Autopsy for Windows comes with the 32-bit version of photorec. However, in my tests, the 64-bit version of photorec can be more than 20% faster than the 32-bit version. Is it possible to fix this in the next release of Autopsy?