I have recently started using Autopsy on a Windows Server 2019 VM. I have taken an image of another VM's hard disk (75GB) using FTK Imager and then, with default settings, I created a case and added the image as a data source. The image was initially on a shared drive on the network.
The Analyze process took many hours. However, I think it did eventually complete.
Initially I had 8GB Memory and 2 CPUs on the scanning VM. I then got the memory increased to 16GB and the CPUs to 4. Reran, however, still extremely slow…took like 11 hours to get to 30%.
I thought it was the network traffic causing an issue, so I added another drive on the scanning VM and copied the Image to it. Re-added the data source and the analyze…still super slow.
I played around with the memory options in Options->Applications and the threads in the Options->Ingest Section. Increased them based on the increase in RAM and CPU on the VM. Re-ran the Analyze…still…seems to be crawling.
I even unchecked all the Ingest modules besides the keyword search and particularly the search items I am interested in.
I even got the memory to be increased to 32GB and CPU to 8…Re-ran, still seems to be as slow.
I tried Autopsy 4.17.0 and 4.18.0 on my Dell PowerEdge T410 with two (2) Xeon processors and 16 GB memory running Server 2016: both were too slow to use on real world size drive images of .5 to 1 TB. My OptiPlex 3060 Micro PC with one (1) i3 processor and four GB memory running Ubuntu 20.04 is many times faster. My guess is a hardware configuration to boost performance using Windows.
I made a Hyper-V Win 10 Ent 64 bit VM to see if a Win Server OS was incompatible, but the Win 10 Ent VM wasn’t any faster. Try a Linux VM on your server and you will see an order of magnitude improvement.
Autopsy on Linux can be a bear to configure without errors. It is not a simplistic click next, next, next like on Windows and I have not seen any error messages using it on Win OS.
I have not seen any indication that Autopsy itself installs on Linux; once extracted, it loads from CLI with “sh unix_setup.sh” and launches with “sudo ./autopsy”. The individual apps have to be installed and compiled first, as well as the dependencies.
Once configured correctly on Linux, it is the gold standard.