No Ingest Modules are being executed

Hi,

I have installed Autopsy 4.19.3 on Windows 11 and also downloaded the markmckinnon autopsy-plugins into the Python plugin folder.

When creating a new case and after adding evidences, the files are added to the case, but no ingestion module is run, even though various are selected during the case setup. I have attached the logs and the thread dump. To my understanding, the logs do not contain an error. But Autopsy doesn’t consume an IO, CPU after these log entries. The GUI is still responsive.

I have performed various tests and all yield the same results.

Can anybody help me on this matter?

2022-08-30 16:34:06.043 org.sleuthkit.autopsy.centralrepository.datamodel.RdbmsCentralRepo upgradeSchema
INFO: Central Repository is up to date
2022-08-30 16:34:06.365 org.sleuthkit.autopsy.keywordsearch.Server startLocalSolr
INFO: Starting local Solr SOLR8 server
2022-08-30 16:34:06.387 org.sleuthkit.autopsy.keywordsearch.Server isLocalSolrRunning
INFO: Solr server is running
2022-08-30 16:34:06.387 org.sleuthkit.autopsy.keywordsearch.Server startLocalSolr
INFO: Local Solr SOLR8 server is already running
2022-08-30 16:34:06.411 org.sleuthkit.autopsy.keywordsearch.Server isLocalSolrRunning
INFO: Solr server is running
2022-08-30 16:34:09.226 org.sleuthkit.autopsy.keywordsearch.Server$Collection <init>
INFO: Using Solr document queue size = 30
2022-08-30 16:34:09.986 org.sleuthkit.autopsy.imagegallery.PerCaseProperties getConfigSetting
INFO: File did not exist. Created file [Image Gallery.properties]
2022-08-30 16:34:10.16 org.sleuthkit.autopsy.imagegallery.datamodel.DrawableDB setPragmas
INFO: sqlite-jdbc version 3.25.2 loaded in native mode
2022-08-30 16:34:10.523 org.sleuthkit.autopsy.casemodule.Case openAsCurrentCase
INFO: Opened iOS3 (ios3_20220830_163358) in C:\Case\iOS3 as the current case
2022-08-30 16:34:11.509 org.sleuthkit.autopsy.corecomponents.DataContentViewerHex <init>
INFO: Created HexView instance: org.sleuthkit.autopsy.corecomponents.DataContentViewerHex[,0,0,0x0,invalid,layout=javax.swing.GroupLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=java.awt.Dimension[width=100,height=58]]
2022-08-30 16:34:13.083 org.sleuthkit.autopsy.contentviewers.MediaFileViewer <init>
INFO: Created MediaView instance: org.sleuthkit.autopsy.contentviewers.MediaFileViewer[,0,0,0x0,invalid,layout=java.awt.CardLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=]
2022-08-30 16:34:15.184 org.sleuthkit.autopsy.contentviewers.FileViewer <init>
INFO: Created ApplicationContentViewer instance: org.sleuthkit.autopsy.contentviewers.FileViewer[,0,0,0x0,invalid,layout=javax.swing.OverlayLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=]
2022-08-30 16:34:16.691 org.sleuthkit.autopsy.corecomponents.DataContentTopComponent <init>
INFO: Created DataContentTopComponent instance: org.sleuthkit.autopsy.corecomponents.DataContentTopComponent[Data Content,0,0,0x0,invalid,layout=javax.swing.BoxLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=256,maximumSize=,minimumSize=,preferredSize=]
2022-08-30 16:34:18.066 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Central Repository, version = 4.19.3
2022-08-30 16:34:18.158 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Data Source Integrity, version = 4.19.3
2022-08-30 16:34:18.268 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = DJI Drone Analyzer, version = 4.19.3
2022-08-30 16:34:18.371 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Embedded File Extractor, version = 4.19.3
2022-08-30 16:34:18.372 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Encryption Detection, version = 4.19.3
2022-08-30 16:34:18.472 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Extension Mismatch Detector, version = 4.19.3
2022-08-30 16:34:18.577 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = File Type Identification, version = 4.19.3
2022-08-30 16:34:18.675 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Hash Lookup, version = 4.19.3
2022-08-30 16:34:18.675 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Interesting Files Identifier, version = 4.19.3
2022-08-30 16:34:18.768 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Android Analyzer (aLEAPP), version = 4.19.3
2022-08-30 16:34:18.768 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = iOS Analyzer (iLEAPP), version = 4.19.3
2022-08-30 16:34:18.864 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = PhotoRec Carver, version = 7.0
2022-08-30 16:34:18.976 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Picture Analyzer, version = 4.19.3
2022-08-30 16:34:19.074 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Plaso, version = 4.19.3
2022-08-30 16:34:19.188 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Virtual Machine Extractor, version = 4.19.3
2022-08-30 16:34:19.314 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = YARA Analyzer, version = 4.19.3
2022-08-30 16:34:19.341 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Keyword Search, version = 4.19.3
2022-08-30 16:34:19.385 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Email Parser, version = 4.19.3
2022-08-30 16:34:19.407 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Recent Activity, version = 4.19.3
2022-08-30 16:34:43.258 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Facebook_Chat, version = 1.0
2022-08-30 16:34:43.258 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Mac OSX FSEvents Module, version = 1.0
2022-08-30 16:34:43.259 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse SQLite Del Rec, version = 1.0
2022-08-30 16:34:43.259 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = ClamAv Hashset Module, version = 1.0
2022-08-30 16:34:43.259 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse MACOS Recents, version = 1.0
2022-08-30 16:34:43.26 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = RingCentral Meeting Chats, version = 1.0
2022-08-30 16:34:43.26 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = AD1 Extractor, version = 1.0
2022-08-30 16:34:43.261 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Create Preview Data Container, version = 1.3
2022-08-30 16:34:43.261 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = LevelDB Parser, version = 1.0
2022-08-30 16:34:43.262 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Mass Export By Extension, version = 1.0
2022-08-30 16:34:43.263 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Thumbs.db Parser Module, version = 1.1
2022-08-30 16:34:43.264 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Process/Extract Volume Shadow, version = 1.0
2022-08-30 16:34:43.265 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Windows Internals, version = 1.0
2022-08-30 16:34:43.266 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Teracopy, version = 1.0
2022-08-30 16:34:43.266 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Thumbscache Parser Module, version = 1.1
2022-08-30 16:34:43.266 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Mac_Mail, version = 1.0
2022-08-30 16:34:43.267 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Spotlight Parser, version = 1.0
2022-08-30 16:34:43.268 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Volatility Module, version = 1.2
2022-08-30 16:34:43.268 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Volatility Convert Hiber/Crash Module, version = 1.0
2022-08-30 16:34:43.269 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Volatility Dump File Module, version = 1.2
2022-08-30 16:34:43.269 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = GUI Test with Settings, version = 1.0
2022-08-30 16:34:43.27 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = ActivitiesCache, version = 1.0
2022-08-30 16:34:43.27 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse File History, version = 1.0
2022-08-30 16:34:43.27 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse Plists, version = 1.0
2022-08-30 16:34:43.271 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Appxreg_Programs, version = 1.0
2022-08-30 16:34:43.271 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Atomic_Wallet, version = 1.0
2022-08-30 16:34:43.272 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = iOS sysdiagnose, version = 1.0
2022-08-30 16:34:43.272 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse WebCache, version = 1.0
2022-08-30 16:34:43.273 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = iTunes Backup Module, version = 1.0
2022-08-30 16:34:43.273 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Appx_Programs, version = 1.0
2022-08-30 16:34:43.274 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Amazon Echosystem Parser, version = 1.0
2022-08-30 16:34:43.274 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = UAL Parser, version = 1.0
2022-08-30 16:34:43.274 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse QNX Image, version = 1.0
2022-08-30 16:34:43.275 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = USN Parser, version = 1.0
2022-08-30 16:34:43.275 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Windows_Mail, version = 1.0
2022-08-30 16:34:43.275 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = GPX Parser, version = 1.2
2022-08-30 16:34:43.276 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Timesketch Module, version = 1.0
2022-08-30 16:34:43.276 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse Amcache, version = 1.3
2022-08-30 16:34:43.276 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse MACOSX Safari, version = 1.0
2022-08-30 16:34:43.278 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Plaso Module, version = 1.0
2022-08-30 16:34:43.278 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Plaso Import Module, version = 1.0
2022-08-30 16:34:43.279 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = ShimcacheParser, version = 1.0
2022-08-30 16:34:43.28 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = ParseEvtx, version = 1.5
2022-08-30 16:34:43.281 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Create_Datasource_Hashset, version = 1.0
2022-08-30 16:34:43.282 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Google Takeout, version = 1.0
2022-08-30 16:34:43.282 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Hash_Images, version = 1.0
2022-08-30 16:34:43.283 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = DJI_Phantom_Drone, version = 1.0
2022-08-30 16:34:43.283 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Android Analyzer, version = 4.19.3
2022-08-30 16:34:43.284 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = ParseEvtxByEventID, version = 1.0
2022-08-30 16:34:43.284 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse SQLite DB, version = 1.0
2022-08-30 16:34:43.284 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = GUI Test, version = 1.0
2022-08-30 16:34:43.285 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Remove Artifacts/Attributes, version = 1.2
2022-08-30 16:34:43.285 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Parse CCM Recently Used Apps, version = 1.0
2022-08-30 16:34:43.286 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Cuckoo Module, version = 1.0
2022-08-30 16:39:34.521 org.sleuthkit.autopsy.ingest.IngestMonitor$MonitorTimerAction logMonitoredRootDirectory
INFO: Monitoring disk space of C:\
2022-08-30 16:39:34.522 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
INFO: Starting ingest job 0
2022-08-30 16:39:34.529 org.sleuthkit.autopsy.ingest.IngestPipelinesConfiguration getInstance
INFO: Creating ingest module loader instance
2022-08-30 16:39:34.613 org.python.core.PyReflectedFunction __call__
SEVERE: Starting of plugin
2022-08-30 16:39:34.615 org.python.core.PyReflectedFunction __call__
SEVERE: Starting of plugin
2022-08-30 16:39:34.616 org.python.core.PyReflectedFunction __call__
SEVERE: Starting of plugin

BugCheck

Those last couple lines make it looks like some of the python modules aren’t starting up correctly. Can you try running with just the built-in modules enabled and see if ingest runs?

Ann is being nice here, it is one of the python plugins that is causing the issue. Which one I could not tell you. Which plugins did you have checked to run? If you don’t need to run a plugin then don’t run it. Some of the python plugins are looking for very specific data and if you do not have it then do not run it, ie: If you have a windows is image then you don’t need to run any MacOS plugins.

True, and don’t forget to disable your antivirus…

Hi,

sorry that I forgot to reply. The unnamed error was caused by some module that I can’t identify. While just running ileap on an iOS image, everything is fine.

Thanks for the help!

Great Stuff, thanks for sharing