Hey Guys.
For the online training, while running ingest modules (section 6), I get 42% on 24h+ of processing the laptop image.
My system is 16GB RAM, i7@2.60GHz, SSD and no other proccess consuming system resources.
The ingest progress snapshop is attached. I see an idle thread and two others working on the files.
I have no idea on why this is happening. Any advice will be apreciated. Autopsy is on latest version.
Thank you!
update: after 29h, the ingestion was interrupted, for no reason. No messages or alerts.
another update:
on another machine, sames specs, same fresh instalation and configure, the files/sec jumped from 2.01 to 41.62 working with the same files.
Hi @blackbeard . I’ve also has disappointing slow performance (https://sleuthkit.discourse.group/t/autopsy-disk-read-metrics-are-a-fraction-of-other-forensics-non-forensics-tools/2368) and was wondering if you ever figured out a way to improve ingest performance with Autopsy?
The new version 4.18 definitely improved ingest times a lot, but in my testing Autopsy is still far behind other tools.
Hey @honor_the_data.
Have’nt tested 4.18 yet, but running Autopsy with local files (target image on external media) is a LOT faster than processing the target image on a gigabit NAS. It seems to me that database updates are the cause of slowdown on my cases, but to be honest, I have no idea on why the processing is so slow on some cases even with the same configuration and hardware specs. During this week I’ll work on another case with 4.18. I’ll report back if I figure out what can cause this issues.
I’ve been doing some testing on 4.18- https://sleuthkit.discourse.group/t/performance-testing-and-tuning-for-autopsy-4-18/2536?u=honor_the_data
Its been much faster than 4.17 but still much slower that Axiom.
If you are using a single user case then one thing you can try and test with to see if there is a performance improvement is to change the SQLite database journal mode from delete to WAL. You can do this by creating a case and then closing it before you add any data sources. Once closed open the SQLite database file in a SQLite editor/browser. It is located in your case folder and named autopsy.db. Issue the following command “Pragma journal_mode='wal” (minus double quotes). This will change the journal mode. Close the SQLite database and then reopen the case in Autopsy. If you look in the case directory you should see a Autopsy.db-wal file and well as a Autopsy.db-shm file. If you see those 2 extra files then you know you did it correctly. Now try adding a data source and running ingest modules and see if that speeds up the ingest process (Sorry will not do anything for keyword search). Hope this makes sense.
Mark
