Plaso hangs in Multi-User Autopsy

Multi-User Setup (Virtual Machines)

  • VM1 (Win10): PostgreSQL / ActiveMQ
  • VM2 (WinSvr2019): Solr / Zookeeper(embedded)
  • VM3 (Win10): Autopsy
  • Disk Image: 43GB, Windows 10

Difficulty: Ingesting image utilizing Plaso plugin. Partway through Plaso analysis, it appears to hang and ingest also hangs at that point. Files/Sec starts at ~50+ and then continues to decrease. Please see the pictures below (two different ingests).


plaso_hang_2

If you need any specifics on our setup, please bug me. I don’t currently have an ingest running, but I can re-ingest that particular image :slight_smile:

Below is the log. If there is a better way to post logs, please let me know and I will change it. I took a look at the SEVERE section. I wonder, is it losing connection to the PostgreSQL database?

2022-02-19 07:51:51.099 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 07:51:51.11 org.sleuthkit.autopsy.keywordsearch.Server createMultiUserCollection
INFO: numShardsToUse: 1
2022-02-19 07:51:52.021 org.sleuthkit.autopsy.keywordsearch.Server createMultiUserCollection
INFO: Collection plaso_test_20220219_075149_20220219_075151 successfully created.
2022-02-19 07:51:54.269 org.sleuthkit.autopsy.keywordsearch.Server getCloudSolrClient
INFO: Using Solr server: asolr:8983_solr
2022-02-19 07:51:54.27 org.sleuthkit.autopsy.keywordsearch.Server getCloudSolrClient
INFO: Creating new CloudSolrClient
2022-02-19 07:51:55.305 org.sleuthkit.autopsy.keywordsearch.Server$Collection <init>
INFO: Using Solr document queue size = 30
2022-02-19 07:51:55.418 org.sleuthkit.autopsy.centralrepository.datamodel.RdbmsCentralRepo upgradeSchema
INFO: Central Repository is up to date
2022-02-19 07:51:55.621 org.sleuthkit.autopsy.imagegallery.PerCaseProperties getConfigSetting
INFO: File did not exist. Created file [Image Gallery.properties]
2022-02-19 07:51:55.708 org.sleuthkit.autopsy.imagegallery.datamodel.DrawableDB setPragmas
INFO: sqlite-jdbc version 3.25.2 loaded in native mode
2022-02-19 07:51:55.9 org.sleuthkit.autopsy.casemodule.Case openAsCurrentCase
INFO: Opened plaso_test (plaso_test_20220219_075149) in Z:\CASES\plaso_test as the current case
2022-02-19 07:51:56.108 org.sleuthkit.autopsy.ingest.IngestMonitor$MonitorTimerAction logMonitoredRootDirectory
INFO: Monitoring disk space of Z:\
2022-02-19 07:51:56.155 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Central Repository, version = 4.19.3
2022-02-19 07:51:56.156 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Data Source Integrity, version = 4.19.3
2022-02-19 07:51:56.157 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = DJI Drone Analyzer, version = 4.19.3
2022-02-19 07:51:56.158 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Embedded File Extractor, version = 4.19.3
2022-02-19 07:51:56.158 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Encryption Detection, version = 4.19.3
2022-02-19 07:51:56.159 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Extension Mismatch Detector, version = 4.19.3
2022-02-19 07:51:56.16 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = File Type Identification, version = 4.19.3
2022-02-19 07:51:56.16 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Hash Lookup, version = 4.19.3
2022-02-19 07:51:56.161 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Interesting Files Identifier, version = 4.19.3
2022-02-19 07:51:56.162 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Android Analyzer (aLEAPP), version = 4.19.3
2022-02-19 07:51:56.162 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = iOS Analyzer (iLEAPP), version = 4.19.3
2022-02-19 07:51:56.163 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = PhotoRec Carver, version = 7.0
2022-02-19 07:51:56.163 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Picture Analyzer, version = 4.19.3
2022-02-19 07:51:56.164 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Plaso, version = 4.19.3
2022-02-19 07:51:56.165 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Virtual Machine Extractor, version = 4.19.3
2022-02-19 07:51:56.165 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = YARA Analyzer, version = 4.19.3
2022-02-19 07:51:56.166 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Keyword Search, version = 4.19.3
2022-02-19 07:51:56.167 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Email Parser, version = 4.19.3
2022-02-19 07:51:56.168 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Recent Activity, version = 4.19.3
2022-02-19 07:51:56.498 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = GPX Parser, version = 1.2
2022-02-19 07:51:56.499 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Android Analyzer, version = 4.19.3
2022-02-19 07:52:18.846 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
INFO: Starting ingest job 15
2022-02-19 07:52:18.865 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Starting first stage analysis in streaming mode (data source = diskimage.001, objId = 1, pipeline id = 15, ingest job id = 1)
2022-02-19 07:52:19.578 org.sleuthkit.autopsy.casemodule.IngestJobInfoPanel$1 done
INFO: The refreshing of the IngestJobInfoPanel was cancelled
2022-02-19 07:52:19.579 org.sleuthkit.autopsy.casemodule.IngestJobInfoPanel$1 done
INFO: The refreshing of the IngestJobInfoPanel was cancelled
2022-02-19 08:03:52.81 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 08:09:53.805 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Starting full first stage analysis in streaming mode (data source = diskimage.001, objId = 1, pipeline id = 15, ingest job id = 1)
2022-02-19 08:09:53.821 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule executeTask
INFO: Plaso analysis of diskimage.001 starting
2022-02-19 08:09:53.844 org.sleuthkit.autopsy.modules.plaso.PlasoIngestModule process
INFO: Starting Plaso Run.
2022-02-19 08:09:53.884 org.sleuthkit.autopsy.imagegallery.gui.Toolbar lambda$syncDataSources$24
SEVERE: Unable to get datasources for current case.
org.sleuthkit.datamodel.TskCoreException: Error getting case database connection - case is closed
	org.sleuthkit.datamodel.SleuthkitCase$ConnectionPool.getConnection(SleuthkitCase.java:12981)
	org.sleuthkit.datamodel.SleuthkitCase.getDataSources(SleuthkitCase.java:3303)
	org.sleuthkit.autopsy.imagegallery.gui.Toolbar.lambda$syncDataSources$22(Toolbar.java:317)
	com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:108)
	com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:41)
	com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:77)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	java.lang.Thread.run(Thread.java:748)
2022-02-19 08:18:52.874 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 08:33:52.925 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 08:48:52.981 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 09:03:53.037 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 09:18:53.11 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 09:33:53.166 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 09:48:53.222 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 10:03:53.287 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 10:18:53.353 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 10:33:53.437 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 10:48:53.5 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 11:03:53.568 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 11:18:53.63 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 11:33:53.71 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 11:48:53.779 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 12:03:53.848 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 12:18:53.911 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 
2022-02-19 12:33:53.973 org.sleuthkit.autopsy.keywordsearch.Server connectToSolrServer
INFO: Connected to Solr server 

Ignore the PostgreSQL database comment above; it looks like Plaso output is saved in /{SHARE}/{HOSTNAME-ingest-node}/ModuleOutput/plaso/{date-run}, not in PostgreSQL (sorry if I’m wrong).

Ran the same case in Single User Mode; it completed with the exception of PSort, which returned error code -1.

If I figure this out, I’ll post here (in case someone else has the same issue).