Hi there! I’ve got a massive project that I am working on. I’m running into trouble left and right. I am investing a lot of time, and I am learning a lot about Autopsy.
I’ve let it run for days. Seems like it never progresses or it does so very slowly. I’ve let it run for 48 hours before.
I’ve uninstalled Autopsy and then searched my drive for ‘autopsy’ and nuked everything that was left behind. Rebooted, reinstalled Autopsy and plugins.
Here are the log entries from the beginning and end of my most recent attempt.
i9-10900
32GB RAM
980 evo m.2 C:\ (autopsy install and case file location)
Data Sources are being ingested over USB.
I have ingest set to 6 cores. 8 ran my system too hard. I made many attempts with it at 4.
When I only run the Recent Activity ingest module and monitor system activity, it looks like nothing is running.
Is the Recent Activity module just naturally a lengthy module to run? What can I do to speed it up?
2021-11-13 16:15:43.275 org.sleuthkit.autopsy.ingest.IngestMonitor$MonitorTimerAction logMonitoredRootDirectory
INFO: Monitoring disk space of C:\
2021-11-13 16:15:43.275 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
INFO: Starting ingest job 0
2021-11-13 16:15:43.277 org.sleuthkit.autopsy.ingest.IngestPipelinesConfiguration getInstance
INFO: Creating ingest module loader instance
2021-11-13 16:15:43.389 org.sleuthkit.autopsy.recentactivity.SearchEngineURLQueryAnalyzer loadConfigFile
INFO: Load successful
2021-11-13 16:15:43.582 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Starting first stage analysis in batch mode (data source = I:, objId = 1, pipeline id = 0, ingest job id = 1)
2021-11-13 16:15:43.583 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule executeTask
INFO: Recent Activity analysis of I: starting
2021-11-13 16:15:45.771 org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin processIFile
WARNING: Unable to parse iFile /$Recycle.Bin/S-1-5-21-487293567-1139568291-3142500734-1001/$IQHJJIK.4
java.io.IOException: Error parsing $I File, file is corrupt or not a valid I$ file
org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.parseIFile(ExtractRecycleBin.java:325)
org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.processIFile(ExtractRecycleBin.java:179)
org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.process(ExtractRecycleBin.java:148)
org.sleuthkit.autopsy.recentactivity.Extract.process(Extract.java:108)
org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:139)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:93)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:72)
org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1085)
org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:41)
org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
java.nio.BufferUnderflowException
org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.parseIFile(ExtractRecycleBin.java:325)
org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.processIFile(ExtractRecycleBin.java:179)
org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.process(ExtractRecycleBin.java:148)
org.sleuthkit.autopsy.recentactivity.Extract.process(Extract.java:108)
org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:139)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:93)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:72)
org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1085)
org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:41)
org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
2021-11-13 16:22:57.534 org.sleuthkit.autopsy.recentactivity.ExtractJumpLists extractLnkFiles
WARNING: No such document, or the Entry represented by documentName is not a DocumentEntry link file is C:\Users\redacted\AppData\Local\Temp\Autopsy\thor_20211113_155532\Temp\RecentActivity\jumplists_0\cd281d8d569a7706.automaticDestinations-ms_597144
org.sleuthkit.autopsy.coreutils.JLnkParserException: java.nio.BufferUnderflowException
org.sleuthkit.autopsy.coreutils.JLnkParser.parse(JLnkParser.java:212)
org.sleuthkit.autopsy.recentactivity.ExtractJumpLists.extractLnkFiles(ExtractJumpLists.java:197)
org.sleuthkit.autopsy.recentactivity.ExtractJumpLists.process(ExtractJumpLists.java:118)
org.sleuthkit.autopsy.recentactivity.Extract.process(Extract.java:108)
org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:139)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:93)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:72)
org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1085)
org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:41)
org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
java.nio.BufferUnderflowException
org.sleuthkit.autopsy.coreutils.JLnkParser.parse(JLnkParser.java:212)
org.sleuthkit.autopsy.recentactivity.ExtractJumpLists.extractLnkFiles(ExtractJumpLists.java:197)
org.sleuthkit.autopsy.recentactivity.ExtractJumpLists.process(ExtractJumpLists.java:118)
org.sleuthkit.autopsy.recentactivity.Extract.process(Extract.java:108)
org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:139)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:93)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:72)
org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1085)
org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:41)
org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
2021-11-13 16:37:48.364 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [ objId 0000593585 name This PC (2).lnk parentId -1 checkedHasChildren false hasChildren false childrenCount -1uniquePath null] AbstractFile [ fileType FS ctime 1634852470 crtime 1488223434 mtime 1488223434 atime 1615046718 attrId 3 attrType TSK_FS_ATTR_TYPE_NTFS_DATA dirFlag Allocated dirType REG uid 0 gid 0 metaAddr 579643 metaSeq 12 metaFlags [Allocated, Used] metaType r modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH] parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/ size 104 knownState UNKNOWN md5Hash null sha256Hash null localPathSet false localPath null localAbsPath null localFile null] FsContent [ fsObjId 2 uniquePath null fileHandle 926221728] File [ ]
2021-11-13 16:37:48.366 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [ objId 0000593587 name This PC (3).lnk parentId -1 checkedHasChildren false hasChildren false childrenCount -1uniquePath null] AbstractFile [ fileType FS ctime 1634852470 crtime 1494277493 mtime 1494277493 atime 1615046718 attrId 3 attrType TSK_FS_ATTR_TYPE_NTFS_DATA dirFlag Allocated dirType REG uid 0 gid 0 metaAddr 120553 metaSeq 34 metaFlags [Allocated, Used] metaType r modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH] parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/ size 104 knownState UNKNOWN md5Hash null sha256Hash null localPathSet false localPath null localAbsPath null localFile null] FsContent [ fsObjId 2 uniquePath null fileHandle 926221760] File [ ]
2021-11-13 16:37:48.367 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [ objId 0000593589 name This PC (4).lnk parentId -1 checkedHasChildren false hasChildren false childrenCount -1uniquePath null] AbstractFile [ fileType FS ctime 1634852470 crtime 1512169948 mtime 1512169948 atime 1615046718 attrId 3 attrType TSK_FS_ATTR_TYPE_NTFS_DATA dirFlag Allocated dirType REG uid 0 gid 0 metaAddr 41129 metaSeq 350 metaFlags [Allocated, Used] metaType r modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH] parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/ size 104 knownState UNKNOWN md5Hash null sha256Hash null localPathSet false localPath null localAbsPath null localFile null] FsContent [ fsObjId 2 uniquePath null fileHandle 926221888] File [ ]
2021-11-13 16:37:48.368 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [ objId 0000593591 name This PC (5).lnk parentId -1 checkedHasChildren false hasChildren false childrenCount -1uniquePath null] AbstractFile [ fileType FS ctime 1634852470 crtime 1536587890 mtime 1536587890 atime 1615046718 attrId 3 attrType TSK_FS_ATTR_TYPE_NTFS_DATA dirFlag Allocated dirType REG uid 0 gid 0 metaAddr 12654 metaSeq 22 metaFlags [Allocated, Used] metaType r modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH] parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/ size 104 knownState UNKNOWN md5Hash null sha256Hash null localPathSet false localPath null localAbsPath null localFile null] FsContent [ fsObjId 2 uniquePath null fileHandle 926220288] File [ ]
2021-11-13 16:37:48.369 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [ objId 0000593593 name This PC (6).lnk parentId -1 checkedHasChildren false hasChildren false childrenCount -1uniquePath null] AbstractFile [ fileType FS ctime 1634852470 crtime 1539871380 mtime 1539871380 atime 1615046718 attrId 3 attrType TSK_FS_ATTR_TYPE_NTFS_DATA dirFlag Allocated dirType REG uid 0 gid 0 metaAddr 568488 metaSeq 139 metaFlags [Allocated, Used] metaType r modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH] parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/ size 104 knownState UNKNOWN md5Hash null sha256Hash null localPathSet false localPath null localAbsPath null localFile null] FsContent [ fsObjId 2 uniquePath null fileHandle 926221184] File [ ]
2021-11-13 16:37:48.369 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [ objId 0000593595 name This PC.lnk parentId -1 checkedHasChildren false hasChildren false childrenCount -1uniquePath null] AbstractFile [ fileType FS ctime 1634852470 crtime 1472222062 mtime 1472222062 atime 1615046718 attrId 1 attrType TSK_FS_ATTR_TYPE_NTFS_DATA dirFlag Allocated dirType REG uid 0 gid 0 metaAddr 171844 metaSeq 1 metaFlags [Allocated, Used] metaType r modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH] parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/ size 104 knownState UNKNOWN md5Hash null sha256Hash null localPathSet false localPath null localAbsPath null localFile null] FsContent [ fsObjId 2 uniquePath null fileHandle 926220352] File [ ]
2021-11-13 16:56:38.021 org.sleuthkit.autopsy.recentactivity.RAImageIngestModule process
INFO: Recent Activity has been canceled, quitting before Registry
2021-11-13 16:56:38.021 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule executeTask
INFO: Recent Activity analysis of I: finished
2021-11-13 16:56:38.022 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Finished first stage analysis (data source = I:, objId = 1, pipeline id = 0, ingest job id = 1)
2021-11-13 16:56:38.022 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Finished all tasks (data source = I:, objId = 1, pipeline id = 0, ingest job id = 1)
2021-11-13 16:56:38.024 org.sleuthkit.autopsy.ingest.IngestManager finishIngestJob
INFO: Ingest job 0 completed
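Added example, not part of the original post: a small Python parser for the two-line record layout seen in the log above (a timestamp/class/method header followed by a `LEVEL: message` line) that reports the long silent periods between records, which is where the Recent Activity run spent its time. The sample input is constructed by abridging the posted log, and the function names and the 60-second threshold are assumptions of this example.

```python
import re
from datetime import datetime

# Header line of a record in the posted log: "<timestamp> <logger class> <method>"
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (\S+)$")
LEVEL = re.compile(r"^(INFO|WARNING|SEVERE): (.*)$")

# Constructed sample: headers and first message lines abridged from the log above.
SAMPLE_LOG = """\
2021-11-13 16:15:43.583 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule executeTask
INFO: Recent Activity analysis of I: starting
2021-11-13 16:15:45.771 org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin processIFile
WARNING: Unable to parse iFile (path abridged)
java.io.IOException: Error parsing $I File, file is corrupt or not a valid I$ file
2021-11-13 16:22:57.534 org.sleuthkit.autopsy.recentactivity.ExtractJumpLists extractLnkFiles
WARNING: No such document (message abridged)
2021-11-13 16:37:48.364 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files (message abridged)
2021-11-13 16:56:38.021 org.sleuthkit.autopsy.recentactivity.RAImageIngestModule process
INFO: Recent Activity has been canceled, quitting before Registry
"""

def parse_records(text):
    """Return (timestamp, short class name, level) per record; stack-trace lines are skipped."""
    records, pending = [], None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            stamp = datetime.strptime(header.group(1), "%Y-%m-%d %H:%M:%S.%f")
            pending = (stamp, header.group(2).rsplit(".", 1)[-1])
            continue
        level = LEVEL.match(line.strip())
        if level and pending:
            records.append((*pending, level.group(1)))
            pending = None
    return records

def silent_gaps(records, min_seconds=60):
    """List (seconds, before, after) for quiet periods between records, longest first."""
    gaps = []
    for (t0, c0, _), (t1, c1, _) in zip(records, records[1:]):
        seconds = (t1 - t0).total_seconds()
        if seconds >= min_seconds:
            gaps.append((round(seconds), c0, c1))
    return sorted(gaps, reverse=True)

if __name__ == "__main__":
    for seconds, before, after in silent_gaps(parse_records(SAMPLE_LOG)):
        print(f"{seconds / 60:5.1f} min silent between {before} and {after}")
```

On the abridged sample the three gaps are roughly 7, 15 and 19 minutes, each ending at the next extractor's first warning; a gap only shows that nothing was logged in that interval, not which extractor was busy during it.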