Recent Activity - running? hung?

MatyasFulop · November 15, 2021, 1:01pm

Hi there! I’ve got a massive project that I am working on. I’m running into trouble left and right. I am investing a lot of time and, I am learning a lot about Autopsy.

I’ve let it run for days. Seems like it never progresses or it does so very slowly. I’ve let it run for 48 hours before.

I’ve uninstalled autopsy and then searched my drive for ‘autopsy’ and nuked everything what was left behind. rebooted, reinstalled autopsy and plugins.

Here are the log entries from the beginning and end of my most recent attempt.

i9-10900
32GB ram
980 evo m.2 C:\ (autopsy install and case file location)
Data Sources are being ingested over USB.
I have ingest set to 6 cores. 8 ran my system too hard. I made many attempts with it at 4.

When I only run the recent activity ingest module and monitor system activity, it looks like nothing is running.

Is the Recent Activity module just naturally a lengthy module to run? What can I do to speed it up?

2021-11-13 16:15:43.275 org.sleuthkit.autopsy.ingest.IngestMonitor$MonitorTimerAction logMonitoredRootDirectory
INFO: Monitoring disk space of C:\
2021-11-13 16:15:43.275 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
INFO: Starting ingest job 0
2021-11-13 16:15:43.277 org.sleuthkit.autopsy.ingest.IngestPipelinesConfiguration getInstance
INFO: Creating ingest module loader instance
2021-11-13 16:15:43.389 org.sleuthkit.autopsy.recentactivity.SearchEngineURLQueryAnalyzer loadConfigFile
INFO: Load successful
2021-11-13 16:15:43.582 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Starting first stage analysis in batch mode (data source = I:, objId = 1, pipeline id = 0, ingest job id = 1)
2021-11-13 16:15:43.583 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule executeTask
INFO: Recent Activity analysis of I: starting
2021-11-13 16:15:45.771 org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin processIFile
WARNING: Unable to parse iFile /$Recycle.Bin/S-1-5-21-487293567-1139568291-3142500734-1001/$IQHJJIK.4
java.io.IOException: Error parsing $I File, file is corrupt or not a valid I$ file
	org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.parseIFile(ExtractRecycleBin.java:325)
	org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.processIFile(ExtractRecycleBin.java:179)
	org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.process(ExtractRecycleBin.java:148)
	org.sleuthkit.autopsy.recentactivity.Extract.process(Extract.java:108)
	org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:139)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:93)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:72)
	org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
	org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1085)
	org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:41)
	org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
	java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	java.util.concurrent.FutureTask.run(FutureTask.java:266)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	java.lang.Thread.run(Thread.java:748)
java.nio.BufferUnderflowException
	org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.parseIFile(ExtractRecycleBin.java:325)
	org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.processIFile(ExtractRecycleBin.java:179)
	org.sleuthkit.autopsy.recentactivity.ExtractRecycleBin.process(ExtractRecycleBin.java:148)
	org.sleuthkit.autopsy.recentactivity.Extract.process(Extract.java:108)
	org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:139)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:93)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:72)
	org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
	org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1085)
	org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:41)
	org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
	java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	java.util.concurrent.FutureTask.run(FutureTask.java:266)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	java.lang.Thread.run(Thread.java:748)

2021-11-13 16:22:57.534 org.sleuthkit.autopsy.recentactivity.ExtractJumpLists extractLnkFiles
WARNING: No such document, or the Entry represented by documentName is not a DocumentEntry link file is C:\Users\redacted\AppData\Local\Temp\Autopsy\thor_20211113_155532\Temp\RecentActivity\jumplists_0\cd281d8d569a7706.automaticDestinations-ms_597144
org.sleuthkit.autopsy.coreutils.JLnkParserException: java.nio.BufferUnderflowException
	org.sleuthkit.autopsy.coreutils.JLnkParser.parse(JLnkParser.java:212)
	org.sleuthkit.autopsy.recentactivity.ExtractJumpLists.extractLnkFiles(ExtractJumpLists.java:197)
	org.sleuthkit.autopsy.recentactivity.ExtractJumpLists.process(ExtractJumpLists.java:118)
	org.sleuthkit.autopsy.recentactivity.Extract.process(Extract.java:108)
	org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:139)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:93)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:72)
	org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
	org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1085)
	org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:41)
	org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
	java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	java.util.concurrent.FutureTask.run(FutureTask.java:266)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	java.lang.Thread.run(Thread.java:748)
java.nio.BufferUnderflowException
	org.sleuthkit.autopsy.coreutils.JLnkParser.parse(JLnkParser.java:212)
	org.sleuthkit.autopsy.recentactivity.ExtractJumpLists.extractLnkFiles(ExtractJumpLists.java:197)
	org.sleuthkit.autopsy.recentactivity.ExtractJumpLists.process(ExtractJumpLists.java:118)
	org.sleuthkit.autopsy.recentactivity.Extract.process(Extract.java:108)
	org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:139)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:93)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:72)
	org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
	org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1085)
	org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:41)
	org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
	java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	java.util.concurrent.FutureTask.run(FutureTask.java:266)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	java.lang.Thread.run(Thread.java:748)
2021-11-13 16:37:48.364 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [	objId 0000593585	name This PC (2).lnk	parentId -1		checkedHasChildren false	hasChildren false	childrenCount -1uniquePath null]	AbstractFile [		fileType FS	ctime 1634852470	crtime 1488223434	mtime 1488223434	atime 1615046718	attrId 3	attrType TSK_FS_ATTR_TYPE_NTFS_DATA	dirFlag Allocated	dirType REG	uid 0	gid 0	metaAddr 579643	metaSeq 12	metaFlags [Allocated, Used]	metaType r	modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH]	parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/	size 104	knownState UNKNOWN	md5Hash null	sha256Hash null	localPathSet false	localPath null	localAbsPath null	localFile null]	FsContent [	fsObjId 2	uniquePath null	fileHandle 926221728]	File [	]	
2021-11-13 16:37:48.366 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [	objId 0000593587	name This PC (3).lnk	parentId -1		checkedHasChildren false	hasChildren false	childrenCount -1uniquePath null]	AbstractFile [		fileType FS	ctime 1634852470	crtime 1494277493	mtime 1494277493	atime 1615046718	attrId 3	attrType TSK_FS_ATTR_TYPE_NTFS_DATA	dirFlag Allocated	dirType REG	uid 0	gid 0	metaAddr 120553	metaSeq 34	metaFlags [Allocated, Used]	metaType r	modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH]	parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/	size 104	knownState UNKNOWN	md5Hash null	sha256Hash null	localPathSet false	localPath null	localAbsPath null	localFile null]	FsContent [	fsObjId 2	uniquePath null	fileHandle 926221760]	File [	]	
2021-11-13 16:37:48.367 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [	objId 0000593589	name This PC (4).lnk	parentId -1		checkedHasChildren false	hasChildren false	childrenCount -1uniquePath null]	AbstractFile [		fileType FS	ctime 1634852470	crtime 1512169948	mtime 1512169948	atime 1615046718	attrId 3	attrType TSK_FS_ATTR_TYPE_NTFS_DATA	dirFlag Allocated	dirType REG	uid 0	gid 0	metaAddr 41129	metaSeq 350	metaFlags [Allocated, Used]	metaType r	modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH]	parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/	size 104	knownState UNKNOWN	md5Hash null	sha256Hash null	localPathSet false	localPath null	localAbsPath null	localFile null]	FsContent [	fsObjId 2	uniquePath null	fileHandle 926221888]	File [	]	
2021-11-13 16:37:48.368 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [	objId 0000593591	name This PC (5).lnk	parentId -1		checkedHasChildren false	hasChildren false	childrenCount -1uniquePath null]	AbstractFile [		fileType FS	ctime 1634852470	crtime 1536587890	mtime 1536587890	atime 1615046718	attrId 3	attrType TSK_FS_ATTR_TYPE_NTFS_DATA	dirFlag Allocated	dirType REG	uid 0	gid 0	metaAddr 12654	metaSeq 22	metaFlags [Allocated, Used]	metaType r	modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH]	parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/	size 104	knownState UNKNOWN	md5Hash null	sha256Hash null	localPathSet false	localPath null	localAbsPath null	localFile null]	FsContent [	fsObjId 2	uniquePath null	fileHandle 926220288]	File [	]	
2021-11-13 16:37:48.369 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [	objId 0000593593	name This PC (6).lnk	parentId -1		checkedHasChildren false	hasChildren false	childrenCount -1uniquePath null]	AbstractFile [		fileType FS	ctime 1634852470	crtime 1539871380	mtime 1539871380	atime 1615046718	attrId 3	attrType TSK_FS_ATTR_TYPE_NTFS_DATA	dirFlag Allocated	dirType REG	uid 0	gid 0	metaAddr 568488	metaSeq 139	metaFlags [Allocated, Used]	metaType r	modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH]	parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/	size 104	knownState UNKNOWN	md5Hash null	sha256Hash null	localPathSet false	localPath null	localAbsPath null	localFile null]	FsContent [	fsObjId 2	uniquePath null	fileHandle 926221184]	File [	]	
2021-11-13 16:37:48.369 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
WARNING: Error lnk parsing the file to get recent files AbstractContent [	objId 0000593595	name This PC.lnk	parentId -1		checkedHasChildren false	hasChildren false	childrenCount -1uniquePath null]	AbstractFile [		fileType FS	ctime 1634852470	crtime 1472222062	mtime 1472222062	atime 1615046718	attrId 1	attrType TSK_FS_ATTR_TYPE_NTFS_DATA	dirFlag Allocated	dirType REG	uid 0	gid 0	metaAddr 171844	metaSeq 1	metaFlags [Allocated, Used]	metaType r	modes [TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXUSR, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IXOTH]	parentPath /Users/redacted/AppData/Roaming/Microsoft/Windows/Recent/	size 104	knownState UNKNOWN	md5Hash null	sha256Hash null	localPathSet false	localPath null	localAbsPath null	localFile null]	FsContent [	fsObjId 2	uniquePath null	fileHandle 926220352]	File [	]	
2021-11-13 16:56:38.021 org.sleuthkit.autopsy.recentactivity.RAImageIngestModule process
INFO: Recent Activity has been canceled, quitting before Registry
2021-11-13 16:56:38.021 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule executeTask
INFO: Recent Activity analysis of I: finished
2021-11-13 16:56:38.022 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Finished first stage analysis (data source = I:, objId = 1, pipeline id = 0, ingest job id = 1)
2021-11-13 16:56:38.022 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Finished all tasks (data source = I:, objId = 1, pipeline id = 0, ingest job id = 1)
2021-11-13 16:56:38.024 org.sleuthkit.autopsy.ingest.IngestManager finishIngestJob
INFO: Ingest job 0 completed

sifter · December 4, 2021, 1:05am

How did you set it to six cores? The user guide says it can only use four. Thanks for any tips you can share.

I’m running autopsy on a 24core/48thread system with 256G ram and an 8-spindle RAID – and wishing it was using more of the available compute.

Topic		Replies	Views
Recent Activity Autopsy Help	1	450	April 20, 2020
Recent activity ingest stops every single time Autopsy Help	1	42	April 16, 2024
Performance Issues (Ingest Modules) Autopsy Help	6	1791	March 31, 2021
Autopsy performance issues Online Training	0	665	April 26, 2020
Section 8: Can't find Recent activity module Online Training	2	992	May 5, 2020

Recent Activity - running? hung?

Related Topics