Hello, I am working on section 10 and am having troubles running ingest modules a second time after the first time had an error with the correlation engine not having a central repository defined.
- I added the new media device2 image to the data source.
- This prompted me to run ingest modules.
- Followed instructions to add only “Hash lookup”, “Exif parser” and “Correlation engine”
- Had an issue with correlation engine because the central repository wasn’t set up.
- Set up correlation engine with sqlite database
- Attempted to run ingest modules again by right-clicking on the device2 and clicking “run ingest modules”
- “Hash lookup”, “Exif parser” and “Correlation engine” now have the yellow triangles beside them indicating they have already been run.
- When I click “Finish” after selecting these modules, I don’t see any status bars to indicate any processing has been done.
It might have just run really fast. The ingest progress bar appears in the lower right of the screen - the “Status Area” in the first screenshot on this page: http://sleuthkit.org/autopsy/docs/user-docs/4.15.0/uilayout_page.html . When you add a data source and run ingest, the progress bar in the dialog is only showing the progress of adding the data source.
You can check if hash lookup ran by selecting any file in the data source and seeing if it has a hash value listed in the MD5 column in the result viewer. Exif Parser may have generated some Exif artifacts.
Actually I’m having the exact same issue. There was no central repository selected (I don’t remember the course asking me to do this, maybe I’m wrong). Nothing shows up in the interesting files section, but the media card has been imported.
Do you know what’s supposed to show up under Interesting Files? Previous notable items? Devices seen? I’ve never looked at the training.
I’d suggest making a new case and trying again. The correlation engine module doesn’t do anything on its own; it just handles data created by the other ingest modules. So if you run other modules without the correlation engine it may be impossible to get some data into the central repo due in part to de-duping of certain artifacts even if you run everything correctly later.
I believe there is an issue because of the first quiz question
Was an Interesting Item created because a file on the media card was previously marked as notable?
I didn’t have an interesting item created, although I had an image marked notable from the laptop image.
When looking at the notable image, the “other occurrences” tab shows the occurrences of the notable image on the laptop and two on the media card image.
Hmm I’m not sure why you wouldn’t be getting an interesting item. A few things to verify - when you select the file from the laptop data source in the other occurrences tab, is the known status shown as “notable” in red?
When setting up ingest, was the “Flag items previously tagged as notable” checkbox selected? (it should be by default…)
I’d propose doing a very small test case as follows:
- Make a new case
- Using the logical files data source processor, process a single file. Run hash and correlation engine
- Tag that file as notable (Add File Tag->Notable Item (notable))
- Close that case
- Make a new case following the same procedure (apart from tagging the file)
That really should generate an interesting item.