Section 8 - Recent Activity. Missing "Installed Programs"

Trying to complete Section 8 Quiz a question asks if MPlayer3 is installed on analyzed system.

“Installed Programs” doesn’t appear in the tree below Extracted Concent and Logs show this errors. It seems like a problem related to date format:

2020-05-06 12:00:47.369 org.sleuthkit.autopsy.recentactivity.ExtractRegistry parseAutopsyPluginOutput
*WARNING: RegRipper::Conversion on DateTime -> *
java.text.ParseException: Unparseable date: “Tue Oct 29 16:54:05 2019”

• java.text.DateFormat.parse(DateFormat.java:366)*
• org.sleuthkit.autopsy.recentactivity.ExtractRegistry.parseAutopsyPluginOutput(ExtractRegistry.java:562)*
• org.sleuthkit.autopsy.recentactivity.ExtractRegistry.analyzeRegistryFiles(ExtractRegistry.java:319)*
• org.sleuthkit.autopsy.recentactivity.ExtractRegistry.process(ExtractRegistry.java:1840)*
• org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:127)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:200)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:113)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestJob.process(DataSourceIngestJob.java:744)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)*
• org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:926)*
• java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)*
• java.util.concurrent.FutureTask.run(FutureTask.java:266)*
• java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)*
• java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)*
• java.lang.Thread.run(Thread.java:748)*
  2020-05-06 12:00:47.38 org.sleuthkit.autopsy.recentactivity.ExtractRegistry parseAutopsyPluginOutput
  SEVERE: Failed to parse epoch time for installed program artifact.
  java.text.ParseException: Unparseable date: “Tue Mar 19 06:23:27 2019”
• java.text.DateFormat.parse(DateFormat.java:366)*
• org.sleuthkit.autopsy.recentactivity.ExtractRegistry.parseAutopsyPluginOutput(ExtractRegistry.java:741)*
• org.sleuthkit.autopsy.recentactivity.ExtractRegistry.analyzeRegistryFiles(ExtractRegistry.java:319)*
• org.sleuthkit.autopsy.recentactivity.ExtractRegistry.process(ExtractRegistry.java:1840)*
• org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:127)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:200)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:113)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestJob.process(DataSourceIngestJob.java:744)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)*
• org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:926)*
• java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)*
• java.util.concurrent.FutureTask.run(FutureTask.java:266)*
• java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)*
• java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)*
• java.lang.Thread.run(Thread.java:748)*
  2020-05-06 12:00:47.395 org.sleuthkit.autopsy.recentactivity.RAImageIngestModule process
  SEVERE: Exception occurred in Registry
  java.lang.NullPointerException
• org.sleuthkit.autopsy.recentactivity.ExtractRegistry.parseAutopsyPluginOutput(ExtractRegistry.java:750)*
• org.sleuthkit.autopsy.recentactivity.ExtractRegistry.analyzeRegistryFiles(ExtractRegistry.java:319)*
• org.sleuthkit.autopsy.recentactivity.ExtractRegistry.process(ExtractRegistry.java:1840)*
• org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:127)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:200)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:113)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestJob.process(DataSourceIngestJob.java:744)*
• org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)*
• org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:926)*
• java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)*
• java.util.concurrent.FutureTask.run(FutureTask.java:266)*
• java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)*
• java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)*
• java.lang.Thread.run(Thread.java:748)*
  2020-05-06 12:01:02.268 org.sleuthkit.autopsy.recentactivity.SearchEngineURLQueryAnalyzer complete
  INFO: Search Engine URL Query Analyzer has completed.
  2020-05-06 12:01:02.268 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline process
  INFO: Recent Activity analysis of device1_laptop.e01 (jobId=1) finished
  2020-05-06 12:01:02.269 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
  INFO: Finished first stage analysis (data source = device1_laptop.e01, objId = 1, jobId = 1)
  2020-05-06 12:01:02.27 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
  INFO: Finished analysis (data source = device1_laptop.e01, objId = 1, jobId = 1)
  2020-05-06 12:01:02.276 org.sleuthkit.autopsy.ingest.IngestManager finishIngestJob

Hello,

Did you try closing the Autopsy program and reopening it? We know that on some systems the UI is not refreshing. Based off of your log, it looks like everything ran, it just looks like your UI may not be refreshing properly.

Hello,

Thanks for your answer.

Yes I did it! I ran Recent Activity ingest yesterday and since then I restarted Autopsy several times.

For me, the log seems to say there is a problem parsing the date and hour due to unexpected format (Windows system is in Spanish).

Yes, we understand that, but not being able to read one date should not cause the ingest module to fail.

It looks like something else is happening on your system that is causing either your UI to not refresh, or the ingest modules are not running, or maybe even some aspect of Autopsy itself is being sandboxed by antivirus/EDR/etc.

Can you please share screenshots of your UI, and the Ingest Module interface?

image1366×728 63.4 KB

Thanks for your help.

image848×611 25.8 KB

Is this enough?

Yes, that is perfect. Thank you. Can you also send the full logs to support[@]autopsy[.]com? We will submit this as a bug, and pass that on to the development team and see if we can figure out why this is happening. Everything else is populating as it should, but for some reason, the Installed Applications is not.

Hello Briamñ,
This problem also happens in OS in Portuguese.
it is a problem I have with Autopsy several summers.
If you need a log to test the problem, let me know.

Thank you

Problem apears on Polish OS too, also with analizing Edge history .

I have same problem, “Installed Programs” doesn’t appear after run Recent Activity ingest.

Due to a bug with some foreign language sets not being able to view some data from Ingest Modules, this question has changed.

Thank you for identifying it as a bug.