Section 9 Lab Question #2

I’m lost as to where the answer came from for Question 2 of Lab #9.

How many hits are there for “Renzik” in NTUSER.DAT?

Can someone please explain where they found that answer please?


Search hits are found in the left panel under Results --> Keyword Hits. If you followed the training, you created a Training group and a renzik keyword.

Clicking the renzik keyword in the Training group populates the top right panel with files containing the keyword. Navigate to NTUSER.DAT (remember, you can click any filename and type ntuser as a shortcut to finding the file). When you select the file in the upper right panel (Listing), the lower right panel (Data Content) will display the search hits (under Text --> Indexed Text). Use the arrows to navigate through the hits.

I must have missed a step along the way so I re-did all the labs and I was able to find it how you explained. Thanks!

I had the same question. John Lehr is right that you can see the hits in the Data Content pane but I found that if I clicked on the Match right arrow to see the 4 hits on Page 11 then clicked the right arrow again it jumped to Page 12, where there are 6 more hits, so I think the correct answer is that there are 10 hits on “renzik” in NTUSER.dat. I think it would be a useful enhancement to add a Total Hits column to the UI to make it easier to get this information (Or is it already available and I just haven’t found where?)


Hello.

I have 2 problems about Keyword Search module running:

  1. The Analysing files task is very slow: it reached 20% after 18 hours!
  2. At this time (18 hours), it had not found a matching file, and I have a warning message (obtained by clicking on the orange-yellow circle at the bottom right corner of the window): “CEST No keyword in Keyword list”.
    But I did define a new Keyword list, with the word renzik inside, and I clicked Apply and OK.

See the screen copy.

I hope for your indications about this.

I am having the same issue too. What could be the problem? Any assistance?

Hello, dnjora.
So, we are 2 with this problem, and probably more!
I hope somebody will answer about a solution.

Best regards.

Hi
Please check that only the “Keyword Search” ingest module is enabled. If any other ingest module is running, deselect it.

Thank you, Chakradhar, for your answer.

I ran Ingest with only Keyword Search. It’s not the problem.
I know now why it occurred: I had not ticked the keyword list in the keyword ingest module settings (see the screen copy; the name of my keyword list is “Pour cours”).
I thought the definition of the list (by Tool > Options > Keyword Search and List) was sufficient.

dnjora, have you ticked your Keyword list?

But I have now another problem: the ingestion stops at 64%. It runs normally for 2 hours, reaching 63%, and after that there is no progression (always 64%). The error, which appeared 1½ hours after beginning and repeated until I stopped, is:
Server refused connection at: http://localhost:23232/solr/case1_20200516_09456_2020516_09459

How to fix this error?

Based off what you are describing from the “Server refused connection”, I would guess (it's hard to say for sure) that something on your system is being put to sleep after not being used for XX minutes. Maybe it's your hard disk, maybe it's the network adapter; something seems to be interfering with it running. Check to make sure no power settings are on. Also check to make sure that you have disk space, because although that should be a different looking error, that could also be causing what you are seeing.

Thank you, Brian, for your answer.

Unfortunately, I think your hypotheses are not the right ones.

  • I have enough space: 250 GB on the disk where the case is.
  • There is no setting for sleeping. The computer is a desktop (not a notebook). The only sleep setting was for the disks at 20 minutes; I set it to 1160 minutes (19 hours).
  • No other sleep settings.

After the modification, I rebooted the computer and retested the Keyword Search module. It was awful! It stopped at 1%, 5 minutes after starting, with exactly the same repeated error: http://localhost:23232/solr/case1_20200516_09456_2020516_09459

In my previous post, I forgot to indicate: I obtained 210 hits for the keyword search.

I can’t tell what the cause of this problem is.

From your response, your hard disk did likely go to sleep after a set period of time (you said you changed the settings afterwards) and that may have ended up causing a corruption in your case database. Completely starting a new case may yield the results you are looking for, but it is possible that your Autopsy installation (and user settings, preference, etc) may also have been corrupted with disk access being halted due to the original settings, which according to your statement, have been changed, but it is possible that the corruption issue is already present and nothing short of a completely clean re-installation will fix it.

Again, it's hard to say for certain, but based off a quick search for a couple other results of what you are seeing, it looks like Autopsy data corruption, due to the original settings of your disks going to sleep after a period of time, is most likely the cause. (A search for “http://localhost:23232/solr” on Google will yield plenty of similar results, but I only listed two below)

https://sourceforge.net/p/sleuthkit/mailman/message/35509888/

Thank you Brian for the research you did.

So, I uninstalled Autopsy (4.15.0). I deleted the directory of the case and the central_repository. I reinstalled Autopsy 4.15.0. I created the case again, with the same source of data.
I set up the Keyword Search with the list including the word renzic.
I set the ingest modules, selecting only the Keyword Search module. I verified that the list I created was ticked.

This Keyword Search was the first and the only ingest module I ran.

Unfortunately, the result is bad.
32 minutes after starting the ingestion, the same error appeared, at 21%:
Error performing query renzik. Server refused connection at http://localhost:23232/solr/case1_20200532 11549 20200523 11 502.
The number of hits for renzik was 35, less than the first time (210).

The computer was rebooted several times after the modification of the hard disk stopping time, and I verified that the new amount of minutes is still 1160 minutes.

So the problem is not a stop of the hard disk.

The problem remains. It’s a pity!

Have a good evening.

Do you have some kind of firewall or AV rule running that is preventing the communication from happening on that port?

These two links might be able to help you walk through what others with a similar issue did:

Yes, Brian, I use the firewall Comodo and the antivirus AVAST (free version).
Do you want me to test again, deactivating Comodo and Avast?
If yes, is it necessary to uninstall Autopsy 4.15.0?

For security, does Autopsy need Internet access while running ingestion? If yes, I shall keep the network plug out.

Thank you very much for your help.

Brian, I tested without firewall (Comodo stopped) and without antivirus (Avast).
I obtained exactly the same error, after 4 minutes.

Do you want me to uninstall Autopsy, in case its configuration is corrupted?

Good night.

Hello, Brian.

I tried again, in a clean situation: the case deleted, Autopsy uninstalled, the autopsy directory in users\my self\appData\Roaming deleted, directory of the case deleted, Autopsy reinstalled, running only the keyword search ingest module, with firewall and antivirus stopped (network plug off).

It’s better, but not perfect.

The progression reached 83% with a good speed. But, after staying some time at 83%, the ingestion stopped by itself (not stopped by me after blocking), as if finished but with the no-entry symbol, which gave the error:
“Keyword indexing error: Keyword index service had errors indexing”, without more about the error.
245 hits, from 45 minutes (at 17%) after starting until 83%.
The result is good enough, but the ingest finished with this error before completion.

The autopsy.log.0 (in the case directory) is big: 1.39 GB, so I can’t open it with Notepad++.

What do you think of this result ?
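Since a 1.39 GB log cannot be opened in an editor, here is an added Python script (not part of this thread or of Autopsy itself) that streams a log file line by line and counts the two error strings quoted above; the sample log lines and the case-name part of the Solr URL are constructed placeholders.

```python
"""Stream-scan a large Autopsy log for Solr connection and indexing errors.

Constructed example: the file is read one line at a time, so a multi-GB
autopsy.log.0 never has to be loaded into memory or an editor.
"""
import re
from collections import Counter

# Patterns built from the error strings quoted in the thread. The case-name
# part of the Solr URL differs per case, so it is matched generically.
PATTERNS = {
    "solr_refused": re.compile(
        r"Server refused connection at:? ?(?P<url>http://localhost:23232/solr/\S+)"),
    "index_error": re.compile(r"Keyword index service had errors indexing"),
}

def scan_log(lines):
    """Return per-error counts and the first (line number, text) that hit each."""
    counts = Counter()
    first_hit = {}
    for lineno, line in enumerate(lines, 1):
        for name, pat in PATTERNS.items():
            if pat.search(line):
                counts[name] += 1
                first_hit.setdefault(name, (lineno, line.rstrip()))
    return counts, first_hit

def scan_file(path):
    """Scan a log file on disk; errors='replace' keeps going past odd bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh)

# Constructed sample log lines (not real Autopsy output); the case name in
# the URL is a placeholder.
SAMPLE_LOG = """\
2020-05-23 11:02:01 INFO Ingest started: Keyword Search
2020-05-23 11:34:10 SEVERE Error performing query renzik. Server refused connection at: http://localhost:23232/solr/case1_PLACEHOLDER
2020-05-23 11:34:11 SEVERE Error performing query renzik. Server refused connection at: http://localhost:23232/solr/case1_PLACEHOLDER
2020-05-23 11:40:00 WARNING Keyword indexing error: Keyword index service had errors indexing
"""

if __name__ == "__main__":
    counts, first = scan_log(SAMPLE_LOG.splitlines())
    for name, n in counts.items():
        print(f"{name}: {n} occurrence(s), first at line {first[name][0]}")
```

Run it against the real file with `scan_file(r"path\to\autopsy.log.0")`; the first-hit line number tells you where in the ingest timeline the refusals began.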

It sounds like you got it working with a fresh install. The application does not need network connectivity; however, it does “send data” over port 23232, and while that is an internal communication, you still have to ensure that your firewall isn't blocking the application or that port (or allow communication from your source to destination IP, or however you'd like to ensure the firewall is allowing the data to flow if it is indeed blocking something).

It still sounds like the keyword searching is not fully completing, and even if it does, I don’t know why you are getting errors. It is always possible that there is a bug of some sort; that is always possible with any software used by any user. But I would probably say the small number of individuals like yourself that are having problems probably share something hardware/software/network/application-wise in common, but that's just a slightly educated guess based on the steps that you’ve taken and the information you shared.

You can send in a bug report to the support email address, and include the logs and screenshots, and maybe we will be able to find out what it was with the detailed log information, but it's honestly hard to say without it, and might even be with the log. Since it seems to work better as you made changes in your software and hardware configuration, it looks more like it's something there that is causing issues, rather than the Autopsy application itself.