Session 8 duplicate artifacts problem

Due to difficulties in finding the file from the previous session, I have started the ingest module several times, which means that in the view of the last activity - extracted content I have the results doubled. This doesn’t have a major impact on the entire training; however, I would like to know how to undo this process. We can run an ingest module several times during the investigation, so in my opinion it shouldn’t duplicate displayed results.

There’s no way to undo it through Autopsy. Some artifact types do prevent duplicates but those are primarily on the modules that it might make sense to run more than once. For example, you might add an Interesting File rule and want to run again. There’s no reason to run Recent Activity more than once on a data source and checking for duplicates before creating each artifact leads to a fairly significant performance hit.

OK, so if I understand correctly, when I have done Recent Activity and another ingest module, I can uncheck those options when I launch the next ingest module again, yes? For example:


Unchecking previously performed operations will not affect the next search result?

Yes, in general you can run each ingest module separately and expect to see the same results, and there’s no reason to run an ingest module twice unless you’ve changed the settings. There are a few exceptions:

  • If you’re using a central repository, you should always run Correlation Engine. Otherwise new artifacts found in that ingest session will not be added to the central repo.
  • If you’re running Embedded File Extractor or PhotoRec Carver for the first time you’ll also need to enable any modules that should be run on the files being extracted. I don’t think there’s any reason to run those two more than once, so as long as you run them the first time with everything else you shouldn’t need to worry about that.

Also, since it might be your next question, we do not de-dupe keyword hits coming from the ingest module. We tried, but determining if two keyword hits are the same ended up being a very time-consuming process.

I am grateful for your help and extensive explanation.

So there is no way to remove duplicated artifacts?

No, there is no way to remove them short of editing the case database manually.
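
Added example, not part of the thread and not Autopsy code: a read-only way to list artifacts that were created twice, by fingerprinting each artifact's source object, type and attribute set. The two-table layout, its column names and the sample rows are hypothetical stand-ins constructed for this example; the real case database schema is not shown on this page.

```python
import hashlib
import sqlite3
from collections import defaultdict

# Simplified, hypothetical layout: one row per artifact, one row per attribute.
SCHEMA = """
CREATE TABLE artifacts (artifact_id INTEGER PRIMARY KEY, obj_id INTEGER, type_name TEXT);
CREATE TABLE attributes (artifact_id INTEGER, attr_name TEXT, value TEXT);
"""

def build_sample_db():
    """Constructed sample: the same module run twice over one source file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    arts = [(1, 100, "WEB_HISTORY"), (2, 100, "WEB_HISTORY"),  # same visit, two runs
            (3, 100, "WEB_HISTORY"), (4, 200, "WEB_COOKIE")]
    attrs = [(1, "URL", "http://example.test/a"), (1, "DATETIME", "1600000000"),
             (2, "DATETIME", "1600000000"), (2, "URL", "http://example.test/a"),
             (3, "URL", "http://example.test/b"), (3, "DATETIME", "1600000000"),
             (4, "NAME", "sid"), (4, "DOMAIN", "example.test")]
    conn.executemany("INSERT INTO artifacts VALUES (?, ?, ?)", arts)
    conn.executemany("INSERT INTO attributes VALUES (?, ?, ?)", attrs)
    return conn

def find_duplicate_artifacts(conn):
    """Return lists of artifact ids that share source object, type and attributes."""
    groups = defaultdict(list)
    rows = conn.execute(
        "SELECT artifact_id, obj_id, type_name FROM artifacts ORDER BY artifact_id"
    ).fetchall()
    for artifact_id, obj_id, type_name in rows:
        # Sort attributes so insertion order does not change the fingerprint.
        attrs = conn.execute(
            "SELECT attr_name, value FROM attributes WHERE artifact_id = ? "
            "ORDER BY attr_name, value", (artifact_id,)).fetchall()
        digest = hashlib.sha256(repr((obj_id, type_name, attrs)).encode()).hexdigest()
        groups[digest].append(artifact_id)
    # Only fingerprints seen more than once are duplicates.
    return [ids for ids in groups.values() if len(ids) > 1]

if __name__ == "__main__":
    print(find_duplicate_artifacts(build_sample_db()))
```

The function only reads; running this kind of check against a working copy rather than the live case file keeps the original database untouched.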