I have an image that I am trying to generate a timeline of activity for - in this particular case, there are a spectacular number of deleted files that I am not in the least bit interested in. Every time I try to add a data source it ‘hangs’ on adding $OrphanFiles - I can see that there is a low level of disk activity continuing (around 100-200kb/s) but even after running for hours there is no sign of any progress. Nothing more is logged.
As I am really not that interested in the deleted files, is there any config flag etc. to set that will stop Autopsy from ingesting these? It’s an NTFS volume, not FAT, so the tick box isn’t effective.
Edit: checking with Process Monitor, the process is still reading sectors, just mind-numbingly slowly; it’s reading about 96k per second (and this is from a vmdk on an SSD) - at that rate, it looks like it would take nearly 9 days to process the 61Gb partition… it seems incredible that such a long running, slow process would be forced, with no means to bypass?