I am a student working on creating a project image for other students to analyze. I am using an HP Pavilion laptop running WIN10 as the target machine. It has a 250gb hard drive with about 220 of that usable to Windows. I backdated the BIOS, installed the OS, did some Edge browsing (the only browser to let you surf with time backdated a year), and then took an image of the drive with dc3dd on to a portable SSD. Took that image and put it on my workstation (Dell Precision 7740, i7-9850H, 32 Gigs of RAM) and ran Autopsy 4.16.0 against it. Started it at 11 pm last night and then when I checked on it 10 hours later, I was stuck at 50% on the Recent Activity ingest module. This is the second time I had run it and got to the same place with 10+ hours. The only thing logged when I canceled the module was * Failure processing Microsoft Edge WebCacheV01.dat file.
So took an alternate path to see if I would get another result. I downloaded TSURUGI acquire and booted with that, ran Guymager to do the acquisition, and put them in E01 form this time. The crazy thing is it gets to the exact same spot. I let it run this time from 1 pm to now (almost 17 hours) and its stopped where it reached in roughly 25 min.
Having this same issue with ingest module ‘Recent Activity’ freezing at 53%. When cancelled I receive the same error as OP ‘Failure processing Microsoft Edge WebCacheV01.dat’.
There has been a recent fix put in which will go into the next version of Autopsy that does address an infinite loop that is occurring in one of the RegRipper modules that is run as part of the Recent Activity Module in Autopsy. I also was getting this hang so that is how I know about it. If you would like to try and see if this will fix your issue then you can do the following, this should be ok to do on the last few versions of Autopsy.
Go to the following directory C:\Program Files\Autopsy-4.xx.0\autopsy\rr-full\plugins and rename the file shellactivities.pl to shellactivities.old.
Copy the file from #2 to the directory C:\Program Files\Autopsy-4.xx.0\autopsy\rr-full\plugins.
Restart Autopsy and try running the Recent Activity ingest module and see if it goes past 50%
The error I was running into was that the registry entry that shellactivities was reading created a infinite loop where it read past the end of the data and kept going. If that does not fix the issue then some more debugging will need to be done. If you have any questions let me know.
I also gave this a try (I just copied the code from the Github page - I can never find how to download files!) and saved it using notepad and it still stuck on 53%.
Is there anything I can check to see if I’m getting the error this should be addressing specifically?
Did you just right click Mark’s hyperlink and save as? Because I initially did that and it actually saved the website as the file - once I opened the file, it was a bunch of HTML and something like 15KB whereas the original code is about 6KB
Can you post here or send me a DM with the autopsy.log file when it your hang happens. I should be able to tell you what file is causing the issue. If you could then share that file it will help greatly in figuring out what the issue is.
Hi Mark - here’s the log data. Assuming it’s UsrClass.dat you would want to look at, unfortunately while this is labelled as “Test Laptop” it’s actually one our investigators use and there’s a bunch of confidential names etc in ShellBags that I can’t release. Probably doesn’t help much!
2020-12-18 09:00:01.802 org.sleuthkit.autopsy.recentactivity.ExtractRegistry analyzeRegistryFiles
INFO: Registry- Now getting registry information from C:\Users\Occas\AppData\Local\Temp\Autopsy\Case\test_laptop_20201215_135736\RecentActivity\reg\UsrClass.dat
2020-12-18 09:00:01.802 org.sleuthkit.autopsy.recentactivity.ExtractRegistry ripRegistryFile
INFO: Writing Full RegRipper results to: D:\Autopsy Cases\Test laptop\ModuleOutput\RecentActivity\reg\UsrClass.dat-regripper-17949-full.txt
2020-12-18 09:24:36.879 org.sleuthkit.autopsy.recentactivity.RAImageIngestModule process
INFO: Recent Activity has been canceled, quitting before
2020-12-18 09:24:36.879 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline process
INFO: Recent Activity analysis of TestLaptop-Liteon.E01 (pipeline=0) finished
2020-12-18 09:24:36.88 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Finished first stage analysis (data source = TestLaptop-Liteon.E01, objId = 1, pipeline id = 0, ingest job id = 12)
2020-12-18 09:24:36.88 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Finished analysis (data source = TestLaptop-Liteon.E01, objId = 1, pipeline id = 0, ingest job id = 12)
2020-12-18 09:24:36.883 org.sleuthkit.autopsy.ingest.IngestManager finishIngestJob
INFO: Ingest job 0 completed
