When I request a timeline, Autopsy displays the “Too many files in DB … timeline will be disabled” message.
Is it possible to force this analysis or even to give selective criteria to carry out this analysis?
The timeline has three views: Counts, Details, and List. Is it giving you this message before you see the UI and can choose one of those views? Or, only after you pick a certain one?
This message appears very quickly without any options being presented.
@ML62 Is the error you’re seeing “There are too many files in the DB to ensure reasonable performance. Timeline will be disabled.”? It looks like Timeline won’t open if the database has more than six million entries. Do you think that’s the case for your database?
Yes, that’s exactly the message displayed. On the other hand, I only have 2,242 million files deleted and a maximum of 34 miles of “normal” files. I am therefore quite far from the 6 million mentioned.
Do you have any ideas to unlock the situation?
I haven’t read anything about it for several days. Your opinion is important because I have to start my analysis in a few days. If we can’t find a solution with Autopsy, can you recommend an alternative for a disk analysis? My primary goal is to understand the past activity of 2TB USB disks, especially with regard to deleted files.
By the way, how to find a history of the USB connections of these disks (W2016 system)?
There’s currently no way around the limit. If you’re building Autopsy yourself you could remove it but I’m not sure how well Timeline will work with 35+ million files.
I have trouble expressing myself in one of my answers (16/07). To clarify…
Disk size: 2TB
Files deleted: 2.242.000 "files/orphan entries"
Files: 34.000
And so, the announced limits are far from being reached!
Thank you for your follow-up and advice.
No reaction? I can’t believe I’m the only one with this (simple) problem! But maybe I made a wrong manipulation or configuration.
Thank you for sharing your impressions and experiences.
So the actual count is from a query of the tsk_files table in autopsy.db. It ends up being:
SELECT COUNT(*) AS count FROM tsk_files WHERE (1 = 1)
You could check the size of your tsk_files table. It tends to be larger than the actual number of files in your case since there can be entries for slack space and the parent and current folders ("." and "..").
We could change that error to allow the user to continue anyway. We’d need to do some testing first, though. It’s been a while but I seem to remember Timeline just being unusable with that number of files.
To add to what Ann has already stated:
In the current timeline database there will more than likely be at least 3-4 entries for each file, making the total number of entries it looks at larger than what you think it should be based on file count. The reason for the 3-4 more entries is based on the timestamps that each file may have (crtime, mtime, atime and ctime). There may also be entries in there for extracted content as well.
As an example, I have an image that was loaded in Autopsy and it has 118 files in it. Each file has 4 timestamps associated with it. This will then turn into 472 files in the timeline database, so you can see where the 6 million files will be easily met.
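The check discussed in this thread, as an added example that is not part of any post above and is not Autopsy's own code: it runs the quoted count against tsk_files, then shows how many rows are "." / ".." entries and how many timestamp entries the files produce. Assumptions: a single-user case whose autopsy.db is SQLite, a placeholder path, unset timestamps stored as 0 or NULL, and the six million limit taken from the posts rather than from Autopsy.

```python
import sqlite3

TIMELINE_LIMIT = 6_000_000  # figure quoted in this thread, not read from Autopsy
TIMESTAMPS = ("crtime", "mtime", "atime", "ctime")  # columns named in the thread


def open_case_db(path):
    """Open a working copy of autopsy.db read-only so it cannot be altered."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def timeline_load(conn, limit=TIMELINE_LIMIT):
    """Count what the limit check sees and what inflates it."""
    def count(where="1 = 1"):
        sql = f"SELECT COUNT(*) FROM tsk_files WHERE ({where})"
        return conn.execute(sql).fetchone()[0]

    total = count()  # the query quoted in the thread
    dot_rows = count("name IN ('.', '..')")  # current/parent folder entries
    # ASSUMPTION: an unset timestamp is stored as 0 or NULL.
    stamped = {col: count(f"{col} > 0") for col in TIMESTAMPS}
    return {
        "tsk_files_rows": total,
        "dot_rows": dot_rows,
        "timestamp_entries": sum(stamped.values()),
        "over_limit": total > limit,
    }


def build_sample_db():
    """Constructed stand-in for autopsy.db: 118 files plus '.' and '..' rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tsk_files (name TEXT, crtime INTEGER, "
        "mtime INTEGER, atime INTEGER, ctime INTEGER)"
    )
    rows = [(f"file{i}.dat", 1600000000 + i, 1600000100 + i,
             1600000200 + i, 1600000300 + i) for i in range(118)]
    rows += [(".", 0, 0, 0, 0), ("..", 0, 0, 0, 0)]
    conn.executemany("INSERT INTO tsk_files VALUES (?, ?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    # For a real case: timeline_load(open_case_db("/path/to/copy/autopsy.db"))
    print(timeline_load(build_sample_db()))
```

Run it against a copy of the case database with Autopsy closed, so the evidence file is neither locked nor touched.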