sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Problem showing system32 folder in 3.1.0Beta? #819

Open kefir- opened 10 years ago

kefir- commented 10 years ago

I'm analyzing a single drive image from a Windows 8.1 computer in Autopsy 3.1.0Beta, and I've been browsing various images and other results while ingest has been running. I was going to browse to the image's C:\Windows\system32\ntoskrnl.exe file, but after browsing to the system32 folder (which has over 4000 entries), the GUI started "acting up". In the tree view, the Data Source tree kept closing and then reopening at the system32 level, even though I stopped doing anything. It also seemed to have trouble sorting the entries in the folder. When doing this, it would display file icons in the tree view, which it normally seems to filter away and only show in the directory listing. The directory listing also kept resetting and jumping to the top, which was troublesome since the entry I was looking for was probably about 2000 entries down on the list, so I never got there before the list jumped back up to the top. I was able to select a different folder in the tree view, and then everything acted normal again. If I try to open the system32 folder once more, the same problem reappears. Locating the file with "Tools" -> "File Search by Attributes" worked fine.

Could this perhaps be a memory issue? When I noticed this initially Autopsy had 3.4GB memory allocated. Currently it is at 4.2GB memory allocated, as displayed by Windows Task Manager -> Processes -> Memory (Private Working Set). I have not changed any configuration files from the install (yet). Ingest is still running, both "E01 Verifier" and "Analyzing files from ...."

bcarrier commented 10 years ago

I think you are seeing two things: 1) The UI in 3.1 beta can be unresponsive in larger folders while ingest is going on because it is waiting to get database locks (3.1 added more background ingest threads). This is mentioned in another issue. 2) The tree refresh is clunky when a ZIP file is exploded by an ingest module. It flickers and resets. We fixed this behavior in some parts of the tree for 3.1, but not everywhere. The directory tree still suffers from this problem.

kefir- commented 10 years ago

OK, I guess it could be a combination of the two. I'll try again when the ingest is done, but "Analyzing files..." is only at 38% now about 20 hours after I loaded the image, so I don't think it'll be done before the weekend. The "Periodic Keyword Search" is still scheduled to run, presumably when other ingests are complete.

kefir- commented 10 years ago

Ingest is still stuck at 38% and working on the same file, which is C:\System Volume Information\{guid-1}\{guid-2} and is 2.3GB. But nothing much is happening to the GUI while this is working, so now I can open large folders like the Windows\System32 folder without any issues.

kefir- commented 10 years ago

I'm trying this again with 3.1.0, and I haven't been able to navigate as far as the system32 folder yet. I open a folder or two, and then Autopsy simply collapses the entire directory structure, so all I see is the entry under Data Sources. I've tried several times, and it closes each time.

Ingest is currently running, and is running archive extraction, so I'm guessing Autopsy is busy populating the folder tree structure, and closes it because it is being written to. Or something like that?