Autopsy 4.2.0 keywords ingest module crashes every time the first time


Nanni Bassetti
I tried running Autopsy 4.2.0, working 2 times directly with 2 pendrives and 1 time with an EWF disk image.
Every time, after creating the case, Autopsy said that I must disable the keyword ingest module, but if I close everything and re-run it, opening the same, already created case, the problem disappeared.

I attach the log file of one test of mine.

--
Dott. Nanni Bassetti
CAINE project manager - http://www.caine-live.net

------------------------------------------------------------------------------

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Log.7z (41K) Download Attachment
Re: Autopsy 4.2.0 keywords ingest module crashes every time the first time

Richard Cordovano
Nanni, thank you for sending the autopsy logs from the case folder. Autopsy was failing to connect to the Solr server that it starts up in jetty on your machine. Will you kindly also send me the entire contents (all log files) of the ~/Users/[your user name]/AppData/roaming/autopsy/var/log folder?

Thanks,

Richard Cordovano
Autopsy Team Lead
Basis Technology

Re: Autopsy 4.2.0 keywords ingest module crashes every time the first time

Nanni Bassetti
No problem... see the attachment.

--
Dott. Nanni Bassetti
CAINE project manager - http://www.caine-live.net


var_log.7z (18K) Download Attachment
Re: Autopsy 4.2.0 keywords ingest module crashes every time the first time

Richard Cordovano
Nanni, I have combed through the logs you sent. The local Solr server process appears to be starting normally. However, when Autopsy sends a core (index) creation request to the Solr process during case creation, Autopsy is unable to connect. It is not clear whether this is because the process has shut down shortly after starting, or is just refusing the connection request. Then, when you try to run ingest, the keyword search module tries to open the core (index) for the case and fails, because it does not exist. The module does not start, and when a module does not start, ingest is aborted and you get the message to disable the ingest module that would not start, in this case the keyword search module. 

It looks like you closed Autopsy altogether to get the case to open and the ingest to run, which means that the misbehaving Solr process (if it was still running) was terminated and a new process was started. Unfortunately, this means that the solr.stdout.log file was deleted and recreated, so I have no trace of any error messages that the Solr server may have written. The interesting thing is that this new Solr process appears to experience no unexpected errors, as evidenced by both your success and the solr.stdout.log file you sent me.

Are you able to reproduce this problem? If so, here are a few things you could do to help me to help you:

- When Autopsy is started, but before you try to open a case, open a browser and go to the Solr Admin web page at http://localhost:23232/solr/#. Look to see if there are any error messages on the logging page (push the Logging button) and send me a screenshot if there are.
- After you open the case, go back to the Solr Admin page and check to see if you can use the Core Selector button to choose the core for the case, which will be a core with a name that looks like your case name with a time/date stamp suffix. Also, check the logging page again.
- After you shut down Autopsy, but before you restart, collect a copy of ~/Users/[your user name]/AppData/roaming/autopsy/var/log/solr.stdout.log for me. This should actually agree with the logging page snapshots from the Solr Admin page.

Thanks,
Richard
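
The three checks requested in the message above, scripted as an added example (not part of the original thread and not Autopsy code): it separates "nothing is listening on port 23232" from "Solr is listening but not answering", lists the cores that match a case name, and copies solr.stdout.log aside before a restart recreates it. Assumptions: the bundled Solr answers the standard CoreAdmin STATUS request under /solr, the core-name suffix consists only of digits and separators, and the case name `usb_test` is hypothetical.

```python
import http.client
import json
import re
import shutil
import socket
import time
import urllib.request
from pathlib import Path

HOST, PORT = "localhost", 23232  # taken from the Solr Admin URL in the message
STATUS_URL = f"http://{HOST}:{PORT}/solr/admin/cores?action=STATUS&wt=json"


def probe_solr(host=HOST, port=PORT, url=STATUS_URL, timeout=3.0):
    """Return (state, detail); state is 'no-listener', 'http-error' or 'ok'."""
    try:
        # Refused or timed-out TCP connect: nothing accepts connections on the port.
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as exc:
        return "no-listener", str(exc)
    try:
        # The port is open, so ask Solr's CoreAdmin API which cores it has.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok", resp.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        return "http-error", str(exc)


def case_cores(status_json, case_name):
    """Cores named like the case name plus a timestamp-looking suffix."""
    cores = json.loads(status_json).get("status", {})
    # Assumed suffix shape: only digits and separators, at least 6 characters.
    pattern = re.compile(re.escape(case_name) + r"[\d_\-.: ]{6,}$")
    return sorted(name for name in cores if pattern.match(name))


def failed_cores(status_json):
    """Cores Solr could not load, with the error text it recorded."""
    return dict(json.loads(status_json).get("initFailures", {}))


def snapshot_log(log_path, dest_dir):
    """Copy solr.stdout.log aside before Autopsy restarts and recreates it."""
    dest = Path(dest_dir) / f"solr.stdout.{time.strftime('%Y%m%d-%H%M%S')}.log"
    shutil.copy2(log_path, dest)
    return dest


if __name__ == "__main__":
    state, detail = probe_solr()
    print("Solr:", state, "" if state == "ok" else detail)
    if state == "ok":
        print("case cores:", case_cores(detail, "usb_test"))  # hypothetical case name
        print("init failures:", failed_cores(detail))
```

Run it once after Autopsy starts and again after the case is opened; call `snapshot_log` on the solr.stdout.log path named in the message after shutting Autopsy down and before restarting it.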
  


Re: Autopsy 4.2.0 keywords ingest module crashes every time the first time

Richard Cordovano
Thanks!

On Tue, Dec 6, 2016 at 4:24 AM, Nanni Bassetti <[hidden email]> wrote:
Done! :-)

Re: Autopsy 4.2.0 keywords ingest module crashes every time the first time

Richard Cordovano
The solr.log.stdout file looks like it has some clues in it. If you can, when you get the error shown in error2.jpg, it would be helpful if you would click on the hyperlink and send a screen shot of the full message (assuming it has more detail). Thanks!
