Autopsy re-ingesting


Nanni Bassetti
Hi all,
it seems that if you stop some ingesting engines, when you restart them, they start again from the beginning...why?
Is it possible to restart them from the breaking point?
Thanks

--
Dott. Nanni Bassetti
CAINE project manager - http://www.caine-live.net

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
Re: Autopsy re-ingesting

Richard Cordovano
It is not currently possible to stop an ingest job (i.e., a data source [e.g., an image], a set of ingest modules, and the settings for those modules) or an individual ingest module and later start again where you left off. Instead, you will have an incomplete set of results (artifacts, carved files, etc.). On a related note, if you run the same ingest modules on the same inputs, duplicate results (artifacts, carved files, etc.) will be generated. However, we have recently implemented an ingest history feature, which, among other things, warns users if a particular module is about to be used to analyze the same input data source. This feature uses case database tables that relate ingest modules by version to data sources, and is a first step towards more comprehensive tracking of what has been executed by Autopsy.

Richard Cordovano
Autopsy and Autopsy Customization Teams Lead
Basis Technology

On Sun, Dec 4, 2016 at 7:22 AM, Nanni Bassetti <[hidden email]> wrote:
Hi all,
it seems that if you stop some ingesting engines, when you restart them, they start again from the beginning...why?
Is it possible to restart them from the breaking point?
Thanks

--
Dott. Nanni Bassetti
CAINE project manager - http://www.caine-live.net
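
The kind of check the ingest history feature is described as making, sketched as an added example (not Autopsy code and not from the original thread): before a new ingest job, look up which of the planned modules already ran, at the same version, on the same data source. The table and column names, status values and sample rows are assumptions constructed for illustration and are not Autopsy's actual case database schema.

```python
import sqlite3

# Simplified stand-in schema (an assumption, NOT Autopsy's real case database).
SCHEMA = """
CREATE TABLE modules (module_id INTEGER PRIMARY KEY, name TEXT, version TEXT);
CREATE TABLE jobs (job_id INTEGER PRIMARY KEY, data_source TEXT, status TEXT);
CREATE TABLE job_modules (job_id INTEGER, module_id INTEGER);
"""

def build_sample_history():
    """Constructed sample: two jobs on disk1.dd (one cancelled), one on disk2.dd."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO modules VALUES (?, ?, ?)", [
        (1, "Hash Lookup", "1.0"),
        (2, "File Type Identification", "1.0"),
        (3, "Keyword Search", "1.0"),
    ])
    db.executemany("INSERT INTO jobs VALUES (?, ?, ?)", [
        (1, "disk1.dd", "CANCELLED"),
        (2, "disk1.dd", "COMPLETED"),
        (3, "disk2.dd", "COMPLETED"),
    ])
    db.executemany("INSERT INTO job_modules VALUES (?, ?)",
                   [(1, 1), (1, 2), (1, 3), (2, 1), (2, 2), (3, 2)])
    return db

def prior_runs(db, data_source, planned):
    """Return (name, version, job_id, status) for each planned module that
    already ran, at the same version, against this data source."""
    query = """
        SELECT m.name, m.version, j.job_id, j.status
        FROM jobs j
        JOIN job_modules jm ON jm.job_id = j.job_id
        JOIN modules m ON m.module_id = jm.module_id
        WHERE j.data_source = ? AND m.name = ? AND m.version = ?
        ORDER BY j.job_id"""
    hits = []
    for name, version in planned:
        hits.extend(db.execute(query, (data_source, name, version)).fetchall())
    return hits

if __name__ == "__main__":
    db = build_sample_history()
    planned = [("Hash Lookup", "1.0"), ("Keyword Search", "1.1")]
    for name, version, job_id, status in prior_runs(db, "disk1.dd", planned):
        # A cancelled job left partial results; rerunning after a completed one duplicates them.
        print(f"warning: {name} {version} already ran in job {job_id} ({status})")
```

Because the lookup is keyed on module version, a newer version of a module is not flagged, while a cancelled earlier job is, since it may already have written partial results.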

Re: Autopsy re-ingesting

Alessandro Fiorenzi
Sorry, I have the same problem as Nanni, and I believe a resume function would be appreciated for two reasons:
- it does not duplicate data
- it saves analysis time

Instead of warning of previous ingest module x session, I think it would be better to have a resume function or, if that is impossible, to clear all the data so as not to have duplicates.

Is there a flow diagram of ingest module dependencies, so as to start some tasks first and the others later? This is because I have experienced analysis times of 48/72 hours on disks greater than 500GB/1TB, and doing modular execution could save time.

Alessandro Fiorenzi


Studio Fiorenzi

Dott. Alessandro Fiorenzi
[hidden email] / +39 3487920172

Studio Fiorenzi
0550351263
Vai Daniele Manin, 50 50019 Sesto Fiorentino
http://www.studiofiorenzi.it

2016-12-05 15:22 GMT+01:00 Richard Cordovano <[hidden email]>:
It is not currently possible to stop an ingest job (i.e., a data source [e.g., an image], a set of ingest modules, and the settings for those modules) or an individual ingest module and later start again where you left off. Instead, you will have an incomplete set of results (artifacts, carved files, etc.). On a related note, if you run the same ingest modules on the same inputs, duplicate results (artifacts, carved files, etc.) will be generated. However, we have recently implemented an ingest history feature, which, among other things, warns users if a particular module is about to be used to analyze the same input data source. This feature uses case database tables that relate ingest modules by version to data sources, and is a first step towards more comprehensive tracking of what has been executed by Autopsy.

Richard Cordovano
Autopsy and Autopsy Customization Teams Lead
Basis Technology

Re: Autopsy re-ingesting

Richard Cordovano
There currently is no documentation of module dependencies, but I can sum it up simply for the core modules that ship with Autopsy: run the hash lookup and file type identification modules first, and always run the file type identification module. The reason is that other modules can be configured to skip known files and several modules need to know file types. In fact, some modules will run file type detection if it has not already been done. Also, running these modules tends to load file content into cache memory.

I agree that it would be nice to have finer-grained control of the ingest process and prevention of artifact duplication. However, please be aware that although Basis Technology donates resources to Autopsy development, major features are generally added when Basis customers paying for Autopsy customization request them. Often these funded features go directly into open source Autopsy, to the benefit of the entire community. The features we are discussing are not currently being developed, but they are reasonably high on the list of potential future enhancements.

Richard Cordovano
Autopsy and Autopsy Customization Team Leads
Basis Technology 
     

On Mon, Dec 5, 2016 at 9:55 AM, Alessandro Fiorenzi <[hidden email]> wrote:
Sorry, I have the same problem as Nanni, and I believe a resume function would be appreciated for two reasons:
- it does not duplicate data
- it saves analysis time

Instead of warning of previous ingest module x session, I think it would be better to have a resume function or, if that is impossible, to clear all the data so as not to have duplicates.

Is there a flow diagram of ingest module dependencies, so as to start some tasks first and the others later? This is because I have experienced analysis times of 48/72 hours on disks greater than 500GB/1TB, and doing modular execution could save time.

Alessandro Fiorenzi

