VSS plugin hangs on 4.5
user31415 opened this issue · 8 comments
I tried your new VSS plugin with Autopsy 4.5
Unfortunately after nearly 3 days, it showed no progress and no CPU or Disk activity. I had to kill Autopsy via the Task Manager to get out.
If you look in the Module directory there should be a VSS directory. In there you should have a sqlite database named vss_extract_info.db3. If you go into the database using a sqlite database editor, can you select from any of the tables and see results? Send me an email at Mark dot McKinnon at Davenport dot edu if you would like to talk more about this offline.
Yes, the .db3 file is about 1.2 GB in size and I can browse the contents with a DB editor. It looks reasonable.
The badfiles.log (5K) has a half dozen "Phase_token Past end of Block" entries.
I was running on Windows 7, parsing a Windows 10 VM image.
Unfortunately I cannot paste any content.
Can you run the following sql statement, "select tbl_name from sqlite_master;", and post the results? You should also potentially see directories in the ModuleOutput\vss directory that have the VSS0...X. If you look at the count of files in those directories, do they match the vssx_diff table counts? One thought that occurred to me is that when it writes out the files to the directories and anti-virus is enabled, then that may cause a slow down.
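The two checks suggested above (listing the tables in vss_extract_info.db3 and comparing the file counts under ModuleOutput\vss\VSS0...X with the vssN_diff row counts) as an added Python script; this is not code from the plugin or from anyone in this thread. It assumes the layout described here (a vss directory holding the .db3 file and VSSN subdirectories, one vssN_diff table per snapshot) and builds a constructed sample in a temp directory so it runs offline.

```python
import os, re, sqlite3, tempfile
from pathlib import Path

def list_tables(db_path):
    """The 'select tbl_name from sqlite_master' check from the thread."""
    with sqlite3.connect(db_path) as con:
        return sorted(r[0] for r in con.execute(
            "SELECT tbl_name FROM sqlite_master WHERE type = 'table'"))

def compare_counts(vss_dir):
    """Map each vssN_diff table to (files under VSSN, rows in the table)."""
    vss_dir = Path(vss_dir)
    db_path = vss_dir / "vss_extract_info.db3"
    result = {}
    with sqlite3.connect(db_path) as con:
        for table in list_tables(db_path):
            m = re.fullmatch(r"vss(\d+)_diff", table)
            if not m:
                continue
            rows = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            # recursive file count, like the folder-properties numbers in the thread
            files = sum(len(f) for _, _, f in os.walk(vss_dir / f"VSS{m.group(1)}"))
            result[f"vss{m.group(1)}"] = (files, rows)
    return result

def mismatches(vss_dir):
    """Snapshots whose on-disk file count differs from the table row count."""
    return sorted(k for k, (f, r) in compare_counts(vss_dir).items() if f != r)

def build_sample(root):
    """Constructed stand-in for ModuleOutput\\vss: VSS1 got fewer files than rows."""
    vss_dir = Path(root) / "vss"
    for name, n in {"VSS0": 3, "VSS1": 2}.items():  # files actually written out
        for i in range(n):
            p = vss_dir / name / f"folder{i}" / f"file{i}.bin"
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"\x00")
    with sqlite3.connect(vss_dir / "vss_extract_info.db3") as con:
        for table, n in {"vss0_diff": 3, "vss1_diff": 4}.items():  # rows recorded
            con.execute(f"CREATE TABLE {table} (path TEXT)")
            con.executemany(f"INSERT INTO {table} VALUES (?)", [(str(i),) for i in range(n)])
    return vss_dir

def self_check():
    with tempfile.TemporaryDirectory() as tmp:
        d = build_sample(tmp)
        return list_tables(d / "vss_extract_info.db3"), compare_counts(d), mismatches(d)

if __name__ == "__main__":
    print(*self_check(), sep="\n")
```

Point compare_counts at a real ModuleOutput\vss directory to get the per-snapshot (files, rows) pairs; a snapshot with fewer files than rows is one whose extraction stopped before finishing.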
I re-ran everything from a Windows 10 VM, processing a Windows 10 .vmdk to see if there was some kind of Win 7 issue, but I got the same result again.
The vss_extract_info.db3 file is 1.2 GB. There are directories for VSS0...2 and for _diff.
There are matching directories for the 9 "select tbl_name" entries of: vss_info, mft, vss0..2, vss, vss0..2_diff
The file counts of the directories do not match the vssx_diff row counts.
Directories:
VSS0: 2530 files in 979 folders, vss0_diff table contains 3051 rows
VSS1: 4663 files in 1757 folders, vss1_diff table contains 6059 rows
VSS2: 1651 files in 712 folders, vss2_diff table contains 2105 rows
Would it be possible to get a copy of the vss_extract_info.db3 database that I can take a look at?
Unfortunately it's not a personal system and I cannot export any data from it.
I assume that you are not encountering the same issue in your testing?
The only possible difference I can think of is that it is a standalone system with no network connections. Is it possible there is a buried network call in there somewhere that hangs everything up?
********** Doh! ***********
I went to take a quick look at "Process_Extract_VS.py" for network attempts and found HTML, not Python.
I'm so embarrassed!
The system I was testing on did not have a network connection as it was a VM with networking disconnected. Let me check a few things out and I will get back with you soon.