autopsy
Recent Activity module hangs on Windows 10
Autopsy Version: 4.17.0
OS: Windows 10 Enterprise 20H2 19042.630
Recent Activity module freezes at 53%, specifically during Analyzing Registry. When cancelled, the error "Failure processing Microsoft Edge WebCacheV01.dat" is presented. Others seem to be having the same issue: https://sleuthkit.discourse.group/t/stopped-at-analyzing-registry/2210/7.
I have run all other ingest modules successfully, leaving 'Recent Activity' unticked initially. Once the ingest modules have completed, I then run the 'Recent Activity' module on its own. It gets stuck at 53% every time without fail. I have deleted and recreated the case a few times and uninstalled/reinstalled autopsy to ensure the issue is consistent. Task Manager shows autopsy using a significant amount of memory and CPU throughout.
The log: autopsy.log.0.txt
Related error:
SEVERE: Error processing WebCacheV01.dat files for Microsoft Edge java.io.FileNotFoundException: C:\Users\user\AppData\Local\Temp\Autopsy\Case\case_files-001_20201121_134309\RecentActivity\Edge\results711742\Containers.csv (The system cannot find the file specified)
Hangs at:
INFO: Writing Full RegRipper results to: C:\Forensics\Case-001\autopsy\Case_Files-001\ModuleOutput\RecentActivity\reg\UsrClass.dat-regripper-8012-full.txt
Looking in UsrClass.dat-regripper-8012-full.txt it is specifically hanging at:
shellbags_test v.20130528 (USRCLASS.DAT) Shell/BagMRU traversal in XP/Win7 user hives
Last input into UsrClass.dat-regripper-8012-full.err.txt:
Launching shellbags_test v.20130528
Did you try @markmckinnon 's suggestion to the question you posted here: https://sleuthkit.discourse.group/t/stopped-at-analyzing-registry/2210/7
@esaunders unfortunately @markmckinnon 's suggestion did not work for me.
Ok. It's possible that one of the other RegRipper plugins has a similar issue to the one found in shellactivities.pl. Given that shellbags_test seems to be the last plugin run, can you try editing the 'usrclass' file in the RegRipper plugins folder and removing the shellbags_test entry? Note that it is possible to test this outside of Autopsy by manually running RegRipper against the extracted hive file.
Thanks for your help. Without shellbags_test I got regripper to run through from the command line and then also when running the Recent Activity ingest module:
As you can see the results are much better.
What are the repercussions of not running shellbags_test?
The error "Failure processing Microsoft Edge WebCacheV01.dat" still persists, however:
SEVERE: Error processing 'WebCacheV01.dat' files for Microsoft Edge
java.io.FileNotFoundException: C:\Users\user\AppData\Local\Temp\Autopsy\Case\001_20201126_102916\RecentActivity\Edge\results711742\Containers.csv (The system cannot find the file specified)
There are also other errors, but they are only warnings and seem unrelated to Edge:
WARNING: Regripper file C:\Forensics\Case-001\autopsy\001\ModuleOutput\RecentActivity\reg\NTUSER.DAT-regripper-5226-full.err.txt contains errors from run
WARNING: Regripper file C:\Forensics\Case-001\autopsy\001\ModuleOutput\RecentActivity\reg\NTUSER.DAT-regripper-37111-full.err.txt contains errors from run
All with the same error:
Error in comdlg32: Global symbol "%str" requires explicit package name at C:\Program Files\Autopsy-4.17.0\autopsy\rr-full\plugins\comdlg32.pl line 435.
Compilation failed in require at C:\Program Files\Autopsy-4.17.0\autopsy\rr-full\rip.exe line 186.
I am not sure if there is just an issue with WebCacheV01.dat in the image, but if you have any further ideas on this error it would be greatly appreciated!
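As an added example (not code from Autopsy, RegRipper, or anyone in this thread), here is a small Python helper for the two triage steps discussed above: dropping a plugin from a RegRipper profile, as suggested for shellbags_test, and pulling the failing plugin names and the last launched plugin out of a -full.err.txt like the ones quoted. It assumes the profile is one plugin name per line with '#' comments, and the "Launching <plugin>" / "Error in <plugin>:" line shapes shown in this thread.

```python
"""Triage helpers for a RegRipper run: profile editing and .err.txt parsing.

Added example, not part of Autopsy or RegRipper. Assumes the RegRipper profile
format (one plugin name per line, '#' comment lines) and the "Launching ..." /
"Error in <plugin>: ..." line shapes quoted in the issue.
"""
import re

# Constructed sample: a RegRipper profile listing the plugins to run.
SAMPLE_PROFILE = """# usrclass profile (constructed sample)
shellbags_test
muicache
"""

# Constructed sample: contents of a -full.err.txt file from one RegRipper run.
SAMPLE_ERR = """Launching shellbags_test v.20130528
Error in comdlg32: Global symbol "%str" requires explicit package name at comdlg32.pl line 435.
Compilation failed in require at rip.exe line 186.
Error in comdlg32: Global symbol "%str" requires explicit package name at comdlg32.pl line 435.
"""

ERROR_RE = re.compile(r"^Error in (\w+):\s*(.*)$")
LAUNCH_RE = re.compile(r"^Launching (\w+)")


def remove_plugin(profile_text, plugin):
    """Return the profile with every line naming `plugin` dropped; comments and other plugins are kept."""
    kept = [line for line in profile_text.splitlines() if line.strip() != plugin]
    return "\n".join(kept) + "\n"


def failing_plugins(err_text):
    """Map each plugin that produced an 'Error in <plugin>:' line to its first error message."""
    found = {}
    for line in err_text.splitlines():
        m = ERROR_RE.match(line)
        if m and m.group(1) not in found:
            found[m.group(1)] = m.group(2)
    return found


def last_launched(err_text):
    """Name of the last plugin RegRipper reported launching; on a hang, this is the one to suspect."""
    last = None
    for line in err_text.splitlines():
        m = LAUNCH_RE.match(line)
        if m:
            last = m.group(1)
    return last
```

Running it over the constructed samples reports shellbags_test as the last launched plugin and comdlg32 as the only plugin with a compile error, matching what the err.txt files in this thread show.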
I don't have any additional insight into the WebCacheV01.dat issue. It looks like comdlg32.pl has been changed in RegRipper 3.0 so hopefully the "Global symbol..." error messages will go away when Autopsy upgrades to that version.
No problems. Thank you for your help it is greatly appreciated!
Is this still an issue?