[Github Issue #413] Missing deleted files

Postby giuseppe » Sun Jul 31, 2016 1:50 pm

Hi.
I have found this issue in both Autopsy 4.0 and 4.1.
When I select "Views/Deleted Files/All" or "Views/Deleted Files/File System", a message says that "There are more Deleted Files than can be displayed. Only first 10000 Deleted Files will be shown."
Please find attached the screenshot.

Thank you
giuseppe
 
Posts: 5
Joined: Sun Jul 31, 2016 10:04 am

Re: [Github Issue #413] Missing deleted files

Postby giuseppe » Wed Nov 22, 2017 9:36 am

Good morning.
Over one year ago I created this post because of the issue I reported.
In the new release of Autopsy, 4.5.0, the problem is still there.

I hope it will be solved as soon as possible.
Kind regards

Re: [Github Issue #413] Missing deleted files

Postby giuseppe » Sat May 05, 2018 11:28 am

Hello.
As you can see, the problem persists also in the 4.6.0 version of the program.
I don't understand why there is not the same problem for the other kinds of files. In fact, in the "Images" section there are more than 10000 files too, but they are shown normally, divided into several pages, as it should be for deleted files.

Giuseppe

Re: [Github Issue #413] Missing deleted files

Postby Hoyt » Wed May 09, 2018 9:32 pm

What could you do by seeing all the deleted files listed that you can't do now? What do you need Autopsy to do that it doesn't do, besides display more deleted files?

I looked at GitHub issue #413. This has been closed and Brian made the following comment:

We've expanded the maximum and done more to reduce the memory limits that originally caused this. It is in the next release.


The original poster of that issue attached a screenshot showing the limitation at 2,000, which has since been expanded now to 10,000. I'm not sure about that specific module, but if it's relying on file descriptors (fd) as handles for those files, then that's the reason for the limitation. Your operating system will impose a limit on the number of fds that can be open at any given time since RAM must be allocated for those descriptors. For example, on my workstation (Linux), my limit is:

$ cat /proc/sys/fs/file-max
1632933


That's a lot, but all applications, including the operating system itself, must share that memory. Programmers typically use a much smaller allocation than this for individual programs. My system with nothing but Chrome and a terminal open is using:

$ lsof | wc -l
117921


The deleted files will be obvious in Result Viewer (top left of the Autopsy UI) and marked with a red "X". Most of the files under Views > Deleted Files in Tree Viewer (Left side UI) will be system files that Windows deletes as a matter of course.

Think about the problem you're trying to solve and come up with a way to explain what you need Autopsy to do and why. Post that as a new issue here using the "Feature Request" label. The developers just made a new release 18 hours ago and there are already another 453 commits. I think a feature request posted there will get more attention than here.

Hoyt
Hoyt Harness, CFCE
Hoyt
 
Posts: 74
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR
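
The descriptor limits mentioned in the post above, as an added example that is not part of the original thread and is not Autopsy code: it reads the system-wide figures next to the per-process limit, then lowers the soft limit and opens /dev/null until the kernel refuses with EMFILE. It assumes Linux; the function names and the limit of 64 are illustrative.

```python
import errno
import os
import resource


def process_fd_limits():
    """Per-process (soft, hard) descriptor limits: what `ulimit -n` reports."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def system_fd_usage(path="/proc/sys/fs/file-nr"):
    """System-wide (allocated handles, maximum); the maximum equals file-max."""
    with open(path) as fh:
        allocated, _unused, maximum = (int(v) for v in fh.read().split())
    return allocated, maximum


def open_until_refused(soft_limit=64):
    """Lower the soft limit, open /dev/null until the kernel refuses, restore.

    Returns (descriptors_opened, errno_of_refusal).
    """
    old_soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if hard != resource.RLIM_INFINITY:
        soft_limit = min(soft_limit, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (soft_limit, hard))
    fds, refusal = [], None
    try:
        # Bounded loop: descriptor numbers must stay below the soft limit,
        # so os.open() fails before this condition is ever exhausted.
        while len(fds) <= soft_limit:
            fds.append(os.open(os.devnull, os.O_RDONLY))
    except OSError as exc:
        refusal = exc.errno
    finally:
        for fd in fds:
            os.close(fd)
        resource.setrlimit(resource.RLIMIT_NOFILE, (old_soft, hard))
    return len(fds), refusal


if __name__ == "__main__":
    print("per-process soft/hard:", process_fd_limits())
    print("system allocated/max :", system_fd_usage())
    opened, err = open_until_refused(64)
    print(f"opened {opened} descriptors, then {errno.errorcode[err]}")
```

The count opened is slightly below the soft limit because descriptors the process already holds (stdin, stdout, stderr and any others) occupy numbers under it.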

