I have been running numerous tests to attempt to troubleshoot the amount of time an image is taking from start to finish to process, and I just want to ensure that I am correctly interpreting all the research I have been working on.
Resources:
Windows 2k8
16 CPU
32 GB Ram
VM
Plaso local
image copied local
So I am running the following (ensuring the image and logs are copied local and logged locally to remove the network factor):
log2timeline.exe --hashers md5 --logfile F:\Image1_l2t.log F:\Image1_l2t.dump F:\Image1.E01
43 GB = [Start]: 2/2/18 @ 03:00 PM UTC / [Complete]: 2/2/18 @ 19:07 PM UTC ~ 5 hrs (Ran latest Windows amd64 version pulled down on 2/2/18)
117 GB = [Start]: 2/2/18 @ 09:01 PM UTC / [Complete]: TBD (Running latest Windows amd64 version pulled down on 2/2/18)
255 GB = [Start]: 1/18/18 @ 12:33 PM UTC / [Complete]: 1/27/18 @ 05:29 PM UTC (Ran older version pulled in Oct 2017) ~ 9 days 5 hours completion time.
There are several different issues that are present, and I have been reading over issues and blogs.
My take on the interpretation is as follows. The primary reason for the delayed results is how the tool, number one, normalizes the data, then secondly compresses it, and thirdly stores it in a SQLite db. I also understand that unless you can specify certain parsing criteria, this is something that will continue to remain present. For us, we won't be able to define things such as workers, etc., because we need to pull any and all data. Essentially, the time it takes to run log2timeline against the necessary artifacts is by design, and while the tool may receive updates and tweaks, the time it takes to pull using the normal syntax:
log2timeline.exe --hashers md5 --logfile F:\Image1_l2t.log F:\Image1_l2t.dump F:\Image1.E01
will continue to remain.
Please advise.
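The run times above are being tracked by hand from wall-clock timestamps, which makes it hard to compare the two plaso versions or to estimate when the 117 GB run will finish. The following is an added example, not code from the issue author or from the plaso project: it parses the timestamp format used in the post, turns each completed run into a GB-per-hour throughput figure, projects an end time for the run still marked TBD, and wraps any command (such as the `log2timeline.exe` invocation above) so its elapsed time is recorded automatically. The run records are constructed from the numbers quoted in the post; `timed_command` is an assumed helper name, and nothing here depends on plaso itself.

```python
import subprocess
import sys
import time
from datetime import datetime, timedelta

# Constructed from the timings quoted in the post (not output produced by plaso).
# Only the two completed runs are listed; the 117 GB run is projected below.
RUNS = [
    {"image_gb": 43,  "version": "2/2/18 amd64", "start": "2/2/18 @ 03:00 PM UTC",  "end": "2/2/18 @ 19:07 PM UTC"},
    {"image_gb": 255, "version": "Oct 2017",     "start": "1/18/18 @ 12:33 PM UTC", "end": "1/27/18 @ 05:29 PM UTC"},
]


def parse_stamp(text):
    """Parse 'M/D/YY @ HH:MM AM|PM UTC' as written in the post.

    The post mixes 12-hour and 24-hour clocks ('19:07 PM'), so an hour of 13
    or more is taken as already being 24-hour and the meridian is ignored.
    """
    date_part, time_part = [p.strip() for p in text.split("@")]
    clock, meridian, _tz = time_part.split()
    hour, minute = (int(x) for x in clock.split(":"))
    if hour < 12 and meridian.upper() == "PM":
        hour += 12
    elif hour == 12 and meridian.upper() == "AM":
        hour = 0
    month, day, year = (int(x) for x in date_part.split("/"))
    return datetime(2000 + year, month, day, hour, minute)


def elapsed_hours(start, end):
    """Wall-clock hours between two stamps in the post's format."""
    return (parse_stamp(end) - parse_stamp(start)).total_seconds() / 3600


def throughput_gb_per_hour(run):
    """Image size divided by elapsed time, the figure that lets runs be compared."""
    return run["image_gb"] / elapsed_hours(run["start"], run["end"])


def project_end(image_gb, start, gb_per_hour):
    """Estimate completion for an in-progress run at a measured throughput."""
    return parse_stamp(start) + timedelta(hours=image_gb / gb_per_hour)


def summarize(runs=RUNS):
    """One row per completed run: hours taken and GB/hour, rounded for display."""
    return [
        {
            "image_gb": r["image_gb"],
            "version": r["version"],
            "hours": round(elapsed_hours(r["start"], r["end"]), 2),
            "gb_per_hour": round(throughput_gb_per_hour(r), 2),
        }
        for r in runs
    ]


def timed_command(argv):
    """Run a command and return (return_code, elapsed_seconds).

    Intended for the log2timeline.exe invocation from the post, so the next
    run's timing is captured by the harness instead of noted by hand.
    """
    started = time.monotonic()
    completed = subprocess.run(argv)
    return completed.returncode, time.monotonic() - started


if __name__ == "__main__":
    for row in summarize():
        print(row)
    # Project the TBD 117 GB run using the newer version's measured rate.
    rate = throughput_gb_per_hour(RUNS[0])
    eta = project_end(117, "2/2/18 @ 09:01 PM UTC", rate)
    print("117 GB projected to complete around", eta.strftime("%m/%d/%y %H:%M UTC"))
```

Run as-is to print the throughput table and the projection; to time a real run, call `timed_command` with the exact argument list from the post (for example `["log2timeline.exe", "--hashers", "md5", "--logfile", r"F:\Image1_l2t.log", r"F:\Image1_l2t.dump", r"F:\Image1.E01"]`) and record the returned elapsed seconds alongside the image size. Comparing GB/hour rather than raw hours is what makes the two versions comparable despite the very different image sizes.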