Upgrade to sleuthkit-4.12.0 #1340
Comments
lfcnassif
changed the title
lfcnassif
changed the title
|
They added Linux LVM support (by @joachimmetz) and lots of fixes. |
lfcnassif
changed the title
|
TSK-4.12.0 was released yesterday with the new Linux LVM support and many fixes. As it is a sensitive upgrade, I'll wait some time before we upgrade our fork, so the community could test it a bit for regressions. |
|
@lfcnassif make sure to apply additional patches when you do upgrade to 4.12.0 e.g. sleuthkit/sleuthkit#2803 |
|
Thank you for pointing it out @joachimmetz! |
|
Applied our patches (https://github.com/sepinf-inc/sleuthkit/commits/4.12.0_iped_patch) + sleuthkit/sleuthkit#2803 + sleuthkit/sleuthkit#2808 Running some tests now... If all looks good, I'll update TSK and release IPED-4.1 tomorrow. |
|
Reverting sleuthkit/sleuthkit#2803, it caused a regression in APFS decoding. |
|
Edited: TSK-4.12 seems to have made a memory leak while processing a specific APFS image to be gone. In previous versions, image decoding used to consume tons of memory and abort with OOM. Now external image reading processes goes to 4GB but then decrease to a few hundred MB very quickly, oscillating, but without leak. |
|
All 5 APFS images tested seems good. Still need to test some NTFS samples. |
|
Maybe this helps wit NTFS sample files https://github.com/dfirlabs/ntfs-specimens |
|
Also note that oscillating memory usage, probably hints at caching or delayed garbage collection, less likely a leak. For a leak you would see continuous memory usage growth. |
Great, thank you @joachimmetz! |
Just fixed my comment to be more clear, thank you! |
|
Tests seem good, I'll proceed. |
lfcnassif
changed the title
lfcnassif
changed the title
This seems an important fix:
sleuthkit/sleuthkit#2764
And we have to apply all our patches over it again and test...
The text was updated successfully, but these errors were encountered: