NPE in SleuthkitClient when generating report with a virtual disk #1870

Closed
aberenguel opened this issue Sep 11, 2023 · 11 comments · Fixed by #1871
@aberenguel
Contributor

Using master branch (f6eae92).

The exception is:

java.lang.Exception: Worker-0 Error while processing /item02.E01/vol_vol7/Windows/System32/config/SECURITY (32768bytes)
	at iped.engine.core.Worker.process(Worker.java:186)
	at iped.engine.core.Worker.run(Worker.java:265)
Caused by: java.lang.NullPointerException
	at iped.engine.sleuthkit.SleuthkitClient.get(SleuthkitClient.java:127)
	at iped.engine.sleuthkit.SleuthkitInputStreamFactory.getSeekableInputStream(SleuthkitInputStreamFactory.java:124)
	at iped.engine.data.Item.getSeekableInputStream(Item.java:562)
	at iped.engine.data.Item.getBufferedInputStream(Item.java:281)
	at iped.engine.data.Item.getTikaStream(Item.java:647)
	at iped.engine.task.ParsingTask.safeProcess(ParsingTask.java:380)
	at iped.engine.task.ParsingTask.process(ParsingTask.java:329)
	at iped.engine.task.AbstractTask.processMonitorTimeout(AbstractTask.java:277)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:192)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225)
	at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205)
	at iped.engine.core.Worker.process(Worker.java:177)
	... 1 more

Debugging the code, I checked that none of the SleuthkitClient instances had been created when the method SleuthkitClient.get() was called. Maybe this happened due to slowness in my computer.

I created a patch that uses condition variables, which are checked in SleuthkitClient.get() and signaled in initSleuthkitServers().

Pushing soon.
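The race described in the comment above (a worker calling get() before the pool of clients has been initialized, with the fix being a condition variable that get() waits on and the initialization path signals) can be illustrated with a small stand-alone Java class. This is an added example, not IPED's SleuthkitClient code; the class name ClientPool, the Client handle, initServers() and getUnsafe() are hypothetical names chosen for the illustration. The bounded timeout in get() is an addition to the pattern: a failed initialization then surfaces as an explicit error instead of a worker hanging forever.

```java
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.ReentrantLock;

// Hypothetical stand-in for a pool of Sleuthkit server clients (not IPED code).
public final class ClientPool {

    // Hypothetical client handle; the real SleuthkitClient is not modelled here.
    public static final class Client {
        private final int id;
        Client(int id) { this.id = id; }
        public int id() { return id; }
    }

    private static final ReentrantLock lock = new ReentrantLock();
    private static final Condition initialized = lock.newCondition();
    private static Client[] table;      // null until initServers() has run
    private static boolean ready = false;
    private static int next = 0;

    // Initialization path, analogous to initSleuthkitServers(): builds the
    // client table, then signals every worker blocked in get().
    public static void initServers(int count) {
        lock.lock();
        try {
            Client[] built = new Client[count];
            for (int i = 0; i < count; i++) built[i] = new Client(i);
            table = built;
            ready = true;
            initialized.signalAll();
        } finally {
            lock.unlock();
        }
    }

    // The behaviour reported in the issue: no synchronization with the
    // initialization path, so a worker that arrives early dereferences the
    // still-null table and throws a NullPointerException inside get().
    public static Client getUnsafe() {
        return table[next++ % table.length];
    }

    // Fixed version: block on the condition until initialization has signaled,
    // re-checking the predicate in a loop to guard against spurious wakeups.
    public static Client get(long timeout, TimeUnit unit) throws InterruptedException {
        lock.lock();
        try {
            long nanos = unit.toNanos(timeout);
            while (!ready) {
                if (nanos <= 0) {
                    throw new IllegalStateException("clients not initialized within timeout");
                }
                nanos = initialized.awaitNanos(nanos); // releases the lock while waiting
            }
            return table[next++ % table.length];
        } finally {
            lock.unlock();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed race: the worker starts first and calls get() before
        // the servers exist, as on a slow machine.
        Thread worker = new Thread(() -> {
            try {
                Client c = get(5, TimeUnit.SECONDS);
                System.out.println("worker got client " + c.id());
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        worker.start();
        Thread.sleep(200); // initialization arrives late
        initServers(2);
        worker.join();
    }
}
```

Running main() shows the worker waiting for the late initServers() call and then obtaining client 0; replacing the get() call in the worker with getUnsafe() reproduces the NullPointerException in the early-arrival case. The predicate is checked inside the lock and in a loop, which is what makes the condition variable safe against both spurious wakeups and a signal that fires before the worker starts waiting.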

@lfcnassif
Member

Thanks for reporting and debugging @aberenguel! Could you detail how the report was being created? Not sure, but I think SleuthkitClient.get() shouldn't be called when creating reports because the first clause of the if below should pass:

if (SleuthkitReader.sleuthCase == null || !fsConfig.isRobustImageReading()) {

Unless you are processing new evidence together with report creation from the command line, are you?

@aberenguel
Contributor Author

I'm using the GUI to generate the report.
I'll try to check why the flow is not entering the "if".

@lfcnassif
Member

lfcnassif commented Sep 11, 2023

Maybe an embedded disk was processed during report generation, that would call SleuthkitReader.read(...) and populate SleuthkitReader.sleuthCase. Is there any virtual disk (or other kind of embedded disk) in your bookmarks included in the report? If yes, I think we should disable embedded disk expansion in report creation, like we do for ordinary containers...

@aberenguel
Contributor Author

aberenguel commented Sep 11, 2023

Maybe an embedded disk was processed during report generation, that would call SleuthkitReader.read(...) and populate SleuthkitReader.sleuthCase. Is there any virtual disk (or other kind of embedded disk) in your bookmarks included in the report? If yes, I think we should disable embedded disk expansion in report creation, like we do for ordinary containers...

I think that is the answer. In my case I have two Android emulators related to some VMDK files. I exported the VMDK files, processed them in PA and appended the UFDR to the case.
My idea was to add the VMDK in the report but without expanding it.

@lfcnassif
Member

Great! Try turning processEmbeddedDisks off in IPEDConfig.txt in your case and generating the report again; I think it should also fix the issue (without the patch) and it won't expand the VMDKs into the report.

@aberenguel
Contributor Author

I just analyzed the VMDK files again.
In the original processing, there were 6 files with extension vmdk.

One of them was not recognized by Sleuthkit.
[screenshot attached in the original comment]

@aberenguel
Contributor Author

aberenguel commented Sep 11, 2023

The above VMDK file was detected like this by the file command on Linux:

./MEmu/MemuHyperv VMs/MEmu/MEmu71-2022012700003FFF-disk2.vmdk: VMware4 disk image

@aberenguel
Contributor Author

Is there any way to disable the split of large binaries?
I've seen enableSplitLargeBinary = false in profiles triage and fastmode, but it seems it is not being used.

@lfcnassif
Member

Is there any way to disable the split of large binaries?
I've seen enableSplitLargeBinary = false in profiles triage and fastmode, but it seems it is not being used.

It is not possible anymore; it is always enabled to avoid #1281. We should remove the enableSplitLargeBinary option from all places if it still exists...

@lfcnassif
Member

lfcnassif commented Sep 11, 2023

The above VMDK file was detected like that by file command in Linux

Is it a single-segment VMDK? Maybe it is just a VMDK part and IPED wasn't able to detect all its parts before exporting them and sending them to TSK for decoding...

@lfcnassif
Member

I've seen enableSplitLargeBinary = false in profiles triage and fastmode, but it seems it is not being used.

Just removed them in commit af66ce9

lfcnassif added a commit to aberenguel/IPED that referenced this issue Sep 18, 2023
…ted in SleuthkitClient.get() "

This reverts commit 98a983d.
lfcnassif added a commit to aberenguel/IPED that referenced this issue Sep 18, 2023
@lfcnassif lfcnassif changed the title NPE in SleuthkitClient when generating report NPE in SleuthkitClient when generating report with a virtual disk Oct 4, 2023