
File sleuth.db is modified when opening the case #2198

Open
mbichara opened this issue May 6, 2024 · 4 comments

Comments

@mbichara
Contributor

mbichara commented May 6, 2024

I believe that the modifications in the case were only made to IPED-SearchApp.log.
But I noticed that the file sleuth.db is being modified when opening the case for the first time with multicase option.

@wladimirleite
Member

wladimirleite commented May 6, 2024

Hi @mbichara!
Can you elaborate a bit more?
I just tested opening two cases with the -multicases option, and later compared the sleuth.db of each case with a backup copy I made before, and there were no changes.
How is your folder structure? Are the cases and the processed evidence files in the same volume?
What is the command used to open the multicase (and multicases file, if used)?

@lfcnassif
Member

TSK stores absolute image paths in sleuth.db. At the end of processing, if --portable is used, we update image paths to be relative, when possible (image and case on the same volume):

```java
// Runs once at the end of processing; the rewrite to relative paths
// happens only when the case was processed with --portable.
private void updateImagePaths() {
    if (args.isPortable()) { // $NON-NLS-1$
        IPEDSource ipedCase = new IPEDSource(output.getParentFile());
        ipedCase.updateImagePathsToRelative();
        ipedCase.close();
    }
}
```

I think the above code could be executed always, not just with --portable. But if the image is on a volume different from the case, and the image is moved, paths should be updated... When the case folder is read-only, we create a temp sleuth.db and update image paths in it; one option would be to always copy sleuth.db to temp, but it could be GBs in size and could take a reasonable amount of time when the case opens...

Anyway, answers to @wladimirleite questions would help. And a step by step to reproduce would be even better. This week I'm giving a training and won't have time to look into this in the next days...
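As an added example, not IPED's or TSK's own code, the following Python shows the kind of rewrite the comment above describes (absolute image paths turned into case-relative ones only when image and case share a volume) against a constructed sleuth.db, and hashes the file before and after each "open" to tell a one-time relative-path update from a file that keeps changing. It assumes the image paths live in TSK's tsk_image_names table, that relative paths are resolved against the case folder passed as case_dir, and that they are stored with forward slashes; the temp case folder and the two image names are constructed for the demo.

```python
# Added example (not IPED or TSK code): rewrite absolute image paths stored in a
# TSK sleuth.db to case-relative ones when the image shares a volume with the
# case, and hash the file before and after to show whether an "open" changed it.
# Assumptions: relative paths are resolved against case_dir and stored with '/'
# separators; the only table touched is tsk_image_names(obj_id, name, sequence).
import hashlib
import ntpath
import os
import sqlite3
import tempfile


def build_toy_sleuth_db(db_path, image_paths):
    """Constructed stand-in for sleuth.db holding just the table with image paths."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE tsk_image_names (obj_id INTEGER NOT NULL, "
                "name TEXT NOT NULL, sequence INTEGER NOT NULL)")
    con.executemany("INSERT INTO tsk_image_names VALUES (?, ?, ?)",
                    [(i + 1, p, 0) for i, p in enumerate(image_paths)])
    con.commit()
    con.close()


def read_image_names(db_path):
    con = sqlite3.connect(db_path)
    names = [r[0] for r in con.execute(
        "SELECT name FROM tsk_image_names ORDER BY obj_id, sequence")]
    con.close()
    return names


def sha256_of(path):
    """Integrity check a practitioner would run around a case open."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def same_volume(image_path, case_dir):
    """A relative path is only meaningful inside one volume. Compare the drive
    prefix first (ntpath parses Windows-style paths even on POSIX, which matters
    when a case processed on Windows is opened elsewhere); when both paths exist,
    also require the same st_dev so two mount points under '/' are told apart."""
    drive_img = ntpath.splitdrive(image_path)[0].lower()
    drive_case = ntpath.splitdrive(os.path.abspath(case_dir))[0].lower()
    if drive_img != drive_case:
        return False
    if os.path.exists(image_path) and os.path.exists(case_dir):
        return os.stat(image_path).st_dev == os.stat(case_dir).st_dev
    return True


def update_image_paths_to_relative(db_path, case_dir, dry_run=False):
    """Return [(old, new)] for every image path that can be made relative, and
    apply the rewrites unless dry_run. Paths on another volume stay absolute,
    because a relative path would break as soon as either side moves."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT obj_id, sequence, name FROM tsk_image_names").fetchall()
    changes = []
    for obj_id, seq, name in rows:
        if not (os.path.isabs(name) or ntpath.isabs(name)):
            continue  # already relative, nothing to do
        if not same_volume(name, case_dir):
            continue  # keep absolute: different volume
        rel = os.path.relpath(name, case_dir).replace(os.sep, "/")
        changes.append((obj_id, seq, name, rel))
    if changes and not dry_run:
        con.executemany(
            "UPDATE tsk_image_names SET name = ? WHERE obj_id = ? AND sequence = ?",
            [(rel, obj_id, seq) for obj_id, seq, _, rel in changes])
        con.commit()
    con.close()
    return [(old, new) for _, _, old, new in changes]


def demo():
    """Build a toy case with one image beside the case and one on another drive,
    'open' it twice, and report what changed. Only the first open rewrites."""
    with tempfile.TemporaryDirectory(prefix="iped_case_") as case_dir:
        db_path = os.path.join(case_dir, "sleuth.db")
        local_image = os.path.join(case_dir, "evidence", "disk.E01")
        os.makedirs(os.path.dirname(local_image))
        open(local_image, "wb").close()             # constructed 0-byte stand-in
        other_volume_image = r"D:\evidence\usb.dd"  # constructed, other drive
        build_toy_sleuth_db(db_path, [local_image, other_volume_image])

        before = sha256_of(db_path)
        first = update_image_paths_to_relative(db_path, case_dir)
        after_first = sha256_of(db_path)
        second = update_image_paths_to_relative(db_path, case_dir)
        after_second = sha256_of(db_path)
        return {
            "first_open_rewrites": first,
            "second_open_rewrites": second,
            "changed_on_first_open": before != after_first,
            "changed_on_second_open": after_first != after_second,
            "final_names": read_image_names(db_path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run with dry_run=True to list what a first open would rewrite without touching the file; if the hash of sleuth.db keeps changing on later opens, something other than this one-time path update is writing to it.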

@mbichara
Contributor Author

mbichara commented May 8, 2024

Hi @wladimirleite

For me the issue happens when using IpedBot (blind profile, exporting the case files), which I believe processes the case and then moves it to a storage folder.

When opening the case (single or multicase), sleuth.db gets modified. It is not related only to multicase, then.
The file sleuth.db might be updating the relative path or something related, as @lfcnassif said.

I am not sure exactly how the Ipedbot works, so the exact reproducing steps require further investigation.

I also could not reproduce the issue in a local processing case.

Best

mbichara changed the title from "File sleuth.db is modified when opening the case with multicase." to "File sleuth.db is modified when opening the case" on May 8, 2024
@wladimirleite
Member

If it is just updating the evidence path when the case is opened for the first time, it is not an issue, right?!
