sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Error processing embedded VMDK #1894

Closed DeveloperNamedMax closed 11 months ago

DeveloperNamedMax commented 11 months ago

Version: 4.1.4

I am processing an image which has an embedded VMDK file inside, with size ~50GB. IPED keeps erroring each time it processes it; it might be corrupted. Is there any way to skip VMDK files? Does commenting ISO disks inside conf/CategoriesToExpand.txt ignore it?

The error I keep getting (been running ~20 times and every time it gets stuck on the same error on the VMDK image):

java.lang.RuntimeException: Error starting Neo4j database server at \\vmware-host\Shared Folders\Indexing_output\iped\neo4j\data\databases
    at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.startDatabaseServer(DatabaseManagementServiceFactory.java:228)
    at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.build(DatabaseManagementServiceFactory.java:181)
    at org.neo4j.dbms.api.DatabaseManagementServiceBuilder.newDatabaseManagementService(DatabaseManagementServiceBuilder.java:101)
    at org.neo4j.dbms.api.DatabaseManagementServiceBuilder.build(DatabaseManagementServiceBuilder.java:94)
    at iped.engine.graph.GraphServiceImpl.start(GraphServiceImpl.java:43)
    at iped.engine.graph.GraphGenerator.runPostImportOps(GraphGenerator.java:47)
    at iped.engine.graph.GraphGenerator.generate(GraphGenerator.java:37)
    at iped.engine.graph.GraphGenerator.generate(GraphGenerator.java:30)
    at iped.engine.graph.GraphTask.finishGraphGeneration(GraphTask.java:162)
    at iped.engine.graph.GraphTask.finish(GraphTask.java:191)
    at iped.engine.core.Worker.finishTasks(Worker.java:135)
    at iped.engine.core.Worker.run(Worker.java:300)
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.dbms.database.DefaultSystemGraphInitializer@7ba518ae' was successfully initialized, but failed to start. Please see the attached cause exception "Incorrect function.
".
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:463)
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:110)
    at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.startDatabaseServer(DatabaseManagementServiceFactory.java:219)
    ... 11 more
Caused by: org.neo4j.graphdb.DatabaseShutdownException: This database is shutdown.
    at org.neo4j.kernel.availability.DatabaseAvailabilityGuard.assertDatabaseAvailable(DatabaseAvailabilityGuard.java:172)
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginKernelTransaction(GraphDatabaseFacade.java:197)
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTransactionInternal(GraphDatabaseFacade.java:176)
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTransaction(GraphDatabaseFacade.java:122)
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTransaction(GraphDatabaseFacade.java:116)
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTransaction(GraphDatabaseFacade.java:104)
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTx(GraphDatabaseFacade.java:99)
    at org.neo4j.dbms.database.SystemGraphComponents.initializeSystemGraph(SystemGraphComponents.java:97)
    at org.neo4j.dbms.database.DefaultSystemGraphInitializer.initializeSystemGraph(DefaultSystemGraphInitializer.java:41)
    at org.neo4j.dbms.database.SystemGraphInitializer.start(SystemGraphInitializer.java:29)
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:442)
    ... 13 more
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.io.fs.watcher.DatabaseLayoutWatcher@75022e4c' was successfully initialized, but failed to start. Please see the attached cause exception "Incorrect function.
".
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:463)
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:110)
    at org.neo4j.kernel.database.Database.start(Database.java:514)
    at org.neo4j.dbms.database.AbstractDatabaseManager.startDatabase(AbstractDatabaseManager.java:238)
    at org.neo4j.dbms.database.DefaultDatabaseManager.startDatabase(DefaultDatabaseManager.java:145)
    at org.neo4j.dbms.database.DefaultDatabaseManager.startDatabase(DefaultDatabaseManager.java:34)
    at org.neo4j.dbms.database.AbstractDatabaseManager.forEachDatabase(AbstractDatabaseManager.java:216)
    at org.neo4j.dbms.database.AbstractDatabaseManager.startAllDatabases(AbstractDatabaseManager.java:123)
    at org.neo4j.dbms.database.AbstractDatabaseManager.start(AbstractDatabaseManager.java:117)
    ... 14 more
Caused by: java.io.UncheckedIOException: java.io.IOException: Incorrect function.

    at org.neo4j.io.fs.watcher.DefaultFileSystemWatcher.uncheckedRegister(DefaultFileSystemWatcher.java:160)
    at org.neo4j.io.fs.watcher.DefaultFileSystemWatcher.lambda$watch$1(DefaultFileSystemWatcher.java:73)
    at java.base/java.util.concurrent.ConcurrentHashMap.compute(Unknown Source)
    at org.neo4j.io.fs.watcher.DefaultFileSystemWatcher.watch(DefaultFileSystemWatcher.java:71)
    at org.neo4j.io.fs.watcher.DatabaseLayoutWatcher.watchFile(DatabaseLayoutWatcher.java:118)
    at org.neo4j.io.fs.watcher.DatabaseLayoutWatcher.startWatching(DatabaseLayoutWatcher.java:110)
    at org.neo4j.io.fs.watcher.DatabaseLayoutWatcher.watchDirectories(DatabaseLayoutWatcher.java:85)
    at org.neo4j.io.fs.watcher.DatabaseLayoutWatcher.start(DatabaseLayoutWatcher.java:65)
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:442)
    ... 22 more
Caused by: java.io.IOException: Incorrect function.

    at java.base/sun.nio.fs.WindowsWatchService$Poller.implRegister(Unknown Source)
    at java.base/sun.nio.fs.AbstractPoller.processRequests(Unknown Source)
    at java.base/sun.nio.fs.WindowsWatchService$Poller.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
2023-09-24 23:15:11 [INFO]  [engine.graph.GraphTask]            Finishing graph CSVs...
2023-09-24 23:15:11 [INFO]  [engine.graph.GraphTask]            Finishing graph CSVs...
2023-09-24 23:15:11 [INFO]  [engine.graph.GraphTask]            Finishing graph CSVs...
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-10 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-3 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-7 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-5 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-1 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-6 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-8 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-2 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-11 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-9 finished.
2023-09-24 23:15:11 [INFO]  [engine.core.Worker]            Worker-4 finished.
2023-09-24 23:15:11 [ERROR] [app.processing.Main]           Processing Error: 
java.lang.RuntimeException: Error starting Neo4j database server at \\vmware-host\Shared Folders\Indexing_output\iped\neo4j\data\databases
    at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.startDatabaseServer(DatabaseManagementServiceFactory.java:228) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.build(DatabaseManagementServiceFactory.java:181) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.api.DatabaseManagementServiceBuilder.newDatabaseManagementService(DatabaseManagementServiceBuilder.java:101) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.api.DatabaseManagementServiceBuilder.build(DatabaseManagementServiceBuilder.java:94) ~[neo4j-4.4.4.jar:4.4.4]
    at iped.engine.graph.GraphServiceImpl.start(GraphServiceImpl.java:43) ~[iped-engine-4.1.4.jar:?]
    at iped.engine.graph.GraphGenerator.runPostImportOps(GraphGenerator.java:47) ~[iped-engine-4.1.4.jar:?]
    at iped.engine.graph.GraphGenerator.generate(GraphGenerator.java:37) ~[iped-engine-4.1.4.jar:?]
    at iped.engine.graph.GraphGenerator.generate(GraphGenerator.java:30) ~[iped-engine-4.1.4.jar:?]
    at iped.engine.graph.GraphTask.finishGraphGeneration(GraphTask.java:162) ~[iped-engine-4.1.4.jar:?]
    at iped.engine.graph.GraphTask.finish(GraphTask.java:191) ~[iped-engine-4.1.4.jar:?]
    at iped.engine.core.Worker.finishTasks(Worker.java:135) ~[iped-engine-4.1.4.jar:?]
    at iped.engine.core.Worker.run(Worker.java:300) ~[iped-engine-4.1.4.jar:?]
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.dbms.database.DefaultSystemGraphInitializer@7ba518ae' was successfully initialized, but failed to start. Please see the attached cause exception "Incorrect function.
".
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:463) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:110) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.startDatabaseServer(DatabaseManagementServiceFactory.java:219) ~[neo4j-4.4.4.jar:4.4.4]
    ... 11 more
Caused by: org.neo4j.graphdb.DatabaseShutdownException: This database is shutdown.
    at org.neo4j.kernel.availability.DatabaseAvailabilityGuard.assertDatabaseAvailable(DatabaseAvailabilityGuard.java:172) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginKernelTransaction(GraphDatabaseFacade.java:197) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTransactionInternal(GraphDatabaseFacade.java:176) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTransaction(GraphDatabaseFacade.java:122) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTransaction(GraphDatabaseFacade.java:116) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTransaction(GraphDatabaseFacade.java:104) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.impl.factory.GraphDatabaseFacade.beginTx(GraphDatabaseFacade.java:99) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.SystemGraphComponents.initializeSystemGraph(SystemGraphComponents.java:97) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.DefaultSystemGraphInitializer.initializeSystemGraph(DefaultSystemGraphInitializer.java:41) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.SystemGraphInitializer.start(SystemGraphInitializer.java:29) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:442) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:110) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.startDatabaseServer(DatabaseManagementServiceFactory.java:219) ~[neo4j-4.4.4.jar:4.4.4]
    ... 11 more
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.io.fs.watcher.DatabaseLayoutWatcher@75022e4c' was successfully initialized, but failed to start. Please see the attached cause exception "Incorrect function.
".
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:463) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:110) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.database.Database.start(Database.java:514) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.AbstractDatabaseManager.startDatabase(AbstractDatabaseManager.java:238) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.DefaultDatabaseManager.startDatabase(DefaultDatabaseManager.java:145) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.DefaultDatabaseManager.startDatabase(DefaultDatabaseManager.java:34) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.AbstractDatabaseManager.forEachDatabase(AbstractDatabaseManager.java:216) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.AbstractDatabaseManager.startAllDatabases(AbstractDatabaseManager.java:123) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.AbstractDatabaseManager.start(AbstractDatabaseManager.java:117) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:442) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:110) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.startDatabaseServer(DatabaseManagementServiceFactory.java:219) ~[neo4j-4.4.4.jar:4.4.4]
    ... 11 more
Caused by: java.io.UncheckedIOException: java.io.IOException: Incorrect function.

    at org.neo4j.io.fs.watcher.DefaultFileSystemWatcher.uncheckedRegister(DefaultFileSystemWatcher.java:160) ~[neo4j-io-4.4.4.jar:4.4.4]
    at org.neo4j.io.fs.watcher.DefaultFileSystemWatcher.lambda$watch$1(DefaultFileSystemWatcher.java:73) ~[neo4j-io-4.4.4.jar:4.4.4]
    at java.util.concurrent.ConcurrentHashMap.compute(Unknown Source) ~[?:?]
    at org.neo4j.io.fs.watcher.DefaultFileSystemWatcher.watch(DefaultFileSystemWatcher.java:71) ~[neo4j-io-4.4.4.jar:4.4.4]
    at org.neo4j.io.fs.watcher.DatabaseLayoutWatcher.watchFile(DatabaseLayoutWatcher.java:118) ~[neo4j-layout-4.4.4.jar:4.4.4]
    at org.neo4j.io.fs.watcher.DatabaseLayoutWatcher.startWatching(DatabaseLayoutWatcher.java:110) ~[neo4j-layout-4.4.4.jar:4.4.4]
    at org.neo4j.io.fs.watcher.DatabaseLayoutWatcher.watchDirectories(DatabaseLayoutWatcher.java:85) ~[neo4j-layout-4.4.4.jar:4.4.4]
    at org.neo4j.io.fs.watcher.DatabaseLayoutWatcher.start(DatabaseLayoutWatcher.java:65) ~[neo4j-layout-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:442) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:110) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.database.Database.start(Database.java:514) ~[neo4j-kernel-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.AbstractDatabaseManager.startDatabase(AbstractDatabaseManager.java:238) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.DefaultDatabaseManager.startDatabase(DefaultDatabaseManager.java:145) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.DefaultDatabaseManager.startDatabase(DefaultDatabaseManager.java:34) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.AbstractDatabaseManager.forEachDatabase(AbstractDatabaseManager.java:216) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.AbstractDatabaseManager.startAllDatabases(AbstractDatabaseManager.java:123) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.dbms.database.AbstractDatabaseManager.start(AbstractDatabaseManager.java:117) ~[neo4j-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:442) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:110) ~[neo4j-common-4.4.4.jar:4.4.4]
    at org.neo4j.graphdb.facade.DatabaseManagementServiceFactory.startDatabaseServer(DatabaseManagementServiceFactory.java:219) ~[neo4j-4.4.4.jar:4.4.4]
    ... 11 more
Caused by: java.io.IOException: Incorrect function.

    at sun.nio.fs.WindowsWatchService$Poller.implRegister(Unknown Source) ~[?:?]
    at sun.nio.fs.AbstractPoller.processRequests(Unknown Source) ~[?:?]
    at sun.nio.fs.WindowsWatchService$Poller.run(Unknown Source) ~[?:?]
    at java.lang.Thread.run(Unknown Source) ~[?:?]

lfcnassif commented 11 months ago

I can't see any error related to VMDK processing above. All messages seem related to the graph module that uses Neo4j library.

If you are running processing inside a virtual machine using "shared folders" as the case output, try to avoid it and redirect the case output to a virtual disk. Shared folders can cause issues with some modules, since they use network shares and those shares aren't reliable for concurrent access.

About disabling embedded disk processing, that can be done in IPEDConfig.txt -> processEmbeddedDisks = false, but as I said, the errors above don't seem related to it.

lfcnassif commented 11 months ago

Are you able to provide a sample and a step-by-step to reproduce the errors above?

DeveloperNamedMax commented 11 months ago

I am running the 4.1.4 version of IPED inside a VMware virtual machine. The case output and the case images to process are on an HDD which I share using the VMware "Shared Folders" feature. The settings to run are the defaults of the profile "forensics". Inside my image is a VMDK virtual machine (embedded virtual disk).

Also, I would like to mention that I did a batch script to run IPED each time it fails/errors to check whether it was a one-time thing, but after running 10+ times I get the same error each time. But I think you are right that it might be the Shared Folders feature and that it isn't stable.

Therefore I am going to try and use the Virtual Disk option instead of Shared Folders like you recommended. Since processing takes a while, I will give you an update once it finishes or if the problem arises again.

Thanks for the reply!

DeveloperNamedMax commented 11 months ago

@lfcnassif Finished processing without any errors! Thanks for the advice, the problem was the "Shared Folders" function in VMware which, as you said, wasn't stable enough.

I fixed it by adding a "Hard Disk" linking a physical disk instead in VMware.

Thank you for the help!

lfcnassif commented 11 months ago

You're welcome, thanks for the feedback.

PS: I think you can use shared folders to share the images to be processed/read, but not as the output folder or temp, where a lot of data is written to.
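
Added example, not part of the thread and not IPED or Neo4j code: a pre-flight check that can be run against a planned case output folder before a long processing job. It flags UNC paths such as the `\\vmware-host\Shared Folders\...` path in the trace and attempts the JDK directory watch registration that is the innermost failing call in that trace. The class name `OutputDirPreflight` and its `check` method are hypothetical.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.ArrayList;
import java.util.List;
import static java.nio.file.StandardWatchEventKinds.*;

/** Added example: hypothetical pre-flight check for a case output folder. */
public class OutputDirPreflight {

    /** Returns the problems found; an empty list means both checks passed. */
    static List<String> check(Path dir) {
        List<String> problems = new ArrayList<>();
        Path abs = dir.toAbsolutePath().normalize();

        // UNC paths (\\host\share\...) are network shares; the failing output
        // folder in the trace was \\vmware-host\Shared Folders\...
        // A share mapped to a drive letter is not caught here, only below.
        if (abs.toString().startsWith("\\\\")) {
            problems.add("network share (UNC path): " + abs);
        }
        if (!Files.isDirectory(abs)) {
            problems.add("not an existing directory: " + abs);
            return problems;
        }
        // Register the directory with a WatchService, the JDK operation that
        // threw "java.io.IOException: Incorrect function." in the trace.
        try (WatchService ws = abs.getFileSystem().newWatchService()) {
            WatchKey key = abs.register(ws, ENTRY_CREATE, ENTRY_MODIFY, ENTRY_DELETE);
            key.cancel();
        } catch (IOException | UnsupportedOperationException e) {
            problems.add("file watch registration failed: " + e);
        }
        return problems;
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java OutputDirPreflight.java <output-dir>");
            System.exit(2);
        }
        List<String> problems = check(Paths.get(args[0]));
        if (problems.isEmpty()) {
            System.out.println("OK: not a UNC path, watch registration works");
        } else {
            problems.forEach(p -> System.out.println("PROBLEM: " + p));
            System.exit(1);
        }
    }
}
```

With Java 11 or later it runs as a single source file; a non-zero exit code means the folder should not be used as case output or temp.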