sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Exception caused by empty linkedItems hashes in Telegram chats preview (master) #2157

Closed wladimirleite closed 2 months ago

wladimirleite commented 2 months ago

When clicking on some internally parsed Telegram chats, I am getting the following exception:

```
java.lang.RuntimeException: iped.exception.QueryNodeException: INVALID_SYNTAX_CANNOT_PARSE: Syntax Error, cannot parse (hash:):
    at iped.engine.search.IPEDSearcher.setQuery(IPEDSearcher.java:107)
    at iped.engine.search.IPEDSearcher.<init>(IPEDSearcher.java:77)
    at iped.app.ui.ReferencingTableModel.listItems(ReferencingTableModel.java:93)
    at iped.app.ui.FileProcessor.process(FileProcessor.java:193)
    at iped.app.ui.FileProcessor.doInBackground(FileProcessor.java:133)
    at iped.app.ui.FileProcessor.doInBackground(FileProcessor.java:1)
    at java.desktop/javax.swing.SwingWorker$1.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.desktop/javax.swing.SwingWorker.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
```

It seems to be caused by empty media hashes that were incorrectly added by the parser.

wladimirleite commented 2 months ago

There are also media with "hashes of byte[0]" (like MD5 "hash:d41d8cd98f00b204e9800998ecf8427e"), which could also be discarded.

image

lfcnassif commented 2 months ago

> There are also media with "hashes of byte[0]" (like MD5 "hash:d41d8cd98f00b204e9800998ecf8427e"), which could also be discarded.
>
> image

We discard search results for media with up to 2 bytes, AFAIK, in WhatsAppParser, to ignore empty files or files with just a newline.

wladimirleite commented 2 months ago

> We discard search results for media with up to 2 bytes, AFAIK, in WhatsAppParser, to ignore empty files or files with just a newline.

Good observation! Just checked WhatsAppParser's code. I will try to add a similar verification to TelegramParser.

wladimirleite commented 2 months ago

> I will try to add a similar verification to TelegramParser.

Unfortunately it didn't work, as it also filtered out valid linked media that have length 0 (in the decoded database). I am testing an alternative solution that just ignores empty hashes (a trivial check) and media hashes that match one of the pre-calculated zero-length hashes.
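The filtering approach discussed in this thread, as an added illustration that is not code from the IPED project: the zero-length digests are pre-computed with `hashlib` for MD5, SHA-1, SHA-256 and SHA-512, a hash is kept only if it is non-blank and not one of those digests, and the query is built from the surviving hashes (or skipped entirely when none survive). `naive_hash_query` is a constructed helper showing how an empty hash produces the bare `hash:` term the query parser rejects; the function names, the `hash` field name and the sample hash values are assumptions for the example.

```python
import hashlib

# Added example, not IPED code: filter linked-item hashes before building a
# "hash:<value>" query, so that blank hashes (which yield the unparsable
# "hash:" term from the issue) and digests of zero-length content are
# discarded by value, without dropping entries based on their recorded length.

HASH_ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests of b"" for each algorithm, e.g. MD5 d41d8cd98f00b204e9800998ecf8427e.
ZERO_LENGTH_DIGESTS = frozenset(
    hashlib.new(alg, b"").hexdigest() for alg in HASH_ALGORITHMS
)


def naive_hash_query(hashes, field="hash"):
    """Unfiltered form: a blank hash becomes a bare 'hash:' term (syntax error)."""
    return " ".join(f"{field}:{(h or '').strip()}" for h in hashes)


def is_usable_hash(h):
    """True only for a non-blank hash that is not the digest of empty content."""
    if h is None:
        return False
    norm = h.strip().lower()
    if not norm:
        return False
    return norm not in ZERO_LENGTH_DIGESTS


def filter_linked_hashes(hashes):
    """Return the usable hashes, normalised to lowercase and de-duplicated, in input order."""
    seen = set()
    result = []
    for h in hashes:
        if not is_usable_hash(h):
            continue
        norm = h.strip().lower()
        if norm not in seen:
            seen.add(norm)
            result.append(norm)
    return result


def build_hash_query(hashes, field="hash"):
    """Build 'hash:a hash:b ...' from usable hashes, or None when nothing is left to search."""
    usable = filter_linked_hashes(hashes)
    if not usable:
        return None
    return " ".join(f"{field}:{h}" for h in usable)


if __name__ == "__main__":
    # Constructed sample: a blank hash, the MD5 of empty content, one ordinary
    # hash (MD5 of b"hello") and a None entry.
    sample = ["", "d41d8cd98f00b204e9800998ecf8427e",
              "5d41402abc4b2a76b9719d911017c592", None]
    print("naive   :", naive_hash_query(sample))
    print("filtered:", build_hash_query(sample))
```

The length-based check from WhatsAppParser is deliberately not reproduced here: as noted above, linked items whose decoded length is 0 can still be valid, so the filter keys on the hash value itself and only refuses the digests that no real file content can produce.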