sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

EmbeddedDiskProcessTask doesn't work on paths with alternate data streams #2158

Closed its5Q closed 2 months ago

its5Q commented 2 months ago

I've tried to test this toolkit with a disk image from a recently finished competition BelkaCTF 6, and it appears there are problems with several plugins that depend on the getCanonicalFile() function to canonicalize paths. In my case, IPED completely crashes on processing a file called desktop.ini:vault.vhdx, which is a BitLocker vault hidden inside an alternate data stream. The plugin calls getCanonicalFile on that path and crashes, because it seems like Java's native library doesn't support canonicalization for ADS paths.

The stacktrace:

2024-04-10 01:27:33 [ERROR] [app.processing.Main]           Processing Error: 
java.lang.Exception: Worker-3 Error while processing /BelkaCTF_6_CASE240405_LAPTOP.E01/vol_vol6/Users/phorger/Documents/desktop.ini:vault.vhdx (608174080bytes)
    at iped.engine.core.Worker.process(Worker.java:186) ~[iped-engine-4.1.6.jar:?]
    at iped.engine.core.Worker.run(Worker.java:265) ~[iped-engine-4.1.6.jar:?]
Caused by: java.io.IOException: The filename, directory name, or volume label syntax is incorrect
    at java.io.WinNTFileSystem.canonicalize0(Native Method) ~[?:?]
    at java.io.WinNTFileSystem.canonicalize(Unknown Source) ~[?:?]
    at java.io.File.getCanonicalPath(Unknown Source) ~[?:?]
    at java.io.File.getCanonicalFile(Unknown Source) ~[?:?]
    at iped.engine.task.EmbeddedDiskProcessTask.exportItem(EmbeddedDiskProcessTask.java:240) ~[iped-engine-4.1.6.jar:?]
    at iped.engine.task.EmbeddedDiskProcessTask.process(EmbeddedDiskProcessTask.java:205) ~[iped-engine-4.1.6.jar:?]
    at iped.engine.task.EmbeddedDiskProcessTask.process(EmbeddedDiskProcessTask.java:128) ~[iped-engine-4.1.6.jar:?]
    at iped.engine.task.AbstractTask.processMonitorTimeout(AbstractTask.java:277) ~[iped-engine-4.1.6.jar:?]
    at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:192) ~[iped-engine-4.1.6.jar:?]
    at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225) ~[iped-engine-4.1.6.jar:?]
    at iped.engine.task.AbstractTask.processAndSendToNextTask(AbstractTask.java:205) ~[iped-engine-4.1.6.jar:?]
    at iped.engine.task.AbstractTask.sendToNextTask(AbstractTask.java:225) ~[iped-engine-4.1.6.jar:?]
    ...
lfcnassif commented 2 months ago

Thanks for reporting. We do support alternate data streams. There was a specific issue with the embedded virtual disk specific module, because of the colon in the file name. Please share your test image, so we can reproduce the issue and test a possible fix on your whole test image, looking for other potential issues.

PS: You can also disable the processEmbeddedDisks option in IPEDConfig.txt to disable the problematic module.
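The failure in the report above comes from calling java.io.File.getCanonicalFile() on a name that carries an NTFS alternate data stream marker (the colon in desktop.ini:vault.vhdx), which Windows' canonicalization rejects. The following is an added example, not IPED's code and not the fix in the project's commit: it shows a defensive way to build an export path for such an item. It canonicalizes only the export root (a normal directory path), rewrites the ADS separator before building a java.nio.file.Path (on Windows, Path parsing itself rejects a colon outside the drive letter position, and writing to file:stream would silently place the data in an alternate stream of the exported file rather than in a regular file), and keeps the containment check that canonicalization is usually there for. The class name, the underscore naming scheme and the sample names are this example's assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/**
 * Added example (not IPED code): resolve an export path for an evidence item
 * whose name may contain an NTFS alternate data stream marker (':'), without
 * calling File.getCanonicalFile() on the ADS-bearing name, which throws
 * IOException on Windows as seen in the reported stack trace.
 */
public class SafeExportPath {

    /** On Windows, a ':' inside a file name denotes an ADS (file:stream). */
    static boolean hasAdsMarker(String itemName) {
        return itemName.indexOf(':') >= 0;
    }

    /**
     * Rewrite the ADS separator so the export lands in a regular file instead
     * of an alternate stream of another exported file. The underscore scheme
     * ("desktop.ini:vault.vhdx" -> "desktop.ini_vault.vhdx") is an assumption
     * of this example, not IPED's naming.
     */
    static String sanitizeItemName(String itemName) {
        return itemName.replace(':', '_');
    }

    /**
     * Canonicalize the export root (safe: it is an ordinary directory path),
     * append the sanitized item name, and verify the result still lies inside
     * the root so a crafted item name cannot escape the export directory.
     */
    static File resolveExportFile(File exportRoot, String itemName) throws IOException {
        File canonicalRoot = exportRoot.getCanonicalFile();
        String name = hasAdsMarker(itemName) ? sanitizeItemName(itemName) : itemName;
        // Sanitizing first matters: Path parsing on Windows throws
        // InvalidPathException for a ':' in a non-drive position.
        Path target = canonicalRoot.toPath().resolve(name).normalize();
        if (!target.startsWith(canonicalRoot.toPath())) {
            throw new IOException("item name escapes export directory: " + itemName);
        }
        return target.toFile();
    }

    public static void main(String[] args) {
        File root = new File(System.getProperty("java.io.tmpdir"), "iped-export-example");
        // Constructed sample names: the ADS name from the report, a plain name,
        // and a traversal attempt that the containment check must reject.
        String[] samples = {"desktop.ini:vault.vhdx", "report.pdf", "../outside.txt"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveExportFile(root, s));
            } catch (IOException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `javac SafeExportPath.java && java SafeExportPath`. The point of keeping the check on the canonical root rather than dropping canonicalization altogether is that exporting items to disk is exactly where a path containment check earns its keep; the ADS case only needs the name normalized before the path is built, not the check removed.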

its5Q commented 2 months ago

The image is available here: https://dl.ctf.do/BelkaCTF_6_CASE240405_FILE2.zip Password: RJtWAZfsB1wMCNDebVWY

lfcnassif commented 2 months ago

Thanks.

Actually I anticipated this issue when #2099 was fixed by a PR sent by a contributor. My fault for accepting an incomplete fix.

lfcnassif commented 2 months ago

Fixed by commit 91a23ba.

A snapshot with the fix will be created in 10min here: https://github.com/sepinf-inc/IPED/actions/runs/8636057320