sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

File sleuth.db is modified when opening the case #2198

Open mbichara opened 1 month ago

mbichara commented 1 month ago

I believe that the modifications in the case were only made to IPED-SearchApp.log. But I noticed that the file sleuth.db is being modified when opening the case for the first time with the multicase option.

wladimirleite commented 1 month ago

Hi @mbichara! Can you elaborate a bit more? I just tested opening two cases with the -multicases option, and later compared the sleuth.db of each case with a backup copy I made before, and there were no changes. How is your folder structure? Are the cases and the processed evidence files in the same volume? What is the command used to open the multicase (and the multicases file, if used)?

lfcnassif commented 1 month ago

TSK stores absolute image paths in sleuth.db. At the end of processing, if --portable is used, we update image paths to be relative, when possible (image and case in the same volume): https://github.com/sepinf-inc/IPED/blob/468a2bfb92a93e28745c152476bdad833f20d9f6/iped-engine/src/main/java/iped/engine/core/Manager.java#L726-L732

I think the above code could be executed always, not just with --portable. But if the image is in a volume different from the case, and if the image is moved, paths should be updated... When the case folder is read-only, we create a temp sleuth.db and update image paths into it. One option would be to always copy sleuth.db to temp, but it could have GBs of size and it could take a reasonable time when the case opens...

Anyway, answers to @wladimirleite's questions would help. And step-by-step instructions to reproduce would be even better. This week I'm giving a training and won't have time to look into this in the next days...
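The mechanism described above (absolute image paths stored in sleuth.db, rewritten to relative paths when image and case share a volume, with a temp copy when the case folder is read-only), as an added example that is not IPED's or The Sleuth Kit's own code. It assumes the image paths live in a table named tsk_image_names(obj_id, name, sequence) as in Sleuth Kit case databases, builds a constructed case/ and evidence/ tree in a temp directory, and hashes sleuth.db before and after so an examiner can see exactly when the case database changes on open and can dry-run the rewrite first.

```python
"""Added example: relativizing image paths in a TSK-style sleuth.db.

Not IPED's code. Assumptions: image paths are in a table named
tsk_image_names(obj_id, name, sequence) as in Sleuth Kit case databases;
the sample tree and the sample DB below are constructed in a temp directory.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile


def sha256_of(path):
    """Hash the DB file so we can prove whether opening the case touched it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_sample_sleuth_db(db_path, image_path):
    """Constructed stand-in for a TSK case DB recording one image by absolute path."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE tsk_image_names ("
                "obj_id INTEGER NOT NULL, name TEXT NOT NULL, sequence INTEGER NOT NULL)")
    con.execute("INSERT INTO tsk_image_names VALUES (1, ?, 0)", (image_path,))
    con.commit()
    con.close()


def same_volume(a, b):
    """Drive letters must match (Windows); then the device id must match (POSIX)."""
    if os.path.splitdrive(a)[0].lower() != os.path.splitdrive(b)[0].lower():
        return False
    return os.stat(a).st_dev == os.stat(b).st_dev


def working_copy_if_read_only(db_path, case_dir):
    """Read-only case folder: rewrite paths in a temp copy, never in the evidence copy.
    (Copying can be slow when sleuth.db is GBs in size, hence not done unconditionally.)"""
    if os.access(case_dir, os.W_OK):
        return db_path
    tmp = os.path.join(tempfile.mkdtemp(), "sleuth.db")
    shutil.copy2(db_path, tmp)
    return tmp


def relativize_image_paths(db_path, case_dir, write=False):
    """Return [(old, new)] for absolute image paths that can be made relative to
    case_dir. Writes only when write=True; a dry run never touches the DB."""
    con = sqlite3.connect(db_path)
    changes = []
    for rowid, name in con.execute("SELECT rowid, name FROM tsk_image_names").fetchall():
        if not os.path.isabs(name) or not os.path.exists(name):
            continue  # already relative, or image moved: leave the row alone
        if not same_volume(name, case_dir):
            continue  # a cross-volume relative path would not be portable
        rel = os.path.relpath(name, case_dir)
        changes.append((name, rel))
        if write:
            con.execute("UPDATE tsk_image_names SET name = ? WHERE rowid = ?", (rel, rowid))
    if write:
        con.commit()
    con.close()
    return changes


def resolve_image_paths(db_path, case_dir):
    """What a viewer does afterwards: join relative names back onto case_dir."""
    con = sqlite3.connect(db_path)
    names = [r[0] for r in con.execute(
        "SELECT name FROM tsk_image_names ORDER BY obj_id, sequence")]
    con.close()
    return [os.path.normpath(n if os.path.isabs(n) else os.path.join(case_dir, n))
            for n in names]


def demo():
    """case/ and evidence/ side by side on one volume: the dry run leaves the hash
    intact, the write changes it, and the relative name still resolves to the image."""
    root = tempfile.mkdtemp()
    try:
        case_dir = os.path.join(root, "case")
        image = os.path.join(root, "evidence", "disk.E01")
        os.makedirs(case_dir)
        os.makedirs(os.path.dirname(image))
        with open(image, "wb") as f:
            f.write(b"EVF\x09\x0d\x0a\xff\x00")  # constructed bytes, not a real image
        db = working_copy_if_read_only(os.path.join(case_dir, "sleuth.db"), case_dir)
        create_sample_sleuth_db(db, image)
        before = sha256_of(db)
        planned = relativize_image_paths(db, case_dir, write=False)
        unchanged_after_dry_run = sha256_of(db) == before
        applied = relativize_image_paths(db, case_dir, write=True)
        return {
            "planned": planned,
            "applied": applied,
            "unchanged_after_dry_run": unchanged_after_dry_run,
            "changed_after_write": sha256_of(db) != before,
            "resolves": resolve_image_paths(db, case_dir) == [os.path.normpath(image)],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running the dry run first and hashing sleuth.db around the write is the check that separates "the viewer rewrote image paths on first open" from an unexplained modification of the case database; if the image has been moved to another volume, the row is deliberately left untouched rather than pointed at a path that no longer exists.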

mbichara commented 1 month ago

Hi @wladimirleite

For me the issue happens when using IpedBot (blind profile, exporting the case files), which I believe processes the case and then moves it to a storage folder.

When opening the case (single or multicase), sleuth.db gets modified, so it is not related only to multicase. The file sleuth.db might be getting the relative path updated, or something related, as @lfcnassif said.

I am not sure exactly how the Ipedbot works, so the exact reproducing steps require further investigation.

I also could not reproduce the issue in a local processing case.

Best

wladimirleite commented 1 month ago

If it is just updating the evidence path when the case is opened for the first time, it is not an issue, right?!