sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Sleuthkit loaded jar location in linux #2303

Closed aberenguel closed 3 months ago

aberenguel commented 3 months ago

I noticed that the Sleuthkit class was loaded from the jar inside iped, not the one set in tskJarPath in LocalConfig.

Originally (command line `java -cp /xxx/iped-4.2-snapshot/iped.jar:/usr/local/share/java/sleuthkit-4.12.0.jar:...`):

```java
org.sleuthkit.datamodel.SleuthkitCase.class.getProtectionDomain().getCodeSource().getLocation()
// returns "/xxx/iped-4.2-snapshot/lib/sleuthkit-4.12.0.p1.jar"
```

Changing the order, the jar is correct (command line `java -cp /usr/local/share/java/sleuthkit-4.12.0.jar:/xxx/iped-4.2-snapshot/iped.jar:...`):

```java
org.sleuthkit.datamodel.SleuthkitCase.class.getProtectionDomain().getCodeSource().getLocation()
// returns "/usr/local/share/java/sleuthkit-4.12.0.jar"
```

lfcnassif commented 3 months ago

Hi @aberenguel. AFAIK class loading order can't be guaranteed... But those classes should be equal, or have you changed or patched your local sleuthkit version?

aberenguel commented 3 months ago

The classes are equal. I was testing an upgrade of the sqlite library and I had to make a fix in the SleuthkitCase class. So I detected this fact.

Btw, sometimes "Caused by: org.sqlite.SQLiteException: [SQLITE_CORRUPT] The database disk image is malformed (database disk image is malformed)" occurs when parsing the WhatsApp database (in extractChatList). The database is not corrupt. When I process it again it works. I was trying to upgrade sqlite to check if that solves it, but it still fails sometimes as well. Anyway, this is another issue.

lfcnassif commented 3 months ago

Fine. So can we close this?

lfcnassif commented 3 months ago

I'm closing this. If it triggers a practical issue, please reopen.
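
The check from the first comment, generalized to list every class path entry that ships the class and to compare the copies by hash. This is an added example, not part of the thread or of IPED's code; the class name `ClassOriginCheck` is hypothetical, and it assumes it is started with the same `-cp` value as the application.

```java
import java.io.InputStream;
import java.math.BigInteger;
import java.net.URL;
import java.security.CodeSource;
import java.security.MessageDigest;
import java.util.Enumeration;

// Hypothetical helper (not part of IPED): run it with the same -cp as the application.
public class ClassOriginCheck {

    // SHA-256 of the bytes behind a class path resource, as 64 hex digits.
    static String sha256(URL url) throws Exception {
        try (InputStream in = url.openStream()) {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(in.readAllBytes());
            return String.format("%064x", new BigInteger(1, d));
        }
    }

    public static void main(String[] args) throws Exception {
        // Defaults to the class discussed in the thread; any class name can be passed.
        String name = args.length > 0 ? args[0] : "org.sleuthkit.datamodel.SleuthkitCase";
        ClassLoader cl = ClassLoader.getSystemClassLoader();

        // The copy the JVM actually uses (located and defined, not initialized).
        Class<?> loaded = Class.forName(name, false, cl);
        CodeSource src = loaded.getProtectionDomain().getCodeSource();
        System.out.println("loaded from: " + (src == null ? "(no code source)" : src.getLocation()));

        // Every class path entry that ships a copy, in lookup order, with its hash.
        Enumeration<URL> copies = cl.getResources(name.replace('.', '/') + ".class");
        String first = null;
        int count = 0;
        boolean differ = false;
        while (copies.hasMoreElements()) {
            URL url = copies.nextElement();
            String digest = sha256(url);
            System.out.println(digest + "  " + url);
            if (first == null) first = digest;
            else if (!first.equals(digest)) differ = true;
            count++;
        }
        System.out.println(count + " copies found, " + (differ ? "CONTENTS DIFFER" : "contents identical"));
        System.exit(differ ? 1 : 0);
    }
}
```

Exit status 1 means the copies differ, in which case the jar that comes first on the class path decides which code runs.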