sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Keyword search out of memory error v4.9.1 #4451

Open h3ph4est7s opened 5 years ago

h3ph4est7s commented 5 years ago

I'm getting the following error when I try to search a very large case database for keywords:

Product version: 4.9.1
System Memory: 84GB
VM Heap size: 72GB (Also tried with 8GB)
Total indexed files: 5.501.250
Total chunks in index: 9.175.626

SEVERE [org.openide.util.RequestProcessor]: Error in RequestProcessor org.openide.nodes.AsynchChildren
org.apache.solr.client.solrj.impl.HttpSolrServer$RemoteSolrException: java.lang.OutOfMemoryError: Java heap space
        at org.apache.solr.client.solrj.impl.HttpSolrServer.executeMethod(HttpSolrServer.java:554)
        at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:210)
        at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:206)
        at org.apache.solr.client.solrj.request.QueryRequest.process(QueryRequest.java:91)
        at org.apache.solr.client.solrj.SolrServer.query(SolrServer.java:310)
        at org.sleuthkit.autopsy.keywordsearch.Server$Core.query(Server.java:1441)
        at org.sleuthkit.autopsy.keywordsearch.Server$Core.access$1200(Server.java:1376)
        at org.sleuthkit.autopsy.keywordsearch.Server.query(Server.java:1181)
        at org.sleuthkit.autopsy.keywordsearch.LuceneQuery.performQuery(LuceneQuery.java:139)
        at org.sleuthkit.autopsy.keywordsearch.AdHocSearchChildFactory.createFlatKeys(AdHocSearchChildFactory.java:157)
        at org.sleuthkit.autopsy.keywordsearch.AdHocSearchChildFactory.createKeys(AdHocSearchChildFactory.java:130)
        at org.openide.nodes.AsynchChildren.run(AsynchChildren.java:215)
        at org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1443)
        at org.netbeans.modules.openide.util.GlobalLookup.execute(GlobalLookup.java:68)
        at org.openide.util.lookup.Lookups.executeWith(Lookups.java:303)
        at org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2058)
Caused: org.openide.util.RequestProcessor$SlowItem: task failed due to
        at org.openide.util.RequestProcessor$Task.schedule(RequestProcessor.java:1484)
        at org.openide.nodes.AsynchChildren.addNotify(AsynchChildren.java:89)
        at org.openide.nodes.Children.callAddNotify(Children.java:575)
        at org.openide.nodes.EntrySupportDefault.getArray(EntrySupportDefault.java:650)
        at org.openide.nodes.EntrySupportDefault.getNodes(EntrySupportDefault.java:121)
        at org.openide.nodes.EntrySupportDefault.getNodes(EntrySupportDefault.java:172)
        at org.openide.nodes.Children.getNodes(Children.java:469)
        at org.openide.nodes.FilterNode$Children$DefaultSupport.updateKeys(FilterNode.java:1721)
        at org.openide.nodes.FilterNode$Children$DefaultSupport.update(FilterNode.java:1708)
        at org.openide.nodes.FilterNode$Children.addNotifyImpl(FilterNode.java:1499)
        at org.openide.nodes.FilterNode$Children.addNotify(FilterNode.java:1492)
        at org.openide.nodes.Children.callAddNotify(Children.java:575)
        at org.openide.nodes.EntrySupportDefault.getArray(EntrySupportDefault.java:650)
        at org.openide.nodes.EntrySupportDefault.getNodes(EntrySupportDefault.java:121)
        at org.openide.nodes.EntrySupportDefault.getNodes(EntrySupportDefault.java:172)
        at org.openide.nodes.EntrySupportDefault.getNodesCount(EntrySupportDefault.java:176)
        at org.openide.nodes.Children.getNodesCount(Children.java:509)
        at org.sleuthkit.autopsy.corecomponents.DataResultViewerTable.setNode(DataResultViewerTable.java:253)
        at org.sleuthkit.autopsy.corecomponents.DataResultPanel.setupTabs(DataResultPanel.java:481)
        at org.sleuthkit.autopsy.corecomponents.DataResultPanel.setNode(DataResultPanel.java:387)
        at org.sleuthkit.autopsy.corecomponents.DataResultTopComponent.setNode(DataResultTopComponent.java:357)
        at org.sleuthkit.autopsy.corecomponents.DataResultTopComponent.initInstance(DataResultTopComponent.java:164)
        at org.sleuthkit.autopsy.keywordsearch.AdHocSearchDelegator.execute(AdHocSearchDelegator.java:109)
        at org.sleuthkit.autopsy.keywordsearch.AdHocSearchPanel.search(AdHocSearchPanel.java:143)
        at org.sleuthkit.autopsy.keywordsearch.DropdownListSearchPanel.searchAction(DropdownListSearchPanel.java:345)
        at org.sleuthkit.autopsy.keywordsearch.DropdownListSearchPanel.access$800(DropdownListSearchPanel.java:52)
        at org.sleuthkit.autopsy.keywordsearch.DropdownListSearchPanel$3.actionPerformed(DropdownListSearchPanel.java:147)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
        at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Window.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
        at java.awt.EventQueue.access$500(Unknown Source)
        at java.awt.EventQueue$3.run(Unknown Source)
        at java.awt.EventQueue$3.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
        at java.awt.EventQueue$4.run(Unknown Source)
        at java.awt.EventQueue$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:159)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
[catch] at java.awt.EventDispatchThread.run(Unknown Source)
rcordovano commented 5 years ago

@h3ph4est7s, do you have a Java heap dump file (.hprof) from the JVM that you could share with me? The stack trace shows me exactly what code was executing when we ran out of memory, but it does not tell me what was actually using the memory the way a heap dump would.

h3ph4est7s commented 5 years ago

@rcordovano unfortunately this is a production machine and currently contains evidence, so I cannot transfer any kind of sensitive data outside of this environment. I believe this error is related to an effort of loading indexed entries to memory for speed, but I'm not sure if this is greater than 72GB. Btw, thank you for your interest. Also, the system never allocated all 72GB of heap memory; usually it throws right after the button is pressed.

rcordovano commented 5 years ago

@h3ph4est7s, I would love to help you but please don't give me too much credit for my interest because I am the tech lead for Autopsy development here at Basis Technology. Unfortunately, the stack trace and the other information you have provided so far is just not enough for me to go on - it's the nature of the beast when heap memory is exhausted.

Your last remark is, however, intriguing. When you speak of "loading indexed entries to memory for speed" what are you doing, exactly? Based on the stack trace, perhaps you defined a keyword search that would return hits for most / all of the content in the case using the UI widgets in the upper right hand corner and then pressed the search button and the exception occurred? I.e., maybe "loading all the indexed entries into memory" means you wanted all of the files in the case that were indexed for search to appear in a single tab in the right hand side of the window so that you could scroll through them looking at the text in the Indexed Text tab? Just speculating here...and leaving the office for the day.

h3ph4est7s commented 5 years ago

Oh I see, sorry for my ignorance and congratulations for the amazing job with this platform. Let me give you some insight about this case. It's comprised of 4 data sources of 500GB each. I have run the keyword search module with a keyword list for every data source. The problem began when I disabled the periodic search for speed purposes and the show keyword preview option. When I was done with the ingestion process after many days, I noticed that the search results didn't appear under Results - Keyword Hits as usual. When I realized that, I tried to run a manual search using the Keyword Lists drop down search, and I ended up with this error 😢

h3ph4est7s commented 5 years ago

I believe I found out what is wrong here. This error originates from the Solr server. The aforementioned claim can be verified by using a 10GB max heap size in the start.jar initial execution. This mitigates the OutOfMemoryError, and during observation with VisualVM the heap steadily grows in start.jar to around 650MB +/-. The feature of dynamically setting this value is not yet implemented. Solr arguments are hardcoded and in the TODO list, as observed here https://github.com/sleuthkit/autopsy/blob/5964efb5b53c826065151145b42637cdeb108c73/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Server.java#L185 and here https://github.com/sleuthkit/autopsy/blob/5964efb5b53c826065151145b42637cdeb108c73/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Server.java#L364

rcordovano commented 5 years ago

@h3ph4est7s, thank you very much, your analysis is very helpful. I am going to write this up in our internal issue tracking system and I will put an engineer on it as soon as I can.

esaunders commented 5 years ago

@h3ph4est7s I find it interesting that Solr encountered an OOME when you were running a query. The advice we've seen suggests keeping the Solr heap small to allow as much of the index to be loaded into the file system cache as possible. Can you share some more details with us?

  1. How large is your index? You can get this information by using a web browser to connect to Solr (http://localhost:23232/solr) and selecting your case from the "Core Selector" dropdown. You should see something like this: [image]
  2. What types of keyword searches were in your list? Were they exact match, substring match, regular expression or a mix of these?
  3. Was there a particular keyword in the list that caused the OOME?

Thanks.

esaunders commented 5 years ago

Changes have been made such that the next version of Autopsy (64 bit) will include the ability to configure the maximum heap size for the embedded Solr server.

mfrade commented 5 years ago

I believe I found out what is wrong here. This error originates from the Solr server. The aforementioned claim can be verified by using a 10GB max heap size in the start.jar initial execution. This mitigates the OutOfMemoryError, and during observation with VisualVM the heap steadily grows in start.jar to around 650MB +/-. The feature of dynamically setting this value is not yet implemented. Solr arguments are hardcoded and in the TODO list, as observed here autopsy/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Server.java

Line 185 in 5964efb

private static final int MAX_SOLR_MEM_MB = 512; //TODO set dynamically based on avail. system resources

and here autopsy/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Server.java

Line 364 in 5964efb

private Process runSolrCommand(List solrArguments) throws IOException {

I've had problems with out-of-memory errors with the keyword search module. After some tests I found out that you can stop the Solr server (responsible for the keyword search module) and start it again with different memory parameters. This is what I've done:

  1. Start Autopsy and open the case (without starting any ingest module).
  2. Stop Solr:
    • change dir to autopsy/solr (that directory should have the file start.jar)
    • type the command: java -DSTOP.PORT=34343 -DSTOP.KEY=jjk#09s -jar start.jar --stop (the port number and stop key are displayed in http://localhost:23232/solr)
    • wait until the port is freed (30 seconds should be enough)
    • restart Solr: java -Xmx4G -DSTOP.PORT=34343 -DSTOP.KEY=jjk#09s -jar start.jar. This allocates 4 GB, but you can change the -Xmx4G to whatever value you want.
  3. Start the keyword ingest module. Take a look at http://localhost:23232/solr to check Solr's running details (log, stats, used memory, etc.).

This procedure also works while autopsy is running the keyword search, but I won't recommend doing it.
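The restart procedure above, scripted as an added example (not Autopsy project code and not mfrade's own script). It assumes it runs from autopsy/solr where start.jar lives, that bash is available (it probes ports through /dev/tcp), and that STOP_PORT and STOP_KEY match what the Solr admin page shows for the install; the defaults are the values quoted in the thread, and the heap argument is validated before it reaches java.

```bash
#!/usr/bin/env bash
# Added example, not Autopsy project code: scripts mfrade's procedure to stop
# the embedded Solr and restart it with a larger JVM heap than the hard-coded
# 512 MB. Assumes: run from autopsy/solr (where start.jar lives), bash (uses
# /dev/tcp to probe ports), and STOP_PORT / STOP_KEY equal to what
# http://localhost:23232/solr shows; defaults are the values quoted in the thread.
set -u
STOP_PORT="${STOP_PORT:-34343}"
STOP_KEY="${STOP_KEY:-jjk#09s}"
SOLR_PORT="${SOLR_PORT:-23232}"

# Print the stop command exactly as the thread shows it.
solr_stop_cmd() {
    printf 'java -DSTOP.PORT=%s -DSTOP.KEY=%s -jar start.jar --stop' "$STOP_PORT" "$STOP_KEY"
}
# Print the restart command with the requested -Xmx, e.g. 4G or 10G.
solr_start_cmd() {
    printf 'java -Xmx%s -DSTOP.PORT=%s -DSTOP.KEY=%s -jar start.jar' "$1" "$STOP_PORT" "$STOP_KEY"
}
# Accept only <digits><K|M|G> so a typo cannot become a bogus JVM flag.
valid_heap() { printf '%s' "$1" | grep -Eq '^[0-9]+[kKmMgG]$'; }
# Exit 0 if something accepts TCP connections on host:port (bash /dev/tcp).
port_in_use() { (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null; }
# Poll once a second until the port is free; exit 1 after timeout seconds.
wait_port_free() {
    local port="$1" timeout="${2:-60}" waited=0
    while port_in_use 127.0.0.1 "$port"; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
}

main() {
    local heap="${1:-4G}"
    valid_heap "$heap" || { echo "bad heap size: $heap (use e.g. 4G)" >&2; return 2; }
    [ -f start.jar ] || { echo "start.jar not found; cd to autopsy/solr first" >&2; return 2; }
    echo "stopping Solr: $(solr_stop_cmd)"
    java "-DSTOP.PORT=$STOP_PORT" "-DSTOP.KEY=$STOP_KEY" -jar start.jar --stop
    wait_port_free "$SOLR_PORT" 60 || { echo "port $SOLR_PORT still busy" >&2; return 1; }
    echo "starting Solr: $(solr_start_cmd "$heap")"
    # Background it so the shell returns; watch the admin page for used memory.
    java "-Xmx$heap" "-DSTOP.PORT=$STOP_PORT" "-DSTOP.KEY=$STOP_KEY" -jar start.jar &
}
# Only act when explicitly asked, e.g.: ./solr-heap.sh --apply 10G
if [ "${1:-}" = "--apply" ]; then main "${2:-4G}"; fi
```

Run it with the case already open in Autopsy and before starting the keyword search ingest module, as the procedure above says.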