sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Autopsy version 4.11 - failed to read case metadata #4799

Open joakimkavrestad opened 5 years ago

joakimkavrestad commented 5 years ago

Hi, seems like Autopsy 4.11.0 (installed using Windows 64-bit installer on Windows 7) failed to open cases where the case name contains capital letters. The error message is "Failed to read case metadata".

rcordovano commented 5 years ago

@joakimkavrestad, I have been unable to reproduce this. Sample case name I tried: UPPER_CASE-letters-34.

Were the cases created with a different version of Autopsy, and if so, which version?

Do the case names have non-Latin characters as in https://github.com/sleuthkit/autopsy/issues/4422?

I believe the error message should have an exception message after a colon in "Failed to read case metadata:"; if so, will you pass it on? You may also be able to find a stack trace in %APPDATA%\Roaming\autopsy\var\log\autopsylog.0 that would provide even more debugging info. Note that the number on the end of the log file name changes each time you run Autopsy. The "0" suffix indicates the log for the last run.

joakimkavrestad commented 5 years ago

Hi and thank you for the reply,

The case is named “AGAINIT374G”, so no non-Latin chars. The exception message is: Error reading from case metadata file pathtofile. I know this could be due to a corrupt file, but the file looks fine to me. You can find the content below. I can create and work with a case with such a name, but the error appears when I close and reopen. I made sure to close the case “nicely”. When I do an all-small-letters named case using the same image files and ingest modules it works fine. Also attaching the log file…


AGAINIT374G.aut: <?xml version="1.0" encoding="UTF-8" standalone="no"?>

5.0 2019/05/14 15:41:46 (CEST) 2019/05/14 15:41:50 (CEST) 4.11.0 4.11.0 againit374g_20190514_154146 AGAINIT374G asd Joakim öjd Single-user case autopsy.db


cmbrbuild commented 5 years ago

I'm having the same issues. I created a case this time with the name in lowercase and the error continues. In my tests I put a word with accents in the Examiner name field. I edited the .aut file and removed the accents, and now it is working. I think you can reproduce the error by putting a word with accents in the "Examiner name field". The accent that I used was 'ê'.

rcordovano commented 5 years ago

@joakimkavrestad, thank you for sending the contents of your case metadata file (.aut file). The problem is not the case name at all - it is the umlaut in the ExaminerPhone element. I was unable to reproduce the problem until I noticed this and used an umlaut myself. I suspect that when you made the second case with the lower case case name, you omitted to enter the same examiner phone number.

The inability to use things such as umlauts in the case metadata is a known bug. I hope that we will get it fixed for you in a future release, but I cannot promise it will be in the next release. Sorry for the inconvenience! Hopefully you can work around the issue until we have a fix in place.
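A quick way to find which fields of a case metadata (.aut) file carry non-ASCII text, and whether the file's bytes are valid UTF-8 as its XML declaration says. This is an added example, not part of the thread or of Autopsy's code, and it only locates the fields rather than explaining the bug. The sample document is constructed from the values quoted above; its element names other than ExaminerPhone are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names other than ExaminerPhone are assumptions.
SAMPLE = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n'
          '<AutopsyCase><Case><DisplayName>AGAINIT374G</DisplayName>'
          '<Examiner>Joakim</Examiner><ExaminerPhone>öjd</ExaminerPhone>'
          '</Case></AutopsyCase>')

def utf8_errors(data: bytes):
    """Return byte offsets at which data is not valid UTF-8 (empty if clean)."""
    offsets, pos = [], 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8")
            break
        except UnicodeDecodeError as exc:
            offsets.append(pos + exc.start)  # exc.start is relative to the slice
            pos += exc.start + 1
    return offsets

def non_ascii_fields(data: bytes):
    """Return {element tag: text} for elements whose text is not pure ASCII."""
    hits = {}
    for el in ET.fromstring(data).iter():
        text = (el.text or "").strip()
        if text and not text.isascii():
            hits[el.tag] = text
    return hits

def inspect_aut(data: bytes):
    """Report invalid UTF-8 offsets and the fields holding non-ASCII text."""
    bad = utf8_errors(data)
    if bad:
        # Bytes do not match the declared encoding: decode leniently so the
        # XML still parses and the affected field shows up with U+FFFD in it.
        data = data.decode("utf-8", errors="replace").encode("utf-8")
    return {"invalid_utf8_offsets": bad, "non_ascii_fields": non_ascii_fields(data)}

if __name__ == "__main__":
    # Same document saved as real UTF-8 and as a legacy single-byte code page.
    for label, raw in (("utf-8", SAMPLE.encode("utf-8")),
                       ("cp1252", SAMPLE.encode("cp1252"))):
        print(label, inspect_aut(raw))
```

To check a real case, pass the bytes of a copy of the .aut file to `inspect_aut`; the reported tags are the fields to edit as a workaround.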

rcordovano commented 4 years ago

@joakimkavrestad, we will be including what we believe to be a fix for this issue in Autopsy 4.14.0, due to be released in December 2018 / January 2020.