sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

[iLeapp] permission denied during ingest #6950

Closed mammo0 closed 1 year ago

mammo0 commented 3 years ago

Hello,

when starting the ingest module iLeapp it immediately crashes with:

SEVERE: Error when trying to execute iLeapp program getting file paths to search for result is -1

After a look into the source, I saw that before the actual ingest the following method is executed: https://github.com/sleuthkit/autopsy/blob/e6c87a1bea0aac73cb6ca942d092e39e3dc9d375/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ILeappAnalyzerIngestModule.java#L300-L309

The iLeapp_paths_error.txt in the temp directory contains the actual error

Traceback (most recent call last):
  File "ileapp.py", line 195, in <module>
  File "ileapp.py", line 27, in main
PermissionError: [Errno 13] Permission denied: 'path_list.txt'
[16052] Failed to execute script ileapp

So I looked also into the source of iLeapp: https://github.com/abrignoni/iLEAPP/blob/a3dc2b90e236e02a64112df7520f8ba68922bb1a/ileapp.py#L23-L37

If the -p argument is used, the file path_list.txt is created in the current working directory. In case of Autopsy this working dir is %PROGRAMFILES%\Autopsy-<version>\. Only the admin user has write access to this directory. So I must run Autopsy as admin for this ingest module to work. But I don't want to, because Autopsy works perfectly fine without admin rights.

As a workaround I created the file %PROGRAMFILES%\Autopsy-<version>\path_list.txt and gave write permissions to the normal user to this file. Now the iLeapp ingest module runs without errors.

I know that this might be more an issue of iLeapp than Autopsy, but maybe it helps to just change the working directory for the ProcessBuilder that executes the iLeapp.exe to a temporary directory.
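
The working-directory change suggested in the post above, sketched as an added example (not code from the thread, Autopsy, or iLEAPP). The class name, the temp-directory prefixes and the log file names are hypothetical; the executable to launch is taken from the command line.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Added illustration; class, method and file names are hypothetical, not Autopsy's.
public class TempWorkDirLauncher {
    /** Runs exe with a fresh temporary directory as its working directory. */
    static int runInTempDir(Path exe, List<String> args, Path stdoutLog, Path stderrLog)
            throws IOException, InterruptedException {
        // Resolve first, so changing the working directory cannot change which binary runs.
        Path absExe = exe.toAbsolutePath().normalize();
        Path workDir = Files.createTempDirectory("leapp-work-");
        try {
            List<String> cmd = new ArrayList<>();
            cmd.add(absExe.toString());
            cmd.addAll(args);
            ProcessBuilder pb = new ProcessBuilder(cmd);
            pb.directory(workDir.toFile()); // relative writes such as path_list.txt land here
            pb.redirectOutput(stdoutLog.toAbsolutePath().toFile());
            pb.redirectError(stderrLog.toAbsolutePath().toFile());
            return pb.start().waitFor();
        } finally {
            deleteTree(workDir); // leave nothing behind, whatever the child wrote
        }
    }

    private static void deleteTree(Path root) throws IOException {
        List<Path> entries;
        try (Stream<Path> walk = Files.walk(root)) {
            entries = walk.sorted(Comparator.reverseOrder()).collect(Collectors.toList());
        }
        for (Path p : entries) Files.deleteIfExists(p); // deepest entries first
    }

    public static void main(String[] argv) throws Exception {
        if (argv.length == 0) throw new IllegalArgumentException("usage: <exe> [args...]");
        Path logs = Files.createTempDirectory("leapp-logs-");
        int rc = runInTempDir(Paths.get(argv[0]),
                Arrays.asList(argv).subList(1, argv.length),
                logs.resolve("stdout.txt"), logs.resolve("stderr.txt"));
        System.out.println("exit code " + rc + ", logs in " + logs);
    }
}
```

With this arrangement the install directory under %PROGRAMFILES% keeps its default ACLs and the tool runs without elevation, which avoids both running as admin and leaving a user-writable file in the program directory.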

markmckinnon commented 3 years ago

What version of Autopsy are you running? This should be fixed in the next release of Autopsy 4.19; in PR 6803 the iLeapp program was updated in Autopsy so it does not write out the path_list.txt anymore, just to stdout.

TroySchnack commented 3 years ago

I can confirm that manually creating the "path_list.txt" file fixes the issue.

mammo0 commented 3 years ago

I'm using 4.18.

I had a look at the mentioned PR. I don't think that is really fixed. Or does the iLeapp.exe contain a modified version of the current master branch of the iLeapp repo? Because as I said, the main problem is that the path_list.txt file is created by iLeapp every time.

markmckinnon commented 3 years ago

I just tested with what will be in 4.19 and it does work.

On Tue, May 4, 2021 at 1:07 PM mammo0 @.***> wrote:

I'm using 4.18.

I had a look at the mentioned PR. I don't think that is really fixed. Or does the iLeapp.exe contain a modified version of the current master branch of iLeapp? Because as I said, the main problem is that the path_list.txt file is created by iLeapp every time.

--

Mark McKinnon, MS, CCE Assistant Professor College of Technology, Digital Forensics and Information Assurance Davenport University Lettinga Campus

mammo0 commented 3 years ago

Ok, will try that tomorrow

mammo0 commented 3 years ago

Ok, the new binary does the job.

But which repo is used to build that binary? Because I noticed that there is also a -w, --wrap_text option that is not present in the current https://github.com/abrignoni/iLEAPP

markmckinnon commented 1 year ago

Closing this as complete. Please reopen if this is still an issue.