sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

BSOD Autopsy 4.20 & 4.19.2 #7812

Open steveax79 opened 1 year ago

steveax79 commented 1 year ago

E01 image (Guymager), Size +500Gb
Host Windows 11, 32GB Ram, i9900k, 1 TB Nvme
GuestOS Windows 10 VM, VM Workstation 17, BSOD.

autopsy

autopsy.log

WARNING: Error with file [id=3094] stream.x64.x-none.dat.cat, see Tika log for details...
2023-07-05 11:12:22.504 org.sleuthkit.autopsy.textextractors.SqliteTextExtractor$SQLiteStreamReader read
WARNING: Error attempting to read file table: [SystemIndex_Gthr] for file: [Windows-gather.db] (id=4901).
2023-07-05 11:12:58.99 org.sleuthkit.autopsy.keywordsearch.Ingester indexText
WARNING: Error chunking content from 6219: S-1-5-21-1919969824-3850616032-3152681211-1001.pckgdep
java.lang.IndexOutOfBoundsException
    java.io.PushbackReader.read(PushbackReader.java:136)
    org.sleuthkit.autopsy.keywordsearch.Chunker.readHelper(Chunker.java:277)
    org.sleuthkit.autopsy.keywordsearch.Chunker.readBaseChunk(Chunker.java:245)
    org.sleuthkit.autopsy.keywordsearch.Chunker.next(Chunker.java:214)
    org.sleuthkit.autopsy.keywordsearch.Ingester.indexText(Ingester.java:212)
    org.sleuthkit.autopsy.keywordsearch.Ingester.indexText(Ingester.java:151)
    org.sleuthkit.autopsy.keywordsearch.KeywordSearchIngestModule$Indexer.extractTextAndIndex(KeywordSearchIngestModule.java:619)
    org.sleuthkit.autopsy.keywordsearch.KeywordSearchIngestModule$Indexer.indexFile(KeywordSearchIngestModule.java:818)
    org.sleuthkit.autopsy.keywordsearch.KeywordSearchIngestModule$Indexer.access$100(KeywordSearchIngestModule.java:565)
    org.sleuthkit.autopsy.keywordsearch.KeywordSearchIngestModule.process(KeywordSearchIngestModule.java:400)
    org.sleuthkit.autopsy.ingest.FileIngestPipeline$FileIngestPipelineModule.executeTask(FileIngestPipeline.java:206)
    org.sleuthkit.autopsy.ingest.FileIngestPipeline$FileIngestPipelineModule.executeTask(FileIngestPipeline.java:180)
    org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
    org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1139)
    org.sleuthkit.autopsy.ingest.FileIngestTask.execute(FileIngestTask.java:91)
    org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)
2023-07-05 11:12:59.533 org.sleuthkit.autopsy.textextractors.TikaTextExtractor getReader
WARNING: Error with file [id=6250] HpSystemManagement.cat, see Tika log for details...

tika.log

jul 05, 2023 11:11:56 AM org.sleuthkit.autopsy.textextractors.TikaTextExtractor getReader
ADVERTENCIA: Exception: Unable to Tika parse the content3094: stream.x64.x-none.dat.cat
org.apache.tika.exception.TikaException: Unable to parse pkcs7 signed data
    at org.apache.tika.parser.crypto.Pkcs7Parser.parse(Pkcs7Parser.java:86)
    at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:280)
    at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:280)
    at org.apache.tika.parser.AutoDetectParser.parse(AutoDetectParser.java:143)
    at org.apache.tika.parser.crypto.Pkcs7Parser.parse(Pkcs7Parser.java:78)
    at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:280)
    at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:280)
    at org.apache.tika.parser.AutoDetectParser.parse(AutoDetectParser.java:143)
    at org.apache.tika.parser.ParsingReader$ParsingTask.run(ParsingReader.java:236)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.bouncycastle.cms.CMSException: IOException reading content.
    at org.bouncycastle.cms.CMSContentInfoParser.(Unknown Source)
    at org.bouncycastle.cms.CMSSignedDataParser.(Unknown Source)
    at org.bouncycastle.cms.CMSSignedDataParser.(Unknown Source)
    at org.apache.tika.parser.crypto.Pkcs7Parser.parse(Pkcs7Parser.java:68)
    ... 9 more
Caused by: java.io.IOException: DER length more than 4 bytes: 68
    at org.bouncycastle.asn1.ASN1InputStream.readLength(Unknown Source)
    at org.bouncycastle.asn1.ASN1StreamParser.readObject(Unknown Source)
    ... 13 more
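
The tika.log entry above ends in `DER length more than 4 bytes: 68`. As an added example (not part of the issue, and not Autopsy, Tika or Bouncy Castle code), this sketch decodes an ASN.1 DER header with the same four-octet limit on the length field, so an examiner can see which byte pattern produces that message. The function names, the cap constant and the sample bytes are assumptions constructed for illustration.

```python
"""Decode an ASN.1 DER identifier+length header (X.690) with a cap on length octets."""

MAX_LENGTH_OCTETS = 4  # assumed cap, taken from the wording of the log message


def read_der_header(data: bytes, offset: int = 0):
    """Return (tag_byte, content_length, header_size) or raise ValueError."""
    if offset + 2 > len(data):
        raise ValueError("truncated: need at least identifier and length octets")
    tag = data[offset]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this sketch")
    first = data[offset + 1]
    if first < 0x80:                      # short form: the octet is the length
        return tag, first, 2
    count = first & 0x7F                  # long form: low 7 bits = number of length octets
    if count == 0:
        raise ValueError("indefinite length (0x80) is BER, not DER")
    if count > MAX_LENGTH_OCTETS:
        raise ValueError(f"DER length more than {MAX_LENGTH_OCTETS} bytes: {count}")
    raw = data[offset + 2: offset + 2 + count]
    if len(raw) != count:
        raise ValueError("truncated length field")
    length = int.from_bytes(raw, "big")
    if raw[0] == 0 or length < 0x80:
        raise ValueError("non-minimal length encoding, not valid DER")
    return tag, length, 2 + count


def triage(data: bytes) -> str:
    """Classify a buffer: does it start with a DER SEQUENCE that fits inside it?"""
    try:
        tag, length, header = read_der_header(data)
    except ValueError as exc:
        return f"reject: {exc}"
    if tag != 0x30:
        return f"reject: outer tag 0x{tag:02x} is not SEQUENCE"
    if header + length > len(data):
        return f"reject: declares {length} content bytes, only {len(data) - header} present"
    return f"ok: SEQUENCE, {length} content bytes"


# Constructed samples (not taken from the evidence image in the issue).
VALID = bytes.fromhex("30820100") + bytes(256)   # SEQUENCE, long-form length 0x0100
BAD_COUNT = bytes.fromhex("30c4") + bytes(16)    # 0xC4 = 0x80 | 68 length octets
```

`triage(BAD_COUNT)` reproduces the wording of the log message: a length octet of 0xC4 announces 68 further length octets, which is over the cap.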

TDClarke commented 8 months ago

Do you still get this on version 4.21.0? If so, have you tried a full uninstall and reinstall of Autopsy? What version of the JRE are you using? In cmd: java -version. Are you running an up-to-date version of VM Workstation? (Which version are you using?) Does it give you a BSOD if you run your VM on VirtualBox instead?

Could you please give any further information on how to replicate the issue?