Error opening items inside an E01 from an unmounted READ ONLY Windows network share #1782
Comments
|
After struggling during this week, I think I finally found the cause (and a possible solution) of this issue. |
|
Under certain conditions (like sleuth.db is in an unmapped network read-only folder) IPED creates a copy of sleuth.db in the temporary folder and updates evidence location (to use absolute path). This was already implemented and seems to be working fine. However, when accessing the content of an item inside an evidence handled by the sleuth kit (e.g. E01), it uses the original database, which causes an odd exception. |
|
Thank you very much @tc-wleite for spending your time investigating this! Should have taken a while... I will merge the fix shortly. |
Use sleuth.db location from the case (#1782)
It seems that #1407 didn't fully solve #1336 when the network share is read only (which is the usual case here).
This was reported to me by a user.
I thought I tested this situation (read only) when implementing #1407, but it is not working anymore.
I will investigate it in more detail, but I was able to reproduce it today using 4.1.3 and 4.0.7 in a small test case with an E01 image.
It looks like the issue is related to TSK, as it doesn't happen with other evidence types (folders, UFDRs etc).
If the case is in a writeable network share or it is mapped to a letter (i.e. instead of opening from \\server\folder, use X:\mapfolder), then it works fine.
The text was updated successfully, but these errors were encountered: