
[iLeapp] permission denied during ingest

Open mammo0 opened this issue 4 years ago • 6 comments

Hello,

when starting the ingest module iLeapp it immediately crashes with:

SEVERE: Error when trying to execute iLeapp program getting file paths to search for result is -1

After a look into the source, I saw that before the actual ingest the following method is executed: https://github.com/sleuthkit/autopsy/blob/e6c87a1bea0aac73cb6ca942d092e39e3dc9d375/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ILeappAnalyzerIngestModule.java#L300-L309

The iLeapp_paths_error.txt in the temp directory contains the actual error

Traceback (most recent call last):
  File "ileapp.py", line 195, in <module>
  File "ileapp.py", line 27, in main
PermissionError: [Errno 13] Permission denied: 'path_list.txt'
[16052] Failed to execute script ileapp

So I also looked into the source of iLeapp: https://github.com/abrignoni/iLEAPP/blob/a3dc2b90e236e02a64112df7520f8ba68922bb1a/ileapp.py#L23-L37

If the -p argument is used, the file path_list.txt is created in the current working directory. In the case of Autopsy, this working dir is %PROGRAMFILES%\Autopsy-<version>\. Only the admin user has write access to this directory. So I must run Autopsy as admin for this ingest module to work. But I don't want to, because Autopsy works perfectly fine without admin rights.

As a workaround I created the file %PROGRAMFILES%\Autopsy-<version>\path_list.txt and gave the normal user write permissions to this file. Now the iLeapp ingest module runs without errors.

I know that this might be more an issue of iLeapp than Autopsy, but maybe it helps to just change the working directory for the ProcessBuilder that executes the iLeapp.exe to a temporary directory.

mammo0 avatar May 04 '21 08:05 mammo0
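
Added example, not part of the original issue and not Autopsy or iLEAPP code: the working-directory change suggested in the post above, sketched in Python with `subprocess` standing in for the Java ProcessBuilder launch. The child one-liner, `install_dir` and the sample path are constructed stand-ins; the read-only case assumes a POSIX system and an unprivileged user.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for the child tool: it opens 'path_list.txt' relative
# to whatever working directory it inherits from the launcher.
CHILD = "open('path_list.txt', 'w').write('constructed/sample/path\\n')"


def run_tool(cwd):
    """Run the stand-in child in `cwd`; return (exit code, stderr text)."""
    proc = subprocess.run([sys.executable, "-c", CHILD], cwd=cwd,
                          capture_output=True, text=True)
    return proc.returncode, proc.stderr


def run_in_scratch_dir():
    """Launch the child in a private per-run directory and read its output."""
    with tempfile.TemporaryDirectory(prefix="leapp_run_") as scratch:
        code, err = run_tool(scratch)
        out = Path(scratch) / "path_list.txt"
        return code, err, out.read_text() if out.exists() else None


def compare_launches():
    """Contrast inheriting a read-only install dir with using a scratch dir."""
    with tempfile.TemporaryDirectory() as base:
        install = Path(base) / "install_dir"  # hypothetical install directory
        install.mkdir()
        install.chmod(0o555)                  # read-only for an unprivileged user
        try:
            inherited = run_tool(install)
            polluted = (install / "path_list.txt").exists()
        finally:
            install.chmod(0o755)              # restore so cleanup can delete it
    return {"inherited": inherited, "polluted_install": polluted,
            "scratch": run_in_scratch_dir()}


if __name__ == "__main__":
    for name, result in compare_launches().items():
        print(name, result)
```

Run unprivileged, the inherited launch exits non-zero with a PermissionError on stderr, while the scratch-directory launch succeeds and leaves nothing behind in the install directory.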

What version of Autopsy are you running? This should be fixed in the next release of Autopsy 4.19. In PR 6803 the iLeapp program was updated in Autopsy so it does not write out the path_list.txt anymore, just to stdout.

markmckinnon avatar May 04 '21 13:05 markmckinnon

I can confirm that manually creating the "path_list.txt" file fixes the issue.

TroySchnack avatar May 04 '21 16:05 TroySchnack

I'm using 4.18.

I had a look at the mentioned PR. I don't think that is really fixed. Or does the iLeapp.exe contain a modified version of the current master branch of the iLeapp repo? Because as I said, the main problem is that the path_list.txt file is created by iLeapp every time.

mammo0 avatar May 04 '21 17:05 mammo0

I just tested with what will be in 4.19 and it does work.

--

Mark McKinnon, MS, CCE Assistant Professor College of Technology, Digital Forensics and Information Assurance Davenport University Lettinga Campus

markmckinnon avatar May 04 '21 17:05 markmckinnon

Ok, will try that tomorrow

mammo0 avatar May 04 '21 18:05 mammo0

Ok, the new binary does the job.

But which repo is used to build that binary? Because I noticed that there is also a -w, --wrap_text option that is not present in the current https://github.com/abrignoni/iLEAPP

mammo0 avatar May 05 '21 08:05 mammo0

Closing this as complete. Please reopen if this is still an issue.

markmckinnon avatar Jan 26 '23 16:01 markmckinnon