
Improve LocalConfig.txt options loading on different machines

Open lfcnassif opened this issue 2 years ago • 1 comments

@patrickdalla just reported a "Too few available memory per processing thread" warning while generating a report. The issue was: numThreads was fixed at 40 on the processing machine, but the analysis machine has far fewer processing cores. A related issue could happen with hashesDB. indexTemp already has special handling so that it is used only if it exists, but maybe that is not desired by the user. But if the same machine is used for processing and analysis, those options should be loaded. Maybe we can store them in the local user OS temp like other options.

lfcnassif, Jun 08 '22 13:06

We had the same issue a while ago, with numThreads=60 that came from cases processing in our server.

wladimirleite, Jun 08 '22 13:06

@lfcnassif, I believe we talked about this in the past, and recently I observed again an issue caused by the indexTemp location of a case processed in one machine and accessed by another user/machine.

If the configured indexTemp path can't be accessed, IPED will use the default configuration, right? In the particular case, "G:\TempIPED" was used during processing. When opening the case, "G:" was a pen drive, so a "\TempIPED" was created. Everything worked, but much slower than it should be. Probably, it could run into disk space issues...

Even when the indexTemp points to a folder like "C:\IPED-TEMP", it will work in other machines, but the user may find it strange that such a folder was created in the root level of his/her C:.

What about resetting some configurations in LocalConfig.txt, when the output is a report or the "--portable" parameter is used? I am talking about:

  • indexTemp
  • numThreads
  • hashesDB

wladimirleite, Oct 25 '22 20:10

> If the configured indexTemp path can't be accessed, IPED will use the default configuration, right?

Right, that is the current intended behavior.

> In the particular case, "G:\TempIPED" was used during processing. When opening the case, "G:" was a pen drive, so a "\TempIPED" was created. Everything worked, but much slower than it should be. Probably, it could run into disk space issues...

Yes, "no space left on device" when opening the case was reported recently to me because of this.

> What about resetting some configurations in LocalConfig.txt, when the output is a report or the "--portable" parameter is used? I am talking about:

Seems reasonable, I like the reset if report approach. Maybe that won't cover all situations... About the --portable option, I was planning to remove it, since I think it is useless today, the application always tries to derive relative paths to source evidences if they are in the same volume as the case.

Another option would be to save the last LocalConfig.txt params used in processing in the user.home/.iped folder. If that is found (examiner opening the processed case), use it. If not (investigator opening a case/report), use the defaults.

> Maybe that won't cover all situations...

Like sending the complete case to an investigator or if the examiner opens the report.

lfcnassif, Oct 25 '22 20:10

> Another option would be to save the last LocalConfig.txt params used in processing in the user.home/.iped folder. If that is found (examiner opening the processed case), use it. If not (investigator opening a case/report), use the defaults.

Since it is a local machine configuration, saving it in the local machine and trying to reuse it if saved/configured seems good to me. We could even just use the user.home/.iped/ipedRoot.txt file to find the LocalConfig.txt of current IPED "installation" and use it for all opened cases.

lfcnassif, Oct 25 '22 21:10

> Another option would be to save the last LocalConfig.txt params used in processing in the user.home/.iped folder. If that is found (examiner opening the processed case), use it. If not (investigator opening a case/report), use the defaults.

That seems to be a good option.

wladimirleite, Oct 25 '22 21:10

> Another option would be to save the last LocalConfig.txt params used in processing in the user.home/.iped folder. If that is found (examiner opening the processed case), use it. If not (investigator opening a case/report), use the defaults.

> Since it is a local machine configuration, saving it in the local machine and trying to reuse it if saved/configured seems good to me. We could even just use the user.home/.iped/ipedRoot.txt file to find the LocalConfig.txt of current IPED "installation" and use it for all opened cases.

Thinking a bit more about this, using the LocalConfig.txt from the current "IPED installation" is a simple/practical solution, but may have some disadvantages. Would LocalConfig.txt still be copied to the processed case folder? I guess having the file there, but using the configuration from another location may be confusing. So, it would be probably better to not copy this file. But that may be inconvenient in situations when you want to change some configuration for a specific case. Another concern about not having the file, would be the 'locale' parameter. Using the default locale in another machine, probably won't be the desired behavior.

wladimirleite, Oct 26 '22 20:10

> Seems reasonable, I like the reset if report approach. Maybe that won't cover all situations... About the --portable option, I was planning to remove it, since I think it is useless today, the application always tries to derive relative paths to source evidences if they are in the same volume as the case.

Even in the first case processed it would be useful to restore such properties in LocalConfig.txt. A scenario is where we process the UFDR with the --portable flag and deliver the case with the UFDR on a media. Another scenario is where the case is delivered on a server.

aberenguel, Oct 27 '22 17:10

> Even in the first case processed it would be useful to restore such properties in LocalConfig.txt. A scenario is where we process the UFDR with the --portable flag and deliver the case with the UFDR on a media. Another scenario is where the case is delivered on a server.

Yes, that's why I said the reset if report approach would not cover all cases.

> process the UFDR with --portable flag

This has no effect, --portable just applies with evidences processed by TSK, replacing absolute paths in the TSK database by relative ones. Even if not used, and if the evidence is not found, IPED already tries to find the evidence (the heuristic is detailed in the Wiki/Manual). For other evidence types, a relative path is already used internally. So I think that option is useless today...

lfcnassif, Oct 27 '22 21:10

So we have 2 approaches for now:

  • keep the --portable option instead of removing it (it is useless today) and reset the LocalConfig.txt (except locale) if it is used or if output is a report;
  • move the locale param to another file (IPEDConfig.txt or a new LocaleConfig.txt), stop copying the LocalConfig.txt to output folder and reuse the LocalConfig.txt from "installation folder" if found or the default values if it doesn't exist;

Is there another solution? Votes?

lfcnassif, Feb 26 '23 22:02

Both options would be great. I vote for the first one.

wladimirleite, Feb 26 '23 22:02

First one too, I think.

rafael844, Feb 27 '23 10:02

OK, I'm implementing the first approach.

  • indexTemp
  • numThreads
  • hashesDB

I'll also reset the indexTempOnSSD param. What about outputOnSSD, should it also be reset?

lfcnassif, Mar 02 '23 00:03

And should a blind (profile) data extraction case also reset those params?

lfcnassif, Mar 02 '23 00:03

> I'll also reset the indexTempOnSSD param. What about outputOnSSD, should it also be reset?

I think these are less critical, but in my own cases (before sending to someone else) I am resetting both to false.

wladimirleite, Mar 02 '23 00:03
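
The reset discussed up to this point (indexTemp, numThreads, hashesDB, plus indexTempOnSSD and outputOnSSD, with locale kept), sketched as a standalone script an examiner could run on a case's LocalConfig.txt before handing the case over. This is an added example, not IPED's code or the fix that was implemented; the function name, the `default` reset value, commenting out hashesDB and the sample file contents are assumptions.

```python
import re

# Machine-specific keys named in the thread and the value each is reset to.
# "default" for indexTemp/numThreads is an assumption about how LocalConfig.txt
# expresses "let the application decide"; None means "comment the line out".
RESET = {
    "indexTemp": "default",
    "numThreads": "default",
    "indexTempOnSSD": "false",
    "outputOnSSD": "false",
    "hashesDB": None,
}

# Active "key = value" lines only; lines starting with '#' never match.
_KEY_LINE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(.*)$")

def reset_local_config(text):
    """Return (new_text, changes); locale and unknown keys are left untouched."""
    out, changes = [], []
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m and m.group(1) in RESET:
            key, old = m.group(1), m.group(2).strip()
            new = RESET[key]
            if new is None:
                line = "#" + line.lstrip()   # keep the old path visible for audit
                changes.append((key, old, None))
            elif old != new:
                line = f"{key} = {new}"
                changes.append((key, old, new))
        out.append(line)
    return "\n".join(out) + "\n", changes

# Constructed sample, modelled on the values quoted in the thread.
SAMPLE = r"""# Local environment configuration
locale = pt-BR
indexTemp = G:\TempIPED
indexTempOnSSD = true
outputOnSSD = false
numThreads = 40
#numThreads = 60
hashesDB = D:\hashes\iped-hashes.db
"""

if __name__ == "__main__":
    new_text, changes = reset_local_config(SAMPLE)
    for key, old, new in changes:
        print(f"{key}: {old!r} -> {new!r}")
    print(new_text, end="")
```

The returned change list doubles as a record of what was altered in the delivered copy, and running the function on its own output reports no further changes.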

> And should a blind (profile) data extraction case also reset those params?

Maybe this is not needed, users could use the --portable option.

lfcnassif, Mar 02 '23 01:03

By the way, just remembered --portable can be used to #863 (in a distant future 5.0.0 version)

lfcnassif, Mar 02 '23 01:03

Just re-tagged this as bug.

lfcnassif, Mar 09 '23 02:03

Shouldn't IPEDConfig be reset too? Or enableAudioTranscription be put in LocalConfig? We tried to generate a report with a few selected items on another machine and got some Python errors because enableAudioTranscription was set to true and we have no Python modules on that machine.

rafael844, Jun 29 '23 15:06

> We tried to generate a report with a few selected items on another machine and got some Python errors because enableAudioTranscription was set to true and we have no Python modules on that machine.

What version triggered the error? This should have been fixed on 4.1.1, see #1589

lfcnassif, Jun 29 '23 15:06

4.1.2. Setting false it worked fine. IPED-2023-06-29-11-36-15.log

rafael844, Jun 29 '23 16:06

> 4.1.2. Setting false it worked fine. IPED-2023-06-29-11-36-15.log

Thanks for reporting, I was able to reproduce the issue. Seems it wasn't completely fixed, I'll reopen #1589 and apply the fix there.

lfcnassif, Jun 30 '23 21:06