autopsy
autopsy copied to clipboard
sleuthkit
Autopsy Setup with SMB/CIFS not working
Hi,
my Setup looks as follows:
2x Postgres Docker Container (Central Repo + Main DB) / regular Docker Container 1x Solr (4.10.4) Docker Container - Linux Based / modified Docker Container 1x Autopsy (4.15) Docker Container - Linux Based (https://hub.docker.com/r/bannsec/autopsy) 1x SMB/CIFS Share (https://hub.docker.com/r/dperson/samba)
Solr should be configured correctly:
Now I connect both Solr and Autopsy with the share:
mount -t cifs //192.168.2.116/share /share -o username=root,password=root,file_mode=0666,dir_mode=0777 mount -t cifs //192.168.2.116/share /share -o username=roott,password=roott,file_mode=0666,dir_mode=0777
When I add a file in one container, I can see it in the other..No permission issues.
If I run Autopsy in multi user mode, I choose /share directory as the multi user dir.
However I receive an error message: "Failed to get an shared lock on the case"
I'm lost and cannot figure out why it is not working. Any help would be greatly appreciated.
Thanks!
ok. So it seems like it has nothing to do with docker or multi user mode. I installed Autopsy 4.15 on ubuntu. On ubuntu I mounted a samba share like this
mount -t cifs //192.168.2.116/share /share -o username=roott,password=roott,file_mode=0666,dir_mode=0777
Running Autopsy on singe-user mode gives me this error:
2020-09-08 16:35:41.733 org.sleuthkit.autopsy.casemodule.Case closeAppServiceCaseResources SEVERE: Solr Keyword Search Service service failed to open case resources java.util.concurrent.ExecutionException: java.lang.NullPointerException java.util.concurrent.FutureTask.report(FutureTask.java:122) java.util.concurrent.FutureTask.get(FutureTask.java:192) org.sleuthkit.autopsy.casemodule.Case.closeAppServiceCaseResources(Case.java:2637) org.sleuthkit.autopsy.casemodule.Case.close(Case.java:2585) org.sleuthkit.autopsy.casemodule.Case.create(Case.java:1946) org.sleuthkit.autopsy.casemodule.Case.lambda$doOpenCaseAction$6(Case.java:1847) java.util.concurrent.FutureTask.run(FutureTask.java:266) java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) java.lang.Thread.run(Thread.java:748) java.lang.NullPointerException java.util.concurrent.FutureTask.report(FutureTask.java:122) java.util.concurrent.FutureTask.get(FutureTask.java:192) org.sleuthkit.autopsy.casemodule.Case.closeAppServiceCaseResources(Case.java:2637) org.sleuthkit.autopsy.casemodule.Case.close(Case.java:2585) org.sleuthkit.autopsy.casemodule.Case.create(Case.java:1946) org.sleuthkit.autopsy.casemodule.Case.lambda$doOpenCaseAction$6(Case.java:1847) java.util.concurrent.FutureTask.run(FutureTask.java:266) java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) java.lang.Thread.run(Thread.java:748)
Strange thing is, mounting the same samba share on Windows and running Autopsy on Windows works (single-user mode).
Regarding your original issue...multi user cases only work on Windows.
As for your single user case issue. The Keyword Search NullPointerException is likely just a side-effect of the underlying problem. I suspect that the underlying issue is that SQLite has problems with concurrent locking across a SMB/CIFS share. I just tried the same experiment as you and I see a number of "[SQLITE_BUSY] The database file is locked (database is locked)" messages in the ~/.autopsy/dev/var/log/messages.log file.
"multi user cases only work on Windows." Why do you think this is the case? I had no problems with this setup unless I did not use shares.
Regarding the other issue:
ok thanks, looking through log files I can probably confirm:
org.sleuthkit.datamodel.TskCoreException: Database Error (Error creating tsk_db_info table: database is locked ) java.util.concurrent.FutureTask.report(FutureTask.java:122) java.util.concurrent.FutureTask.get(FutureTask.java:192) javax.swing.SwingWorker.get(SwingWorker.java:602) org.sleuthkit.autopsy.casemodule.NewCaseWizardAction$1.done(NewCaseWizardAction.java:115) javax.swing.SwingWorker$5.run(SwingWorker.java:737) javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:832) sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112) javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:842) javax.swing.Timer.fireActionPerformed(Timer.java:313) javax.swing.Timer$DoPostEvent.run(Timer.java:245) java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311) java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758) java.awt.EventQueue.access$500(EventQueue.java:97) java.awt.EventQueue$3.run(EventQueue.java:709) java.awt.EventQueue$3.run(EventQueue.java:703) java.security.AccessController.doPrivileged(Native Method) java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74) java.awt.EventQueue.dispatchEvent(EventQueue.java:728) org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:159) java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205) java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116) java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105) java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101) java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93) java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
Any suggestions how to solve this? Thanks ;)
"multi user cases only work on Windows." Why do you think this is the case? I had no problems with this setup unless I did not use shares. Interesting. Perhaps it will work just fine if you are entirely Linux based and you have no need for Windows Autopsy clients to open the case. The scenario I tried a few months back had Solr/ZooKeeper on Windows and Autopsy on both Linux and Windows. In that scenario I could create a multi user case on Linux but could not re-open it on Linux or Windows. This was due to the fact that the string being used to identify case nodes in ZooKeeper contained slash characters that are treated differently depending on which platform Autopsy and Solr/ZK are running on.
Any suggestions how to solve this? Thanks ;) The only thing that currently comes to mind is...if you are entirely Linux based why not use Linux filesystem storage?
Yes, it works if you either enterily Linux or Windows-based. Thanks for your replies.
