Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NTFS USN Journal parsing fails when processing disk images if indexTempOnSSD = false or if journal size > 1GB #669

Closed
lfcnassif opened this issue Jul 17, 2021 · 1 comment
Closed

NTFS USN Journal parsing fails when processing disk images if indexTempOnSSD = false or if journal size > 1GB #669

lfcnassif opened this issue Jul 17, 2021 · 1 comment
Assignees
@lfcnassif
Labels
bug

Comments

@lfcnassif
Copy link
Member

Stacktrace:

org.apache.tika.exception.TikaException: TIKA-198: Illegal IOException from dpf.inc.sepinf.UsnJrnl.UsnJrnlParser@45224d17
	at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:286) ~[tika-core-1.26.jar:1.26]
	at dpf.sp.gpinf.indexer.parsers.IndexerDefaultParser.parse(IndexerDefaultParser.java:244) [iped-parsers-impl-4.0.0-snapshot.jar:?]
	at dpf.sp.gpinf.indexer.io.ParsingReader$BackgroundParsing.run(ParsingReader.java:247) [iped-engine-4.0.0-snapshot.jar:?]
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:1.8.0_152]
	at java.util.concurrent.FutureTask.run(Unknown Source) [?:1.8.0_152]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:1.8.0_152]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_152]
	at java.lang.Thread.run(Unknown Source) [?:1.8.0_152]
Caused by: java.io.IOException: mark/reset not supported
	at java.io.InputStream.reset(Unknown Source) ~[?:1.8.0_152]
	at dpf.sp.gpinf.indexer.util.SleuthkitInputStream.reset(SleuthkitInputStream.java:82) ~[iped-engine-4.0.0-snapshot.jar:?]
	at dpf.inc.sepinf.UsnJrnl.UsnJrnlParser.findNextEntry(UsnJrnlParser.java:76) ~[iped-parsers-impl-4.0.0-snapshot.jar:?]
	at dpf.inc.sepinf.UsnJrnl.UsnJrnlParser.parse(UsnJrnlParser.java:228) ~[iped-parsers-impl-4.0.0-snapshot.jar:?]
	at org.apache.tika.parser.CompositeParser.parse(CompositeParser.java:280) ~[tika-core-1.26.jar:1.26]
	... 7 more

SleuthkitInputStream just pass some calls to Sleuthkit ReadContentInputStream and it doesn't support mark/reset, but this parser is not checking that with markSupported()
@lfcnassif lfcnassif added the bug label Jul 17, 2021
@lfcnassif lfcnassif self-assigned this Jul 17, 2021
@lfcnassif lfcnassif changed the title USN Journal parsing fails when processing image files NTFS USN Journal parsing fails when processing image files Jul 17, 2021
lfcnassif added a commit that referenced this issue Jul 17, 2021
@lfcnassif
#669: uses seek to avoid mark/reset not supported ioexception
d1c1451
lfcnassif added a commit that referenced this issue Jul 17, 2021
@lfcnassif
#669: uses seek to avoid mark/reset not supported ioexception
e041f17
@lfcnassif
Copy link
Member Author

fixed by d1c1451

@lfcnassif lfcnassif changed the title NTFS USN Journal parsing fails when processing image files NTFS USN Journal parsing fails when processing disk images if indexTempOnSSD = false or if journal size > 1GB Jul 17, 2021
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lfcnassif lfcnassif

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@lfcnassif