Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to sleuthkit-4.12.0 #1340

Closed
lfcnassif opened this issue Sep 28, 2022 · 14 comments
Closed

Upgrade to sleuthkit-4.12.0 #1340

lfcnassif opened this issue Sep 28, 2022 · 14 comments
Assignees
@lfcnassif
Labels
dependencies Pull requests that update a dependency file

Comments

@lfcnassif
Copy link
Member

This seems an important fix:
sleuthkit/sleuthkit#2764

And we have to apply all our patches over it again and test...
@lfcnassif lfcnassif added the dependencies Pull requests that update a dependency file label Sep 28, 2022
@lfcnassif lfcnassif changed the title Upgrade for sleuthkit-4.11.2 when available Upgrade to sleuthkit-4.11.2 when available Sep 28, 2022
@lfcnassif lfcnassif changed the title Upgrade to sleuthkit-4.11.2 when available Upgrade to sleuthkit-4.12.0 when available Dec 24, 2022
@lfcnassif
Copy link
Member Author

They added Linux LVM support (by @joachimmetz) and lots of fixes.

@lfcnassif lfcnassif changed the title Upgrade to sleuthkit-4.12.0 when available Upgrade to sleuthkit-4.12.0 Jan 25, 2023
@lfcnassif
Copy link
Member Author

TSK-4.12.0 was released yesterday with the new Linux LVM support and many fixes. As it is a sensitive upgrade, I'll wait some time before we upgrade our fork, so the community could test it a bit for regressions.

@lfcnassif lfcnassif mentioned this issue Feb 9, 2023
Open
@joachimmetz
Copy link

@lfcnassif make sure to apply additional patches when you do upgrade to 4.12.0 e.g. sleuthkit/sleuthkit#2803

@lfcnassif
Copy link
Member Author

Thank you for pointing it out @joachimmetz!

@lfcnassif
Copy link
Member Author

lfcnassif commented Feb 16, 2023
edited
Loading

Applied our patches (https://github.com/sepinf-inc/sleuthkit/commits/4.12.0_iped_patch) + sleuthkit/sleuthkit#2803 + sleuthkit/sleuthkit#2808

Running some tests now... If all looks good, I'll update TSK and release IPED-4.1 tomorrow.

@lfcnassif
Copy link
Member Author

Reverting sleuthkit/sleuthkit#2803, it caused a regression in APFS decoding.

@lfcnassif
Copy link
Member Author

lfcnassif commented Feb 16, 2023
edited
Loading

Edited: TSK-4.12 seems to have made a memory leak while processing a specific APFS image to be gone. In previous versions, image decoding used to consume tons of memory and abort with OOM. Now external image reading processes goes to 4GB but then decrease to a few hundred MB very quickly, oscillating, but without leak.

@lfcnassif
Copy link
Member Author

All 5 APFS images tested seems good. Still need to test some NTFS samples.

@lfcnassif lfcnassif self-assigned this Feb 17, 2023
@joachimmetz
Copy link

Maybe this helps wit NTFS sample files https://github.com/dfirlabs/ntfs-specimens

@joachimmetz
Copy link

Also note that oscillating memory usage, probably hints at caching or delayed garbage collection, less likely a leak. For a leak you would see continuous memory usage growth.

@lfcnassif
Copy link
Member Author

Maybe this helps wit NTFS sample files https://github.com/dfirlabs/ntfs-specimens

Great, thank you @joachimmetz!

@lfcnassif
Copy link
Member Author

Also note that oscillating memory usage, probably hints at caching or delayed garbage collection, less likely a leak. For a leak you would see continuous memory usage growth.

Just fixed my comment to be more clear, thank you!

@lfcnassif
Copy link
Member Author

lfcnassif commented Feb 17, 2023
edited
Loading

Tests seem good, I'll proceed.

lfcnassif added a commit that referenced this issue Feb 17, 2023
@lfcnassif
'#1340: removes unneeded sleuthkit dependency from iped-api
e0ea0a3
@lfcnassif lfcnassif changed the title Upgrade to sleuthkit-4.12.0 Upgrade to sleuthkit-4.12.0: Linux LVM support Feb 17, 2023
@lfcnassif lfcnassif changed the title Upgrade to sleuthkit-4.12.0: Linux LVM support Upgrade to sleuthkit-4.12.0 Feb 24, 2023
@simsong
Copy link

simsong commented Sep 5, 2024

This seems an important fix: sleuthkit/sleuthkit#2764

And we have to apply all our patches over it again and test...

I'm trying to get the old patches applied. I appreciate the help that you've given up to now and apologize that we were not as aggressive as we should have been about incorporating the old patches.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lfcnassif lfcnassif

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@simsong @joachimmetz @lfcnassif