Lessons Learned

From truxwiki.com

This page contains some solutions to situations we've encountered during the life of Truxton

Administrative

Load.exe Disappears From Install Folder

When Truxton is processing incoming media, it may (probably will) encounter malware. When Load.exe (or maybe EMail.exe) writes this malware to the depot file, the process might get quarantined by your virus scanner. When this happens, depending on your settings, the executable files will disappear from the installation folder.

You can prevent this by disabling virus protection on loader machines or configuring them to exempt Truxton's processes and folders from scanning.

Delete Folder Structure

When expanding PST files, sometimes folders can be left behind. Usually, they will contain filenames that Windows thinks don't exist. To delete the folder, use the "escaped" (\\?\) form of the path, which tells Windows not to think too hard when interpreting the filename.

del /F /S /Q \\?\H:\Trux\Truxton\55E3AF7109F30CA7 >nul
rmdir  /S /Q \\?\H:\Trux\Truxton\55E3AF7109F30CA7

Deleting Folder Structure 2

Sometimes, when expanding archives, folder ownership will be reset. To delete them, you must first take ownership and reset the security.

takeown /a /r /d Y /f D:\Temp
icacls D:\Temp /t /grant administrators:F
del /F /S /Q D:\Temp
rmdir  /S /Q D:\Temp
mkdir D:\Temp

Killing Processes

If you have mistakenly started loading a load list, you can stop the Truxton service but the Load.exe processes will still be running.

taskkill /fi "IMAGENAME eq Load.exe" /F

NIC Teaming

One feature used in the Truxton Forensic Rack is teaming of network cards to improve performance. You can see how a server is teamed using PowerShell:

Get-NetLbfoTeam

Name                   : Team2
Members                : {SLOT 4 Port 2, SLOT 4 Port 1}
TeamNics               : Team2
TeamingMode            : SwitchIndependent
LoadBalancingAlgorithm : Dynamic
Status                 : Up

Name                   : Team1
Members                : {SLOT 3 Port 2, SLOT 3 Port 1}
TeamNics               : Team1
TeamingMode            : SwitchIndependent
LoadBalancingAlgorithm : Dynamic
Status                 : Up

NIC MTU Size

There is a network optimization known as Jumbo Frames which reduces the ratio of packet overhead to packet payload size. Basically, you send more data bytes per packet, which reduces the number of packets required to send large amounts of data. To enable this optimization, your network interface card (NIC) must support a maximum transmission unit (MTU) greater than 1500. If you tell your NIC to use 9700 bytes per frame but the card can't support it, you will get random, unreliable networking errors that will drive you absolutely crazy. Once you have figured this problem out, you want to prevent it from ever happening again.

The following PowerShell script will print an error message should the MTU be set to something your NIC cannot support.

function check_nic([string]$card_name, [uint32]$desired_mtu_size)
{
   # Find the IPv4 interface with this alias. The NlMtu filter skips interfaces that
   # report an unrealistically large MTU (the loopback interface, for example).
   $n = Get-NetIPInterface | Where-Object {($_.InterfaceAlias -EQ $card_name) -AND ($_.AddressFamily -EQ "IPv4") -AND ($_.NlMtu -LT 10000)}

   # Put $null on the left so a multi-element result cannot fool the comparison.
   if ( $null -ne $n )
   {
      if ( $n.NlMtu -ne $desired_mtu_size )
      {
         Write-Host -ForegroundColor Red -BackgroundColor Yellow $("The MTU size of " + $card_name + " is " + $n.NlMtu + " when it should be " + $desired_mtu_size)
      }
   }
}

check_nic -card_name "vEthernet (Management)" 1500

Clear the Desktop Cache

The Analyst Desktop will cache files to make the user interface more performant. This PowerShell script will clear the cache leaving only the current log files.

Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\Archives.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ContactSheet.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\Registry.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\RegRipper.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\Report.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\Truxton Analyst.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\TruxtonCLI.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\TruxtonClient.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\TruxtonStatus.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ImageCache\*.bmp")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ImageCache\*.gif")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ImageCache\*.jpg")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ImageCache\*.png")

Clear ETL Cache

Some ETL processes spawned by the Truxton Service will write log files to the systemprofile folder. The following command, run from an elevated command prompt, will delete those cached files.

del /F /S /Q C:\Windows\system32\config\systemprofile\AppData\Local\Probity\Truxton >nul

Debugging PostgreSQL

Sorry, too many clients already

We have seen PostgreSQL run out of connections and die (yes, the entire process tree collapses). It does not matter how many connections it is configured to support. To help debug this, set the following three items in postgresql.conf file:

log_connections = on
log_disconnections = on
log_hostname = off
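Once those settings are on, the log shows every backend that connects and disconnects. The following PowerShell function is an added example (not from the Truxton wiki) that pairs "connection authorized" lines with their "disconnection" lines by backend PID, so you can see which client identity is holding connections open when the "too many clients" error appears. It assumes the default log_line_prefix of '%m [%p] ' and PostgreSQL 12's connection line format; the sample lines are constructed.

```powershell
# Added example, not part of the Truxton wiki. Assumes log_line_prefix = '%m [%p] ',
# i.e. each line starts with a timestamp and the backend PID in square brackets.
function Get-PgConnectionUsage([string[]]$LogLines) {
    $open = @{}      # backend PID -> "user@database (application_name)"
    $peak = 0
    $prefix = '^\S+ \S+ \S+ \[(?<pid>\d+)\] LOG:\s+'
    foreach ($line in $LogLines) {
        if ($line -match ($prefix + 'connection authorized: user=(?<user>\S+) database=(?<db>\S+)(?: application_name=(?<app>.+))?$')) {
            $app = if ($Matches['app']) { $Matches['app'] } else { 'unknown' }
            $open[$Matches['pid']] = '{0}@{1} ({2})' -f $Matches['user'], $Matches['db'], $app
            if ($open.Count -gt $peak) { $peak = $open.Count }
        }
        elseif ($line -match ($prefix + 'disconnection:')) {
            $open.Remove($Matches['pid'])
        }
    }
    # Whoever has the most backends still open is the first suspect for the leak.
    $stillOpen = $open.Values | Group-Object | Sort-Object Count -Descending |
                 Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
    [pscustomobject]@{ PeakConcurrent = $peak; StillOpen = $stillOpen }
}

# Constructed sample log lines (not a real log). Two Load.exe backends never
# disconnect; the analyst session does.
$sample = @(
    '2024-03-01 09:00:00.001 UTC [4101] LOG:  connection received: host=10.0.0.5 port=50100',
    '2024-03-01 09:00:00.004 UTC [4101] LOG:  connection authorized: user=truxton database=truxton application_name=Load.exe',
    '2024-03-01 09:00:01.010 UTC [4102] LOG:  connection authorized: user=truxton database=truxton application_name=Load.exe',
    '2024-03-01 09:00:02.200 UTC [4103] LOG:  connection authorized: user=analyst database=truxton application_name=TruxtonClient.exe',
    '2024-03-01 09:10:02.900 UTC [4103] LOG:  disconnection: session time: 0:10:00.700 user=analyst database=truxton host=10.0.0.9 port=50222'
)
$result = Get-PgConnectionUsage $sample
"Peak concurrent connections: $($result.PeakConcurrent)"
$result.StillOpen | Format-Table -AutoSize
```

To run it against a real log, replace $sample with Get-Content over the current file in the PostgreSQL log directory.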

Debugging ETLs

Application is in Break Mode

"Application is in Break Mode" is Microsoft-speak for "Cannot debug because Just My Code is enabled".

When your ETL goes bonkers, you can right-click the process in Task Manager and choose Create Dump File. This will dump the state of your process to your %appdata% temp folder. You can open your project in Visual Studio, then open the DMP file and it will magically take you to the point where the process was. Well, unless you get the "Application is in break mode" message, whereby you can do nothing. To fix this, in Visual Studio, go to Debug->Options->General and uncheck "Enable Just My Code".

Remote Desktop

Who else is logged on?

C:\> query user

PostgreSQL

How can I move the data folder?

If you need to move PostgreSQL's database to another drive or folder, follow these steps:

  1. Stop the PostgreSQL service
  2. Copy/Move the current data folder to the new location
  3. Edit the registry
  4. Restart the PostgreSQL service

While this will move the database, it will not fix missing file contents if you moved the Depot folder. To fix that, you will have to do some SQL magic.

Sample

net stop postgresql-x64-12
mkdir "D:\TruxtonDatabase"
robocopy "C:\Truxton Data\data" "D:\TruxtonDatabase" *.* /E /move

Now start regedt32 as Administrator and go to the key

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\postgresql-x64-12

Edit the ImagePath value. Replace the old path after the -D option with the new path.

From our sample, above, change

"C:\Program Files\PostgreSQL\12\bin\pg_ctl.exe" runservice -N "postgresql-x64-12" -D "C:\Truxton Data\Database" -w

to read

"C:\Program Files\PostgreSQL\12\bin\pg_ctl.exe" runservice -N "postgresql-x64-12" -D "D:\TruxtonDatabase" -w

and save your changes.

net start postgresql-x64-12
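The same four steps as one PowerShell script, added here as an example rather than taken from the wiki. It uses the service name and paths from the sample above (change them for your installation), must run as Administrator, and adds the checks you would want before trusting the result: it waits for the service to actually stop, copies the folder's ACLs along with the files so the service account keeps access, saves the original ImagePath before rewriting only its -D argument, and confirms the service comes back up.

```powershell
# Added example: automates the move described above. Service name and paths are
# taken from the wiki's sample; change them for your installation. Run as Administrator.
$ServiceName = 'postgresql-x64-12'
$OldData     = 'C:\Truxton Data\data'
$NewData     = 'D:\TruxtonDatabase'
$RegKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# 1. Stop the service and wait until it has really stopped before touching files.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', '00:02:00')

# 2. Move the data folder. /COPYALL carries the ACLs across (plain /E does not),
#    so the account the service runs as keeps access; robocopy exit codes 8+ mean failure.
New-Item -ItemType Directory -Path $NewData -Force | Out-Null
robocopy $OldData $NewData *.* /E /MOVE /COPYALL /R:2 /W:5
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 3. Rewrite only the -D argument of ImagePath, after saving the original value.
$image = (Get-ItemProperty -Path $RegKey -Name ImagePath).ImagePath
Set-Content -Path "$env:TEMP\$ServiceName.ImagePath.bak" -Value $image
$pattern = '-D\s+"[^"]*"'
if ($image -notmatch $pattern) { throw "ImagePath has no quoted -D argument: $image" }
$newImage = [regex]::Replace($image, $pattern, ('-D "{0}"' -f $NewData))
Set-ItemProperty -Path $RegKey -Name ImagePath -Value $newImage -Type ExpandString

# 4. Start the service and confirm it is running from the new folder.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', '00:02:00')
(Get-ItemProperty -Path $RegKey -Name ImagePath).ImagePath
```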

Analyst Desktop

Slow Dialog Boxes

When using the desktop to load media, the initial file-open dialog can take a very long time to open. This usually happens when there are disconnected shares on your system: Windows attempts to connect to all shares before displaying the dialog box. Unfortunately, we cannot tell Microsoft to stop "helping" us and ignore disconnected shares. One thing you can try is shortening the timeout used when connecting to other machines.

netsh interface tcp set global initialRto=300

Links: