Lessons Learned
This page contains some solutions to situations we've encountered during the life of Truxton.
Administrative
Load.exe Disappears From Install Folder
When Truxton is processing incoming media, it may (and probably will) encounter malware. When Load.exe (or EMail.exe) writes that malware to the depot file, your virus scanner may quarantine the writing process itself. Depending on the scanner's settings, the executables then disappear from the installation folder.
You can prevent this by exempting Truxton's processes and folders (the installation folder and the depot) from scanning on the loader machines, or by disabling virus protection on those machines altogether. Prefer the exclusion: it is narrower, leaves the rest of the host protected, and is easier to audit. Either way, a loader is a machine that knowingly stores unscanned malware, so treat it as one: restrict who can log on to it and what it can reach.
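As an added example (not from the Truxton page or product), this PowerShell snippet scopes Microsoft Defender exclusions to the Truxton processes and folders instead of switching protection off. The install and depot paths are placeholders for the ones on your loader, and a third-party scanner needs its own equivalent:

```powershell
# Added example, not Truxton's own tooling: exclude only the loader's
# processes and folders from Defender rather than disabling protection.
# Both paths are assumptions; use the locations configured on your loader.
$truxtonInstall = 'H:\Trux\Truxton'
$truxtonDepot   = 'H:\Trux\Depot'

# Folders: the install folder (so Load.exe itself is never quarantined)
# and the depot (so writing extracted malware into it does not trigger
# on-access scanning). Processes: the loaders, by image name.
Add-MpPreference -ExclusionPath $truxtonInstall, $truxtonDepot
Add-MpPreference -ExclusionProcess 'Load.exe', 'EMail.exe'

# Confirm exactly what is now excluded; this list is worth reviewing
# periodically, since every entry is a blind spot for the scanner.
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
```

Add-MpPreference only adds entries; Remove-MpPreference reverses them. An excluded depot is, by design, a folder the scanner never looks at, so nothing else should live there.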
Delete Folder Structure
When expanding PST files, folders are sometimes left behind whose names Windows will not handle through its normal path rules (reserved device names such as CON or AUX, names ending in a dot or a space, or paths longer than MAX_PATH), so the usual tools report that they do not exist. To delete them, prefix the path with \\?\, which tells Windows to hand the path to the file system as-is instead of normalizing it first.
del /F /S /Q \\?\H:\Trux\Truxton\55E3AF7109F30CA7 >nul
rmdir /S /Q \\?\H:\Trux\Truxton\55E3AF7109F30CA7
Deleting Folder Structure 2
Sometimes, when expanding archives, the extracted folders end up with an owner and ACL that lock out even administrators. To delete them, first take ownership, then reset the permissions, then remove and recreate the folder:
takeown /a /r /d Y /f D:\Temp
icacls D:\Temp /t /grant administrators:F
del /F /S /Q D:\Temp
rmdir /S /Q D:\Temp
mkdir D:\Temp
Killing Processes
If you have mistakenly started loading a load list, stopping the Truxton service is not enough: the Load.exe processes it spawned keep running. Kill them all at once:
taskkill /fi "IMAGENAME eq Load.exe" /F
NIC Teaming
One feature used in the Truxton Forensic Rack is teaming of network cards to improve throughput. You can see how a server's cards are teamed using PowerShell:
Get-NetLbfoTeam
Name : Team2
Members : {SLOT 4 Port 2, SLOT 4 Port 1}
TeamNics : Team2
TeamingMode : SwitchIndependent
LoadBalancingAlgorithm : Dynamic
Status : Up
Name : Team1
Members : {SLOT 3 Port 2, SLOT 3 Port 1}
TeamNics : Team1
TeamingMode : SwitchIndependent
LoadBalancingAlgorithm : Dynamic
Status : Up
NIC MTU Size
Jumbo Frames are a network optimization that reduces the ratio of packet overhead to payload: you send more data bytes per frame, so fewer frames are needed to move a large amount of data. To use them, every network interface card (NIC), switch port and the far end of the path must support a maximum transmission unit (MTU) larger than 1500 bytes. If you configure an interface for 9700 bytes per frame but the card (or something in the path) cannot carry that, you will get random, unreliable networking errors that are very hard to trace. Once you have tracked such a problem down, you want to make sure it never happens again.
The following PowerShell function prints an error message if the MTU on a given interface is not the value you expect:
function check_nic([string]$card_name, [uint32]$desired_mtu_size)
{
    # Look only at the IPv4 interface for this adapter. The NlMtu upper bound
    # skips pseudo-interfaces such as loopback, which report an enormous MTU.
    $n = Get-NetIPInterface |
        Where-Object { ($_.InterfaceAlias -eq $card_name) -and ($_.AddressFamily -eq "IPv4") -and ($_.NlMtu -lt 10000) }
    if ($null -ne $n)
    {
        if ($n.NlMtu -ne $desired_mtu_size)
        {
            Write-Host -ForegroundColor Red -BackgroundColor Yellow ("The MTU size of " + $card_name + " is " + $n.NlMtu + " when it should be " + $desired_mtu_size)
        }
    }
}
check_nic -card_name "vEthernet (Management)" 1500
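The check above only compares the IP-layer MTU with a number you typed in. The following added function (not part of the page's script or the Truxton product) also reads the jumbo-frame size the adapter driver advertises and then proves the path with a don't-fragment ping, which is what exposes a switch port or peer that cannot carry the frame. The adapter name, peer address, expected MTU and the *JumboPacket registry keyword (used by common Intel and Broadcom drivers; other drivers name the setting differently) are assumptions to adjust for your rack:

```powershell
# Added example, not from the Truxton page: verify that the IP MTU, the
# driver's jumbo-frame setting and the actual path all agree.
function Test-JumboFrames {
    param(
        [string]$AdapterName = 'SLOT 4 Port 1',   # assumption: one of the teamed ports
        [string]$PeerAddress = '10.0.0.2',        # assumption: a host on the same segment
        [uint32]$ExpectedMtu = 9000               # assumption: the MTU the rack is designed for
    )

    $ip = Get-NetIPInterface -InterfaceAlias $AdapterName -AddressFamily IPv4 -ErrorAction Stop

    # What the driver itself is configured to accept. The value is a string in
    # RegistryValue; many drivers include the 14-byte Ethernet header in it
    # (9014 for a 9000-byte MTU), so only an MTU that exceeds it outright is flagged.
    $jumbo = Get-NetAdapterAdvancedProperty -Name $AdapterName -RegistryKeyword '*JumboPacket' -ErrorAction SilentlyContinue
    $driverMax = if ($jumbo) { [int]($jumbo.RegistryValue | Select-Object -First 1) } else { $null }

    if ($null -eq $driverMax) {
        Write-Warning "$AdapterName does not expose *JumboPacket; the driver may not support jumbo frames at all"
    } elseif ($ip.NlMtu -gt $driverMax) {
        Write-Host -ForegroundColor Red "IP MTU $($ip.NlMtu) on $AdapterName exceeds the driver's frame size $driverMax"
    }
    if ($ip.NlMtu -ne $ExpectedMtu) {
        Write-Host -ForegroundColor Red "IP MTU of $AdapterName is $($ip.NlMtu), expected $ExpectedMtu"
    }

    # End-to-end test. ICMP payload = MTU - 20 (IPv4 header) - 8 (ICMP header).
    # With the DF bit set (-f), any hop that cannot carry the frame answers
    # "Packet needs to be fragmented but DF set" instead of silently dropping data.
    $payload = $ip.NlMtu - 28
    $reply = & ping.exe -n 1 -f -l $payload $PeerAddress
    $ok = ($LASTEXITCODE -eq 0)
    if (-not $ok) {
        Write-Host -ForegroundColor Red "DF ping of $payload bytes to $PeerAddress failed:`n$($reply -join "`n")"
    }
    return $ok
}

Test-JumboFrames
```

Run it on both ends of a link after any driver, firmware or switch change; a DF ping that fails at the expected size while succeeding at 1472 bytes is the signature of the problem described above.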
Clear the Desktop Cache
The Analyst Desktop will cache files to make the user interface more performant. This PowerShell script will clear the cache leaving only the current log files.
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\Archives.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ContactSheet.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\Registry.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\RegRipper.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\Report.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\Truxton Analyst.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\TruxtonCLI.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\TruxtonClient.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\TruxtonStatus.?.log")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ImageCache\*.bmp")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ImageCache\*.gif")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ImageCache\*.jpg")
Remove-Item $($env:LOCALAPPDATA + "\Probity\Truxton\ImageCache\*.png")
Clear ETL Cache
Some ETL processes spawned by the Truxton Service run as LocalSystem, so their cache and log files land in that account's systemprofile folder rather than in a user profile. Run the following from an elevated command prompt to clear that cache. It removes every file under the folder, including the current logs, so stop the Truxton Service first:
del /F /S /Q C:\Windows\system32\config\systemprofile\AppData\Local\Probity\Truxton >nul
Debugging PostgreSQL
Sorry, too many clients already
We have seen PostgreSQL run out of connections and die (yes, the entire process tree collapses), regardless of how high max_connections is set, which suggests that something is opening connections and never closing them. To find out what, set the following three items in the postgresql.conf file and reload the configuration (pg_ctl reload, or SELECT pg_reload_conf(); as a superuser):
log_connections = on
log_disconnections = on
log_hostname = off
With these on, every session start and end is logged with the client's address, so a leak shows up as an address that keeps opening connections without closing them. log_hostname stays off so the server does not do a reverse DNS lookup for every connection.
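Once those settings are on, the log shows which clients hold connections open. The following PowerShell function is an added example (not the Truxton project's code) that pairs "connection received" lines with their "disconnection" lines by backend PID and reports whatever is still open, grouped by client address and user. The log lines below are constructed, and the parser assumes PostgreSQL 12's default log_line_prefix of '%m [%p] ':

```powershell
# Added example, not Truxton's tooling: find sessions that were opened but
# never closed in a PostgreSQL log written with log_connections and
# log_disconnections on. Assumes the default prefix '%m [%p] '.
function Get-OpenPgSessions {
    param([string[]]$LogLines)

    $open = @{}   # backend PID -> session that has not logged a disconnection yet
    foreach ($line in $LogLines) {
        if ($line -match '^(?<ts>\S+ \S+) \S+ \[(?<backend>\d+)\] LOG:\s+connection received: host=(?<host>\S+) port=(?<port>\d+)') {
            # A PID is reused after the backend exits, so a new "received" line
            # for a known PID simply replaces the stale entry.
            $open[$Matches.backend] = [pscustomobject]@{
                Backend = $Matches.backend; Host = $Matches.host; Port = $Matches.port
                User = '?'; Database = '?'; Since = $Matches.ts
            }
        }
        elseif ($line -match '^\S+ \S+ \S+ \[(?<backend>\d+)\] LOG:\s+connection authorized: user=(?<user>\S+) database=(?<db>\S+)') {
            if ($open.ContainsKey($Matches.backend)) {
                $open[$Matches.backend].User = $Matches.user
                $open[$Matches.backend].Database = $Matches.db
            }
        }
        elseif ($line -match '^\S+ \S+ \S+ \[(?<backend>\d+)\] LOG:\s+disconnection:') {
            $open.Remove($Matches.backend)
        }
    }
    $open.Values
}

# Constructed sample: 10.0.0.5 connects and disconnects cleanly;
# 10.0.0.7 opens two sessions and never closes either.
$sample = @'
2023-05-01 10:00:01.123 EDT [4120] LOG:  connection received: host=10.0.0.5 port=51234
2023-05-01 10:00:01.125 EDT [4120] LOG:  connection authorized: user=truxton database=truxton
2023-05-01 10:00:02.300 EDT [4131] LOG:  connection received: host=10.0.0.7 port=40001
2023-05-01 10:00:02.301 EDT [4131] LOG:  connection authorized: user=truxton database=truxton
2023-05-01 10:00:03.000 EDT [4140] LOG:  connection received: host=10.0.0.7 port=40002
2023-05-01 10:00:03.001 EDT [4140] LOG:  connection authorized: user=truxton database=truxton
2023-05-01 10:05:01.125 EDT [4120] LOG:  disconnection: session time: 0:05:00.002 user=truxton database=truxton host=10.0.0.5 port=51234
'@ -split "`r?`n"

# Who is sitting on connections? Here: 10.0.0.7 / truxton with a count of 2.
Get-OpenPgSessions $sample |
    Group-Object Host, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Point it at a real log with Get-OpenPgSessions (Get-Content 'C:\Truxton Data\Database\log\postgresql-*.log') (path assumed; log_directory defaults to log under the data directory). While the server is still up, SELECT client_addr, usename, count(*) FROM pg_stat_activity GROUP BY 1, 2 ORDER BY 3 DESC; gives the same picture live.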
Debugging ETLs
Application is in Break Mode
"Application is in Break Mode" is Microsoft-speak for "cannot debug this because Just My Code is enabled".
When your ETL goes bonkers, right-click the process in Task Manager and choose Create Dump File. This writes the state of the process to a .DMP file in your %TEMP% folder (under %LOCALAPPDATA%\Temp) and tells you the path. Open your project in Visual Studio, then open the DMP file, and the debugger will take you to the point the process was at when the dump was taken.
Well, unless you get the "Application is in break mode" message, whereupon you can do nothing. To fix this, in Visual Studio go to Debug -> Options -> General and uncheck "Enable Just My Code".
Remember that the dump holds the full memory of the process, including whatever media the ETL was chewing on, so handle it with the same care as the case data itself.
Remote Desktop
To see who else is logged on to the machine:
C:\> query user
PostgreSQL
How can I move the data folder?
If you need to move PostgreSQL's database to another drive or folder, follow these steps:
- Stop the PostgreSQL service
- Copy/Move the current data folder (the one named after -D in the service's ImagePath) to the new location
- Edit the registry so the service's -D option points at the new folder
- Make sure the account the service runs as has full control of the new folder and that nobody else can read it; robocopy without /COPYALL does not carry the old permissions across
- Restart the PostgreSQL service
While this moves the database, it does not fix missing file contents if you also moved the Depot folder: the paths the database holds for the depot still point at the old location and have to be rewritten with SQL.
Sample
net stop postgresql-x64-12
mkdir "D:\TruxtonDatabase"
robocopy "C:\Truxton Data\data" "D:\TruxtonDatabase" *.* /E /move
Now start regedt32 as Administrator and go to the key
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\postgresql-x64-12
Edit the ImagePath value and replace the old path after the -D option with the new path.
From our sample, above, change
"C:\Program Files\PostgreSQL\12\bin\pg_ctl.exe" runservice -N "postgresql-x64-12" -D "C:\Truxton Data\Database" -w
to read
"C:\Program Files\PostgreSQL\12\bin\pg_ctl.exe" runservice -N "postgresql-x64-12" -D "D:\TruxtonDatabase" -w
and save your changes.
net start postgresql-x64-12
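The whole procedure as one elevated PowerShell script, added here and not the Truxton project's own tooling. It reads the current data directory out of the service's -D option rather than hard-coding it, fixes the permissions on the new folder (robocopy without /COPYALL does not bring the old ACL along), and only then repoints the service. The service name and target folder are taken from the sample above; run it as Administrator:

```powershell
# Added example, not Truxton's script: move a PostgreSQL data directory and
# repoint the Windows service at it. Service name and target path follow the
# page's sample; the ACL step is an addition.
$service = 'postgresql-x64-12'
$newData = 'D:\TruxtonDatabase'
$regKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"

# 1. The current data directory is whatever -D in the service command line says.
$imagePath = (Get-ItemProperty -Path $regKey -Name ImagePath).ImagePath
if ($imagePath -notmatch '-D "(?<dir>[^"]+)"') { throw "no -D option found in: $imagePath" }
$oldData = $Matches.dir
Write-Host "Moving $oldData -> $newData"

# 2. Stop the service so no file is in use while the tree is moved.
Stop-Service -Name $service

# 3. Move the tree. /E keeps empty subfolders (PostgreSQL expects several);
#    /MOVE deletes the source once each file has been copied.
New-Item -ItemType Directory -Path $newData -Force | Out-Null
robocopy $oldData $newData *.* /E /MOVE
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 4. The new folder inherited D:\'s permissions, not the old data folder's.
#    Give the service account and Administrators (SID, so it works in any
#    locale) full control and nothing to anyone else: the database holds case data.
$account = (Get-CimInstance Win32_Service -Filter "Name='$service'").StartName
icacls $newData /inheritance:r /grant "${account}:(OI)(CI)F" /grant '*S-1-5-32-544:(OI)(CI)F'
icacls "$newData\*" /reset /T /C /Q   # children simply inherit from the root above

# 5. Repoint -D (same edit as in regedt32) and bring the service back.
$newImagePath = $imagePath -replace '-D "[^"]+"', ('-D "' + $newData + '"')
Set-ItemProperty -Path $regKey -Name ImagePath -Value $newImagePath
Start-Service -Name $service
Get-Service -Name $service
```

If the service fails to start afterwards, the PostgreSQL log in the new folder's log subdirectory says why; a permissions error there means step 4 did not reach the account the service actually runs as.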
Analyst Desktop
Slow Dialog Boxes
When using the desktop to load media, the initial file-open dialog can take a very long time to appear. This usually happens when there are disconnected network shares (mapped drives) on your system: Windows tries to reconnect to every one of them before it shows the dialog, and there is no setting that tells it to skip the dead ones. The clean fix is to remove the dead mappings (net use X: /delete). Failing that, you can shorten the initial TCP retransmission timeout so each failed attempt gives up sooner; 300 ms is the smallest value Windows accepts:
netsh interface tcp set global initialRto=300
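An added example (not from the Truxton page) that finds the mappings actually causing the wait: it lists each mapped drive, checks whether the file server still answers on TCP 445 within a short budget, and removes the dead ones only when asked to. The 2-second timeout is an assumption:

```powershell
# Added example, not Truxton's tooling: report mapped drives whose file server
# no longer answers on SMB (TCP 445), and optionally remove them.
function Get-DeadShareMappings {
    param(
        [switch]$Remove,          # actually remove dead mappings instead of only reporting
        [int]$TimeoutMs = 2000    # assumption: per-server connect budget
    )
    foreach ($m in Get-SmbMapping) {
        # RemotePath looks like \\server\share; the server is the first component.
        $server = ($m.RemotePath -split '\\')[2]

        # A raw TCP connect with our own timeout, so a black-holed server costs
        # us 2 seconds rather than the full TCP retransmission schedule.
        $client = New-Object System.Net.Sockets.TcpClient
        $alive = $false
        try {
            $alive = $client.ConnectAsync($server, 445).Wait($TimeoutMs) -and $client.Connected
        } catch {
            $alive = $false   # refused, unresolvable, or timed out
        } finally {
            $client.Dispose()
        }

        if (-not $alive) {
            [pscustomobject]@{ Drive = $m.LocalPath; Remote = $m.RemotePath; Status = $m.Status }
            if ($Remove) {
                # -UpdateProfile also drops the persistent mapping so it does not return at next logon.
                Remove-SmbMapping -LocalPath $m.LocalPath -Force -UpdateProfile
            }
        }
    }
}

Get-DeadShareMappings             # report only
# Get-DeadShareMappings -Remove   # remove the dead mappings
```

Run the report first; a server that is merely slow rather than gone will also show up, and you do not want to drop a mapping to a depot that is simply busy.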