[sleuthkit-developers] [ sleuthkit-Bugs-3201488 ] NTFS incorrect enforcement of fs_attr->nrd.initsi
From: SourceForge.net <no...@so...> - 2011-03-06 18:55:43
Bugs item #3201488, was opened at 2011-03-06 19:55
Message generated for change (Tracker Item Submitted) made by jbmetz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3201488&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: File System Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Joachim Metz (jbmetz)
Assigned to: Nobody/Anonymous (nobody)
Summary: NTFS incorrect enforcement of fs_attr->nrd.initsize

Initial Comment:
TSK 3.2.1 on Linux (Fedora Core)

When running icat on an unmounted Windows 7 NTFS volume (using a Linux device handle) several files in the "System Volume Information" return 0-byte (or invalid) content.

The information istat returns about the corresponding MFT entry is correct; also the data run information.

data run:
00000000: 43 2c c9 00 a0 3b 60 01                            C,...;`.

verbose output of icat:
ntfs_make_data_run: Len idx: 0 cur: 44 (2c) tot: 44 (2c)
ntfs_make_data_run: Len idx: 1 cur: 201 (c9) tot: 51500 (c92c)
ntfs_make_data_run: Len idx: 2 cur: 0 (0) tot: 51500 (c92c)
ntfs_make_data_run: Off idx: 0 cur: 160 (a0) tot: 160 (a0)
ntfs_make_data_run: Off idx: 1 cur: 59 (3b) tot: 15264 (3ba0)
ntfs_make_data_run: Off idx: 2 cur: 96 (60) tot: 6306720 (603ba0)
ntfs_make_data_run: Off idx: 3 cur: 1 (1) tot: 23083936 (1603ba0)
ntfs_make_data_run: Signed addr_offset: 23083936 Previous address: 0

in tsk_fs_file_walk_nonres() it hits:
else if ((off >= fs_attr->nrd.initsize)

where initsize = 0;

non-resident data:
00000000: 00 00 00 00 00 00 00 00  2b c9 00 00 00 00 00 00   ........ +.......
00000010: 40 00 00 00 00 00 00 00  00 c0 92 0c 00 00 00 00   @....... ........
00000020: 00 c0 92 0c 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

data first VCN          : 0
data last VCN           : 51499
data runs offset        : 64
compression unit size   : 0
padding                 : 0x00000000
allocated data size     : 210944000
data size               : 210944000
initialized data size   : 0 (0x00000000)

The code is acting as designed but the limitation of fs_attr->nrd.initsize does not seem to be a correct one because the file does contain data of size 210944000 at the offset the data run is referring to.

----------------------------------------------------------------------
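Added example, not part of the original report and not TSK code: a small C decoder for the data run and non-resident header bytes quoted above, which shows that the run maps every VCN of the attribute while the initialized size field is 0. The function names are hypothetical, and the header field offsets are assumed to follow the order of the labels listed in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Byte values copied from the dumps quoted in the report. */
static const uint8_t RUNLIST[8] = {0x43,0x2c,0xc9,0x00,0xa0,0x3b,0x60,0x01};
static const uint8_t NONRES[48] = {
    0,0,0,0,0,0,0,0,  0x2b,0xc9,0,0,0,0,0,0,          /* first VCN, last VCN */
    0x40,0,0,0,0,0,0,0,  0,0xc0,0x92,0x0c,0,0,0,0,    /* run offset.., allocated size */
    0,0xc0,0x92,0x0c,0,0,0,0,  0,0,0,0,0,0,0,0 };     /* data size, initialized size */

typedef struct { uint64_t len; int64_t off; int sparse; size_t used; } run_t;

/* Read an n-byte little-endian unsigned value (n <= 8). */
static uint64_t le(const uint8_t *p, unsigned n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Decode one data run; the header nibbles give the two field widths. */
int decode_run(const uint8_t *p, size_t avail, run_t *r) {
    if (avail < 1) return -1;
    unsigned ln = p[0] & 0x0f, on = p[0] >> 4;
    if (ln == 0 || ln > 8 || on > 8 || 1u + ln + on > avail) return -1;
    uint64_t raw = le(p + 1 + ln, on);
    /* The offset is signed and relative to the previous run: sign-extend. */
    if (on > 0 && on < 8 && ((raw >> (on * 8 - 1)) & 1)) raw |= ~0ULL << (on * 8);
    r->len = le(p + 1, ln);
    r->off = (int64_t)raw;
    r->sparse = (on == 0);
    r->used = 1u + ln + on;
    return 0;
}

/* 1 if the header says nothing is initialized while a non-sparse run
 * maps every VCN of a non-empty attribute (the situation reported). */
int initsize_conflicts(const uint8_t *hdr, const run_t *r) {
    uint64_t vcns = le(hdr + 0x08, 8) - le(hdr + 0x00, 8) + 1;
    return !r->sparse && r->len == vcns && le(hdr + 0x20, 8) > 0 && le(hdr + 0x28, 8) == 0;
}

int main(void) {
    run_t r;
    if (decode_run(RUNLIST, sizeof RUNLIST, &r) != 0) return 1;
    printf("run: %llu clusters at cluster %lld\n", (unsigned long long)r.len, (long long)r.off);
    printf("data size %llu, initsize %llu, conflict=%d\n", (unsigned long long)le(NONRES + 0x20, 8),
           (unsigned long long)le(NONRES + 0x28, 8), initsize_conflicts(NONRES, &r));
    return 0;
}
```

The decoded run (51500 clusters starting at cluster 23083936) matches the icat verbose output, and 210944000 / 51500 gives 4096 bytes per cluster, a value derived here rather than stated in the report.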