[sleuthkit-users] ifind bombing with max cpu
From: Nico C. K. <nka...@gm...> - 2005-03-22 20:05:43
Good afternoon!

I have perused the archives and googled my eyes out but to no avail. I am hoping somebody on here has seen this and knows how to fix it:

Problem:
-----------
Autopsy file analysis of a disk image remains stuck without listing any files whatsoever while the browser's status bar says "transferring...". "top" on the host shows 99% CPU usage by ifind.

I killed Autopsy and proceeded to run ifind directly with the same parameters as Autopsy plus "-v". It ran fine for a few minutes at <10% CPU and then got stuck at an error message (see following) and 99% CPU.

Error Message (and 20 preceding lines from ifind -v output):
-------------------
ntfs_mft_lookup: Processing MFT 91425
ntfs_mft_lookup: Found in offset: 19829635 size: 82672 at offset: 38115328
ntfs_mft_lookup: Entry address at: 10190888448
fs_read_random: read byte offs 10190888448 len 1024 (mft read)
ntfs_mft_lookup: upd_seq 1 Replacing: 0006 With: 0000
ntfs_mft_lookup: upd_seq 2 Replacing: 0006 With: 1147
ntfs_proc_attrseq: Processing MFT 91425 (maybe)
ntfs_proc_attrseq: Resident Attribute in 91425 Type: 16 Id: 0 Name: N/A
ntfs_proc_attrseq: Non-Resident Attribute in 91425 Type: 32 Id: 6 Name: N/A Start VCN: 0
ntfs_make_data_run: Len idx: 0 cur: 2 (2) tot: 2 (2)
ntfs_make_data_run: Off idx: 0 cur: 38 (26) tot: 38 (26)
ntfs_make_data_run: Off idx: 1 cur: 243 (f3) tot: 62246 (f326)
ntfs_make_data_run: Off idx: 2 cur: 6 (6) tot: 455462 (6f326)
ntfs_make_data_run: Signed offset: 455462 Previous address: 0
ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 3 Name: N/A
ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 2 Name: N/A
ntfs_proc_attrlist: MFT 91425
fs_read_block: read block 455462 offs 233196544 len 512 (data block)
fs_read_block: read block 7325743 offs 3750780416 len 512 (bmap)
ntfs_proc_attrlist: mft: 1174425602 type 1283502595 id 16 VCN: 1342177812
Invalid MFT file reference (1174425602) in the unallocated attribute list of MFT 91425

System specs:
------------------
- x86
- 1GHz CPU
- 512MB RAM
- Red Hat Enterprise Linux AS4
- Sleuthkit 1.73
- Autopsy 2.03
- Perl 5.8.6 w/64bitint and large file support
- Apache 2.x

File to be analyzed:
-------------------------
30GB NTFS image from Windows XP laptop

Any insight would be greatly appreciated.

Thanks!

Nico Kalteis