Re: [sleuthkit-users] ifind bombing with max cpu
From: Brian C. <ca...@ce...> - 2005-03-22 20:24:19
Try the new version. This looks exactly like a bug that was fixed in 2.00 that occurs when a deleted file with a non-resident attribute list is processed and the attribute list has been overwritten. TSK tries to process the new data as a list and gets stuck in a loop while "advancing" by 0 each time.

brian

On Mar 22, 2005, at 3:05 PM, Nico C. Kalteis wrote:

> Good afternoon!
>
> I have perused the archives and googled my eyes out but to no avail.
> I am hoping somebody on here has seen this and knows how to fix it:
>
> Problem:
> -----------
> Autopsy file analysis of a disk image remains stuck without listing
> any files whatsoever while the browser's status bar says
> "transferring...". "top" on the host shows 99% CPU usage by ifind. I
> killed Autopsy and proceeded to run ifind directly with the same
> parameters as Autopsy plus "-v". It ran fine for a few minutes at
> <10% CPU and then got stuck at an error message (see following) and
> 99% CPU.
>
> Error Message (and 20 preceding lines from ifind -v output):
> -------------------
> ntfs_mft_lookup: Processing MFT 91425
> ntfs_mft_lookup: Found in offset: 19829635 size: 82672 at offset:
> 38115328
> ntfs_mft_lookup: Entry address at: 10190888448
> fs_read_random: read byte offs 10190888448 len 1024 (mft read)
> ntfs_mft_lookup: upd_seq 1 Replacing: 0006 With: 0000
> ntfs_mft_lookup: upd_seq 2 Replacing: 0006 With: 1147
> ntfs_proc_attrseq: Processing MFT 91425 (maybe)
> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 16 Id: 0 Name: N/A
> ntfs_proc_attrseq: Non-Resident Attribute in 91425 Type: 32 Id: 6
> Name: N/A Start VCN: 0
> ntfs_make_data_run: Len idx: 0 cur: 2 (2) tot: 2 (2)
> ntfs_make_data_run: Off idx: 0 cur: 38 (26) tot: 38 (26)
> ntfs_make_data_run: Off idx: 1 cur: 243 (f3) tot: 62246 (f326)
> ntfs_make_data_run: Off idx: 2 cur: 6 (6) tot: 455462 (6f326)
> ntfs_make_data_run: Signed offset: 455462 Previous address: 0
> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 3 Name: N/A
> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 2 Name: N/A
> ntfs_proc_attrlist: MFT 91425
> fs_read_block: read block 455462 offs 233196544 len 512 (data block)
> fs_read_block: read block 7325743 offs 3750780416 len 512 (bmap)
> ntfs_proc_attrlist: mft: 1174425602 type 1283502595 id 16 VCN:
> 1342177812
> Invalid MFT file reference (1174425602) in the unallocated attribute
> list of MFT 91425
>
>
> System specs:
> ------------------
> - x86
> - 1GHz CPU
> - 512MB RAM
> - Red Hat Enterprise Linux AS4
> - Sleuthkit 1.73
> - Autopsy 2.03
> - Perl 5.8.6 w/64bitint and large file support
> - Apache 2.x
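
The failure mode described in the reply (a walker that advances by a length read from overwritten data, and so by 0) can be guarded against as in the following added example. It is not TSK code and not the 2.00 fix; the function names, return codes and sample buffer are hypothetical, and the entry layout (length at byte offset 4, 26 bytes of fixed fields) is assumed from the commonly documented NTFS attribute list format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MIN_ENTRY 26u /* fixed fields: type, length, name info, VCN, file ref, id */
enum { WALK_BAD_LEN = -1, WALK_TRUNCATED = -2 }; /* hypothetical error codes */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk an attribute list buffer. Each entry stores its own length at byte
 * offset 4 and the cursor advances by that value. Returns the number of
 * entries, or a negative code when the data cannot be a valid list. */
int walk_attrlist(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int entries = 0;
    while (off < len) {
        if (len - off < MIN_ENTRY)
            return WALK_TRUNCATED;   /* too few bytes left for a header */
        uint16_t elen = rd16(buf + off + 4);
        if (elen < MIN_ENTRY)
            return WALK_BAD_LEN;     /* includes 0: the cursor would never move */
        if (elen > len - off)
            return WALK_TRUNCATED;   /* entry claims bytes past the buffer */
        entries++;
        off += elen;                 /* always moves forward by >= MIN_ENTRY */
    }
    return entries;
}

/* Constructed sample (hypothetical helper): two 32-byte entries, with the
 * second entry's length field set by the caller to mimic overwritten data. */
int demo(uint16_t second_len)
{
    uint8_t buf[64];
    memset(buf, 0, sizeof buf);
    buf[0] = 0x10; buf[4] = 32;              /* entry 1: type 0x10, length 32 */
    buf[32] = 0x80;                          /* entry 2: type 0x80 */
    buf[36] = (uint8_t)(second_len & 0xff);  /* little-endian length field */
    buf[37] = (uint8_t)(second_len >> 8);
    return walk_attrlist(buf, sizeof buf);
}
```

Without the `elen < MIN_ENTRY` check, `demo(0)` would leave `off` at 32 on every pass, which matches the 99% CPU symptom in the report.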