Re: [sleuthkit-users] ifind bombing with max cpu
From: Nico C. K. <nka...@gm...> - 2005-03-22 20:43:10
Absolutely brilliant! I upgraded to the new versions of TSK and Autopsy and everything runs like a charm.

Brian, thank you very much...you're a scholar and a gentleman.

Cheers!
Nico

Brian Carrier wrote:
> Try the new version. This looks exactly like a bug that was fixed in
> 2.00 that occurs when a deleted file with a non-resident attribute
> list is processed and the attribute list has been overwritten. TSK
> tries to process the new data as a list and gets stuck in a loop while
> "advancing" by 0 each time.
>
> brian
>
> On Mar 22, 2005, at 3:05 PM, Nico C. Kalteis wrote:
>
>> Good afternoon!
>>
>> I have perused the archives and googled my eyes out but to no avail.
>> I am hoping somebody on here has seen this and knows how to fix it:
>>
>> Problem:
>> -----------
>> Autopsy file analysis of a disk image remains stuck without listing
>> any files whatsoever while the browser's status bar says
>> "transferring...". "top" on the host shows 99% CPU usage by ifind. I
>> killed Autopsy and proceeded to run ifind directly with the same
>> parameters as Autopsy plus "-v". It ran fine for a few minutes at
>> <10% CPU and then got stuck at an error message (see following) and
>> 99% CPU.
>>
>> Error Message (and 20 preceding lines from ifind -v output):
>> -------------------
>> ntfs_mft_lookup: Processing MFT 91425
>> ntfs_mft_lookup: Found in offset: 19829635 size: 82672 at offset: 38115328
>> ntfs_mft_lookup: Entry address at: 10190888448
>> fs_read_random: read byte offs 10190888448 len 1024 (mft read)
>> ntfs_mft_lookup: upd_seq 1 Replacing: 0006 With: 0000
>> ntfs_mft_lookup: upd_seq 2 Replacing: 0006 With: 1147
>> ntfs_proc_attrseq: Processing MFT 91425 (maybe)
>> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 16 Id: 0 Name: N/A
>> ntfs_proc_attrseq: Non-Resident Attribute in 91425 Type: 32 Id: 6 Name: N/A Start VCN: 0
>> ntfs_make_data_run: Len idx: 0 cur: 2 (2) tot: 2 (2)
>> ntfs_make_data_run: Off idx: 0 cur: 38 (26) tot: 38 (26)
>> ntfs_make_data_run: Off idx: 1 cur: 243 (f3) tot: 62246 (f326)
>> ntfs_make_data_run: Off idx: 2 cur: 6 (6) tot: 455462 (6f326)
>> ntfs_make_data_run: Signed offset: 455462 Previous address: 0
>> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 3 Name: N/A
>> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 2 Name: N/A
>> ntfs_proc_attrlist: MFT 91425
>> fs_read_block: read block 455462 offs 233196544 len 512 (data block)
>> fs_read_block: read block 7325743 offs 3750780416 len 512 (bmap)
>> ntfs_proc_attrlist: mft: 1174425602 type 1283502595 id 16 VCN: 1342177812
>> Invalid MFT file reference (1174425602) in the unallocated attribute list of MFT 91425
>>
>>
>> System specs:
>> ------------------
>> - x86
>> - 1GHz CPU
>> - 512MB RAM
>> - Red Hat Enterprise Linux AS4
>> - Sleuthkit 1.73
>> - Autopsy 2.03
>> - Perl 5.8.6 w/64bitint and large file support
>> - Apache 2.x
>>
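The failure mode described in this thread, shown as an added example that is not part of the original messages and is not TSK's code: a walker over NTFS $ATTRIBUTE_LIST entries that rejects an entry whose length field would not advance the cursor. The function and macro names, the sample buffers, and the `mft_count` bound are hypothetical; the layout assumed is type at offset 0, entry length at offset 4, and the 48-bit MFT number at offset 16.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ENTRY_MIN 26u   /* fixed header of one $ATTRIBUTE_LIST entry */

static uint64_t le(const uint8_t *p, int n)      /* little-endian read, n bytes */
{
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Walk an attribute list; returns entries parsed, or -1 on a malformed entry.
 * mft_count (assumed to be known from the size of $MFT) bounds the reference. */
int walk_attrlist(const uint8_t *buf, size_t len, uint64_t mft_count)
{
    size_t off = 0;
    int n = 0;
    while (len - off >= ENTRY_MIN) {
        uint16_t elen = (uint16_t)le(buf + off + 4, 2);   /* entry length */
        uint64_t mft  = le(buf + off + 16, 6);            /* 48-bit MFT number */
        /* A length below the header size (0 included) would never advance. */
        if (elen < ENTRY_MIN || elen > len - off) return -1;
        if (mft >= mft_count) return -1;
        off += elen;
        n++;
    }
    return n;
}

static void put_entry(uint8_t *e, uint32_t type, uint16_t elen, uint64_t mft)
{
    memset(e, 0, elen ? elen : ENTRY_MIN);
    for (int i = 0; i < 4; i++) e[i] = (uint8_t)(type >> (8 * i));
    e[4] = (uint8_t)elen; e[5] = (uint8_t)(elen >> 8);
    for (int i = 0; i < 6; i++) e[16 + i] = (uint8_t)(mft >> (8 * i));
}

int demo_intact(void)       /* constructed: two 32-byte entries in MFT 91425 */
{
    uint8_t buf[64];
    put_entry(buf, 16, 32, 91425);
    put_entry(buf + 32, 48, 32, 91425);
    return walk_attrlist(buf, sizeof buf, 100000);
}

int demo_overwritten(void)  /* constructed: cluster reused, length field is 0 */
{
    uint8_t buf[64];
    memset(buf, 0, sizeof buf);
    put_entry(buf, 0x4c80f003u, 0, 91425);
    return walk_attrlist(buf, sizeof buf, 100000);
}
```

Without the length check, the overwritten buffer leaves `off` unchanged on every pass, which matches the 99% CPU symptom reported for ifind.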