[sleuthkit-developers] Millions of orphan files found with sleuthkit develop branch
From: Luís F. N. <lfc...@gm...> - 2014-07-24 01:21:31
We tested loaddb of both the released 4.1.3 version and the develop branch of sleuthkit on an NTFS image of a hard disk with a lot of bad blocks, many of them at the beginning of the disk. The 4.1.3 version found ~400.000 allocated files plus ~100.000 orphan files, about the same as found by other forensic tools. The develop branch found the same ~400.000 allocated files plus ~2.500.000 orphan files! Most of these millions of orphans have corrupted names or the name OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes.

We think the recent changes to the NTFS code are causing this large number of corrupted orphans to be added to the case. Maybe it should be investigated before the final 4.2 release.

Luis