Re: [sleuthkit-developers] Millions of orphan files found with sleuthkit develop branch
From: Luís F. N. <lfc...@gm...> - 2014-07-24 12:21:25
One more piece of information: the sum of the millions of file sizes resulted in 1,1 petabyte, while the image has only 250 GB.

2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> We tested loaddb of both the released 4.1.3 version and the develop branch
> of sleuthkit on an NTFS image of a hard disk with a lot of bad blocks, many
> of them at the beginning of the disk.
>
> The 4.1.3 version found ~400.000 allocated files plus ~100.000 orphan
> files, about the same found by other forensic tools. The develop branch
> found the same ~400.000 allocated files plus ~2.500.000 orphan files! Most
> of these millions of orphans have corrupted names or the name
> OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes.
> We think the recent changes to NTFS code are causing this large number of
> corrupted orphans to be added to the case. Maybe it should be investigated
> before the final 4.2 release.
>
> Luis