Re: [sleuthkit-users] Millions of orphan files found with sleuthkit develop branch
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Millions of orphan files found with sleuthkit develop branch
|
From: Luís F. N. <lfc...@gm...> - 2014-10-01 00:00:24
|
This problem still happens with 4.2.0 branch. If I can help with some more information, please let me know. Thanks Luis 2014-07-24 9:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>: > Another information: the sum of the millions of file sizes resulted in 1,1 > petabyte, while the image has only 250 GB. > > > 2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>: > >> We tested loaddb of both the released 4.1.3 version and the develop >> branch of sleuthkit on a NTFS image of a hard disk with a lot of bad >> blocks, many of them at the beginning of the disk. >> >> The 4.1.3 version found ~400.000 allocated files more ~100.000 orphan >> files, about the same found by other forensic tools. The develop branch >> found the same ~400.000 allocated files more ~2.500.000 orphan files! Most >> of these millions of orphans have corrupted names or the name >> OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes. >> We think the recent changes to NTFS code are causing this large number of >> corrupted orphans to be added to the case. Maybe it should be investigated >> before the final 4.2 release. >> >> Luis >> > > |
