[sleuthkit-users] tsk_loaddb stuck on HFSJ filesystem
From: Ketil F. <ke...@fr...> - 2014-11-04 16:36:12
Hi,

I'm trying to analyze an HFSJ filesystem with tsk_loaddb (TSK 4.1.3). I compiled tsk myself on Ubuntu 14.04.1, built with libewf 20140608. Other dev libraries are from Ubuntu. My command line is:

$ tsk_loaddb -i ewf -h -d /path/to/database.db /path/to/image.E01

The image is of a 465GB (marketed as 500GB) USB drive. There are 2 partitions; the first is a 2MB vfat file system, and the second pretty much fills the rest of the disk with the HFSJ filesystem.

Right now, tsk_loaddb has been running since last Wednesday (almost one week). According to "top" it has consumed 4650 minutes of CPU time on my Intel Xeon 3.3GHz system. The database file has grown past 18GB in size, and continues growing steadily.

I tried opening the DB to look in the tables, but sqlite3 says the DB is locked. I tried copying the DB file and then doing some queries, but in the copy all the tables I checked are empty or have one row. tsk_files was empty, so was tsk_objects. Presumably because of non-committed transactions or something like that, but I thought I'd try anyway.

One thing that makes me suspicious is that when I watch the process with strace, it is pretty much doing one thing, and that is seeking and reading from file descriptor 7, which is the E01 file (fd 8 is E02, fd 9 is E03, etc). It sometimes reads a bit in another Exx file as well, but almost all work seems to be reading the E01 file. In one sense, that may be understandable if important file system metadata is stored here, but after I noticed this happening on Thursday, and it still seems to be doing the same today (Tuesday), this seems excessive. :)

Another indication that something is wrong is that tsk_loaddb is consuming almost 50GB of memory, 36GB of which is resident.

I've run through a bunch of other images with the same command line and the same build of tsk, and haven't seen anything like this. The runs usually take a few hours when I've enabled hashing of all the files on the file system.

I can view the HFSJ file system contents using FTK Imager, so it appears to be OK. But I am unable to mount it from Ubuntu (though I don't think I've mounted HFSJ file systems on Ubuntu before, so I don't know if that's expected to work "out of the box").

Anything I can do to try to debug what is going on?

-Ketil
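The two sqlite observations in the post (sqlite3 reports the database as locked, and a copy of the file has empty tsk_files/tsk_objects tables) are what a bulk loader that does all its INSERTs inside one long exclusive transaction looks like from the outside. The following is an added illustration by the editor, not code from the original post or from The Sleuth Kit: it emulates such a loader on a throwaway database and probes it from a second connection before and after COMMIT. The tsk_objects/tsk_files columns are a simplified stand-in for the real TSK schema, and the demo assumes the transaction is small enough to stay in SQLite's page cache.

```python
# Added example by the editor, not code from the original post or from The Sleuth Kit.
# It reproduces two things the post reports: a second sqlite3 client gets
# "database is locked" while a bulk loader holds an exclusive transaction, and a
# file copy taken mid-transaction has empty tables. The tsk_objects/tsk_files
# columns below are a simplified stand-in for the real TSK schema (assumption).
import shutil
import sqlite3
import tempfile
from pathlib import Path

SCHEMA = """
CREATE TABLE tsk_objects (obj_id INTEGER PRIMARY KEY, par_obj_id INTEGER, type INTEGER);
CREATE TABLE tsk_files   (obj_id INTEGER PRIMARY KEY, name TEXT, size INTEGER);
"""
TABLES = ("tsk_objects", "tsk_files")


def count_rows(db_path, table):
    """Count rows in `table` through a fresh connection, the way an analyst
    running sqlite3 by hand would. Returns None when the file is locked by
    another writer instead of blocking or raising."""
    if table not in TABLES:
        raise ValueError(f"unknown table {table!r}")
    conn = sqlite3.connect(db_path, timeout=0)  # timeout=0: no busy-wait, fail at once
    try:
        return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    except sqlite3.OperationalError as err:
        if "locked" in str(err):
            return None
        raise
    finally:
        conn.close()


def bulk_load(db_path, copy_path, n_files=2000, commit=True):
    """Emulate a loader that inserts everything inside one big transaction,
    probing the database from the outside before the transaction ends."""
    writer = sqlite3.connect(db_path, isolation_level=None)  # manual BEGIN/COMMIT
    writer.executescript(SCHEMA)  # DDL autocommits: the schema is on disk now
    writer.execute("BEGIN EXCLUSIVE")  # default rollback-journal mode; lock held until COMMIT
    for i in range(n_files):
        writer.execute("INSERT INTO tsk_objects VALUES (?, ?, ?)", (i, 0, 4))
        writer.execute("INSERT INTO tsk_files VALUES (?, ?, ?)", (i, f"file{i}", i))
    # Probe 1: a live read is refused while the exclusive lock is held.
    live = count_rows(db_path, "tsk_files")
    # Probe 2: copy the database file (not its -journal). The inserts above are
    # still in the writer's page cache (small enough not to spill; assumption),
    # so the copy carries only the committed schema and its tables are empty.
    shutil.copyfile(db_path, copy_path)
    copied = count_rows(copy_path, "tsk_files")
    writer.execute("COMMIT" if commit else "ROLLBACK")
    writer.close()
    final = count_rows(db_path, "tsk_files")
    return {"live": live, "copy": copied, "final": final}


def run_demo(commit=True):
    """Run bulk_load() in a throwaway directory and return its probe results."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        return bulk_load(str(d / "database.db"), str(d / "database-copy.db"), commit=commit)


if __name__ == "__main__":
    print(run_demo(commit=True))   # {'live': None, 'copy': 0, 'final': 2000}
    print(run_demo(commit=False))  # {'live': None, 'copy': 0, 'final': 0}
```

The demo keeps the transaction small on purpose so that nothing reaches the database file before COMMIT. A transaction the size of the one in the post will have spilled pages from the cache into the file, which is consistent with the file growing while the tables still read as empty; in that state a copy made without the matching -journal file is not a consistent snapshot, so an empty or one-row table in the copy says nothing about how far the load has got.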