Re: [sleuthkit-users] Millions of orphan files found with sleuthkit develop branch
From: Luís F. N. <lfc...@gm...> - 2015-08-13 17:05:15
This error has happened again with a colleague's NTFS image, using the develop branch compiled about 1 month ago. Thousands of huge corrupted orphans were added by loaddb, which caused our processing application (and probably Autopsy too) to process the evidence indefinitely. Any help will be appreciated.

Regards,
Luis Nassif

2014-09-30 21:00 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> This problem still happens with the 4.2.0 branch. If I can help with some more
> information, please let me know.
>
> Thanks
> Luis
>
> 2014-07-24 9:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>
>> Another piece of information: the sum of the millions of file sizes resulted in
>> 1,1 petabyte, while the image has only 250 GB.
>>
>>
>> 2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>
>>> We tested loaddb of both the released 4.1.3 version and the develop
>>> branch of sleuthkit on an NTFS image of a hard disk with a lot of bad
>>> blocks, many of them at the beginning of the disk.
>>>
>>> The 4.1.3 version found ~400.000 allocated files plus ~100.000 orphan
>>> files, about the same found by other forensic tools. The develop branch
>>> found the same ~400.000 allocated files plus ~2.500.000 orphan files! Most
>>> of these millions of orphans have corrupted names or the name
>>> OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes.
>>> We think the recent changes to NTFS code are causing this large number of
>>> corrupted orphans to be added to the case. Maybe it should be investigated
>>> before the final 4.2 release.
>>>
>>> Luis