Re: [sleuthkit-developers] Millions of orphan files found with sleuthkit develop branch
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-developers] Millions of orphan files found with sleuthkit develop branch
|
From: Stefan P. <ste...@gm...> - 2015-08-13 17:13:23
|
Hi Luis, Could the NTFS image you're looking at be trimmed down and provided as sample input to reproduce the problem ? Best Regards, Stefan On Thu, Aug 13, 2015 at 8:05 PM, Luís Filipe Nassif <lfc...@gm...> wrote: > This error have happened again with a colleague's NTFS image, using the > develop branch compiled about 1 month ago. Thousands of huge corrupted > orphans were added by loaddb, which caused our processing application (and > probably Autopsy too) to process indefinitely the evidence. > > Any help will be appreciated. > > Regards, > Luis Nassif > > > 2014-09-30 21:00 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>: > >> This problem still happens with 4.2.0 branch. If I can help with some >> more information, please let me know. >> >> Thanks >> Luis >> >> 2014-07-24 9:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>: >> >>> Another information: the sum of the millions of file sizes resulted in >>> 1,1 petabyte, while the image has only 250 GB. >>> >>> >>> 2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>: >>> >>>> We tested loaddb of both the released 4.1.3 version and the develop >>>> branch of sleuthkit on a NTFS image of a hard disk with a lot of bad >>>> blocks, many of them at the beginning of the disk. >>>> >>>> The 4.1.3 version found ~400.000 allocated files more ~100.000 orphan >>>> files, about the same found by other forensic tools. The develop branch >>>> found the same ~400.000 allocated files more ~2.500.000 orphan files! Most >>>> of these millions of orphans have corrupted names or the name >>>> OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes. >>>> We think the recent changes to NTFS code are causing this large number of >>>> corrupted orphans to be added to the case. Maybe it should be investigated >>>> before the final 4.2 release. >>>> >>>> Luis >>>> >>> >>> >> > > > ------------------------------------------------------------------------------ > > _______________________________________________ > sleuthkit-developers mailing list > sle...@li... > https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers > > |
