Re: [sleuthkit-users] [sleuthkit-developers] Millions of orphan files found with sleuthkit develop
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] [sleuthkit-developers] Millions of orphan files found with sleuthkit develop branch
|
From: Luís F. N. <lfc...@gm...> - 2015-09-07 15:12:47
|
Sorry for the long delay. I do not have the image with me, I will ask my colleague if trimming the image is possible... We worked around the problem by filtering out orphans with logical size greater than 10 MB before sending them to the processing engine. Thank you, Luis 2015-08-13 14:13 GMT-03:00 Stefan Petrea <ste...@gm...>: > Hi Luis, > > Could the NTFS image you're looking at be trimmed down and provided as > sample input to reproduce the problem ? > > Best Regards, > Stefan > > On Thu, Aug 13, 2015 at 8:05 PM, Luís Filipe Nassif <lfc...@gm...> > wrote: > >> This error have happened again with a colleague's NTFS image, using the >> develop branch compiled about 1 month ago. Thousands of huge corrupted >> orphans were added by loaddb, which caused our processing application (and >> probably Autopsy too) to process indefinitely the evidence. >> >> Any help will be appreciated. >> >> Regards, >> Luis Nassif >> >> >> 2014-09-30 21:00 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>: >> >>> This problem still happens with 4.2.0 branch. If I can help with some >>> more information, please let me know. >>> >>> Thanks >>> Luis >>> >>> 2014-07-24 9:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>: >>> >>>> Another information: the sum of the millions of file sizes resulted in >>>> 1,1 petabyte, while the image has only 250 GB. >>>> >>>> >>>> 2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>: >>>> >>>>> We tested loaddb of both the released 4.1.3 version and the develop >>>>> branch of sleuthkit on a NTFS image of a hard disk with a lot of bad >>>>> blocks, many of them at the beginning of the disk. >>>>> >>>>> The 4.1.3 version found ~400.000 allocated files more ~100.000 orphan >>>>> files, about the same found by other forensic tools. The develop branch >>>>> found the same ~400.000 allocated files more ~2.500.000 orphan files! Most >>>>> of these millions of orphans have corrupted names or the name >>>>> OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes. >>>>> We think the recent changes to NTFS code are causing this large number of >>>>> corrupted orphans to be added to the case. Maybe it should be investigated >>>>> before the final 4.2 release. >>>>> >>>>> Luis >>>>> >>>> >>>> >>> >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> sleuthkit-developers mailing list >> sle...@li... >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers >> >> > |
