Re: [sleuthkit-users] Different results between tsk_loaddb and java AddImageProcess
From: Brian C. <ca...@sl...> - 2015-12-10 03:45:41
We could change the default behavior and add a command line argument to change it. Any objections to grouping unallocated space?

As a side note (and we recently ran into this with some images in Autopsy), the current algorithm will break the groups of unallocated space at a sector boundary with an allocated sector. If there is 100GB of contiguous unallocated space, the resulting file will be 100GB. We will probably change the algorithm to do something like try to break it at 500MB at a natural boundary, but definitely stop 10% later if there isn’t one.

> On Dec 8, 2015, at 6:58 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>
> Hi,
>
> Those 2 commands are populating the sqlite database with different numbers of unallocated entries. Reading the code, the java command was configured to group non-adjacent unallocated clusters up to 500 MB, while tsk_loaddb groups only adjacent blocks. Tsk_loaddb produced a sqlite with 26 million unallocated entries in a specific case. I think those 2 commands should return the same output, and I prefer the java one, because it makes carving fragmented files easier.
>
> Regards,
> Luis Nassif
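
The two grouping strategies discussed in this thread, as an added example that is not Sleuth Kit or Autopsy code and not written by either poster. The function names, the run representation in sectors, the scaled-down target of 1000 sectors standing in for 500 MB, and the reading of the "stop 10% later" rule are all assumptions made for illustration.

```python
# Added illustration; not Sleuth Kit or Autopsy source code.
# A run is (start_sector, length_in_sectors); an entry is the list of runs
# that would be stored as one unallocated-space file in the database.

def group_adjacent(runs):
    """One entry per contiguous stretch: only runs that touch are merged."""
    entries = []
    for start, length in sorted(runs):
        if entries:
            prev_start, prev_len = entries[-1][-1]
            if prev_start + prev_len == start:
                entries[-1][-1] = (prev_start, prev_len + length)
                continue
        entries.append([(start, length)])
    return entries

def group_by_size(runs, target, slack=0.10):
    """Pack runs, adjacent or not, into entries of about `target` sectors.

    An entry is closed at the end of a run once it holds `target` sectors;
    a run that overshoots is cut at target + slack (assumed reading of
    "break at a natural boundary, but stop 10% later if there isn't one").
    """
    hard_limit = target + int(target * slack)
    entries, current, size = [], [], 0
    for start, length in sorted(runs):
        while length > 0:
            take = min(length, hard_limit - size)
            current.append((start, take))
            size, start, length = size + take, start + take, length - take
            if size >= target:  # run ended past target, or hard limit hit
                entries.append(current)
                current, size = [], 0
    if current:
        entries.append(current)
    return entries

def entry_size(entry):
    return sum(length for _, length in entry)

# Constructed input: 200 fragmented 10-sector runs plus one 2500-sector run.
RUNS = [(i * 20, 10) for i in range(200)] + [(10000, 2500)]

if __name__ == "__main__":
    for name, entries in (("adjacent only", group_adjacent(RUNS)),
                          ("size-capped", group_by_size(RUNS, target=1000))):
        print(name, len(entries), "entries, largest",
              max(map(entry_size, entries)), "sectors")
```

On the constructed input, adjacent-only grouping yields one database entry per fragment and leaves the large run as a single oversized entry, while the size-capped grouping yields a handful of bounded entries covering the same sectors.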