[sleuthkit-users] Tsk_loaddb generating an inconsistent file system tree
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Tsk_loaddb generating an inconsistent file system tree
|
From: Luís F. N. <lfc...@gm...> - 2016-03-22 16:10:21
|
Hi, A colleague of mine have observed tsk_loaddb 4.2 (so I think Autopsy too) incorrectly decoding the file system tree of some NTFS images. I analysed one sqlite sent by him and tsk_loaddb is putting a number of (very important) files into a deleted directory with the same meta_addr and meta_seq of the true (not deleted) parent directory of those files, according to tsk_objects table. The parent_path of the child files are populated correctly into sqlite. Maybe the parent cache table logic used internally by tsk_loaddb should be updated to handle that situation (NTFS files with same meta_addr and meta_seq)? We will gladly provide any other information to help solve the problem. Thank you very much for your attention, Luis |
