Re: [sleuthkit-users] Tsk_loaddb generating an inconsistent file system tree
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Tsk_loaddb generating an inconsistent file system tree
|
From: Luís F. N. <lfc...@gm...> - 2016-03-23 23:17:24
|
I have just confirmed this issue with 2 (of 3) ntfs images processed with tsk_loaddb I am working right now, so the problem seems quite common. There are a number of allocated files below some deleted directories in the file system tree and the path of those files shows different parents. Looking into the true parent directories (not deleted), there is no children. My colleague observed this behaviour at least in 3 ntfs images. I modified the logic of TskDbSqlite::storeObjId() and TskDbSqlite::findParObjId in db_sqlite.cpp to ignore the NTFS sequence number and to use the file paths when there are multiple items pointing to the same meta_addr, like is already done for other file systems. That change solved the problem, but I not sure if it could cause side effects for NTFS? Best regards, Luis 2016-03-22 13:10 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>: > Hi, > > A colleague of mine have observed tsk_loaddb 4.2 (so I think Autopsy too) > incorrectly decoding the file system tree of some NTFS images. I analysed > one sqlite sent by him and tsk_loaddb is putting a number of (very > important) files into a deleted directory with the same meta_addr and > meta_seq of the true (not deleted) parent directory of those files, > according to tsk_objects table. The parent_path of the child files are > populated correctly into sqlite. > > Maybe the parent cache table logic used internally by tsk_loaddb should be > updated to handle that situation (NTFS files with same meta_addr and > meta_seq)? > > We will gladly provide any other information to help solve the problem. > > Thank you very much for your attention, > Luis > |
