Re: [sleuthkit-users] TSK-4.4 and SlackFiles
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] TSK-4.4 and SlackFiles
|
From: Brian C. <ca...@sl...> - 2017-02-01 16:38:29
|
Ughh. I need to better start documenting these scenarios because I always get confused by them too. I think you've found an issue and I created #756 ( https://github.com/sleuthkit/sleuthkit/issues/756) to address this. The summary of your specific questions are: - VSC is strange because WIndows seems to treat it differently and lies about initsize. It has initsize of 0, but a file size that is equal to the allocsize. - In the log file case, 4096 has been initialized, but the allocated size of the file is 2MB. On Tue, Jan 31, 2017 at 7:26 PM, Luís Filipe Nassif <lfc...@gm...> wrote: > Thank you, Brian, for your explanation! No problem for our application, > just curious to know if it was a bug or, if not, why it is there. > > But, currently, no slack files are created for VSC files and other files > with initsize smaller than allocated size. I thought slack is created only > when allocated > logical size (based on line 1001 of db_sqlite.cpp) > > And is the allocated size 4096 from istat output? I do not know where the > slack size of 2.026.496 bytes came from... > > 2017-01-31 18:05 GMT-02:00 Brian Carrier <ca...@sl...>: > >> Actually, making this decision could incur some significant overhead for >> a step that (at least in Autopsy) we try to keep as fast as possible. Is >> your application impacted by the fact that there is a large and empty slack >> file or were you just curious if it was a bug? >> >> >> >> On Tue, Jan 31, 2017 at 2:54 PM, Brian Carrier <ca...@sl...> >> wrote: >> >>> Yea, this looks like "VDL Slack". Same general idea as in Issue 466 ( >>> https://github.com/sleuthkit/sleuthkit/issues/466), but in this case >>> the file has 1K of initialized size. >>> >>> I suppose this "slack" file is a bit wasted though because no blocks >>> were allocated to it. So, there will be no real content for it. >>> >>> I'll make an internal story to keep track of this and maybe Ann will be >>> able to take a look at not making these if they are going to be all for >>> address 0. >>> >>> >>> >>> On Tue, Jan 31, 2017 at 10:55 AM, Luís Filipe Nassif < >>> lfc...@gm...> wrote: >>> >>>> Hi Brian, >>>> >>>> Thank you very much for your attention. The output of >>>> FsContent.getMetaDataText() (equals to istat right?) is below. The >>>> system.LOG-slack size is 2.026.496 bytes and system.LOG size is 1024 bytes. >>>> >>>> details of /img_PC-HP.dd/vol_vol2/WINDOWS/system32/config/system.LOG-sl >>>> ack >>>> >>>> MFT Entry Header Values: >>>> Entry: 4106 Sequence: 1 >>>> $LogFile Sequence Number: 79246281526 >>>> Allocated File >>>> Links: 1 >>>> >>>> $STANDARD_INFORMATION Attribute Values: >>>> Flags: Hidden, Archive >>>> Owner ID: 0 >>>> Security ID: 281 (S-1-5-32-544) >>>> Last User Journal Update Sequence Number: 105272096 >>>> Created: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil) >>>> File Modified: 2011-09-16 14:33:38.375000000 (Hora oficial do Brasil) >>>> MFT Modified: 2011-09-16 14:33:38.375000000 (Hora oficial do Brasil) >>>> Accessed: 2011-09-16 14:33:38.187500000 (Hora oficial do Brasil) >>>> >>>> $FILE_NAME Attribute Values: >>>> Flags: Hidden, Archive >>>> Name: system.LOG >>>> Parent MFT Entry: 3982 Sequence: 2 >>>> Allocated Size: 4096 Actual Size: 1024 >>>> Created: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil) >>>> File Modified: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil) >>>> MFT Modified: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil) >>>> Accessed: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil) >>>> >>>> $ATTRIBUTE_LIST Attribute Values: >>>> Type: 16-0 MFT Entry: 4106 VCN: 0 >>>> Type: 48-4 MFT Entry: 4106 VCN: 0 >>>> Type: 128-0 MFT Entry: 40678 VCN: 0 >>>> >>>> Attributes: >>>> Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72 >>>> Type: $ATTRIBUTE_LIST (32-5) Name: N/A Resident size: 96 >>>> Type: $FILE_NAME (48-4) Name: N/A Resident size: 86 >>>> Type: $DATA (128-6) Name: N/A Non-Resident size: 1024 init_size: >>>> 1024 >>>> 847844 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 0 >>>> 0 0 0 0 0 0 0 >>>> >>>> 2017-01-31 12:56 GMT-02:00 Brian Carrier <ca...@sl...>: >>>> >>>>> Hi Luis, >>>>> >>>>> My guess is that it's a file that has preallocated a large amount of >>>>> space, but that has not fully used it yet. NTFS allows this. If you read >>>>> the file, TSK will only show you the space that is used. Reading the >>>>> slack, gives you the rest. >>>>> >>>>> If you run 'istat' on one of these files and send it along, we can >>>>> confirm. >>>>> >>>>> thanks, >>>>> brian >>>>> >>>>> >>>>> On Tue, Jan 31, 2017 at 7:04 AM, Luís Filipe Nassif < >>>>> lfc...@gm...> wrote: >>>>> >>>>>> Hi folks, >>>>>> >>>>>> I am upgrading to tsk-4.4 to benefit from the new support to >>>>>> slackfiles from java bindings. But I noticed some slackfiles larger than >>>>>> the cluster size (4k) are created in database. Some of them have megabytes >>>>>> of size and its contents are accessible. Is it expected to have slackfiles >>>>>> larger than cluster size? Could someone explain? >>>>>> >>>>>> Thanks, >>>>>> Luis Nassif >>>>>> >>>>>> ------------------------------------------------------------ >>>>>> ------------------ >>>>>> Check out the vibrant tech community on one of the world's most >>>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot >>>>>> _______________________________________________ >>>>>> sleuthkit-users mailing list >>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >>>>>> http://www.sleuthkit.org >>>>>> >>>>>> >>>>> >>>> >>> >> > |
