Thread: [sleuthkit-users] ifind bombing with max cpu
From: Nico C. K. <nka...@gm...> - 2005-03-22 20:05:43
Good afternoon!

I have perused the archives and googled my eyes out but to no avail.
I am hoping somebody on here has seen this and knows how to fix it:

Problem:
-----------
Autopsy file analysis of a disk image remains stuck without listing any files whatsoever while the browser's status bar says "transferring...". "top" on the host shows 99% CPU usage by ifind. I killed Autopsy and proceeded to run ifind directly with the same parameters as Autopsy plus "-v". It ran fine for a few minutes at <10% CPU and then got stuck at an error message (see following) and 99% CPU.

Error Message (and 20 preceding lines from ifind -v output):
-------------------
ntfs_mft_lookup: Processing MFT 91425
ntfs_mft_lookup: Found in offset: 19829635 size: 82672 at offset: 38115328
ntfs_mft_lookup: Entry address at: 10190888448
fs_read_random: read byte offs 10190888448 len 1024 (mft read)
ntfs_mft_lookup: upd_seq 1 Replacing: 0006 With: 0000
ntfs_mft_lookup: upd_seq 2 Replacing: 0006 With: 1147
ntfs_proc_attrseq: Processing MFT 91425 (maybe)
ntfs_proc_attrseq: Resident Attribute in 91425 Type: 16 Id: 0 Name: N/A
ntfs_proc_attrseq: Non-Resident Attribute in 91425 Type: 32 Id: 6 Name: N/A Start VCN: 0
ntfs_make_data_run: Len idx: 0 cur: 2 (2) tot: 2 (2)
ntfs_make_data_run: Off idx: 0 cur: 38 (26) tot: 38 (26)
ntfs_make_data_run: Off idx: 1 cur: 243 (f3) tot: 62246 (f326)
ntfs_make_data_run: Off idx: 2 cur: 6 (6) tot: 455462 (6f326)
ntfs_make_data_run: Signed offset: 455462 Previous address: 0
ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 3 Name: N/A
ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 2 Name: N/A
ntfs_proc_attrlist: MFT 91425
fs_read_block: read block 455462 offs 233196544 len 512 (data block)
fs_read_block: read block 7325743 offs 3750780416 len 512 (bmap)
ntfs_proc_attrlist: mft: 1174425602 type 1283502595 id 16 VCN: 1342177812
Invalid MFT file reference (1174425602) in the unallocated attribute list of MFT 91425

System specs:
------------------
- x86
- 1GHz CPU
- 512MB RAM
- Red Hat Enterprise Linux AS4
- Sleuthkit 1.73
- Autopsy 2.03
- Perl 5.8.6 w/64bitint and large file support
- Apache 2.x

File to be analyzed:
-------------------------
30GB NTFS image from Windows XP laptop

Any insight would be greatly appreciated.

Thanks!
Nico Kalteis
From: Brian C. <ca...@ce...> - 2005-03-22 20:24:19
Try the new version. This looks exactly like a bug that was fixed in 2.00 that occurs when a deleted file with a non-resident attribute list is processed and the attribute list has been overwritten. TSK tries to process the new data as a list and gets stuck in a loop while "advancing" by 0 each time.

brian

On Mar 22, 2005, at 3:05 PM, Nico C. Kalteis wrote:

> Good afternoon!
>
> I have perused the archives and googled my eyes out but to no avail.
> I am hoping somebody on here has seen this and knows how to fix it:
>
> Problem:
> -----------
> Autopsy file analysis of a disk image remains stuck without listing
> any files whatsoever while the browser's status bar says
> "transferring...". "top" on the host shows 99% CPU usage by ifind. I
> killed Autopsy and proceeded to run ifind directly with the same
> parameters as Autopsy plus "-v". It ran fine for a few minutes at
> <10% CPU and then got stuck at an error message (see following) and
> 99% CPU.
>
> Error Message (and 20 preceding lines from ifind -v output):
> -------------------
> ntfs_mft_lookup: Processing MFT 91425
> ntfs_mft_lookup: Found in offset: 19829635 size: 82672 at offset:
> 38115328
> ntfs_mft_lookup: Entry address at: 10190888448
> fs_read_random: read byte offs 10190888448 len 1024 (mft read)
> ntfs_mft_lookup: upd_seq 1 Replacing: 0006 With: 0000
> ntfs_mft_lookup: upd_seq 2 Replacing: 0006 With: 1147
> ntfs_proc_attrseq: Processing MFT 91425 (maybe)
> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 16 Id: 0 Name: N/A
> ntfs_proc_attrseq: Non-Resident Attribute in 91425 Type: 32 Id: 6
> Name: N/A Start VCN: 0
> ntfs_make_data_run: Len idx: 0 cur: 2 (2) tot: 2 (2)
> ntfs_make_data_run: Off idx: 0 cur: 38 (26) tot: 38 (26)
> ntfs_make_data_run: Off idx: 1 cur: 243 (f3) tot: 62246 (f326)
> ntfs_make_data_run: Off idx: 2 cur: 6 (6) tot: 455462 (6f326)
> ntfs_make_data_run: Signed offset: 455462 Previous address: 0
> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 3 Name: N/A
> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 2 Name: N/A
> ntfs_proc_attrlist: MFT 91425
> fs_read_block: read block 455462 offs 233196544 len 512 (data block)
> fs_read_block: read block 7325743 offs 3750780416 len 512 (bmap)
> ntfs_proc_attrlist: mft: 1174425602 type 1283502595 id 16 VCN:
> 1342177812
> Invalid MFT file reference (1174425602) in the unallocated attribute
> list of MFT 91425
>
>
> System specs:
> ------------------
> - x86
> - 1GHz CPU
> - 512MB RAM
> - Red Hat Enterprise Linux AS4
> - Sleuthkit 1.73
> - Autopsy 2.03
> - Perl 5.8.6 w/64bitint and large file support
> - Apache 2.x
>
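The zero-advance loop Brian describes, as an added example that is not TSK's own code: a bounded walk over an NTFS attribute list buffer that treats a zero entry length and an out-of-range MFT reference as corruption instead of spinning. The field offsets follow the on-disk attribute list entry layout (length at 0x04, file reference at 0x10); the helper names, the sample buffers and the assumed MFT size are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ATTRLIST_HDR_LEN 0x1A  /* fixed part of an entry, up to the name */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Walk an attribute list buffer. Returns the entry count, or -1 at the first
 * entry that cannot be trusted; mft_entries bounds the file references. */
int walk_attrlist(const uint8_t *buf, size_t len, uint64_t mft_entries)
{
    size_t off = 0; int count = 0;
    while (off + ATTRLIST_HDR_LEN <= len) {
        uint16_t elen = rd16(buf + off + 4);                        /* entry length */
        uint64_t mft = rd64(buf + off + 0x10) & 0xFFFFFFFFFFFFULL;  /* file ref, low 48 bits */
        /* A zero or short length is the "advancing by 0" case: an unchecked
         * loop re-reads the same bytes forever. Reject it instead of spinning. */
        if (elen < ATTRLIST_HDR_LEN || off + elen > len) return -1;
        /* Overwritten data also yields references past the end of the MFT,
         * like the 1174425602 in the log above. */
        if (mft >= mft_entries) return -1;
        count++;
        off += elen;  /* now guaranteed to make progress */
    }
    return count;
}

/* Constructed helper: write one entry (type, length, file reference) at dst. */
static void put_entry(uint8_t *dst, uint32_t type, uint16_t elen, uint64_t ref)
{
    memset(dst, 0, ATTRLIST_HDR_LEN);
    wr16(dst, (uint16_t)type); wr16(dst + 2, (uint16_t)(type >> 16));
    wr16(dst + 4, elen);
    wr64(dst + 0x10, ref);
}
/* Constructed sample: a two-entry list ($STANDARD_INFORMATION, $DATA) that is
 * intact (corruption 0), has its second entry overwritten with the values from
 * Nico's log so the length reads 0 (1), or carries only the bad reference (2).
 * Returns 2 for the intact list and -1 for either corruption. */
int demo_attrlist(int corruption)
{
    uint8_t buf[64] = {0};
    put_entry(buf, 0x10, 32, (1ULL << 48) | 91425);
    if (corruption == 1) put_entry(buf + 32, 1283502595u, 0, 1174425602ULL);
    else if (corruption == 2) put_entry(buf + 32, 0x80, 32, 1174425602ULL);
    else put_entry(buf + 32, 0x80, 32, (1ULL << 48) | 91425);
    return walk_attrlist(buf, sizeof buf, 1ULL << 20);  /* assumed 2^20-entry MFT */
}
```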
From: Nico C. K. <nka...@gm...> - 2005-03-22 20:43:10
Absolutely brilliant! I upgraded to the new versions of TSK and Autopsy and everything runs like a charm.

Brian, thank you very much...you're a scholar and a gentleman.

Cheers!
Nico

Brian Carrier wrote:

> Try the new version. This looks exactly like a bug that was fixed in
> 2.00 that occurs when a deleted file with a non-resident attribute
> list is processed and the attribute list has been overwritten. TSK
> tries to process the new data as a list and gets stuck in a loop while
> "advancing" by 0 each time.
>
> brian
>
> On Mar 22, 2005, at 3:05 PM, Nico C. Kalteis wrote:
>
>> Good afternoon!
>>
>> I have perused the archives and googled my eyes out but to no avail.
>> I am hoping somebody on here has seen this and knows how to fix it:
>>
>> Problem:
>> -----------
>> Autopsy file analysis of a disk image remains stuck without listing
>> any files whatsoever while the browser's status bar says
>> "transferring...". "top" on the host shows 99% CPU usage by ifind. I
>> killed Autopsy and proceeded to run ifind directly with the same
>> parameters as Autopsy plus "-v". It ran fine for a few minutes at
>> <10% CPU and then got stuck at an error message (see following) and
>> 99% CPU.
>>
>> Error Message (and 20 preceding lines from ifind -v output):
>> -------------------
>> ntfs_mft_lookup: Processing MFT 91425
>> ntfs_mft_lookup: Found in offset: 19829635 size: 82672 at offset:
>> 38115328
>> ntfs_mft_lookup: Entry address at: 10190888448
>> fs_read_random: read byte offs 10190888448 len 1024 (mft read)
>> ntfs_mft_lookup: upd_seq 1 Replacing: 0006 With: 0000
>> ntfs_mft_lookup: upd_seq 2 Replacing: 0006 With: 1147
>> ntfs_proc_attrseq: Processing MFT 91425 (maybe)
>> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 16 Id: 0 Name: N/A
>> ntfs_proc_attrseq: Non-Resident Attribute in 91425 Type: 32 Id: 6
>> Name: N/A Start VCN: 0
>> ntfs_make_data_run: Len idx: 0 cur: 2 (2) tot: 2 (2)
>> ntfs_make_data_run: Off idx: 0 cur: 38 (26) tot: 38 (26)
>> ntfs_make_data_run: Off idx: 1 cur: 243 (f3) tot: 62246 (f326)
>> ntfs_make_data_run: Off idx: 2 cur: 6 (6) tot: 455462 (6f326)
>> ntfs_make_data_run: Signed offset: 455462 Previous address: 0
>> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 3 Name: N/A
>> ntfs_proc_attrseq: Resident Attribute in 91425 Type: 48 Id: 2 Name: N/A
>> ntfs_proc_attrlist: MFT 91425
>> fs_read_block: read block 455462 offs 233196544 len 512 (data block)
>> fs_read_block: read block 7325743 offs 3750780416 len 512 (bmap)
>> ntfs_proc_attrlist: mft: 1174425602 type 1283502595 id 16 VCN:
>> 1342177812
>> Invalid MFT file reference (1174425602) in the unallocated attribute
>> list of MFT 91425
>>
>>
>> System specs:
>> ------------------
>> - x86
>> - 1GHz CPU
>> - 512MB RAM
>> - Red Hat Enterprise Linux AS4
>> - Sleuthkit 1.73
>> - Autopsy 2.03
>> - Perl 5.8.6 w/64bitint and large file support
>> - Apache 2.x
>>
>