sleuthkit-users

[sleuthkit-users] Allocated clusters where no corresponding inodes found

[Lehr, J. <jl...@sl...>]

Hi everyone,

I'm trying to understand an issue I'm finding frequently in the examination of an NTFS file system with MS Vista installed:

I have keyword hits in particular clusters that blkstat reports to be allocated.  However, ifind cannot determine what inode has allocated the cluster.  Does anyone have an explanation?

     $ blkstat -o63 ../images/image_103358.E* 29113862
     Cluster: 29113862
     Allocated

     $ ifind -o63 ../images/image_103358.E* -d 29113862
     Inode not found

Thank you,
John

TSK 3.1.2, Ubuntu 10.04
______________________________________
John Lehr

Evidence Technician
San Luis Obispo Police Department

Re: [sleuthkit-users] Allocated clusters where no corresponding inodes found

[Theodore P. <te...@gm...>]

I think I've seen this before.  If the cluster in question belongs to
the $MFT (inode 0), then ifind may not report the inode number.

On NTFS, small files are stored resident within the MFT record if they
fit.  So you may end up with a keyword hit inside $MFT's data blocks.

Try running istat against inode 0 and see if your cluster number shows
up allocated to it.


On Mon, May 24, 2010 at 6:02 PM, Lehr, John <jl...@sl...> wrote:
> Hi everyone,
>
> I'm trying to understand an issue I'm finding frequently in the examination
> of an NTFS file system with MS Vista installed:
>
> I have keyword hits in particular clusters that blkstat reports to be
> allocated.  However, ifind cannot determine what inode has allocated the
> cluster.  Does anyone have an explanation?
>
>      $ blkstat -o63 ../images/image_103358.E* 29113862
>      Cluster: 29113862
>      Allocated
>
>      $ ifind -o63 ../images/image_103358.E* -d 29113862
>      Inode not found
>
> Thank you,
> John
>
> TSK 3.1.2, Ubuntu 10.04
> ______________________________________
> John Lehr
>
> Evidence Technician
> San Luis Obispo Police Department
>
>
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>

Re: [sleuthkit-users] Allocated clusters where no corresponding inodesfound

[Lehr, J. <jl...@sl...>]

OK, maybe I have an idea on this one, but I'll need someone to confirm (I don't read C too well).

blkstat may rely on $bitmap for allocation status of a ntfs cluster.  But ifind is searching $mft for the inode that allocates the data.  If the bitmap is allocated, but the mft no longer has a reference, then I get the results I've noted.

Could this be correct?  If so, what conditions allow a file to be deleted but the bitmap to continue to show the cluster allocated?  This partition show 34mb worth of bad clusters in the $BadClus file.  Could drive errors explain this?

Thanks,
John

______________________________________
John Lehr

Evidence Technician
San Luis Obispo Police Department


-----Original Message-----
From: Lehr, John [mailto:jl...@sl...]
Sent: Mon 5/24/2010 3:02 PM
To: sle...@li...
Subject: [sleuthkit-users] Allocated clusters where no corresponding inodesfound
 
Hi everyone,

I'm trying to understand an issue I'm finding frequently in the examination of an NTFS file system with MS Vista installed:

I have keyword hits in particular clusters that blkstat reports to be allocated.  However, ifind cannot determine what inode has allocated the cluster.  Does anyone have an explanation?

     $ blkstat -o63 ../images/image_103358.E* 29113862
     Cluster: 29113862
     Allocated

     $ ifind -o63 ../images/image_103358.E* -d 29113862
     Inode not found

Thank you,
John

TSK 3.1.2, Ubuntu 10.04
______________________________________
John Lehr

Evidence Technician
San Luis Obispo Police Department