sleuthkit / sleuthkit

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

Home Page: http://www.sleuthkit.org/sleuthkit/

NTFS: Error in metadata structure (fs_attr_idx->nrd.allocsize value out of bounds)

joachimmetz opened this issue · comments

Test file generated with https://github.com/dfirlabs/ntfs-specimens/blob/main/generate-specimens-unicode-windows.bat

Tested with 820b185

fls -o 128 fuse/vhdi1 39-144-11 
Error in metadata structure (fs_attr_idx->nrd.allocsize value out of bounds)

This is caused by a limit to prevent excessive memory allocation.

fs_attr_idx->nrd.allocsize is 305659904; maybe the limit should be increased to 512 MiB, or an alternative approach taken to loading the entire $INDEX_ALLOCATION into memory?

isstat -o 128 fuse/vhdi1 39-144-11 
MFT Entry Header Values:
Entry: 39        Sequence: 1
$LogFile Sequence Number: 327427853
Allocated Directory
Links: 1

$STANDARD_INFORMATION Attribute Values:
Flags: 
Owner ID: 0
Security ID: 264  (S-1-5-32-544)
Created:        2023-07-03 11:03:50.192576900 (CEST)
File Modified:  2023-07-03 15:09:30.477646300 (CEST)
MFT Modified:   2023-07-03 15:09:30.477646300 (CEST)
Accessed:       2023-07-03 16:57:55.928274700 (CEST)

$FILE_NAME Attribute Values:
Flags: Directory
Name: testdir1
Parent MFT Entry: 5     Sequence: 5
Allocated Size: 0       Actual Size: 0
Created:        2023-07-03 11:03:50.192576900 (CEST)
File Modified:  2023-07-03 11:03:50.192576900 (CEST)
MFT Modified:   2023-07-03 11:03:50.192576900 (CEST)
Accessed:       2023-07-03 11:03:50.192576900 (CEST)

$ATTRIBUTE_LIST Attribute Values:
Type: 16-0      MFT Entry: 39   VCN: 0
Type: 48-2      MFT Entry: 39   VCN: 0
Type: 144-11    MFT Entry: 39   VCN: 0
Type: 160-1     MFT Entry: 17292        VCN: 0
Type: 176-10    MFT Entry: 39   VCN: 0

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $ATTRIBUTE_LIST (32-8)   Name: N/A   Resident   size: 184
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 82
Type: $INDEX_ROOT (144-11)   Name: $I30   Resident   size: 56
Type: $BITMAP (176-10)   Name: $I30   Non-Resident   size: 13128  init_size: 13128
8777 8842 41625 453186 
Type: $INDEX_ALLOCATION (160-12)   Name: $I30   Non-Resident   size: 305659904  init_size: 305659904
2118 2119 2120 2121 2122 2123 2124 2125 
...
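One alternative to buffering the whole $INDEX_ALLOCATION attribute (which is what a fixed allocsize limit guards against) is to walk it one index record at a time, reading only the records that $BITMAP($I30) marks as in use, so heap use stays at one record regardless of allocsize. The C below is an added example written for this issue; it is neither TSK code nor the reporter's. It assumes a 4096-byte index record size (the $INDEX_ROOT header that carries the real value is not shown above), uses an in-memory reader as a stand-in for TSK's attribute reader, and feeds the walker constructed sample records; the record-size sanity bounds are choices made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reader for a non-resident attribute: copy len bytes at byte offset off into
 * buf. Returns 0 on success, -1 on a short read. Stand-in for TSK's reader. */
typedef int (*attr_read_fn)(void *ctx, uint64_t off, uint8_t *buf, size_t len);
/* Called once per in-use index record that carries the "INDX" signature. */
typedef void (*index_record_fn)(void *ctx, uint64_t rec_idx, const uint8_t *rec);

struct idx_alloc_attr {
    uint64_t allocsize;    /* fs_attr_idx->nrd.allocsize (305659904 in the issue) */
    uint32_t record_size;  /* index record size; lives in the $INDEX_ROOT header */
    const uint8_t *bitmap; /* $BITMAP($I30) data: bit i set => record i is in use */
    size_t bitmap_len;
};
struct walk_stats { uint64_t records_total, records_in_use, records_bad_magic; };

/* 0 if the attribute geometry is coherent, -1 otherwise. The record-size bounds
 * (power of two, 512 B .. 64 KiB) are sanity limits chosen for this example. */
int check_index_alloc_geometry(const struct idx_alloc_attr *a)
{
    uint32_t rs = a->record_size;
    if (rs < 512 || rs > 65536 || (rs & (rs - 1)) != 0) return -1;
    if (a->allocsize % rs != 0) return -1;
    if (a->allocsize / rs > (uint64_t)a->bitmap_len * 8) return -1; /* $BITMAP too short */
    return 0;
}

/* Walk $INDEX_ALLOCATION one record at a time: heap use is record_size bytes
 * no matter how large allocsize is. Returns 0, or -1 on geometry/read error. */
int walk_index_allocation(const struct idx_alloc_attr *a, attr_read_fn read_at,
                          void *rctx, index_record_fn on_record, void *cctx,
                          struct walk_stats *st)
{
    memset(st, 0, sizeof *st);
    if (check_index_alloc_geometry(a) != 0) return -1;
    uint8_t *rec = malloc(a->record_size);
    if (rec == NULL) return -1;
    st->records_total = a->allocsize / a->record_size;
    for (uint64_t i = 0; i < st->records_total; i++) {
        if (!(a->bitmap[i / 8] & (1u << (i % 8)))) continue; /* not in use: skip */
        st->records_in_use++;
        if (read_at(rctx, i * a->record_size, rec, a->record_size) != 0) { free(rec); return -1; }
        if (memcmp(rec, "INDX", 4) != 0) { st->records_bad_magic++; continue; }
        on_record(cctx, i, rec);
    }
    free(rec);
    return 0;
}

/* The issue's numbers with an assumed 4096-byte record: 305659904 / 4096 = 74624
 * records, and the 13128-byte $BITMAP holds 105024 bits, so the geometry itself
 * is coherent; only a fixed size limit rejects it. Returns 0 when coherent. */
int issue_geometry_ok(void)
{
    struct idx_alloc_attr a = { 305659904ull, 4096u, NULL, 13128u };
    return check_index_alloc_geometry(&a);
}

/* ---- constructed sample input for the walker (not data from the issue) ---- */
#define DEMO_REC_SIZE 4096u
#define DEMO_NREC 6u
struct mem_attr { const uint8_t *data; size_t len; };
struct walk_stats demo_stats;

static int mem_read(void *ctx, uint64_t off, uint8_t *buf, size_t len)
{
    const struct mem_attr *m = ctx;
    if (off > m->len || len > m->len - off) return -1;
    memcpy(buf, m->data + off, len);
    return 0;
}

static void count_record(void *ctx, uint64_t rec_idx, const uint8_t *rec)
{
    (void)rec_idx; (void)rec;
    (*(int *)ctx)++;
}

/* Six records; bitmap 0x2d marks 0,2,3,5 in use; record 3 has a bad signature.
 * Returns the number of valid records delivered to the callback (3). */
int demo_walk(void)
{
    uint8_t *data = calloc(DEMO_NREC, DEMO_REC_SIZE);
    if (data == NULL) return -1;
    const unsigned in_use[] = { 0, 2, 3, 5 };
    for (size_t k = 0; k < 4; k++) memcpy(data + in_use[k] * DEMO_REC_SIZE, "INDX", 4);
    memcpy(data + 3 * DEMO_REC_SIZE, "BAAD", 4); /* corrupt in-use record */
    const uint8_t bitmap[1] = { 0x2d };
    struct idx_alloc_attr a = { DEMO_NREC * DEMO_REC_SIZE, DEMO_REC_SIZE, bitmap, 1 };
    struct mem_attr m = { data, DEMO_NREC * DEMO_REC_SIZE };
    int valid = 0;
    int rc = walk_index_allocation(&a, mem_read, &m, count_record, &valid, &demo_stats);
    free(data);
    return rc == 0 ? valid : -1;
}

int main(void)
{
    int valid = demo_walk();
    printf("records=%llu in_use=%llu bad_magic=%llu valid=%d issue_geometry=%s\n",
           (unsigned long long)demo_stats.records_total, (unsigned long long)demo_stats.records_in_use,
           (unsigned long long)demo_stats.records_bad_magic, valid,
           issue_geometry_ok() == 0 ? "coherent" : "rejected");
    return 0;
}
```

The point of the per-record loop is that the allocsize check becomes a consistency check (a multiple of the record size, and small enough for the $BITMAP to cover every record) rather than a memory-budget check, so a directory with a ~291 MiB $INDEX_ALLOCATION is walked with one 4 KiB buffer. Records not marked in $BITMAP are never read, and in-use records without the "INDX" signature are counted rather than trusted.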