Parsing problem with NTFS on Windows Server 2012

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Parsing problem with NTFS on Windows Server 2012

Jon Stewart
We've got an evidence file of a Windows Server 2012/NTFS system that's failing to parse with the Sleuthkit. Only a few hundred files are shown on the filesystem.

We are receiving this error message:

"fs_attr_add_run: error adding additional run (84481): No filler entry for 0. Final: 1"

This appears to be from the error-handling block around lines 531-567 of fs_attr.c.

Any ideas?


Jon Stewart
Development Manager

STROZ FRIEDBERG
1150 Connecticut Avenue, NW, Suite 700, Washington, DC 20036

T: +1 202.534.3290
M: +1 202.492.4412
F: +1 202.534.5700
[hidden email]   www.strozfriedberg.com

This message and/or its attachments may contain information that is confidential and/or protected by privilege from disclosure. If you have reason to believe you are not the intended recipient, please immediately notify the sender by reply e-mail or by telephone, then delete this message (and any attachments), as well as all copies, including any printed copies. Thank you.

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
Reply | Threaded
Open this post in threaded view
|

Re: Parsing problem with NTFS on Windows Server 2012

Simson Garfinkel-3
Try changing the “return 1” to a “return 0”.

> On Jul 19, 2016, at 3:55 PM, Jon Stewart <[hidden email]> wrote:
>
> We've got an evidence file of a Windows Server 2012/NTFS system that's failing to parse with the Sleuthkit. Only a few hundred files are shown on the filesystem.
>
> We are receiving this error message:
>
> "fs_attr_add_run: error adding additional run (84481): No filler entry for 0. Final: 1"
>
> This appears to be from the error-handling block around lines 531-567 of fs_attr.c.
>
> Any ideas?
>
>
> Jon Stewart
> Development Manager
>
> STROZ FRIEDBERG
> 1150 Connecticut Avenue, NW, Suite 700, Washington, DC 20036
>
> T: +1 202.534.3290
> M: +1 202.492.4412
> F: +1 202.534.5700
> [hidden email]   www.strozfriedberg.com
>
> This message and/or its attachments may contain information that is confidential and/or protected by privilege from disclosure. If you have reason to believe you are not the intended recipient, please immediately notify the sender by reply e-mail or by telephone, then delete this message (and any attachments), as well as all copies, including any printed copies. Thank you.
>
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity planning
> reports.http://sdm.link/zohodev2dev
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org


------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org