Eternal loop reconstructing MFT #6

Closed
gabrielboliveira opened this issue Nov 24, 2016 · 4 comments
@gabrielboliveira

I was running RecuperaBit on a 466GB image for a little longer than 100h. I looked at the output and it was repeating the same positions set number.

For example, if you look at the output file, look at the first three positions: 38190544, 37475152, 38357392. The last three positions on the end are the same: 38190544, 37475152, 38357392.

I was able to grab only this part of the output, but when I checked there was more repetition (around 10 or 15 positions). I realized it was repeating the same sequence over and over.

The drive I'm running at is a very damaged one. I'm not sure if it's the image issue (unrecoverable) and I should let it go.

(some more info: running on Mac OS 10.12.1, was using a whole lot of memory, around 12GB~14GB)

```
Python 2.7.12 (aff251e543859ce4508159dd9f1a82a2f553de00, Nov 13 2016, 01:57:41)
[PyPy 5.6.0 with GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
```

@Lazza
Owner

Lazza commented Nov 24, 2016

Please, before line 823 of ntfs.py:

```python
for address in partitioned_files:
```

Add the following lines:

```python
print partitioned_files
print list(partitioned_files)
exit(1)
```

With the same indentation. This will stop the program just after the scan, printing useful debug information.

@gabrielboliveira
Author

This is the output with those lines: recuperabit.txt

@Lazza
Owner

Lazza commented Nov 30, 2016

From the output you posted, it seems you have various traces of files which get divided into over 127000 (127 thousand!) partitions. This can result from an extremely fragmented MFT (that maybe has sustained defragmentation many times in the past).

See this file where they are ordered by length -> count (accumulator):

many_partitions.txt

Long story short, the program is not looping, it's just running. 😅 You might want to put a limit to ignore partitions with few files. For instance, you can ignore those with less than 5001 files.

Start with a fresh, unmodified copy of RecuperaBit and add this before line 823 of ntfs.py:

```python
partitioned_files = {
    index: partitioned_files[index]
    for index in partitioned_files
    if len(partitioned_files[index].files) > 5000
}
```

This way you will only analyze about 50 partitions. I am going to close this issue, however you might consider suggesting one or both of these:

  • option to disable the search of partition boundaries for those that are not immediately detectable from boot sectors
  • option to prune partitions with few files, or to limit the search to the top N partitions

These could be nice enhancements in the future.
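
The two pruning ideas from the comment above, as an added example that is not part of the original thread or of RecuperaBit's code: it tabulates partition sizes with a running total, derives a threshold from a partition budget, and prunes by minimum file count or top N. It assumes only what the posted snippet shows (a dict whose values have a `.files` attribute); `Partition`, the function names and the sample sizes are hypothetical and constructed.

```python
from collections import Counter


class Partition(object):
    """Hypothetical stand-in: models only the .files attribute used in the snippet."""
    def __init__(self, files):
        self.files = files


def size_histogram(partitioned_files):
    """Return (length, count, accumulator) rows, largest partitions first.

    accumulator = number of partitions holding at least `length` files."""
    counts = Counter(len(p.files) for p in partitioned_files.values())
    rows, running = [], 0
    for length in sorted(counts, reverse=True):
        running += counts[length]
        rows.append((length, counts[length], running))
    return rows


def threshold_for(rows, max_partitions):
    """Smallest file count that keeps at most max_partitions partitions, or None."""
    best = None
    for length, _count, accumulator in rows:
        if accumulator > max_partitions:
            break
        best = length
    return best


def prune(partitioned_files, min_files=0, top_n=None):
    """Keep partitions with >= min_files files, optionally only the top_n largest."""
    kept = [(addr, p) for addr, p in partitioned_files.items()
            if len(p.files) >= min_files]
    # Largest first; the address breaks ties so the result is deterministic.
    kept.sort(key=lambda item: (-len(item[1].files), item[0]))
    if top_n is not None:
        kept = kept[:top_n]
    return dict(kept)


# Constructed sample: address -> number of files in that partition candidate.
SIZES = {2048: 6000, 4096: 5001, 8192: 5000, 12288: 3, 16384: 3, 20480: 1}
SAMPLE = {addr: Partition(range(n)) for addr, n in SIZES.items()}
```

Reading the accumulator column top-down shows how many partitions survive at each cut-off, which is how a limit such as 5000 can be chosen for a given image.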

@gabrielboliveira
Author

Great! Thanks for the suggestion. I'll try what you suggested.
