GetThis fails to grab files larger than 2GB

[blardy]

Hello,

When I use GetThis command to compress files (7z output) larger than 2GB it failed, below an excerpt of the output :

$> .\DFIR-Orc.exe GetThis /sample="plop2G.plop" "D:\" /out=test.7z /MaxTotalBytes=10GB

[...]

Global limits imposed on collection:
        Maximum bytes per sample  = Unlimited
        Maximum bytes collected   = 10737418240
        Maximum number of samples = Unlimited
        Default content copied is attribute's data

Samples looked after:

   Sample:  (copy data)

      Name is plop2G.plop

Start time            : 09/16/2020 08:54:36.894 (UTC)
        \plop2G.plop matched (-2147483115 bytes)

Adding matching samples to archive:
ERROR (Not enough memory resources are available to complete this operation, hr=0x8007000e): Failed to update test.7z
ERROR (Not enough memory resources are available to complete this operation, hr=0x8007000e): Failed to flush queue to test.7z
ERROR (Not enough memory resources are available to complete this operation, hr=0x8007000e):
GetThis failed while collecting samples

However, it works fine using zip instead of 7z. I guess the file size is wrong -2147483115 bytes. Am I doing something wrong here, or is this an overflow ?

Thanks for the tool ;)

[sc-anssi]

Hi Bastien, I can confirm there is a formatting error in the size displayed in the line "... matched (-... bytes)" but this should not affect the behaviour of GetThis.

However, I've not been able to reproduce your issue of memory exhaustion with DFIR-Orc v10.0.14, a 2.5GB file of random bytes and the exact same command line on a test system with 1GB of RAM (tested both on 32bits and 64bits Windows 7).

Can you provide the hardware and software configuration of your system please ? At least the DFIR-Orc version, OS version and architecture, memory information (and whether your system was under high memory pressure before launching the tool).

If your test was not with the latest version of DFIR-Orc, could you try to reproduce this issue with v10.0.14 ?

Thanks !

[blardy]

Tanks for the prompt reply !

I have used the master branch for compiling DFIR-Orc, I also have tested v10.0.14 and I still have the same issue. However, it seems you are correct to assume that it may be specific to my hardware / software configuration as I tested on a Virtual Machine (Microsoft Windows 10 Professional build 18362, 64-bit system with 2GB RAM and also tested with 64GB RAM) and I had no issue (with the x86 and with the x64 version).

On my host the x64 version (v10.0.14 and master) is working fine (it compressed the 2GB file and create the 7z archive), however the x86 fails with the error Not enough memory resources are available to complete this operation.

Host was not under pressure (except for running DFIR-Orc) and configuration is as follows:

• Architecture: x64
• OS: Microsoft Windows 10 Professional (build 19041), 64-bit
• Memory: 64GB

Hope that helps...

[jeanga]

With this kind of issue, you may also test with different levels of compression. 7zip is know for consuming very large amount of memory with compression level like ultra. Are you using the default compression level in your tests?

[blardy]

I was using the default value and the crash occurs immediately after starting compression. I have tried running DFIR-Orc using different levels of compression and here are the results:

• /Compression=None - works
• /Compression=Fast - works
• /Compression=Fastest - works
• /Compression=Normal - fails
• /Compression=Maximum - fails
• /Compression=Ultra - fails

So I'll stick to /Compression=Fastest for now. Thanks for the hints :)