Invoke-IR / PowerForensics

PowerForensics provides an all in one platform for live disk forensic analysis
MIT License

Add buffering methods #167

Closed jpohls1 closed 2 years ago

jpohls1 commented 2 years ago

This PR introduces a new method GetContentBytesBuffered to support files bigger than 2GB which crash the original implementation.

The new method produces the same results as the original one for files <2GB.

For files >2GB the new method does not crash, however, there is still a problem: Big files are not read completely.

The line

foreach (DataRun dr in this.DataRun)

does not iterate over the full file when the file is too big. The DataRun field is populated in FileRecordAttribute.cs like

DataRun = Ntfs.DataRun.GetInstances(bytes, offset, volume);

In the GetInstances method we have variables like

int DataRunLengthByteCount = bytes[i] & 0x0F;
int DataRunOffsetByteCount = ((bytes[i] & 0xF0) >> 4);

The maximum integer in C# is 2,147,483,647 (2 GiB).

Hypothesis: We probably run into an overflow somewhere along these lines.

Changing the datatype is not trivial due to dependencies in subsequent methods.
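The overflow scenario described above, as an added example that is not code from PowerForensics or from the PR author: a minimal NTFS data run decoder in C# that keeps cluster counts, LCNs and byte lengths in 64-bit `long` variables and uses `checked` arithmetic, so a file larger than 2 GiB is sized correctly and any remaining overflow throws instead of silently truncating the read. The type and method names, the sample run bytes and the 4096-byte cluster size are constructed assumptions for the example.

```csharp
using System;
using System.Collections.Generic;

// Added example (not PowerForensics code): one decoded NTFS data run.
public sealed class DataRunEntry
{
    public long ClusterCount;   // run length in clusters (64-bit, not int)
    public long StartCluster;   // absolute LCN, resolved from the relative offset
    public bool IsSparse;       // offset byte count == 0 marks a sparse run

    // checked: overflow throws rather than wrapping to a negative length
    public long ByteLength(long bytesPerCluster) => checked(ClusterCount * bytesPerCluster);
}

public static class DataRunDecoder
{
    // Each run: header byte (low nibble = length field size, high nibble = offset
    // field size), then the length (little-endian, unsigned), then the offset
    // (little-endian, signed, relative to the previous run's start LCN).
    // A header byte of 0x00 terminates the list.
    public static List<DataRunEntry> Decode(byte[] bytes, int offset)
    {
        var runs = new List<DataRunEntry>();
        long previousLcn = 0;
        int i = offset;

        while (i < bytes.Length && bytes[i] != 0x00)
        {
            int lengthByteCount = bytes[i] & 0x0F;
            int offsetByteCount = (bytes[i] & 0xF0) >> 4;
            i++;

            long clusterCount = ReadUnsignedLe(bytes, i, lengthByteCount);
            i += lengthByteCount;

            var entry = new DataRunEntry { ClusterCount = clusterCount };
            if (offsetByteCount == 0)
            {
                entry.IsSparse = true;           // no on-disk clusters for this run
            }
            else
            {
                long relative = ReadSignedLe(bytes, i, offsetByteCount);
                i += offsetByteCount;
                previousLcn += relative;
                entry.StartCluster = previousLcn;
            }
            runs.Add(entry);
        }
        return runs;
    }

    // Sum of all run lengths in bytes, accumulated in a checked long.
    public static long TotalBytes(List<DataRunEntry> runs, long bytesPerCluster)
    {
        long total = 0;
        foreach (var run in runs)
            total = checked(total + run.ByteLength(bytesPerCluster));
        return total;
    }

    private static long ReadUnsignedLe(byte[] b, int start, int count)
    {
        if (count > 8) throw new FormatException("data run field wider than 8 bytes");
        long value = 0;
        for (int k = count - 1; k >= 0; k--)
            value = (value << 8) | b[start + k];
        return value;
    }

    private static long ReadSignedLe(byte[] b, int start, int count)
    {
        long value = ReadUnsignedLe(b, start, count);
        int shift = 64 - count * 8;              // sign-extend from 'count' bytes
        return (value << shift) >> shift;
    }

    public static void Main()
    {
        // Constructed sample run list (not from a real volume):
        //   run 1: 0x80000 clusters starting at LCN 0x1000
        //   run 2: 0x100 clusters at LCN 0x1000 + 0x80010 = 0x81010
        byte[] sample =
        {
            0x23, 0x00, 0x00, 0x08, 0x00, 0x10,        // header 0x23: 3 length bytes, 2 offset bytes
            0x32, 0x00, 0x01, 0x10, 0x00, 0x08,        // header 0x32: 2 length bytes, 3 offset bytes
            0x00                                       // end of list
        };
        const long bytesPerCluster = 4096;             // assumed cluster size

        var runs = Decode(sample, 0);
        long total = TotalBytes(runs, bytesPerCluster); // 2,148,532,224 bytes, above int.MaxValue
        Console.WriteLine($"{runs.Count} runs, {total} bytes");

        // The same first run sized in 32-bit int arithmetic wraps negative,
        // which is the kind of truncation that stops a read short of the file's end.
        int wrapped = unchecked(0x80000 * 4096);
        Console.WriteLine($"int arithmetic gives {wrapped}");
    }
}
```

The decoder mirrors the nibble split quoted from `GetInstances` above, but every value derived from those nibbles is widened to `long` before any multiplication by the cluster size; in the original, keeping the offsets and lengths in `int` is exactly where a file above 2 GiB can wrap and end the iteration early.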

jpohls1 commented 2 years ago

Sorry this was not supposed to be opened yet.