search

Lazza / RecuperaBit

A tool for forensic file system reconstruction.
GNU General Public License v3.0
534 stars 75 forks source link

Function best_name crashes while sorting entries #110

Closed Aztec03hub closed 12 months ago

Aztec03hub commented 2 years ago

Hello, I'm quite interested in how powerful RecuperaBit appears.

I have a 2TB NTFS drive, which was given to me in a failed state (with the complete PC). The drive was originally in a RAID, although I'm uncertain as to which kind.

I was unable to obtain much information pertaining to what was done to the drive before it was fielded to me, other than someone trying to rebuild the RAID the drives were part of.

(On the actual affected machine) I was able to start Ubuntu 22.04 from a Live USB, and used ddrescue to create an image of the failed drive, using: sudo ddrescue /dev/sdb /media/aztec/iODD/test-recovery/copy.img /media/aztec/iODD/test-recovery/status.log

(The iODD is my external device - with 4TB space - which I used to save the "copy.img" onto.)

Following @Lazza 's instructions here, I was able to get the image to begin scanning by RecuperaBit... However, after quite a bit of time, riiiiight at the end of the scan, it outputs the following:

INFO:root:Found NTFS index record at sector 3512960696
INFO:root:Found NTFS index record at sector 3513125936
INFO:root:Found NTFS index record at sector 3513125944
INFO:root:Found NTFS boot sector at sector 3513184255
INFO:root:Found NTFS boot sector at sector 3513184511
INFO:root:First scan completed
INFO:root:Saving results to /media/aztec/iODD/lockheed/recovery/recuperasavefile.save
INFO:root:Parsing MFT entries
ERROR:root:Cannot handle multiple attribute $STANDARD_INFORMATION
ERROR:root:Cannot handle multiple attribute $STANDARD_INFORMATION
ERROR:root:Cannot handle multiple attribute $STANDARD_INFORMATION
ERROR:root:Cannot handle multiple attribute $STANDARD_INFORMATION
Traceback (most recent call last):
  File "/media/aztec/iODD/drive recovery tools/RecuperaBit-master/main.py", line 374, in <module>
    main()
  File "/media/aztec/iODD/drive recovery tools/RecuperaBit-master/main.py", line 357, in main
    parts.update(scanner.get_partitions())
  File "/media/aztec/iODD/drive recovery tools/RecuperaBit-master/recuperabit/fs/ntfs.py", line 716, in get_partitions
    part.add_file(NTFSFile(parsed, position))
  File "/media/aztec/iODD/drive recovery tools/RecuperaBit-master/recuperabit/fs/ntfs.py", line 291, in __init__
    name = best_name([
  File "/media/aztec/iODD/drive recovery tools/RecuperaBit-master/recuperabit/fs/ntfs.py", line 61, in best_name
    entries.sort()
TypeError: '<' not supported between instances of 'NoneType' and 'int'
aztec@omron:/media/aztec/iODD/drive recovery tools/RecuperaBit-master$

I am uncertain as to how to handle this, and any help would be greatly appreciated.

If any further info is required, just let me know, and I'll do my best to provide it.

Lazza commented 2 years ago

Can you please try to replace this block: https://github.com/Lazza/RecuperaBit/blob/728e978e459463e259bacca18d8a13a66241f309/recuperabit/fs/ntfs.py#L291-L294

With this code?

        candidates = [
            (f['content']['namespace'], f['content']['name'] + ads_suffix)
            for f in filtered
        ]
        print(candidates)
        name = best_name(candidates)

Then re-run the program. It will give the same error but it should also print some useful information.

Lazza commented 12 months ago

Unfortunately, this cannot be reproduced.