Velocidex / go-ntfs

An NTFS file parser in Go
Apache License 2.0

MFT entries are not found if the MFT overflows $DATA into $ATTRIBUTE_LIST #69

Closed mappu closed 1 year ago

mappu commented 1 year ago

Hi, thanks so much for this project, it's incredibly useful.

I have an NTFS disk image where the MFT is sufficiently large and fragmented, such that all the extents are not immediately in the $DATA attribute. The $DATA attribute contains only a single extent (4 long x cluster size 4096 / MFT entry size 1024 = 16 MFT IDs) and the rest of the MFT IDs have overflowed into the $ATTRIBUTE_LIST (0x20).

Go-ntfs is only able to read MFT IDs up to 16. However, the NTFS implementation in Sleuthkit handles this edge case and is able to see all the files inside this disk image. It checks the $ATTRIBUTE_LIST, finds an additional $DATA run, and treats it as a continuation of the first short $DATA run.

In this case when reading the MFT, go-ntfs should also check if the $ATTRIBUTE_LIST contains an additional $DATA attribute, and add it to the runs in the reader, probably somewhere near https://github.com/Velocidex/go-ntfs/blob/master/parser/mft.go#L466 . There is already support in go-ntfs for parsing the $ATTRIBUTE_LIST but it just doesn't seem to be applied in this particular case.

I can confirm this issue on both v0.1.1 and master (b97c856cb140e6c05c63455fd543c882e205819b).

scudette commented 1 year ago

Thanks for reporting this. I think I heard of this problem before as well for a disk found in the wild but it could not be shared.

Do you have a reliable way to reproduce such a condition?

scudette commented 1 year ago

Ok I was able to replicate this issue. I used the following test program to create many files on the disk:

package main

import (
    "fmt"
    "os"
)

func main() {
    max_files := 65534
    buff := make([]byte, 500)

    fmt.Printf("Writing files of size %v\n", len(buff))

    // A maximum number of files in a single directory
    for j := 0; j < max_files; j++ {
        dirname := fmt.Sprintf("./Directory %v", j)
        err := os.Mkdir(dirname, 0777)
        if err != nil {
            panic(err)
        }

        fmt.Printf("Creating %v files in %v\n", max_files, dirname)
        for i := 0; i < max_files; i++ {
            filename := fmt.Sprintf("test%06d.txt", i)
            fd, err := os.OpenFile(dirname+"/"+filename,
                os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0660)
            if err != nil {
                os.Exit(-1)
            }

            // Make file resident
            fd.Write([]byte(buff))
            fd.Close()
        }
    }
}

Initially I made the files 20kb, which forced them all to be created non-resident. I then filled the disk. The new files caused the MFT to grow. I then deleted some of these files and switched to writing 500-byte files. The 500-byte files were all resident, which means that all data was now stored in the MFT and the MFT was the only thing growing. Because most of the old files were still there, the MFT had to become very fragmented. By keeping the free disk small and writing resident files I can force the MFT to grow to a huge size.

Using tsk's istat I can see the $DATA stream is split across attributes:

$ATTRIBUTE_LIST Attribute Values:
Type: 16-0      MFT Entry: 0    VCN: 0
Type: 48-3      MFT Entry: 0    VCN: 0
Type: 128-6     MFT Entry: 0    VCN: 0
Type: 128-0     MFT Entry: 15   VCN: 1604054
Type: 176-0     MFT Entry: 16   VCN: 0
Type: 176-0     MFT Entry: 17   VCN: 192

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $ATTRIBUTE_LIST (32-7)   Name: N/A   Non-Resident   size: 192  init_size: 192
  Staring address: 13259686, length: 1
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 74
Type: $DATA (128-6)   Name: N/A   Non-Resident   size: 7003963392  init_size: 7003963392
  Staring address: 786432, length: 51232
  Staring address: 3655387, length: 51286
  Staring address: 6866774, length: 51327
  Staring address: 8950058, length: 51649
  Staring address: 9869303, length: 52178
  Staring address: 7928311, length: 54509
  Staring address: 9554898, length: 54411
  Staring address: 7789667, length: 116800
  Staring address: 8234950, length: 102208
  Staring address: 8337270, length: 51210
  Staring address: 2502427, length: 51205
  Staring address: 12494949, length: 51227
  Staring address: 6975639, length: 51209
  Staring address: 7191088, length: 51216
  Staring address: 12896106, length: 51222
  Staring address: 13027445, length: 51211
  Staring address: 13305128, length: 51224
  Staring address: 13581134, length: 51218
  Staring address: 13862004, length: 51212
  Staring address: 14135458, length: 51230
  Staring address: 14413462, length: 51210
  Staring address: 14689732, length: 51228
  Staring address: 14966333, length: 51203
  Staring address: 15243662, length: 51218
  Staring address: 15519776, length: 10336
  Staring address: 13745939, length: 16593
  Staring address: 13698530, length: 16039
  Staring address: 13838949, length: 13677
  Staring address: 13934597, length: 9431
  Staring address: 13726456, length: 8929
  Staring address: 13818066, length: 8848
  Staring address: 13691689, length: 6706
  Staring address: 13923911, length: 6054
  Staring address: 13772310, length: 5470
  Staring address: 13798934, length: 5267
  Staring address: 13958125, length: 5072
  Staring address: 13777879, length: 4995
  Staring address: 13951756, length: 4836
  Staring address: 13813328, length: 4662
  Staring address: 13788035, length: 4638
  Staring address: 13721924, length: 4531
  Staring address: 13930050, length: 4461
  Staring address: 13741268, length: 4137
  Staring address: 13782940, length: 4026
  Staring address: 13795055, length: 3878
  Staring address: 13947092, length: 3848
  Staring address: 13831550, length: 3627
  Staring address: 13827042, length: 3098
  Staring address: 13717609, length: 2708
  Staring address: 13974702, length: 2565
  Staring address: 9844131, length: 2489
  Staring address: 8723635, length: 2364
  Staring address: 9955626, length: 2316
  Staring address: 14084653, length: 2313
  Staring address: 9851182, length: 2254
  Staring address: 9857997, length: 2253
  Staring address: 8730562, length: 2253
  Staring address: 9830504, length: 2252
  Staring address: 14036636, length: 2248
  Staring address: 14002153, length: 2247
  Staring address: 8719000, length: 2225
  Staring address: 13963261, length: 2222
  Staring address: 13917257, length: 2219
  Staring address: 9837318, length: 2217
  Staring address: 9860378, length: 2216
  Staring address: 13965555, length: 2209
  Staring address: 13735467, length: 2197
  Staring address: 8714395, length: 2191
  Staring address: 9839663, length: 2189
  Staring address: 13972361, length: 2178
  Staring address: 13852733, length: 2178
  Staring address: 13792801, length: 2176
  Staring address: 13993016, length: 2174
  Staring address: 13857122, length: 2169
  Staring address: 14093882, length: 2167
  Staring address: 12851709, length: 2167
  Staring address: 14029844, length: 2166
  Staring address: 8716714, length: 2158
  Staring address: 14054997, length: 2156
  Staring address: 13999870, length: 2155
  Staring address: 8707544, length: 2155
  Staring address: 8721353, length: 2154
  Staring address: 14082373, length: 2152
  Staring address: 8700854, length: 2152
  Staring address: 13811071, length: 2151
  Staring address: 14077753, length: 2149
  Staring address: 9862722, length: 2148
  Staring address: 9835042, length: 2148
  Staring address: 8726127, length: 2148
  Staring address: 9855722, length: 2147
  Staring address: 13986183, length: 2146
  Staring address: 12954390, length: 2146
  Staring address: 14041234, length: 2140
  Staring address: 13983853, length: 2138
  Staring address: 13981482, length: 2132
  Staring address: 9864998, length: 2131
  Staring address: 14087094, length: 2130
  Staring address: 8703134, length: 2130
  Staring address: 14080116, length: 2129
  Staring address: 8709827, length: 2129
  Staring address: 14043572, length: 2127
  Staring address: 13915119, length: 2124
  Staring address: 14009811, length: 3179
  Staring address: 14209372, length: 2355
  Staring address: 14006770, length: 2260
  Staring address: 13979300, length: 2182
  Staring address: 13714777, length: 2092
  Staring address: 14064285, length: 2089
  Staring address: 14039012, length: 2086
  Staring address: 12949730, length: 2082
  Staring address: 13990610, length: 2080
  Staring address: 13970247, length: 2080
  Staring address: 14073388, length: 2078
  Staring address: 13988417, length: 2073
  Staring address: 14214134, length: 2052
  Staring address: 9867257, length: 2046
  Staring address: 13944985, length: 2044
  Staring address: 14018261, length: 2041
  Staring address: 14013779, length: 2035
  Staring address: 13855019, length: 2034
  Staring address: 14022848, length: 2032
  Staring address: 14059750, length: 2031
  Staring address: 8728403, length: 2031
  Staring address: 9853564, length: 2030
  Staring address: 9832884, length: 2030
  Staring address: 14089352, length: 2027
  Staring address: 9849029, length: 2025
  Staring address: 8705392, length: 2024
  Staring address: 13859377, length: 2002
  Staring address: 14068830, length: 1982
  Staring address: 14015926, length: 1965
  Staring address: 14220949, length: 1935
  Staring address: 12849658, length: 1923
  Staring address: 12952391, length: 1871
  Staring address: 14032320, length: 1844
  Staring address: 14207025, length: 1809
  Staring address: 14071380, length: 1809
  Staring address: 13913216, length: 1595

And I can compare with the output of the runs command:

f:\ntfs.exe runs \\.\c: 0
 0 MappedReader: FileOffset 0 -> DiskOffset 0 (Length 6692536320,  Cluster 1) Delegate *parser.RangeReader
  1 MappedReader: FileOffset 0 -> DiskOffset 9835042 (Length 2148,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 2148 -> DiskOffset 8726127 (Length 2148,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 4296 -> DiskOffset 9855722 (Length 2147,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 6443 -> DiskOffset 13986183 (Length 2146,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 8589 -> DiskOffset 12954390 (Length 2146,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 10735 -> DiskOffset 14041234 (Length 2140,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 12875 -> DiskOffset 13983853 (Length 2138,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 15013 -> DiskOffset 13981482 (Length 2132,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 17145 -> DiskOffset 9864998 (Length 2131,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 19276 -> DiskOffset 14087094 (Length 2130,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 21406 -> DiskOffset 8703134 (Length 2130,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 23536 -> DiskOffset 14080116 (Length 2129,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 25665 -> DiskOffset 8709827 (Length 2129,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 27794 -> DiskOffset 14043572 (Length 2127,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 29921 -> DiskOffset 13915119 (Length 2124,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 32045 -> DiskOffset 14009811 (Length 3179,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 35224 -> DiskOffset 14209372 (Length 2355,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 37579 -> DiskOffset 14006770 (Length 2260,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 39839 -> DiskOffset 13979300 (Length 331,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 40170 -> DiskOffset 786432 (Length 51232,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 91402 -> DiskOffset 3655387 (Length 51286,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 142688 -> DiskOffset 6866774 (Length 51327,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 194015 -> DiskOffset 8950058 (Length 51649,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 245664 -> DiskOffset 9869303 (Length 52178,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 297842 -> DiskOffset 7928311 (Length 54509,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 352351 -> DiskOffset 9554898 (Length 54411,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 406762 -> DiskOffset 7789667 (Length 116800,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 523562 -> DiskOffset 8234950 (Length 102208,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 625770 -> DiskOffset 8337270 (Length 51210,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 676980 -> DiskOffset 2502427 (Length 51205,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 728185 -> DiskOffset 12494949 (Length 51227,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 779412 -> DiskOffset 6975639 (Length 51209,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 830621 -> DiskOffset 7191088 (Length 51216,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 881837 -> DiskOffset 12896106 (Length 51222,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 933059 -> DiskOffset 13027445 (Length 51211,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 984270 -> DiskOffset 13305128 (Length 51224,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1035494 -> DiskOffset 13581134 (Length 51218,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1086712 -> DiskOffset 13862004 (Length 51212,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1137924 -> DiskOffset 14135458 (Length 51230,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1189154 -> DiskOffset 14413462 (Length 51210,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1240364 -> DiskOffset 14689732 (Length 51228,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1291592 -> DiskOffset 14966333 (Length 51203,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1342795 -> DiskOffset 15243662 (Length 51218,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1394013 -> DiskOffset 15519776 (Length 10336,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1404349 -> DiskOffset 13745939 (Length 16593,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1420942 -> DiskOffset 13698530 (Length 16039,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1436981 -> DiskOffset 13838949 (Length 13677,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1450658 -> DiskOffset 13934597 (Length 9431,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1460089 -> DiskOffset 13726456 (Length 8929,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1469018 -> DiskOffset 13818066 (Length 8848,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1477866 -> DiskOffset 13691689 (Length 6706,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1484572 -> DiskOffset 13923911 (Length 6054,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1490626 -> DiskOffset 13772310 (Length 5470,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1496096 -> DiskOffset 13798934 (Length 5267,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1501363 -> DiskOffset 13958125 (Length 5072,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1506435 -> DiskOffset 13777879 (Length 4995,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1511430 -> DiskOffset 13951756 (Length 4836,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1516266 -> DiskOffset 13813328 (Length 4662,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1520928 -> DiskOffset 13788035 (Length 4638,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1525566 -> DiskOffset 13721924 (Length 4531,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1530097 -> DiskOffset 13930050 (Length 4461,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1534558 -> DiskOffset 13741268 (Length 4137,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1538695 -> DiskOffset 13782940 (Length 4026,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1542721 -> DiskOffset 13795055 (Length 3878,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1546599 -> DiskOffset 13947092 (Length 3848,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1550447 -> DiskOffset 13831550 (Length 3627,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1554074 -> DiskOffset 13827042 (Length 3098,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1557172 -> DiskOffset 13717609 (Length 2708,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1559880 -> DiskOffset 13974702 (Length 2565,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1562445 -> DiskOffset 9844131 (Length 2489,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1564934 -> DiskOffset 8723635 (Length 2364,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1567298 -> DiskOffset 9955626 (Length 2316,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1569614 -> DiskOffset 14084653 (Length 2313,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1571927 -> DiskOffset 9851182 (Length 2254,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1574181 -> DiskOffset 9857997 (Length 2253,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1576434 -> DiskOffset 8730562 (Length 2253,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1578687 -> DiskOffset 9830504 (Length 2252,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1580939 -> DiskOffset 14036636 (Length 2248,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1583187 -> DiskOffset 14002153 (Length 2247,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1585434 -> DiskOffset 8719000 (Length 2225,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1587659 -> DiskOffset 13963261 (Length 2222,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1589881 -> DiskOffset 13917257 (Length 2219,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1592100 -> DiskOffset 9837318 (Length 2217,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1594317 -> DiskOffset 9860378 (Length 2216,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1596533 -> DiskOffset 13965555 (Length 2209,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1598742 -> DiskOffset 13735467 (Length 2197,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1600939 -> DiskOffset 8714395 (Length 2191,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1603130 -> DiskOffset 9839663 (Length 2189,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1605319 -> DiskOffset 13972361 (Length 2178,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1607497 -> DiskOffset 13852733 (Length 2178,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1609675 -> DiskOffset 13792801 (Length 2176,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1611851 -> DiskOffset 13993016 (Length 2174,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1614025 -> DiskOffset 13857122 (Length 2169,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1616194 -> DiskOffset 14093882 (Length 2167,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1618361 -> DiskOffset 12851709 (Length 2167,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1620528 -> DiskOffset 14029844 (Length 2166,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1622694 -> DiskOffset 8716714 (Length 2158,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1624852 -> DiskOffset 14054997 (Length 2156,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1627008 -> DiskOffset 13999870 (Length 2155,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1629163 -> DiskOffset 8707544 (Length 2155,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1631318 -> DiskOffset 8721353 (Length 2154,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1633472 -> DiskOffset 14082373 (Length 2152,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1635624 -> DiskOffset 8700854 (Length 2152,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1637776 -> DiskOffset 13811071 (Length 2151,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1639927 -> DiskOffset 14077753 (Length 2149,  Cluster 4096) Delegate *parser.PagedReader
  1 MappedReader: FileOffset 1642076 -> DiskOffset 9862722 (Length 2148,  Cluster 4096) Delegate *parser.PagedReader

It is only able to see the first lot of runs in the first VCN.
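
Added example, not part of the thread and not go-ntfs code or the fix in #72: the `128-6` (VCN 0) and `128-0` (VCN 1604054) entries in the `$ATTRIBUTE_LIST` output above are two fragments of one $DATA stream, and a reader has to chain them by starting VCN before it can locate MFT records beyond the first fragment. The types, function names and sample extents below are hypothetical and constructed (sized to match the 4-cluster, 16-record case in the original report), and runlists are assumed to be already decoded.

```go
package main

import (
	"fmt"
	"sort"
)

// Extent is one decoded data run: Length clusters at disk cluster LCN.
type Extent struct{ LCN, Length int64 }

// DataFragment is one $DATA attribute named by an $ATTRIBUTE_LIST entry,
// with its runlist already decoded (hypothetical type for this example).
type DataFragment struct {
	MFTEntry, StartVCN int64
	Runs               []Extent
}

// MappedRun places an extent at its VCN within the whole $MFT stream.
type MappedRun struct{ VCN, LCN, Length int64 }

// mergeDataFragments orders fragments by starting VCN and chains their runs
// into one map, refusing gaps, overlaps and empty or negative runs.
func mergeDataFragments(frags []DataFragment) ([]MappedRun, error) {
	sorted := append([]DataFragment(nil), frags...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].StartVCN < sorted[j].StartVCN })
	var out []MappedRun
	next := int64(0)
	for _, f := range sorted {
		if f.StartVCN != next {
			return nil, fmt.Errorf("MFT entry %d: $DATA starts at VCN %d, want %d",
				f.MFTEntry, f.StartVCN, next)
		}
		for _, r := range f.Runs {
			if r.Length <= 0 || r.LCN < 0 {
				return nil, fmt.Errorf("MFT entry %d: invalid run %+v", f.MFTEntry, r)
			}
			out = append(out, MappedRun{next, r.LCN, r.Length})
			next += r.Length
		}
	}
	return out, nil
}

// recordOffset returns the disk byte offset of MFT record id, or -1 when the
// run map does not cover it.
func recordOffset(runs []MappedRun, id, recordSize, clusterSize int64) int64 {
	off := id * recordSize
	vcn := off / clusterSize
	for _, r := range runs {
		if vcn >= r.VCN && vcn < r.VCN+r.Length {
			return (r.LCN+vcn-r.VCN)*clusterSize + off%clusterSize
		}
	}
	return -1
}

// Constructed sample: a 4-cluster base $DATA in entry 0 and a continuation
// at VCN 4 held in entry 15, listed out of order on purpose.
var sample = []DataFragment{
	{MFTEntry: 15, StartVCN: 4, Runs: []Extent{{1000, 8}, {900, 8}}},
	{MFTEntry: 0, StartVCN: 0, Runs: []Extent{{786432, 4}}},
}

func main() {
	baseOnly, _ := mergeDataFragments(sample[1:])
	merged, err := mergeDataFragments(sample)
	fmt.Println("base only, record 16:", recordOffset(baseOnly, 16, 1024, 4096))
	fmt.Println("merged, record 16:", recordOffset(merged, 16, 1024, 4096), err)
}
```

With only the base fragment, record 16 is unreachable, which matches the symptom in the report; the contiguity check makes a missing or misordered fragment an error instead of a silently truncated MFT.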

msuhanov commented 1 year ago

Another sample is here: https://github.com/msuhanov/ntfs-samples#ntfs_extremely_fragmented_mftraw

scudette commented 1 year ago

This should be fixed by #72 and incorporated into Velociraptor at https://github.com/Velocidex/velociraptor/commit/e9bc30aed32a1da0dcdfac8bcf0fc80898e0ccc9