sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Ext4 filesystem parsing issue in Autopsy 4.18.0-TSK 4.10.2-RELEASE (results are consistent in sleuthkit command line v 4.6.7) #7033

Open swappage opened 3 years ago

swappage commented 3 years ago

Hello, I'm having a pretty serious consistency problem when analyzing an ext4 filesystem from a Samsung S7 Edge Android device's internal eMMC storage.

Information about the software versions used:

The symptom is that certain files' sizes and contents are wrongly returned by Autopsy, and the content is therefore not parsed properly. I noticed it because I suspected something was wrong with some WhatsApp database files that I knew for sure were filled with data, while the size reported by Autopsy itself was 0 bytes allocated.

image

As you can see in the image, the msgstore.db file is 0 bytes in size.

This looked very strange, so I double-checked using fls from The Sleuth Kit, and here is the result:

image

As you can see, the file size is different. The ones from TSK are correct: I can export the allocated file and parse it properly, while Autopsy fails.

I'm very worried that this problem can also affect other files on the same image, but I can't know for sure.

Here is the information returned about the partition by fsstat:

--------------------------------------------
File System Type: Ext4
Volume Name:
Volume ID: <REDACTED>

Last Written at: 2021-06-03 10:45:37 (CEST)
Last Checked at: 2020-06-14 22:35:46 (CEST)

Last Mounted at: 2021-06-03 10:15:22 (CEST)
Unmounted properly
Last mounted on: /data

Source OS: Linux
Dynamic Structure
Compat Features: Journal, Ext Attributes,
InCompat Features: Filetype, Extents, Flexible Block Groups,
Read Only Compat Features: Sparse Super, Large File,

Journal ID: 00
Journal Inode: 8

And here is the information returned by Autopsy; at a glance they look the same:

image

Unfortunately I cannot share the image as this is real evidence, which is why I know this might be VERY problematic to troubleshoot.

swappage commented 3 years ago

A quick update: I've made the same test using the Sleuth Kit Windows binaries 4.10.2 and the results are correct (same as with 4.6.7), so I wonder if this is in any way related to a filesystem parsing issue or something more Autopsy-related.