Open Erik-White opened 1 month ago
Thank you for the analysis. This is great. Do you see any solution other than reading the entire drive and then removing any allocated file from the list of unallocated files if it happens to be there?
Sorry, I don't know enough about how Sleuthkit indexes files to offer any alternatives. That said, it sounds like a reasonable solution.
It probably needs to be done in Autopsy, not in TSK. This ticket will be moved there.
I have an E01 disk image of an exFAT formatted volume: LIN-exFAT.zip
Note that there is only one JPEG file on the volume:
\IX 01\Freaston\Madison\Madison\Madison\[PHOTOS]\03\049.jpg
But Sleuthkit reports the existence of two files:
Potential reason for this discrepancy:
There is a deleted folder on the volume:
\IX 01\Vikush\P2\WBC.01-100.P2\
In the parent folder for the live Freaston folder, the first cluster is recorded as 1,625 stored as 0x59 0x06 (little endian) on disk in the folder structure.
In the parent folder for the deleted WBC.01-100.P2 folder, its first cluster is also 1,625. That is, the Freaston folder was created after WBC.01-100.P2 and happened to be stored at the same physical location on the volume as the previously deleted WBC.01-100.P2. Sleuthkit is mistakenly identifying both folders as the parent of the first Madison folder, and continues from that point downwards so that it appears that they both also contain 049.jpg.
Screenshot from Autopsy that shows the same problem:
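To make the cluster-reuse situation from this report concrete, here is an added example (not Sleuthkit or Autopsy code, and not the reporter's). It constructs exFAT directory data in which a live Freaston folder and a deleted WBC.01-100.P2 folder both record first cluster 1625, parses the entry sets, and applies the volume-wide rule discussed in the thread: index every directory on the volume first, then refuse to descend into a deleted directory whose first cluster is owned by an allocated entry, because the children found there belong to the live directory. The entry layout follows the exFAT specification (32-byte entries, type-byte bit 7 = in use, 0x85 file entry with attributes at offset 4, 0xC0 stream extension with FirstCluster as a 4-byte little-endian value at offset 20, 0xC1 name extension); the paths, the second cluster numbers, the `old.txt` entry and all helper functions are constructed for the example, and checksums and timestamps are left zero.

```python
"""Added example, not Sleuthkit or Autopsy code: parse constructed exFAT
directory data and detect a deleted directory entry whose first cluster has
been reused by a live entry, so a tree walker does not attribute the live
subtree (049.jpg in the report) to both directories."""
import struct

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10


def build_entry_set(name, first_cluster, is_dir, in_use):
    """Construct a minimal File (0x85) + Stream (0xC0) + FileName (0xC1) set.
    Checksum and timestamps are left zero; a real volume fills them in."""
    live = 0x80 if in_use else 0x00            # bit 7 cleared when deleted
    attrs = ATTR_DIRECTORY if is_dir else 0
    file_entry = struct.pack("<BBHH", 0x05 | live, 2, 0, attrs).ljust(ENTRY_SIZE, b"\0")
    stream = bytearray(ENTRY_SIZE)
    stream[0] = 0x40 | live
    stream[3] = len(name)                       # NameLength
    struct.pack_into("<I", stream, 20, first_cluster)   # 1625 -> 59 06 00 00
    name_entry = bytearray(ENTRY_SIZE)
    name_entry[0] = 0x41 | live
    name_entry[2:32] = name.encode("utf-16-le").ljust(30, b"\0")  # 15 UTF-16 chars
    return file_entry + bytes(stream) + bytes(name_entry)


def parse_directory(data):
    """Return one dict per File entry set (live or deleted) in a directory."""
    entries, i = [], 0
    while i + ENTRY_SIZE <= len(data):
        etype = data[i]
        if etype == 0x00:                       # end-of-directory marker
            break
        if etype & 0x7F != 0x05:                # not a File entry: skip it
            i += ENTRY_SIZE
            continue
        secondary_count = data[i + 1]
        attrs = struct.unpack_from("<H", data, i + 4)[0]
        stream = data[i + ENTRY_SIZE:i + 2 * ENTRY_SIZE]
        name_len = stream[3]
        first_cluster = struct.unpack_from("<I", stream, 20)[0]
        raw_name = b"".join(
            data[i + k * ENTRY_SIZE + 2:i + (k + 1) * ENTRY_SIZE]
            for k in range(2, secondary_count + 1))
        entries.append({
            "name": raw_name.decode("utf-16-le")[:name_len],
            "first_cluster": first_cluster,
            "is_dir": bool(attrs & ATTR_DIRECTORY),
            "in_use": bool(etype & 0x80),
        })
        i += (1 + secondary_count) * ENTRY_SIZE
    return entries


def index_volume(directories):
    """directories: {parent_path: raw directory bytes} for the whole volume
    (the 'read the entire drive first' approach).  Returns all parsed
    entries with full paths plus the set of first clusters owned by live
    entries."""
    entries, live_clusters = [], set()
    for parent, data in directories.items():
        for e in parse_directory(data):
            e["path"] = parent.rstrip("\\") + "\\" + e["name"]
            entries.append(e)
            if e["in_use"]:
                live_clusters.add(e["first_cluster"])
    return entries, live_clusters


def walkable_dirs(entries, live_clusters):
    """Directories a walker may descend into under their own name.  A deleted
    directory whose first cluster now belongs to a live entry is skipped: the
    cluster was reallocated, so its contents are the live directory's."""
    out = []
    for e in entries:
        if not e["is_dir"]:
            continue
        if not e["in_use"] and e["first_cluster"] in live_clusters:
            continue
        out.append(e["path"])
    return out


# Constructed sample mirroring the report: live Freaston and deleted
# WBC.01-100.P2 both record first cluster 1625 in different parent folders.
SAMPLE_VOLUME = {
    "\\IX 01": build_entry_set("Freaston", 1625, True, True)
              + build_entry_set("Vikush", 2100, True, True),
    "\\IX 01\\Vikush\\P2": build_entry_set("WBC.01-100.P2", 1625, True, False)
                           + build_entry_set("old.txt", 3000, False, False),
}


def demo():
    entries, live = index_volume(SAMPLE_VOLUME)
    return walkable_dirs(entries, live)


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Running it lists only `\IX 01\Freaston` and `\IX 01\Vikush`; the deleted WBC.01-100.P2 entry is still reported as a deleted directory entry, but its subtree is not walked, so 049.jpg appears once. A per-directory check would not catch this case, since the two entries live in different parent folders; the index has to cover the whole volume before any deleted directory is descended into.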