sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

ewf_image_read error treated as non-critical image error #84

Open kefir- opened 12 years ago

kefir- commented 12 years ago

This may be a policy decision, but when I added an EWF image and something failed, I was informed:

*Image added (non-critical image errors encountered). Click below to view the Add Image Log.*

I opened the image log, and it says:

Errors occurred while ingesting image

  1. Error reading image file (ewf_image_read - offset: 186271182848 - len: 65536 - Results too large) (TskAutoDb::addFsInfoUnalloc: error walking fs unalloc blocks: fs id: XXXXXX)

kefir- commented 12 years ago

Also, in case it makes a difference, processing of this image (add image, not ingest) had been working for about 2.5 hours already at this stage. It was reading data until this error occurred, according to Windows Process Explorer's process tab and network tab. Image was read from a (usually fast) CIFS share.

adam-m commented 11 years ago

This may have been fixed. I saw similar issues when there were leaks in the add image code.

bcarrier commented 11 years ago

We should review if we classify this type of read failure as critical or not though. There are some types of read failures -- from deleted files for example that point to beyond the disk image -- that we do not classify as critical. Unallocated space extraction though should be considered critical because it should be within the bounds of the image.