thewhiteninja / ntfstool

Forensics tool for NTFS (parser, mft, bitlocker, deleted files)
MIT License

Usn operation error : Invalid read file size #5

Closed goldenscale closed 2 years ago

goldenscale commented 2 years ago

commit: af24822b

OS:Version Microsoft Windows 10 LTSC : 10.0.17763

cmd:

    I:\>ntfstool.x64.exe usn disk=2 volume=4 output=usn.json format=json
    USN Journals from \\.\PhysicalDrive2 > Volume:4

    [+] Opening \\?\Volume{XXXXXXX-XXXX-XXXX}\
    [+] Finding $Extend\$UsnJrnl record
    [+] Found in file record : 69279
    [+] Data stream $J size : 11.16 GiBs
    [+] Reading $J
    [!] Invalid read file size

    [+] Closing volume

Debug: in thewhiteninja_ntfstool\Sources\NTFS\ntfs_mft_record.cpp line: 578

         std::shared_ptr extRecordHeader = _mft->record_from_number(pAttrListI->recordNumber & 0xffffffffffff);

         if (is_first_data)
         {
            filesize_left = extRecordHeader->datasize();
            is_first_data = false;
         }

... extRecordHeader->datasize() returns 0

thewhiteninja commented 2 years ago

Nice catch! For some big files, there are 2 or more $data attributes and I only read the first one. I will fix it soon 👍

thewhiteninja commented 2 years ago

It should be fixed in 04df5cca1067cd67a01a241778740758a25fefc5
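
The case described in this thread is a stream whose $DATA attribute is spread over several MFT records listed in $ATTRIBUTE_LIST. The added example below (not ntfstool's code and not the fix in the commit above) parses a raw attribute list and returns the extents of one named stream in VCN order, so that the size is taken from the extent starting at VCN 0 and every later extent is still read. The function names, the sample bytes, the VCN 0x200000 and the record numbers 70001 and 70002 are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
struct ListEntry { uint32_t type; std::u16string name; uint64_t start_vcn, record; };

uint64_t rd(const Bytes& b, size_t off, size_t n) {  // bounds-checked little-endian read of n bytes
    if (off > b.size() || n > b.size() - off) throw std::runtime_error("truncated attribute list");
    uint64_t v = 0; while (n--) v = (v << 8) | b[off + n]; return v;
}
// Raw $ATTRIBUTE_LIST value: type@0, entry length@4, name length@6, name offset@7, start VCN@8, file ref@16.
std::vector<ListEntry> parse_attribute_list(const Bytes& b) {
    std::vector<ListEntry> out;
    for (size_t off = 0; off < b.size();) {
        size_t len = rd(b, off + 4, 2), nlen = rd(b, off + 6, 1), noff = rd(b, off + 7, 1);
        if (len < 26 || len > b.size() - off || noff + 2 * nlen > len) throw std::runtime_error("bad entry");
        ListEntry e{uint32_t(rd(b, off, 4)), {}, rd(b, off + 8, 8),
                    rd(b, off + 16, 8) & 0xffffffffffff};  // low 48 bits = MFT record number
        for (size_t k = 0; k < nlen; ++k) e.name.push_back(char16_t(rd(b, off + noff + 2 * k, 2)));
        out.push_back(e); off += len;
    }
    return out;
}
// Extents of one named $DATA (type 0x80) stream in VCN order; front() is the extent starting at VCN 0.
std::vector<ListEntry> data_extents(const std::vector<ListEntry>& all, const std::u16string& stream) {
    std::vector<ListEntry> ext;
    for (const auto& e : all) if (e.type == 0x80 && e.name == stream) ext.push_back(e);
    std::sort(ext.begin(), ext.end(), [](const auto& a, const auto& b) { return a.start_vcn < b.start_vcn; });
    if (ext.empty() || ext.front().start_vcn != 0) throw std::runtime_error("no extent at VCN 0");
    return ext;
}
// Sample builder: append one entry (attribute id 0, sequence number 1 in the top 16 bits of the file reference).
void add_entry(Bytes& b, uint32_t type, const std::u16string& name, uint64_t vcn, uint64_t rec) {
    size_t off = b.size(), len = (26 + 2 * name.size() + 7) & ~size_t{7};  // entries are 8-byte aligned
    b.resize(off + len);
    auto wr = [&](size_t at, uint64_t v, size_t n) { while (n--) { b[off + at++] = uint8_t(v); v >>= 8; } };
    wr(0, type, 4); wr(4, len, 2); wr(6, name.size(), 1); wr(7, 26, 1);
    wr(8, vcn, 8); wr(16, rec | (uint64_t{1} << 48), 8);
    for (size_t k = 0; k < name.size(); ++k) wr(26 + 2 * k, name[k], 2);
}
Bytes sample_list() {  // constructed: 69279 is the record from the issue, 70001 and 70002 are made up
    Bytes b;
    add_entry(b, 0x80, u"$J", 0, 70001);         // first extent of $J
    add_entry(b, 0x80, u"$J", 0x200000, 70002);  // continuation extent of $J
    add_entry(b, 0x80, u"$Max", 0, 69279);       // separate small stream
    return b;
}
```

A reader built on this would take the stream size from the $DATA header in `data_extents(...).front().record` and then read the data runs of each returned record in order.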

goldenscale commented 2 years ago

Fast and very productive work! It works very well! Thank you for your hard work and help!

goldenscale commented 2 years ago

I will continue to pay attention to this project! Hope it becomes more and more successful!