
ntfs - Error in metadata structure (Error Finding Bitmap Data Attribute)

Open ventz opened this issue 11 years ago • 1 comments

Getting a strange error with a 500GB NTFS HD (using latest source from github, and older versions too).

Here is the mmls:

./mmls -v /dev/sda

tsk_img_open: Type: 0 NumImg: 1 Img1: /dev/sda
tsk_img_findFiles: /dev/sda found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0 size: 500107862016 max offset: 500107862016 path: /dev/sda
dos_load_prim: Table Sector: 0
raw_read: byte offset: 0 len: 65536
raw_read: found in image 0 relative offset: 0 len: 65536
raw_read_segment: opening file into slot 0: /dev/sda
dos_load_prim_table: Testing FAT/NTFS conditions
load_pri:0:0 Start: 2048 Size: 976771072 Type: 7
load_pri:0:1 Start: 0 Size: 0 Type: 0
load_pri:0:2 Start: 0 Size: 0 Type: 0
load_pri:0:3 Start: 0 Size: 0 Type: 0
bsd_load_table: Table Sector: 1
gpt_load_table: Sector: 0
gpt_open: Trying other sector sizes
gpt_open: Trying sector size: 512
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 1024
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 2048
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 4096
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 8192
gpt_load_table: Sector: 0
sun_load_table: Trying sector: 0
sun_load_table: Trying sector: 1
mac_load_table: Sector: 1
mac_load: Missing initial magic value
mac_open: Trying 4096-byte sector size instead of 512-byte
mac_load_table: Sector: 1
mac_load: Missing initial magic value
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0976773119   0976771072   NTFS / exFAT (0x07)
03:  -----   0976773120   0976773167   0000000048   Unallocated

And here is the fls in verbose (error):

./fls -f ntfs -v /dev/sda1

tsk_img_open: Type: 0 NumImg: 1 Img1: /dev/sda1
tsk_img_findFiles: /dev/sda1 found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0 size: 500106788864 max offset: 500106788864 path: /dev/sda1
raw_read: byte offset: 0 len: 65536
raw_read: found in image 0 relative offset: 0 len: 65536
raw_read_segment: opening file into slot 0: /dev/sda1
ntfs_dinode_lookup: Processing MFT 0
raw_read: byte offset: 3221225472 len: 65536
raw_read: found in image 0 relative offset: 3221225472 len: 65536
ntfs_proc_attrseq: Processing extended entry for primary entry 0
ntfs_proc_attrseq: Resident Attribute in Type: 16 Id: 0 IdNew: 0 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 48 Id: 3 IdNew: 3 Name:
ntfs_proc_attrseq: Non-Resident Attribute Type: 128 Id: 1 IdNew: 1 Name: Start VCN: 0
ntfs_make_data_run: Len idx: 0 cur: 128 (80) tot: 128 (80)
ntfs_make_data_run: Len idx: 1 cur: 75 (4b) tot: 19328 (4b80)
ntfs_make_data_run: Off idx: 0 cur: 0 (0) tot: 0 (0)
ntfs_make_data_run: Off idx: 1 cur: 0 (0) tot: 0 (0)
ntfs_make_data_run: Off idx: 2 cur: 12 (c) tot: 786432 (c0000)
ntfs_make_data_run: Signed addr_offset: 786432 Previous address: 0
ntfs_make_data_run: Len idx: 0 cur: 0 (0) tot: 0 (0)
ntfs_make_data_run: Len idx: 1 cur: 11 (b) tot: 2816 (b00)
ntfs_make_data_run: Off idx: 0 cur: 144 (90) tot: 144 (90)
ntfs_make_data_run: Off idx: 1 cur: 70 (46) tot: 18064 (4690)
ntfs_make_data_run: Off idx: 2 cur: 152 (98) tot: 9979536 (984690)
ntfs_make_data_run: Off idx: 3 cur: 0 (0) tot: 9979536 (984690)
ntfs_make_data_run: Signed addr_offset: 9979536 Previous address: 786432
ntfs_make_data_run: Len idx: 0 cur: 128 (80) tot: 128 (80)
ntfs_make_data_run: Len idx: 1 cur: 72 (48) tot: 18560 (4880)
ntfs_make_data_run: Off idx: 0 cur: 132 (84) tot: 132 (84)
ntfs_make_data_run: Off idx: 1 cur: 233 (e9) tot: 59780 (e984)
ntfs_make_data_run: Off idx: 2 cur: 219 (db) tot: 14412164 (dbe984)
ntfs_make_data_run: Signed addr_offset: -2365052 Previous address: 10765968
ntfs_proc_attrseq: Non-Resident Attribute Type: 176 Id: 8 IdNew: 8 Name: Start VCN: 0
ntfs_make_data_run: Len idx: 0 cur: 1 (1) tot: 1 (1)
ntfs_make_data_run: Off idx: 0 cur: 255 (ff) tot: 255 (ff)
ntfs_make_data_run: Off idx: 1 cur: 255 (ff) tot: 65535 (ffff)
ntfs_make_data_run: Off idx: 2 cur: 11 (b) tot: 786431 (bffff)
ntfs_make_data_run: Signed addr_offset: 786431 Previous address: 0
ntfs_make_data_run: Len idx: 0 cur: 4 (4) tot: 4 (4)
ntfs_make_data_run: Off idx: 0 cur: 21 (15) tot: 21 (15)
ntfs_make_data_run: Off idx: 1 cur: 63 (3f) tot: 16149 (3f15)
ntfs_make_data_run: Off idx: 2 cur: 5 (5) tot: 343829 (53f15)
ntfs_make_data_run: Signed addr_offset: 343829 Previous address: 786431
ntfs_dinode_lookup: Processing MFT 3
ntfs_dinode_lookup: Found in offset: 786432 size: 19328 at offset: 3072
ntfs_dinode_lookup: Entry address at: 3221228544
ntfs_proc_attrseq: Processing extended entry for primary entry 3
ntfs_proc_attrseq: Resident Attribute in Type: 16 Id: 0 IdNew: 0 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 48 Id: 1 IdNew: 1 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 64 Id: 6 IdNew: 6 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 96 Id: 4 IdNew: 4 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 112 Id: 5 IdNew: 5 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 128 Id: 3 IdNew: 3 Name:
ntfs_dinode_lookup: Processing MFT 6
ntfs_dinode_lookup: Found in offset: 786432 size: 19328 at offset: 6144
ntfs_dinode_lookup: Entry address at: 3221231616
ntfs_open: Error loading block bitmap (Error in metadata structure (Error Finding Bitmap Data Attribute))
Error in metadata structure (Error Finding Bitmap Data Attribute)

Any ideas on what's causing this?

At last, with the ntfs-3g driver, I can mount and read the data without issues.

ventz, Oct 24 '14 22:10

I got here while trying to recover a hard disk and tried to find out which files get corrupted by the unreadable sectors via the ddru_findbad script from the ddrutility package. Unfortunately I got the same error. While ddru_findbad uses fsstat just to detect the filesystem type, I modified the script to assume ntfs in my case and continue.

Now I am trying to find out why fsstat cannot open this partition, while ntfs-3g is able to.

As far as I see, sleuthkit expects in ntfs_load_bmap to get an attribute of type NTFS_ATYPE_DATA (ntfs-3g: AT_DATA) before reaching the end attribute 0xffffffff (ntfs-3g: AT_END): https://github.com/sleuthkit/sleuthkit/blob/ff6e54dee5a0cd390804ade696a0874f4e7bc67f/tsk/fs/ntfs.c#L3276-L3281

Unfortunately my partition just has an NTFS_ATYPE_SI, NTFS_ATYPE_ATTRLIST and NTFS_ATYPE_FNAME before it reaches 0xffffffff, but no NTFS_ATYPE_DATA.

It looks like ntfs-3g retrieves an element of type AT_DATA from the NTFS_ATYPE_ATTRLIST attribute and retrieves from it the offset (ntfs_attr_pread_i, ntfs_attr_find_vcn) to read another sector and retrieve the information somehow from there.

bernhardu, Feb 27 '22 01:02
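The situation described in the comment above, as an added example (not code from sleuthkit or ntfs-3g): a base MFT record is scanned for $DATA (0x80) up to the 0xffffffff end marker, and when none is found, a resident $ATTRIBUTE_LIST (0x20) is searched for a $DATA entry naming the MFT record that actually holds it. The sample record and MFT number 41 are constructed; the function name `find_data` is hypothetical, matching is by attribute type only, and a non-resident attribute list is not followed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { AT_SI = 0x10, AT_ATTRLIST = 0x20, AT_FNAME = 0x30, AT_DATA = 0x80 };
#define AT_END 0xffffffffu
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* 1: $DATA is in this record; 2: only listed in a resident $ATTRIBUTE_LIST
 * (*ext = MFT record that holds it); 0: not found; -1: malformed record. */
static int find_data(const uint8_t *rec, size_t n, uint64_t *ext) {
    const uint8_t *list = NULL;
    uint32_t llen = 0;
    if (n < 22) return -1;                      /* first-attribute offset lives at byte 20 */
    for (size_t off = le16(rec + 20); off + 8 <= n; off += le32(rec + off + 4)) {
        uint32_t type = le32(rec + off), len = le32(rec + off + 4);
        if (type == AT_END) break;
        if (len < 24 || len > n - off) return -1;
        if (type == AT_DATA) return 1;
        if (type == AT_ATTRLIST && rec[off + 8] == 0) {   /* resident form only */
            uint32_t clen = le32(rec + off + 16), coff = le16(rec + off + 20);
            if (coff > len || clen > len - coff) return -1;
            list = rec + off + coff; llen = clen;
        }
    }
    for (uint32_t p = 0; list && p + 26 <= llen; p += le16(list + p + 4)) {
        uint32_t elen = le16(list + p + 4);     /* 26 bytes = fixed part of a list entry */
        if (elen < 26 || elen > llen - p) return -1;
        if (le32(list + p) == AT_DATA) {        /* file reference: low 48 bits = MFT number */
            *ext = le32(list + p + 16) | (uint64_t)le16(list + p + 20) << 32;
            return 2;
        }
    }
    return 0;
}

/* Constructed sample record: SI, ATTRLIST (one $DATA entry -> MFT record 41), FNAME, end. */
static void build_sample(uint8_t rec[256]) {
    memset(rec, 0, 256); rec[20] = 56;          /* attributes start at byte 56 */
    put32(rec + 56, AT_SI);        put32(rec + 60, 24);
    put32(rec + 80, AT_ATTRLIST);  put32(rec + 84, 56); put32(rec + 96, 32); rec[100] = 24;
    put32(rec + 104, AT_DATA);     rec[108] = 32; rec[120] = 41;   /* the one list entry */
    put32(rec + 136, AT_FNAME);    put32(rec + 140, 24); put32(rec + 160, AT_END);
}
int main(void) {
    uint8_t rec[256]; uint64_t ext = 0;
    build_sample(rec);
    int r = find_data(rec, sizeof rec, &ext);
    printf("result=%d ext_mft=%llu\n", r, (unsigned long long)ext);
}
```

A parser that stops at result 0 without consulting the attribute list reports the same kind of "no $DATA attribute" condition on a volume that a list-aware reader can still open.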