Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get-ForensicFileRecord : Array dimensions exceeded supported range. #150

Open
AndresPae opened this issue Oct 12, 2017 · 5 comments
Open

Get-ForensicFileRecord : Array dimensions exceeded supported range. #150

AndresPae opened this issue Oct 12, 2017 · 5 comments

Comments

@AndresPae
Copy link

PS K:> Get-ForensicFileRecord -VolumeName U:
Get-ForensicFileRecord : Array dimensions exceeded supported range.
At line:1 char:1

  • Get-ForensicFileRecord -VolumeName U:
  •   + CategoryInfo          : NotSpecified: (:) [Get-ForensicFileRecord], OverflowException
  + FullyQualifiedErrorId : System.OverflowException,PowerForensics.Cmdlets.GetFileRecordCommand

PS K:> $StackTrace
at PowerForensics.Ntfs.NonResident.GetBytes(String volume)
at PowerForensics.Ntfs.FileRecord.GetInstances(String volume)
at PowerForensics.Cmdlets.GetFileRecordCommand.ProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
@AndresPae
Copy link
Author

MFT Information

MFT size : 2205 MB (0% of drive)

PS C:> [int]::MaxValue
2147483647

Is this reason ?

@jaredcatkinson
Copy link
Member

It doesn't appear to be an issue with the overall size of the MFT itself. Based on the StackTrace (thank you for providing that), the issue seems to be with the parsing of a Non Resident MFT Attribute. I'll try to get you a debug version tonight to identify where the issue is happening within the MFT itself. Then we can try to identify the specific attribute that is causing the issue.

Is this a production or test system? In either case, would you be able to provide me with an exported version of the MFT, or even a specific MFT Entry (once we narrow it down)?

@mgreen27
Copy link

mgreen27 commented Nov 27, 2017
edited
Loading

im getting this same issue on a Windows10 machine over a winrm session running.
(Get-ForensicFileRecord -Path "C:\$Extend\$UsnJrnl").CopyFile($output + "\disk\$J","$J")
The Get-ForensicFileRecord component works but im hitting the same issue on the copy file.

$StackTrace
at PowerForensics.FileSystems.Ntfs.NonResident.GetBytes()
at PowerForensics.FileSystems.Ntfs.FileRecord.GetContent(String StreamName)
at PowerForensics.FileSystems.Ntfs.FileRecord.CopyFile(String Destination, String StreamName)
at CallSite.Target(Closure , CallSite , Object , Object , String )

@mgreen27
Copy link

mgreen27 commented Dec 9, 2017
edited
Loading

testing this again across a few environments I believe this issue is caused when the file being copied is greater than the [int32]::MaxValue in bytes.
For example the $J above was above 3GB, I also tested on another file > 3GB and hit the same error.
The issue is consistent across Powershell and WinRM shell

Just to differentiate from the original issue. I can list the File details using Get-ForensicFilerecord but when copying hit the issue.

@mgreen27
Copy link

Hello,

I am reviewing source code to see how Powerforensics works about an issue I have been seeing where when running Powerforensics extractions over WinRM, Memory spikes on the target machine to larger than the copied file.

I can see Powerforensics seems to try to create an array of the full byte stream - why we hit the [int32]::MaxValue issue on large files.

I think even increasing to Int64 we will see memory issues, a better way would be to chunk the files up into smaller sizes and append to the destination file.

Matt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mgreen27 @jaredcatkinson @AndresPae