Computer Forensic Failures – File system issues


I’m very happy to report that I received a short story that clearly resulted in the author learning from their actions. The author of this story wished to remain anonymous. The story below has not been edited, but a picture was added for those that have never seen an IBM AIX tower.

IBM AIX Server

I saw your post on one of the forensic forums and thought I would share this; not a failure, but a lesson learned that delayed my work.  When imaging, sometimes matching file system to file system is best.  I was imaging a 1TB RAID’d storage device connected to an old IBM AIX minicomputer.  A logical acquisition was the cheapest option, so that was what the client asked for.  I thought no problem: no external connection such as USB or FireWire, so it was going to be over the 10MB connection.  I had 1.5 TB drives, so no problem... right.  I connected and mounted the drive to my forensic laptop running Linux, and proceeded to pipe all the files via scp from the IBM’s RAID over the network to my laptop.  Everything was going well for a day, then all of a sudden the job would quit, no error messages, just stop short.  I checked the drive; still room, so I was perplexed.  Tried again with a different drive, same result.  I knew something was up, but not exactly what.  My drives were formatted with NTFS.  Hmmm... Linux, maybe try a Linux file system.  I took another drive, reformatted it as EXT3 and restarted the process.  Ran without an issue.  What I found out later was the system admins didn’t want to spend money on more storage for that old box, so they kept dropping the cluster size down and down so they could keep adding files.  What I gathered is I hit NTFS’s maximum file capacity before the scp was done.  So lesson learned was sometimes you need to work apples to apples if you have an unexplained issue.

I followed up with a question for this person:

NTFS’s maximum number of files per volume is 4,294,967,295 (2^32 - 1); how many files were on the EXT3 partition?

Their response was:

That was what I thought; I didn’t do any research on it, does seem a little out there to be that.  The RAID device ran for many, many years and no maintenance was done.  From what I was told, the sys admins kept lowering the cluster size to pack in more data, until they got down to 1 cluster = 1 sector.  I was thinking I had hit some limitation of NTFS which made it stop copying to the device, since switching to ext3 resolved the issue.  I had plenty of space left on my NTFS drive.

The drive we brought back was used with EnCase and we didn’t have any problems exporting the files out to the network and going into our review platform.  Thinking back now, and from other experiences, it could have been a long file name/path issue too, since NTFS doesn’t handle those and I had other issues with LFNs on their SAN that we imaged later.
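The two things the contributor ran into, a destination volume that stopped accepting files while still showing free space, and names or paths the destination could not represent, are both checkable before the first byte moves. The shell script below is an added example written for this post; it is not the contributor's procedure or any tool they mention. It assumes GNU coreutils on the Linux laptop (stat -c, stat -f) and that the source tree is readable locally, for example over an NFS mount of the RAID; the mount points in the usage comment are invented. It also covers the caveat the ext3 fix hides: an ext3 inode table is sized at mkfs time, so a tree of millions of small files can run out of inodes long before it runs out of blocks, and names with characters Windows rejects will copy onto ext3 without complaint but cause trouble when the disk is later opened on a Windows review workstation.

```sh
#!/bin/sh
# Added example for this post, not the contributor's own procedure.
# Pre-flight "apples to apples" check before a logical acquisition over the
# network: measure what the source tree demands, then compare it with what the
# destination volume can actually hold. Assumes GNU coreutils (stat -c / stat -f)
# and a find(1) that supports -mindepth, i.e. a Linux forensic laptop. The source
# tree is assumed readable from here (e.g. an NFS mount of the RAID); the copy
# itself (scp, rsync, tar) is not done by this script.

# Entries under $1 (files, directories, symlinks). Each one needs a directory
# entry on the destination and, on ext2/3/4, one of the inodes fixed at mkfs time.
count_entries() {
    find "$1" -mindepth 1 \( -type f -o -type d -o -type l \) | wc -l | tr -d ' '
}

# Apparent size in bytes of all regular files under $1.
total_bytes() {
    find "$1" -type f -exec stat -c '%s' {} + \
        | awk '{ s += $1 } END { printf "%.0f\n", s + 0 }'
}

# Longest single path component under $1. Both ext3 and NTFS cap a name at 255
# (bytes on ext3, UTF-16 code units on NTFS), so anything longer cannot land.
max_name_len() {
    find "$1" -mindepth 1 \
        | awk '{ sub(/.*\//, ""); if (length($0) > m) m = length($0) } END { print m + 0 }'
}

# Longest path relative to $1. Path limits belong to the OS and driver, not the
# disk: Linux PATH_MAX is 4096 bytes, Win32 MAX_PATH is 260 unless long paths
# are enabled on the host.
max_path_len() {
    src=${1%/}
    find "$src" -mindepth 1 \
        | awk -v n="${#src}" '{ p = substr($0, n + 2); if (length(p) > m) m = length(p) } END { print m + 0 }'
}

# Names that AIX/Linux accept but Windows rejects (\ : * ? " < > | and control
# characters). They copy fine onto an ext3 disk but bite when the evidence is
# later opened on a Windows review workstation. '/' cannot occur in a name.
windows_illegal_names() {
    find "$1" -mindepth 1 \
        | awk '{ sub(/.*\//, "");
                 if ($0 ~ /\\/ || $0 ~ /[:*?<>|]/ || index($0, "\"") > 0 || $0 ~ /[[:cntrl:]]/) n++ }
               END { print n + 0 }'
}

# Destination facts from statfs(2): filesystem type (an ntfs-3g mount shows as
# "fuseblk"), free bytes, free inodes. Filesystems that allocate inodes
# dynamically may report 0 free inodes; preflight treats 0 as "no fixed limit".
fs_type()     { stat -f -c '%T' "$1"; }
free_bytes()  { stat -f -c '%a %S' "$1" | awk '{ printf "%.0f\n", $1 * $2 }'; }
free_inodes() { stat -f -c '%d' "$1"; }

# Print the comparison and return the number of hard warnings (0 = go ahead).
# Usage (hypothetical mount points): preflight /mnt/aix_raid /media/evidence_ext3
preflight() {
    pf_src=$1; pf_dst=$2; pf_warn=0
    pf_n=$(count_entries "$pf_src");   pf_b=$(total_bytes "$pf_src")
    pf_nl=$(max_name_len "$pf_src");   pf_pl=$(max_path_len "$pf_src")
    pf_bad=$(windows_illegal_names "$pf_src")
    pf_t=$(fs_type "$pf_dst"); pf_fb=$(free_bytes "$pf_dst"); pf_fi=$(free_inodes "$pf_dst")
    printf 'source: %s entries, %s bytes, longest name %s, longest path %s\n' \
        "$pf_n" "$pf_b" "$pf_nl" "$pf_pl"
    printf 'destination: %s, %s bytes free, %s inodes free\n' "$pf_t" "$pf_fb" "$pf_fi"
    if [ "$pf_b" -ge "$pf_fb" ]; then
        echo 'WARN: source bytes exceed destination free space'; pf_warn=$((pf_warn + 1))
    fi
    if [ "$pf_fi" -gt 0 ] && [ "$pf_n" -gt "$pf_fi" ]; then
        echo 'WARN: more entries than free inodes on destination'; pf_warn=$((pf_warn + 1))
    fi
    if [ "$pf_nl" -gt 255 ]; then
        echo 'WARN: a name exceeds 255 characters'; pf_warn=$((pf_warn + 1))
    fi
    if [ "$pf_bad" -gt 0 ]; then
        echo "WARN: $pf_bad names contain characters Windows rejects"; pf_warn=$((pf_warn + 1))
    fi
    if [ "$pf_pl" -gt 259 ]; then
        echo 'NOTE: paths exceed Win32 MAX_PATH; fine on Linux, may fail in Windows tools later'
    fi
    return "$pf_warn"
}
```

Source the file and call preflight with the two mount points; the return value is the number of hard warnings, so a wrapper can refuse to start the scp when it is nonzero. Only directory metadata is read, so even over a slow link this costs minutes rather than the day the contributor lost before the copy stopped.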

In closing, please help this mini project by submitting what you’ve learned. Thank you.