Aristeu Junior

Results 12 comments of Aristeu Junior

@Nehberg, the use of the blockchain2graph project led me to a >3TB database size in weeks. His schema leads to a much bigger database while using the same input. It grows faster,...

Hello, right now I could find these two small and simple images that could be tested with the PR.

Simple test disk with lvm: https://drive.google.com/file/d/1UuG8C0k6PLl3bCAtvY-ome6OVX1mZy38/view?usp=share_link

Ubuntu server default installation: https://drive.google.com/file/d/1MvDbIazpsWWclhGPyZb6j-6HsSbgP1lG/view?usp=sharing...

I can confirm here that timesketch_importer is also creating doubled sources for JSONL imports, doubling the events on searches. The same does not apply to web imports, that seems to...

[sample.zip](https://github.com/google/timesketch/files/12718675/sample.zip) @jaegeral, try this. Password: sample123. It has 484 events, but doubles up on importing. Regards

@jaegeral I just realized that you're using timesketch cli instead of timesketch-import-client (timesketch_importer). Is there any difference between the approaches?

I made another smaller test image with lvm that gives another free() error on the same function ("invalid pointer") followed by core dump. https://drive.google.com/file/d/1xdYd4AFc3IRc881j2Yl1FFA01qFqBy2D/view?usp=drive_link

```
Reading symbols from tsk_loaddb... [New...
```

Have you tested https://github.com/sleuthkit/sleuthkit/pull/3244 against the LVM images, guys? Here, with Ubuntu, it corrects the "double free" but falls on to another crash dump. Looks like a problem with the...

The test with APFS Pool was similar, with a core dump in another part of the code. But in this case, I saw that the code is indeed doing two tsk_img_close on...

An APFS image I just made to test on APFS also. https://drive.google.com/file/d/1_usLsiB_ReyRN64G9ZQ9KYk0nv_nrPBi/view?usp=drive_link

```
a356797b7f975d27300d595f57e46bd5 apfs_pool.dd
8a7b3262064f8d75b37ccb96103c2896 lvm-test2.dd
dbc64eeb12f3283931287eee6c61e2dc teste-lvm.dd
ec210faff2b0c0438c8d4687c8ccdca2 ubuntu-server_lvm.dd
```