Maxim Suhanov

Results 38 comments of Maxim Suhanov

Here is a bash script to reproduce the first issue using _device-mapper_.

```
#!/bin/bash
src_file='src.raw'
dst_file_1='dst-dcfl.raw'
dst_file_2='dst-dd.raw'
dd if=/dev/urandom of="$src_file" bs=512 count=20480
loop1=$(losetup -f)
losetup "$loop1" "$src_file"
loop2=$(losetup -f)
losetup...
```

The second issue (or something similar to the second issue) can be reproduced with this line: `table=$(echo -e "0 10232 linear $loop1 0\n10232 1 error\n")` (A faulty sector is the...

Hello.

> Have you tried to bring this patch to the upstream linux kernel?

No.

> Do you know if any of the "forensic distributions" uses it?

Grml (2014.11) and...

> just as reference: Grml is Grml-Forensic https://grml-forensic.org/ (as there is another live distri called https://grml.org/ ) http://git.grml.org/?p=grml-kernel.git;a=blob;f=linux-3/debian/patches/grml/ext4-readonly.patch

CAINE: No. It marks block devices as read-only, but this mode isn't enforced with a kernel patch. PALADIN: It includes a modified version of my patch (they never included the...

I found a raw MFT entry attached to the original discussion on the mailing list ("mft2_16793.raw"). The issue is that the update sequence array isn't applied when trying to decode...

There is a related issue: https://github.com/sleuthkit/sleuthkit/issues/1382.

There are many volumes with the "Created" timestamps tracked without subsecond precision, so the _timetens_ value is either 0 or 100. Thus, the issue doesn't affect 1 timestamp out of...

A similar issue fixed before: https://github.com/sleuthkit/sleuthkit/issues/906.

Similarly, an unallocated set of LFN entries can be attached to an allocated SFN entry...