Duplicate file entries

[Erik-White]

I have an E01 disk image of an exFAT formatted volume: LIN-exFAT.zip

Note that there is only one JPEG file on the volume:
\IX 01\Freaston\Madison\Madison\Madison\[PHOTOS]\03\049.jpg

But Sleuthkit reports the existence of two files:

\IX 01\Freaston\Madison\Madison\Madison\[PHOTOS]\03\049.jpg
\IX 01\Vikush\P2\WBC.01-100.P2\Madison\Madison\Madison \049.jpg

Potential reason for this discrepancy:

There is a deleted folder on the volume:
\IX 01\Vikush\P2\WBC.01-100.P2\

In the parent folder for the live Freaston folder, the first cluster is recorded as 1,625 stored as 0x59 0x06 (little endian) on disk in the folder structure.

In the parent folder for the deleted WBC.01-100.P2 folder, its first cluster is also 1,625. That is, the Freaston folder was created after WBC.01-100.P2 and happened to be stored at the same physical location on the volume as the previously deleted WBC.01-100.P2. Sleuthkit is mistakenly identifying both folders as the parent of the first Madison folder, and continues from that point downwards so that it appears that they both also contain 049.jpg.

Screenshot from Autopsy that shows the same problem:

[simsong]

Thank you for the analysis. This is great. Do you see any solution other than reading the entire drive and then removing any allocated file from the list of unallocated files if it happens to be there?

[Erik-White]

Sorry I don't know enough about how Sleuthkit indexes files to offer any alternatives. That said, it sounds like a reasonable solution.

[simsong]

It probably needs to be done in autopsy, not in TSK. This ticket will be moved there.