Re: [sleuthkit-users] fls: missing field
From: Simson G. <si...@ac...> - 2009-07-12 22:17:42
That's wild.

As a short-term fix, you could use fiwalk, which will now output in body file format. You can download fiwalk from http://afflib.org/

Cheers.

On Jul 12, 2009, at 2:38 PM, . wrote:

> Hi
>
> When running fls against one of my Ext3 partitions I notice that 34 out
> of 17512 entries are missing one of the 'body file' format fields.
>
> $ fls -V
> The Sleuth Kit ver 3.0.1
>
> $ sudo fls -r -m / /dev/sda4 > fls.out
>
> According to the wiki http://wiki.sleuthkit.org/index.php?title=Body_file
>
> The 3.X output has the following fields:
> MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
>
> Example output:
> ...
> 0|/Dir1/SubDir1/FileA (deleted)|9551913|r/rrwxrwx---|1000|1000|0|1199618002|1199765794|1199765794|0
> 0|/Dir1/SubDir2/FileB|2769344|r/rrwxr-xr-x|1000|1000|73350|1239210630|1234051666|1235248434|0
> ...
> 0|/Dir1/FileC (deleted)|0|r/----------|0|0|0|0|0|0
> 0|/Dir1/FileD (deleted)|0|d/----------|0|0|0|0|0|0
> ...
>
> The last two entries have 10 fields instead of 11.
> It is difficult to identify which field is missing in each case as most
> values are zeroes.
> Do you know which field is missing and why?
>
> Other info:
>
> $ sudo istat /dev/sda4 0
> Metadata address is too small for image (1)
>
> $ sudo ils /dev/sda4 0
> class|host|device|start_time
> ils|myhost||1247422110
> st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
> Invalid walk range (extXfs_inode_walk: end inode: 0)
>
> Thank you
>
> JS
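A field-count check for the 3.X body file layout quoted in the message above, as an added example that is not part of the original thread and is not Sleuth Kit or fiwalk code. The names `check_body_file` and `Finding` are hypothetical, and treating surplus `|` separators as part of the file name is an assumption; short lines are reported without guessing which field is absent.

```python
from typing import NamedTuple

# Field order for Sleuth Kit 3.x body files, as quoted from the wiki in the message above.
FIELDS = "MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime".split("|")
NUMERIC = ("UID", "GID", "size", "atime", "mtime", "ctime", "crtime")

class Finding(NamedTuple):
    lineno: int
    reason: str
    raw: str

def check_body_file(lines):
    """Return (records, findings). Records are dicts keyed by FIELDS."""
    records, findings = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        parts = line.split("|")
        if len(parts) < len(FIELDS):
            # Too few fields: which one is absent cannot be inferred, so do not guess.
            findings.append(Finding(lineno, f"{len(parts)} fields, expected {len(FIELDS)}", line))
            continue
        # Assumption: surplus separators belong to the file name, so anchor
        # MD5 on the left and the nine trailing fields on the right.
        tail = len(FIELDS) - 2
        rec = dict(zip(FIELDS, [parts[0], "|".join(parts[1:-tail])] + parts[-tail:]))
        bad = [k for k in NUMERIC if not rec[k].isdigit()]
        if bad:
            findings.append(Finding(lineno, "non-numeric " + ",".join(bad), line))
            continue
        rec.update({k: int(rec[k]) for k in NUMERIC})
        records.append(rec)
    return records, findings

# Sample lines from the message above, with the e-mail line wrapping undone.
SAMPLE = [
    "0|/Dir1/SubDir1/FileA (deleted)|9551913|r/rrwxrwx---|1000|1000|0|1199618002|1199765794|1199765794|0",
    "0|/Dir1/SubDir2/FileB|2769344|r/rrwxr-xr-x|1000|1000|73350|1239210630|1234051666|1235248434|0",
    "0|/Dir1/FileC (deleted)|0|r/----------|0|0|0|0|0|0",
    "0|/Dir1/FileD (deleted)|0|d/----------|0|0|0|0|0|0",
]

if __name__ == "__main__":
    records, findings = check_body_file(SAMPLE)
    print(f"{len(records)} well-formed, {len(findings)} rejected")
    for f in findings:
        print(f"line {f.lineno}: {f.reason}: {f.raw}")
```

Running the check before loading a body file into a timeline tool keeps short records from being shifted into the wrong columns.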