Re: [sleuthkit-developers] JFFS2 Support
From: Knut E. <kn...@ac...> - 2008-01-10 10:58:29
Dear Jeff,

> It appears that TSK actively tries to avoid external dependencies, for
> instance, the ext2 support does not depend upon <linux/ext2.h>.
> Understanding that I shouldn't include <linux/jffs2.h> in my source, how
> appropriate is it to examine that file in my creation of a jffs2.h file for
> TSK? As I tried to familiarize myself with the TSK file system code,
> I've made a point of not looking into the jffs2.h file in the Linux
> headers, but obviously using that code (even if it were copied along
> with the copyright notice), would make my task easier.

In my opinion (and experience - I added experimental support for JFS for Linux, not published (yet) but available on request as a source diff to tsk-2.03), you should definitely look at jffs2.h, but not necessarily copy the whole file for the following reasons:

1. It may include more data structure definitions and/or macros than you will need for your TSK module, e.g. in-kernel memory data structures in addition to on-disk data structures.

2. I see the on-disk data structures specified in e.g. jffs2.h as a "published interface", which means that you should read them and understand them, but also be prepared to validate during your development and testing whether the sequence of bytes in the jffs2 images you will analyse contains additional, "unpublished details" which could be very relevant from a forensic point of view.

3. I am not a lawyer, but I would see data structure definitions in .h files not as code, but as an interface definition, so I would not worry too much about license issues. You could also just take the component data types from the data structure definition and (re)define the data structures using your own component names.

I initially studied the FFS code in TSK to understand the different types of callback routines and data structures and then tried to keep with TSK naming conventions etc. when creating my own jfs.h file.

Naturally there are limits to this, as JFFS2 in your case may have concepts and consequently data structures which are very different from FFS. The jffs2.h file may also contain macro definitions, which could be seen as code, so you may want to avoid copying those macros directly.

Kind regards,
Knut
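An added example (not part of Knut's message and not TSK code) of points 2 and 3 above: the 12-byte JFFS2 common node header is redefined under hypothetical `demo_` names, read field by field from the image, and the alignment padding after the node is checked for bytes that the header layout does not account for. It assumes a little-endian image, 4-byte node alignment and 0x00/0xFF as filler values; the header CRC is not checked and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_JFFS2_MAGIC 0x1985u
#define DEMO_HDR_LEN     12u

/* On-disk common node header, restated with our own (hypothetical) names. */
typedef struct {
    uint16_t magic;    /* node marker */
    uint16_t type;     /* node type and compatibility bits */
    uint32_t tot_len;  /* length of the node including this header */
    uint32_t hdr_crc;  /* stored header CRC (not verified here) */
} demo_jffs2_hdr;

/* Constructed sample: a 13-byte node, then 3 padding bytes (0xFF 0x42 0xFF). */
const uint8_t demo_img[16] = {
    0x85, 0x19, 0x01, 0xE0, 0x0D, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x41, 0xFF, 0x42, 0xFF
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the header at buf+off; -1 if truncated, wrong magic or bad length. */
int demo_parse_hdr(const uint8_t *buf, size_t len, size_t off, demo_jffs2_hdr *h) {
    if (off > len || len - off < DEMO_HDR_LEN) return -1;
    h->magic   = rd16le(buf + off);
    h->type    = rd16le(buf + off + 2);
    h->tot_len = rd32le(buf + off + 4);
    h->hdr_crc = rd32le(buf + off + 8);
    if (h->magic != DEMO_JFFS2_MAGIC) return -1;
    if (h->tot_len < DEMO_HDR_LEN || h->tot_len > len - off) return -1;
    return 0;
}

/* Count padding bytes after the node that are neither 0x00 nor 0xFF. */
long demo_slack_anomalies(const uint8_t *buf, size_t len, size_t off) {
    demo_jffs2_hdr h;
    if (demo_parse_hdr(buf, len, off, &h) != 0) return -1;
    size_t end = off + h.tot_len, next = (end + 3u) & ~(size_t)3u;
    long n = 0;
    if (next > len) next = len;
    for (size_t i = end; i < next; i++)
        if (buf[i] != 0x00 && buf[i] != 0xFF) n++;
    return n;
}

int main(void) {
    printf("unexplained padding bytes: %ld\n", demo_slack_anomalies(demo_img, sizeof demo_img, 0));
    return 0;
}
```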