Re: [sleuthkit-developers] extra directory entries found in ext2 by sk
From: Brian C. <ca...@sl...> - 2008-07-07 14:35:21
Hi David,

These are false positives that result from the goal of supporting non-Latin file names (ExtX stores non-Latin text in UTF-8) and file names with control characters (both of which can occur). So, the code that parses through the directory looking for deleted directory entries can't really do any checks on the text of the file name (because everything is "valid" if we allow control characters). We allow control characters because they do not seem to be uncommon, and when I disabled the support a while back I quickly had requests to enable it again. The current code "cleans" up control characters by replacing them with a '^'.

The code that tests the directory entries now looks at the other non-name fields. It checks if the inode number is too big, if the record length is shorter than the name length, if the record length is not a multiple of 4, etc. So, there will be false positives.

brian

On Jul 5, 2008, at 12:23 AM, David Collett wrote:

> Hi Brian,
>
> Sleuthkit (fls) seems to find bogus deleted directory entries in the
> following (ext2) image:
>
> http://www.pyflag.net/testimages/pyflag_stdimage_0.1.e01
>
> The offending entries are the three containing non-printable
> characters (output appended below).
> I've opened the same fs in 'debugfs' and it does not find these
> deleted entries (it does find all the others that sk finds).
> Can you explain this? Is sk being over-zealous in its search for
> deleted ext2 directory entries? Is it normal to get a few
> false positives?
>
> Thanks,
> Dave
>
> Here is the output of "fls -r":
>
> d/d 11: lost+found
> r/- * 0: 0000000001289728.jpg
> r/- * 0: NTUSER.DAT
> r/r 14: hello.txt
> d/d 1281: Documents and Settings
> + d/d 1282: Administrator
> ++ d/d 1283: Local Settings
> +++ r/r 1284: index.dat
> +++ -/- * 0: @"^^��������^
> +++ -/r * 20(realloc): ��^^��������������������^
> ++ r/r 1285: outlook.pst
> ++ r/r 13: NTUSER.DAT
> + -/r * 20(realloc): `,^^�����������������^
> r/r 15: rk_044.zip
> r/r 16: test.txt.gz
> r/r 17: test.zip
> r/r 18: dscf1081.jpg
> r/r 19: dscf1082.jpg
> r/r 20: dscf1080.jpg
> r/- * 0: dscf1061.jpg
> r/r 22: dscf1052.jpg
> r/- * 0: .DonVittos_private_key.txt.swp
> r/r 23: DonVittos_private_key.txt
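The following is an added illustration of the directory-entry checks Brian describes; it is example code written for this page, not The Sleuth Kit's own implementation, and it runs on a constructed 1 KiB block rather than the pyflag image. It assumes the ext2 revision 1 entry layout with the filetype feature (an 8-byte header of 32-bit inode, 16-bit rec_len, 8-bit name_len, 8-bit file_type, followed by the name), a hypothetical filesystem with 2048 inodes, and it adds two checks of its own beyond the three in the mail (the record must stay inside the block and the name must be non-empty). The allocated entries are the rec_len chain; deleted candidates are found by scanning the slack between the end of each record's name and the start of the next record, which is where ext2 leaves the bytes of an unlinked entry.

```python
import struct

BLOCK_SIZE = 1024
INODE_COUNT = 2048   # assumed inode count of the hypothetical filesystem
EXT2_FT_MAX = 7      # largest defined ext2 file_type value (symlink)


def clean_name(raw: bytes) -> str:
    """Decode as UTF-8 (how ExtX stores non-Latin names) and, like the
    TSK behaviour described in the thread, print control characters as
    '^'. Undecodable bytes (U+FFFD after decoding) get the same treatment;
    that part is a simplification chosen for this example."""
    text = raw.decode("utf-8", errors="replace")
    return "".join("^" if (ord(c) < 0x20 or ord(c) == 0x7F or c == "\ufffd") else c
                   for c in text)


def rec_min_len(name_len: int) -> int:
    """Smallest rec_len that can hold a name of name_len bytes (8-byte header, 4-byte padded)."""
    return (8 + name_len + 3) & ~3


def parse_entry(block: bytes, off: int):
    """Read the 8-byte entry header plus name at offset off, or None if it does not fit."""
    if off + 8 > len(block):
        return None
    inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
    return dict(off=off, inode=inode, rec_len=rec_len, name_len=name_len,
                ftype=ftype, name=block[off + 8: off + 8 + name_len])


def entry_is_plausible(e, block_len: int, inode_count: int) -> bool:
    """Sanity checks on the non-name fields only: the name text is never examined,
    because with control characters allowed any byte sequence is a valid name."""
    if e is None:
        return False
    if e["inode"] > inode_count:            # inode number too big
        return False
    if e["rec_len"] < 8 + e["name_len"]:    # record length shorter than the name
        return False
    if e["rec_len"] % 4 != 0:               # record length not a multiple of 4
        return False
    if e["off"] + e["rec_len"] > block_len: # added check: record runs past the block
        return False
    if e["name_len"] == 0 or e["ftype"] > EXT2_FT_MAX:  # added check: empty name / bad type
        return False
    return True


def walk_directory(block: bytes, inode_count: int = INODE_COUNT):
    """Return (allocated, deleted) lists of (inode, cleaned name)."""
    allocated, deleted = [], []
    off = 0
    while off + 8 <= len(block):
        e = parse_entry(block, off)
        if e["rec_len"] < rec_min_len(e["name_len"]) or e["rec_len"] % 4 \
                or off + e["rec_len"] > len(block):
            break  # chain is corrupt; stop following it
        if e["inode"] == 0:
            deleted.append((0, clean_name(e["name"])))      # unused slot, name often intact
        else:
            allocated.append((e["inode"], clean_name(e["name"])))
        # Scan the slack after this record's name, 4 bytes at a time, for old entries.
        slack = off + rec_min_len(e["name_len"])
        while slack + 8 <= off + e["rec_len"]:
            cand = parse_entry(block, slack)
            if entry_is_plausible(cand, len(block), inode_count):
                deleted.append((cand["inode"], clean_name(cand["name"])))
                slack += rec_min_len(cand["name_len"])
            else:
                slack += 4
        off += e["rec_len"]
    return allocated, deleted


def build_block() -> bytes:
    """Constructed directory block: '.', '..', 'hello.txt', a deleted 'secret.txt'
    whose space was absorbed into hello.txt's rec_len, and three planted byte runs
    in the remaining slack. Not data from the pyflag image."""
    b = bytearray(BLOCK_SIZE)

    def put(off, inode, rec_len, name, ftype=1):
        struct.pack_into("<IHBB", b, off, inode, rec_len, len(name), ftype)
        b[off + 8: off + 8 + len(name)] = name

    put(0, 2, 12, b".", 2)
    put(12, 2, 12, b"..", 2)
    put(24, 14, 1000, b"hello.txt")     # rec_len grew from 20 to 1000 when secret.txt was unlinked
    put(44, 15, 980, b"secret.txt")     # genuine deleted entry, still intact in the slack
    put(64, 100, 16, b"\x01\x02A")      # junk that passes every non-name check: a false positive
    put(76, 0xFFFFFFFF, 12, b"bad")     # rejected: inode number too big
    put(88, 5, 6, b"junk")              # rejected: rec_len < 8 + name_len and not a multiple of 4
    return bytes(b)


if __name__ == "__main__":
    alloc, dele = walk_directory(build_block())
    for inode, name in alloc:
        print(f"r/r {inode}: {name}")
    for inode, name in dele:
        print(f"r/r * {inode}: {name}")
```

Running it lists hello.txt and secret.txt as expected, but also a deleted entry "^^A" on inode 100: nothing in its inode number, rec_len, name_len or file type is out of range, and once control characters are permitted the name cannot be used to reject it. That is the class of false positive the thread is about, and it is why the checks are confined to the non-name fields.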