[sleuthkit-developers] [ sleuthkit-Bugs-2596397 ] mactime sorting bug in TSK3
From: SourceForge.net <no...@so...> - 2009-02-14 03:29:32
Bugs item #2596397, was opened at 2009-02-13 11:16
Message generated for change (Settings changed) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2596397&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Timeline Tools
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Bruce Nikkel (bnikkel)
>Assigned to: Brian Carrier (carrier)
Summary: mactime sorting bug in TSK3

Initial Comment:
Hi Brian,

I think mactime in Sleuthkit3 is not sorting correctly when a filesystem
contains timestamps older than Sept 9, 2001.

In the version 3 mactime script, epoch time is now sorted as a string, not
a number (like in v2). If a filesystem has timestamp strings less than 10
digits long (earlier than Sept 9, 2001), the resulting timeline will be
incorrectly sorted/displayed.

One way to fix this sorting bug is to add leading zeros to epoch timestamp
strings under 10 digits. Adding the following code at line 317 in mactime
3.0.1 seems to solve the problem:

    # add leading zeros to timestamps
    # (corrects sorting bug)
    $st_mtime = sprintf("%.10d",$st_mtime);
    $st_atime = sprintf("%.10d",$st_atime);
    $st_ctime = sprintf("%.10d", $st_ctime);
    $st_crtime = sprintf("%.10d", $st_crtime);

I don't know if this breaks things elsewhere, but from my brief tests it
seemed to fix the problems I had with timelines containing older files.

Kind regards,
Bruce Nikkel

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-02-13 22:29

Message:
Patch applied, verified, and checked into trunk.

Sending CHANGES.txt
Sending tools/timeline/mactime.base
Transmitting file data ..
Committed revision 62.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2596397&group_id=55685
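
The sorting behaviour described in the report, reproduced as an added example that is not part of the original thread and is not mactime's own code. The body-file records are constructed sample data, and timeline_keys is a hypothetical helper that keys events by mtime only.

```perl
#!/usr/bin/perl
# Added illustration (not mactime's code): string-sorted epoch keys misorder
# a timeline whose timestamps straddle the 9-digit / 10-digit boundary.
use strict;
use warnings;

# Constructed sample records in TSK3 body-file layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
my @body = (
    "0|/etc/passwd|1201|r/rrw-r--r--|0|0|1536|1234500000|1234500000|1234500000|0",
    "0|/bin/old_tool|77|r/rrwxr-xr-x|0|0|20480|999999000|999999000|999999000|0",
    "0|/home/u/notes.txt|4410|r/rrw-------|500|500|312|1000000500|1000000500|1000000500|0",
    "0|/boot/vmlinuz|12|r/rrw-r--r--|0|0|901120|915148800|915148800|915148800|0",
);

# Hypothetical helper: build a hash keyed by mtime and return the entries in
# default (string) sort order. $pad switches the zero-padding fix on or off.
sub timeline_keys {
    my ($pad, @lines) = @_;
    my %events;
    for my $line (@lines) {
        my @f = split /\|/, $line;
        my ($name, $mtime) = @f[1, 8];
        $mtime = sprintf("%.10d", $mtime) if $pad;   # fix from the report
        push @{ $events{$mtime} }, $name;
    }
    my @out;
    for my $key (sort keys %events) {                # string comparison
        push @out, join(" ", $key, @{ $events{$key} });
    }
    return @out;
}

print "String sort, unpadded keys (9-digit times land after 10-digit ones):\n";
print "  $_\n" for timeline_keys(0, @body);

print "String sort, zero-padded keys (chronological):\n";
print "  $_\n" for timeline_keys(1, @body);

# Cross-check: padded string order must equal a numeric sort of the raw mtimes.
my @numeric = sort { $a <=> $b } map { my @f = split /\|/, $_; $f[8] } @body;
my @padded  = map { my ($k) = split / /, $_; $k + 0 } timeline_keys(1, @body);
print "Padded order matches numeric order: ",
      ("@numeric" eq "@padded" ? "yes" : "no"), "\n";
```

When reviewing a timeline produced by an affected mactime 3.0.x, entries with 9-digit epoch values appearing after newer ones are the visible symptom of this bug.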