[sleuthkit-developers] [ sleuthkit-Bugs-2821031 ] missing body fields
From: SourceForge.net <no...@so...> - 2009-07-14 00:56:12
Bugs item #2821031, was opened at 2009-07-13 19:56
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2821031&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: File System Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Brian Carrier (carrier)
Summary: missing body fields

Initial Comment:
For unallocated files with no metadata structure, TSK is missing a 0 for the new body format.

From: jsm...@go...
Subject: [sleuthkit-users] fls: missing field
Date: July 12, 2009 2:38:53 PM EDT
To: sle...@li...
Reply-To: jsm...@gm...

Hi

When running fls against one of my Ext3 partitions I notice that 34 out of 17512 entries are missing one of the 'body file' format fields.

$ fls -V
The Sleuth Kit ver 3.0.1

$ sudo fls -r -m / /dev/sda4 > fls.out

According to the wiki
http://wiki.sleuthkit.org/index.php?title=Body_file

The 3.X output has the following fields:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

Example output:
...
0|/Dir1/SubDir1/FileA (deleted)|9551913|r/rrwxrwx---|1000|1000|0|1199618002|1199765794|1199765794|0
0|/Dir1/SubDir2/FileB|2769344|r/rrwxr-xr-x|1000|1000|73350|1239210630|1234051666|1235248434|0
...
0|/Dir1/FileC (deleted)|0|r/----------|0|0|0|0|0|0
0|/Dir1/FileD (deleted)|0|d/----------|0|0|0|0|0|0
...

The last two entries have 10 fields instead of 11. It is difficult to identify which field is missing in each case as most values are zeroes.

Do you know which field is missing and why?

Other info:

$ sudo istat /dev/sda4 0
Metadata address is too small for image (1)

$ sudo ils /dev/sda4 0
class|host|device|start_time
ils|myhost||1247422110
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
Invalid walk range (extXfs_inode_walk: end inode: 0)

Thank you
JS
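
Added example (not part of the original message and not code from The Sleuth Kit): a Python check that flags body-file lines whose field count differs from the 11-field 3.X layout quoted above, run here over the four sample lines from the message. Treating extra `|` characters as part of the name field and requiring UID through crtime to be decimal are assumptions of this example.

```python
import sys

# Field order of the 3.X body file, as quoted from the wiki in the message above.
FIELDS = ["MD5", "name", "inode", "mode_as_string", "UID", "GID",
          "size", "atime", "mtime", "ctime", "crtime"]
NUMERIC = FIELDS[4:]  # assumption: UID .. crtime are decimal integers

# Sample records copied from the message above (two complete, two short).
SAMPLE = [
    "0|/Dir1/SubDir1/FileA (deleted)|9551913|r/rrwxrwx---|1000|1000|0|1199618002|1199765794|1199765794|0",
    "0|/Dir1/SubDir2/FileB|2769344|r/rrwxr-xr-x|1000|1000|73350|1239210630|1234051666|1235248434|0",
    "0|/Dir1/FileC (deleted)|0|r/----------|0|0|0|0|0|0",
    "0|/Dir1/FileD (deleted)|0|d/----------|0|0|0|0|0|0",
]

def split_record(line):
    """Split one body line; surplus '|' are assumed to belong to the name."""
    parts = line.rstrip("\r\n").split("|")
    extra = len(parts) - len(FIELDS)
    if extra > 0:
        # Rejoin the surplus pieces into field 2 (name), the only free-text field.
        parts = [parts[0], "|".join(parts[1:2 + extra])] + parts[2 + extra:]
    return parts

def check_body(lines):
    """Return (good_records, problems); problems are (line_no, reason, text)."""
    good, problems = [], []
    for no, raw in enumerate(lines, 1):
        text = raw.rstrip("\r\n")
        if not text:
            continue
        parts = split_record(text)
        if len(parts) != len(FIELDS):
            reason = "%d fields, expected %d" % (len(parts), len(FIELDS))
            problems.append((no, reason, text))
            continue
        rec = dict(zip(FIELDS, parts))
        bad = [f for f in NUMERIC if not rec[f].isdigit()]
        if bad:
            problems.append((no, "non-numeric: " + ",".join(bad), text))
            continue
        good.append(rec)
    return good, problems

if __name__ == "__main__":
    # With a path argument, check that file (e.g. fls.out); otherwise the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    good, problems = check_body(src)
    print("%d complete records, %d flagged" % (len(good), len(problems)))
    for no, reason, text in problems:
        print("line %d: %s: %s" % (no, reason, text))
```

The check reports that a record is short but cannot say which field was dropped, since the remaining values in the short lines are all zeroes.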