[sleuthkit-developers] [ sleuthkit-Bugs-2891285 ] unable to read file's content for a file on NTFS
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-developers] [ sleuthkit-Bugs-2891285 ] unable to read file's content for a file on NTFS system
|
From: SourceForge.net <no...@so...> - 2009-11-04 00:23:32
|
Bugs item #2891285, was opened at 2009-11-03 09:38 Message generated for change (Comment added) made by carrier You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2891285&group_id=55685 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: File System Tools Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: oncer oncer surname (oncer82) Assigned to: Nobody/Anonymous (nobody) Summary: unable to read file's content for a file on NTFS system Initial Comment: This issue is specific to NTFS file system only. TSK’s routine “tsk_fs_file_read” returns an error while trying to read content of a file (for "Bitmap Image.bmp" ) by some specific offset. Reading is done as a sequential reading from beginning to an end of a stream. Error message is “tsk_fs_read: Offset is too large for image: 2043904”. Error goes from a point where routine tries to read raw data from a “$Data” attribute – reading from data runs. Seems like error is at the routine where offset is calculated for NTFS for some particular data run. I tried the same set of files but on Ext3 and Fat32 file systems: no errors – content reading was done successfully. I supplied mentioned partitions to a posix-sample application (from a TSK‘s package) – the same result: reading data from a file fails always on NTFS, but succeeded for Ext3 and Fat32. ---------------------------------------------------------------------- >Comment By: Brian Carrier (carrier) Date: 2009-11-03 19:23 Message: That error means that it is trying to read past the end of the file system. Can you do the following: - provide the size of the disk image - Use 'icat' to extract the file contents (icat -o OFFSET_OF_FILESYSTEM IMAGE_NAME INODE) ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2891285&group_id=55685 |
