[sleuthkit-developers] [ sleuthkit-Bugs-2891285 ] unable to read file's content for a file on NTFS
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-developers] [ sleuthkit-Bugs-2891285 ] unable to read file's content for a file on NTFS system
|
From: SourceForge.net <no...@so...> - 2009-11-06 20:52:06
|
Bugs item #2891285, was opened at 2009-11-03 09:38 Message generated for change (Settings changed) made by carrier You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2891285&group_id=55685 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: File System Tools Group: None >Status: Closed >Resolution: Fixed Priority: 5 Private: No Submitted By: oncer oncer surname (oncer82) Assigned to: Nobody/Anonymous (nobody) Summary: unable to read file's content for a file on NTFS system Initial Comment: This issue is specific to NTFS file system only. TSK’s routine “tsk_fs_file_read” returns an error while trying to read content of a file (for "Bitmap Image.bmp" ) by some specific offset. Reading is done as a sequential reading from beginning to an end of a stream. Error message is “tsk_fs_read: Offset is too large for image: 2043904”. Error goes from a point where routine tries to read raw data from a “$Data” attribute – reading from data runs. Seems like error is at the routine where offset is calculated for NTFS for some particular data run. I tried the same set of files but on Ext3 and Fat32 file systems: no errors – content reading was done successfully. I supplied mentioned partitions to a posix-sample application (from a TSK‘s package) – the same result: reading data from a file fails always on NTFS, but succeeded for Ext3 and Fat32. ---------------------------------------------------------------------- >Comment By: Brian Carrier (carrier) Date: 2009-11-06 15:52 Message: Fixed in trunk. Had to do with sanity check on reading last block of file system using the POSIX-style API. Sending trunk/CHANGES.txt Sending trunk/tsk3/fs/fs_io.c Transmitting file data .. Committed revision 119. ---------------------------------------------------------------------- Comment By: oncer oncer surname (oncer82) Date: 2009-11-04 04:25 Message: Here is a link to an image to reproduce the issue - http://rapidshare.com/files/302212622/simplefiles_ntfs.dd.html MD5: FEC9AFCB26A8DE34108AEB40854110F2 Problem file is "Bitmap Image.bmp" (inode 64). I've tried ICAT application: it read content of a problem file successfully. But POSIX-SAMPLE application unable to do the same task. But, - ICAT uses "tsk_fs_read_block" function for reading content. - POSIX-SAMPLE uses "tsk_fs_file_read" function for reading content. So, probably issue goes from the "tsk_fs_file_read" function. Also, here are links on Ext and Fat FiIe Systems that contain the same set of files. Applications works successfully with these images. http://rapidshare.com/files/302213151/simplefiles_ext3.dd.html MD5: 48F116F12B2C6DA6FDE2F0112B1DDB73 http://rapidshare.com/files/302213821/simplefiles_fat32.dd.html MD5: 2CB87CC602E90300C4499D93614600AD ---------------------------------------------------------------------- Comment By: Brian Carrier (carrier) Date: 2009-11-03 19:23 Message: That error means that it is trying to read past the end of the file system. Can you do the following: - provide the size of the disk image - Use 'icat' to extract the file contents (icat -o OFFSET_OF_FILESYSTEM IMAGE_NAME INODE) ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2891285&group_id=55685 |
