[sleuthkit-users] Errors in a specific folder in an EXT2 file system
From: Jordi G. V. <jor...@gm...> - 2010-06-21 10:07:42
Hello everyone,

I have found a problem with a specific image file (.E01 format) with The Sleuth Kit, version 3.1.2. I work in an Ubuntu GNU/Linux environment, version 10.04 LTS (Lucid Lynx).

The image file I am working with includes a partition with an EXT2 file system. When I use the fls utility in a specific folder of this image, the contents are not retrieved right (fls -v -o 63 image.E* 524447).

I have seen in the source code, in the function named ext2fs_dent_parse_block (file tsk3/fs/ext2fs_dent.c), that the variable minreclen is calculated using the namelen variable (minreclen = EXT2FS_DIRSIZ_lcl(namelen), that is, 11 bytes plus the name length, aligned on 4-byte boundaries). Shouldn't it be calculated using the reclen variable?

In the case I am working with, there are some bytes at the end of a specific record that are not used in the name, so the record is 28 bytes long: the header (8 bytes), the name length is 14 characters, and there are 6 extra unused bytes until the next entry, so using the record length is better than using the name length + 8 bytes.

In my case the ext2 linked list directory was like this (each entry in a line):

9f 00 08 00 0c 00 01 02 2e 00 00 00
8e 00 08 00 0c 00 02 02 2e 2e 00 00
a1 00 08 00 1c 00 0e 01 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 35 33 64 36 64 00
a0 00 08 00 cc 0f 0a 01 62 61 6e 6e 65 72 2e 63 73 73 00 00
a1 00 08 00 b8 0f 17 01 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 3b 34 39 39 35 33 64 36 64 00 00 00 00

The fls utility retrieved 3 entries in this folder (the first one was "stylesheet.css", and "stylesheet.css;49953d6d" was the third one). The second one, whose name should be "banner.css", wasn't displayed right (the name was "^^^bann", and the rest of the metadata was wrong).

If I change the minreclen calculation to "minreclen=reclen", the three entries are displayed right.

Regards,
Jordi Gilabert Vall
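The two stride rules discussed in the message, applied to the directory bytes it quotes; this is an added example, not code from the post or from The Sleuth Kit. It is a simplified walker, and the names walk, struct ent and DIRSIZ, along with the '^' substitution for non-printable name bytes, are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Directory bytes as quoted in the post (the first 107 bytes of the block). */
static const uint8_t blk[] = {
  0x9f,0x00,0x08,0x00,0x0c,0x00,0x01,0x02,0x2e,0x00,0x00,0x00,
  0x8e,0x00,0x08,0x00,0x0c,0x00,0x02,0x02,0x2e,0x2e,0x00,0x00,
  0xa1,0x00,0x08,0x00,0x1c,0x00,0x0e,0x01,0x73,0x74,0x79,0x6c,0x65,0x73,
  0x68,0x65,0x65,0x74,0x2e,0x63,0x73,0x73,0x35,0x33,0x64,0x36,0x64,0x00,
  0xa0,0x00,0x08,0x00,0xcc,0x0f,0x0a,0x01,0x62,0x61,0x6e,0x6e,0x65,0x72,
  0x2e,0x63,0x73,0x73,0x00,0x00,
  0xa1,0x00,0x08,0x00,0xb8,0x0f,0x17,0x01,0x73,0x74,0x79,0x6c,0x65,0x73,
  0x68,0x65,0x65,0x74,0x2e,0x63,0x73,0x73,0x3b,0x34,0x39,0x39,0x35,0x33,
  0x64,0x36,0x64,0x00,0x00,0x00,0x00 };

/* Hypothetical macro: 11 bytes plus the name length, aligned to 4 bytes. */
#define DIRSIZ(n) (((n) + 11u) & ~3u)
struct ent { size_t off; uint32_t inode; uint16_t rec_len; char name[256]; };

/* Simplified walker (not TSK's parser): step by rec_len or by DIRSIZ(name_len). */
static int walk(const uint8_t *b, size_t len, int by_reclen, struct ent *out, int max) {
    size_t off = 0; int n = 0;
    while (off + 8 <= len && n < max) {
        uint8_t name_len = b[off + 6];
        if (off + 8 + name_len > len) break;       /* name would run past the buffer */
        struct ent *e = &out[n++];
        e->off = off;
        e->inode = b[off] | b[off+1] << 8 | b[off+2] << 16 | (uint32_t)b[off+3] << 24;
        e->rec_len = (uint16_t)(b[off+4] | b[off+5] << 8);
        for (int i = 0; i < name_len; i++)         /* show non-printable bytes as '^' */
            e->name[i] = isprint(b[off+8+i]) ? (char)b[off+8+i] : '^';
        e->name[name_len] = '\0';
        size_t step = by_reclen ? e->rec_len : DIRSIZ(name_len);
        if (step < 8) break;                       /* corrupt length: avoid looping */
        off += step;
    }
    return n;
}

int main(void) {
    struct ent e[16];
    for (int mode = 0; mode <= 1; mode++) {
        int n = walk(blk, sizeof blk, mode, e, 16);
        printf("stride = %s\n", mode ? "rec_len" : "DIRSIZ(name_len)");
        for (int i = 0; i < n; i++)
            printf("  off %3zu inode %10u rec_len %5u name '%s'\n",
                   e[i].off, (unsigned)e[i].inode, (unsigned)e[i].rec_len, e[i].name);
    }
    return 0;
}
```

Stepping by DIRSIZ(name_len) lands at offset 48, inside the unused tail of the 28-byte record, and decodes a name_len of 8 with name bytes cc 0f 0a 01 62 61 6e 6e, consistent with the mangled "bann" name in the post. Stepping by rec_len yields ".", "..", "stylesheet.css" and "banner.css" and then stops, because the rec_len of banner.css (0x0fcc) extends beyond the quoted bytes.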