[sleuthkit-developers] [ sleuthkit-Bugs-3023481 ] icat exporting error, FAT
From: SourceForge.net <no...@so...> - 2010-09-18 13:29:53
Bugs item #3023481, was opened at 2010-06-30 13:35
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3023481&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System Tools
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Private: No
Submitted By: John Lehr (jlehr)
Assigned to: Nobody/Anonymous (nobody)
Summary: icat exporting error, FAT

Initial Comment:
icat of any deleted file in a FAT16 partition only exports 4kb of the file.

The Sleuth Kit ver 3.1.3b1
Ubuntu 10.04

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2010-09-18 08:29

Message:
Closing this since the issue was likely that non-recoverable files were trying to be exported.

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2010-08-13 11:18

Message:
If you still have the image, can you run 'istat' on the files that are not recovering as much as you expect (and not 'fsstat' on the full file system). Because of the way that FAT deletes files, TSK can't always figure out where the file used to be. It tries to guess where it was, but if it can't figure it out then it will only recover the first cluster of the file (which is stored in the directory entry).

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2010-06-30 21:00

Message:
Can you run 'istat' on the file? It will tell you if the file is recoverable or not.

----------------------------------------------------------------------

Comment By: John Lehr (jlehr)
Date: 2010-06-30 17:52

Message:
More information: in a fat32 file system with 32kb clusters, icat recovered 32kb of the deleted file.

Thus, the bug appears to be that icat extracts only one cluster of deleted files from fat32.

----------------------------------------------------------------------

Comment By: John Lehr (jlehr)
Date: 2010-06-30 16:05

Message:
Correction, Fat32 Partition:

FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: MSDOS5.0
Volume ID: 0x861f3d71
Volume Label (Boot Sector): NO NAME
Volume Label (Root Directory): CRUZER
File System Type Label: FAT32
Next Free Sector (FS Info): 90352
Free Sector Count (FS Info): 5609032

Sectors before file system: 63

File System Layout (in sectors)
Total Range: 0 - 15695441
* Reserved: 0 - 35
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 36 - 15333
* FAT 1: 15334 - 30631
* Data Area: 30632 - 15695441
** Cluster Area: 30632 - 15695439
*** Root Directory: 30632 - 30639
** Non-clustered: 15695440 - 15695441

METADATA INFORMATION
--------------------------------------------
Range: 2 - 250636966
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 1958102

Further study shows that regular files are extracted correctly with icat and the issue is limited to deleted files over 4.0 K.

----------------------------------------------------------------------
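The behaviour described in the 2010-08-13 comment, modelled as an added example that is not part of the original thread and is not TSK's code. It assumes a simplified guess (take the next unallocated clusters at or after the start cluster); the FAT contents, the 10000-byte file size and the function names are constructed for illustration.

```python
# Simplified model of deleted-file recovery on FAT (illustrative; not TSK's code).
FREE = 0             # FAT entry value for an unallocated cluster
EOC = 0x0FFFFFFF     # FAT32 end-of-chain marker, used here to mean "allocated"
CLUSTER_SIZE = 4096  # cluster size reported by fsstat in the thread

def make_fat(n_clusters, allocated):
    """Build a constructed FAT: every entry FREE except the listed clusters."""
    fat = [FREE] * n_clusters
    for c in allocated:
        fat[c] = EOC
    return fat

def guess_deleted_run(fat, start, size, cluster_size=CLUSTER_SIZE):
    """Guess which clusters a deleted file occupied.

    Deletion clears the file's FAT chain, so only the start cluster and the
    size (both kept in the directory entry) are known. Assumed heuristic:
    the file used the next unallocated clusters at or after the start.
    Returns (clusters, recoverable); on failure only the start cluster.
    """
    need = max(1, -(-size // cluster_size))  # ceiling division
    run = []
    for c in range(start, len(fat)):
        if fat[c] == FREE:
            run.append(c)
            if len(run) == need:
                return run, True
    return [start], False

def exported_bytes(run, size, cluster_size=CLUSTER_SIZE):
    """Bytes an export of the guessed run would contain."""
    return min(size, len(run) * cluster_size)

if __name__ == "__main__":
    size = 10000  # constructed deleted file: needs 3 clusters of 4096 bytes
    cases = {
        "contiguous free space": make_fat(16, [2, 3, 4]),
        "cluster 6 reused":      make_fat(16, [2, 3, 4, 6]),
        "too few free clusters": make_fat(8, [2, 3, 4, 6, 7]),
    }
    for name, fat in cases.items():
        run, ok = guess_deleted_run(fat, 5, size)
        print(f"{name}: clusters={run} recoverable={ok} "
              f"bytes={exported_bytes(run, size)}")
```

The last case yields a single 4096-byte cluster, which matches the symptom in the initial report; a guessed run is a hypothesis about old contents, so its data should be validated (for example against file-type structure) before it is relied on as evidence.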