Re: [sleuthkit-developers] output of ntfs file names.
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-developers] output of ntfs file names.
|
From: Lee A. <ay...@in...> - 2011-01-19 21:20:02
|
Oh my, upon further review I kinda screwed up my problem. It happened
quite a while back and I hacked a fix into 3.1.3 that I had to revisit
as I was working on confirming that 3.2.0 will integrate into our
process. Working from memory is a bad policy, however I was on the
right track. Ill show the code and give an illustrative example.
Beginning with line 4187 in ntfs.c
if (fs_file->meta->name2) {
TSK_FS_META_NAME_LIST *fs_name = fs_file->meta->name2;
tsk_fprintf(hFile, "Name: ");
while (fs_name) {
tsk_fprintf(hFile, "%s", fs_name->name);
fs_name = fs_name->next;
if (fs_name)
tsk_fprintf(hFile, ", ");
else
tsk_fprintf(hFile, "\n");
}
}
I have come across instances in the wild of files with the same name
attribute twice. I dont know enough about the way Windows manages
files to be able to assert why that was. Such a file with a duplicated
name attribute, for example, with the name "Larry, Curly, and Moe"
would have the following line in istat output:
"Name: Larry, Curly, and Moe, Larry, Curly, and Moe"
A human reader may be able to tease that apart, but a script is likely
to freak out.
On Wed, Jan 19, 2011 at 2:52 PM, Brian Carrier <ca...@sl...> wrote:
> Hi Lee,
>
> Can you point to an example in the code where this happens? Line number is fine if you have one. I'm not sure that I am following the problem.
>
> thanks,
> brian
>
>
> On Jan 19, 2011, at 1:46 PM, Lee Ayres wrote:
>
>> In the current version of ntfs.c multiple names are concatenated
>> together and separated by white space. This makes multiple names
>> difficult to distinguish from file names with white space in them. I
>> propose that a change be made to the formatting of names for output.
--
Lee T. Ayres, Senior Analyst
Interhack Corporation
http://web.interhack.com/ +1 614 545 4225
|
