[sleuthkit-developers] [ sleuthkit-Bugs-3173095 ] fls misses allocated files in fat16 file system

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Bugs item #3173095, was opened at 2011-02-04 15:01
Message generated for change (Comment added) made by jlehr
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3173095&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: John Lehr (jlehr)
Assigned to: Nobody/Anonymous (nobody)
Summary: fls misses allocated files in fat16 file system

Initial Comment:
System: Sleuthkit 3.2.0 on Debian Testing, Target was a 2gb MicroSD imaged in ewf (encase6) with libewf 20100226.

BUG: The allocated files under directory "501" are not listed in recursive or direct listing but are listed by standard file list tools when the filesystem is mounted.  Specifying the -f fat16 flag has no effect.

$ fls -o137 -r image.dd
r/r 5:	._.Trashes
d/d * 6:	_RASHE~1.0ZW
d/d 8:	.Trashes
+ d/d 17056261:	501
+ r/r 17056263:	._501
d/d 10:	.fseventsd
+ r/r 17058311:	fseventsd-uuid
+ r/r 17058314:	0000000000007a09
+ r/r 17058317:	0000000000014426
v/v 61463043:	$MBR
v/v 61463044:	$FAT1
v/v 61463045:	$FAT2
d/d 61463046:	$OrphanFiles

$ fls -o137 image.dd 17056261 -a
d/d 17056261:	.
d/d 8:	..

$ tree --inodes -a  #mounted file system through xmount
.
|-- [    190]  DCIM
|   `-- [    195]  100media
|       `-- [    197]  Rec_000.3gp
|-- [    193]  .fseventsd
|   |-- [    202]  0000000000007a09
|   |-- [    203]  0000000000014426
|   `-- [    201]  fseventsd-uuid
|-- [    192]  .Trashes
|   |-- [    206]  501
|   |   |-- [    211]  Rec_000.3gp
|   |   `-- [    210]  sun810.3gp
|   `-- [    207]  ._501
`-- [    191]  ._.Trashes

--------------------------------------------------------------------
Additional data of interest:

$mmls image.dd 
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000136   0000000137   Unallocated
02:  00:00   0000000137   0003842047   0003841911   DOS FAT16 (0x06)

$fsstat -o137 image.ddFILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

OEM Name:         
Volume ID: 0x4326430
Volume Label (Boot Sector): ^@^@^@^@^@^@^@^@^@^@^@
Volume Label (Root Directory):
File System Type Label: FAT16   

Sectors before file system: 137

File System Layout (in sectors)
Total Range: 0 - 3841910
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 235
* FAT 1: 236 - 470
* Data Area: 471 - 3841910
** Root Directory: 471 - 502
** Cluster Area: 503 - 3841910

METADATA INFORMATION
--------------------------------------------
Range: 2 - 61463046
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 32768
Total Cluster Range: 2 - 60023

----------------------------------------------------------------------

>Comment By: John Lehr (jlehr)
Date: 2011-02-04 15:34

Message:
I just noticed the allocated DCIM folder (and contents) on the root is not
displayed by fls either.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3173095&group_id=55685