[sleuthkit-developers] [ sleuthkit-Bugs-3173095 ] fls misses allocated files in fat16 file system
From: SourceForge.net <no...@so...> - 2011-02-05 07:21:33
Bugs item #3173095, was opened at 2011-02-04 15:01
Message generated for change (Comment added) made by jlehr
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3173095&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: John Lehr (jlehr)
Assigned to: Nobody/Anonymous (nobody)
Summary: fls misses allocated files in fat16 file system

Initial Comment:
System: Sleuthkit 3.2.0 on Debian Testing, Target was a 2gb MicroSD imaged in ewf (encase6) with libewf 20100226.

BUG: The allocated files under directory "501" are not listed in recursive or direct listing but are listed by standard file list tools when the filesystem is mounted. Specifying the -f fat16 flag has no effect.

$ fls -o137 -r image.dd
r/r 5: ._.Trashes
d/d * 6: _RASHE~1.0ZW
d/d 8: .Trashes
+ d/d 17056261: 501
+ r/r 17056263: ._501
d/d 10: .fseventsd
+ r/r 17058311: fseventsd-uuid
+ r/r 17058314: 0000000000007a09
+ r/r 17058317: 0000000000014426
v/v 61463043: $MBR
v/v 61463044: $FAT1
v/v 61463045: $FAT2
d/d 61463046: $OrphanFiles

$ fls -o137 image.dd 17056261 -a
d/d 17056261: .
d/d 8: ..

$ tree --inodes -a #mounted file system through xmount
.
|-- [ 190] DCIM
|   `-- [ 195] 100media
|       `-- [ 197] Rec_000.3gp
|-- [ 193] .fseventsd
|   |-- [ 202] 0000000000007a09
|   |-- [ 203] 0000000000014426
|   `-- [ 201] fseventsd-uuid
|-- [ 192] .Trashes
|   |-- [ 206] 501
|   |   |-- [ 211] Rec_000.3gp
|   |   `-- [ 210] sun810.3gp
|   `-- [ 207] ._501
`-- [ 191] ._.Trashes

--------------------------------------------------------------------
Additional data of interest:

$mmls image.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000136   0000000137   Unallocated
02:  00:00   0000000137   0003842047   0003841911   DOS FAT16 (0x06)

$fsstat -o137 image.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16
OEM Name:
Volume ID: 0x4326430
Volume Label (Boot Sector): ^@^@^@^@^@^@^@^@^@^@^@
Volume Label (Root Directory):
File System Type Label: FAT16
Sectors before file system: 137

File System Layout (in sectors)
Total Range: 0 - 3841910
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 235
* FAT 1: 236 - 470
* Data Area: 471 - 3841910
** Root Directory: 471 - 502
** Cluster Area: 503 - 3841910

METADATA INFORMATION
--------------------------------------------
Range: 2 - 61463046
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 32768
Total Cluster Range: 2 - 60023

----------------------------------------------------------------------

>Comment By: John Lehr (jlehr)
Date: 2011-02-04 23:21

Message:
I have determined that tsk is only reporting one file system state prior to the current state in the FAT16 file system (after the initial file system change).

The problem can be reproduced thusly:

1) create an empty file with dd, e.g., dd if=/dev/zero of=fat16.dd bs=1024 count=102400
2) format the file fat16, e.g., mkfs.vfat -F16 fat16.dd
3) fls -r fat16.dd shows no files
4) mount fat16.dd
5) make a directory in the mounted fat16 file system, e.g., /dir1
6) fls -r fat16.dd shows dir1
7) make another directory, e.g., /dir2
8) fls -r fat16.dd shows only dir1
9) make another directory, e.g., /dir3, dir2 appears but not dir3.
10) Any query of the filesystem, such as ls or umount the file system, will cause fls to now report dir3.

The images I was examining were all mounted in OSX and had files moved to .Trashes. This in some cases, but not all, was the last action on the filesystem. Otherwise the cards were inserted in digital video cameras of an unknown manufacturer.

----------------------------------------------------------------------

Comment By: John Lehr (jlehr)
Date: 2011-02-04 15:34

Message:
I just noticed the allocated DCIM folder (and contents) on the root is not displayed by fls either.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3173095&group_id=55685
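
An added example, not part of the original bug report and not Sleuth Kit code: an independent cross-check for fls output that reads the FAT16 root directory straight from the raw image. The image bytes are constructed from the layout values in the fsstat output above; the function names, the sample file names and the slot numbering (root directory = 2, first root slot = 3) are assumptions of this example.

```python
import struct

SECTOR = 512

def short_entry(name83, attr):
    return name83.ljust(11).encode("ascii") + bytes([attr]) + bytes(20)

def build_sample_image():
    # Constructed image using the layout from the fsstat output above:
    # 1 reserved sector, 2 FATs of 235 sectors, 512 root entries, 32 KiB clusters.
    boot = bytearray(SECTOR)
    struct.pack_into("<HBHBH", boot, 11, SECTOR, 64, 1, 2, 512)
    struct.pack_into("<H", boot, 22, 235)
    root = b"".join([
        short_entry("DCIM", 0x10),                       # allocated directory
        b"\x41" + bytes(10) + b"\x0f" + bytes(20),       # long-name slot
        short_entry("NOTES   TXT", 0x20),                # allocated file
        b"\xe5" + short_entry("OLD     TXT", 0x20)[1:],  # deleted file
    ])
    return bytes(boot) + bytes(470 * SECTOR) + root.ljust(32 * SECTOR, b"\0")

def list_root_entries(img, part_offset=0):
    """Return (root_dir_sector, [(slot_no, type, name, allocated)])."""
    base = part_offset * SECTOR                # e.g. 137 for the image in the report
    bps, _spc, reserved, nfats, nroot = struct.unpack_from("<HBHBH", img, base + 11)
    (fatsz,) = struct.unpack_from("<H", img, base + 22)
    root_sector = reserved + nfats * fatsz     # FAT12/16 root dir follows the FATs
    found = []
    for i in range(nroot):
        off = base + root_sector * bps + i * 32
        ent = img[off:off + 32]
        if len(ent) < 32 or ent[0] == 0x00:    # 0x00 ends the directory
            break
        attr = ent[11]
        if attr & 0x08:                        # long-name slot (0x0F) or volume label
            continue
        allocated = ent[0] != 0xE5             # 0xE5 marks a deleted entry
        name = ent[0:8].decode("ascii", "replace").rstrip()
        ext = ent[8:11].decode("ascii", "replace").rstrip()
        if not allocated:
            name = "_" + name[1:]              # placeholder for the overwritten byte
        full = name + ("." + ext if ext else "")
        found.append((3 + i, "d" if attr & 0x10 else "r", full, allocated))
    return root_sector, found

if __name__ == "__main__":
    sector, entries = list_root_entries(build_sample_image())
    for slot, kind, name, alloc in entries:
        print(f"{kind}/{kind} {'' if alloc else '* '}{slot}: {name}")
```

Run against a real image, any allocated root entry printed here but absent from `fls` output is a discrepancy worth recording alongside the image hash.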