Re: [sleuthkit-users] fls core

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Brian Carrier wrote:
>  
> 
> 
>>when i run fls from the shell as follows :
>>
>>/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s0-root.dd
>>
>>i dont get any core.
> 
> 
> That is very strange.  Save the 'fls' output to a file.  How big is the
> file?  I've never seen perl core though because the output was so big.
> What do you have the timezone, timeskew, and mounting point set as?
> Those are also passed when Autopsy actually runs the tools.

I have the following dd images ,
one for each mont point in the original filesystem :
-rw-r--r--  1 root  wheel   1075994624 Mar 16 22:08 c0t0d0s0-root.dd
-rw-r--r--  1 root  wheel   1075994624 Mar 18 15:42 c0t0d0s1-var.dd
-rw-r--r--  1 root  wheel    106151936 Mar 18 15:56 c0t0d0s5-opt.dd
-rw-r--r--  1 root  wheel  12624842752 Mar 17 22:29 c0t0d0s6-usr.dd
-rw-r--r--  1 root  wheel   2149576704 Mar 18 16:45 c0t0d0s7-exporthome.dd

Inside Autopsy host definition :
/mnt/host/ 		images/c0t0d0s0-root.dd details
/mnt/host/export/home/ 	images/c0t0d0s7-exporthome.dd details
/mnt/host/opt/ 		images/c0t0d0s5-opt.dd details
/mnt/host/usr/ 		images/c0t0d0s6-usr.dd details
/mnt/host/var/ 		images/c0t0d0s1-var.dd

Timezone: CET
Timeskew: 1

 From the command line :

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s0-root.dd > c0t0d0s0.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s0.txt
-rw-r--r--  1 root  staff  672014 Mar 24 15:47 c0t0d0s0.txt

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s1-var.dd > c0t0d0s1.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s1.txt
-rw-r--r--  1 root  staff  626144 Mar 24 15:56 c0t0d0s1.txt

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s5-opt.dd > c0t0d0s5.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s5.txt
-rw-r--r--  1 root  staff  421 Mar 24 15:58 c0t0d0s5.txt

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s6-usr.dd > c0t0d0s6.txt
./fls: read block read error (8192@12624838656): Unknown error: 0
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s6.txt
-rw-r--r--  1 root  staff  545931 Mar 24 15:59 c0t0d0s6.txt

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s7-exporthome.dd > c0t0d0s7.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s7.txt
-rw-r--r--  1 root  staff  184 Mar 24 16:00 c0t0d0s7.txt

As i pasted in the previous email ,
several core messages appear in the Autopsy browser ,
not only in the creation of the data file in timeline section,
also for example when i go to file analysis :
Deleted Files      Type
dir  / in    File Name    Modified Time    Access Time    Change Time 
  Size    UID    GID    Meta
Error parsing string: Segmentation fault (core dumped)

I removed from config the biggest image that gives a read error ,
but the cores remains , also if i work with only the smallest one.

Best regards ,
Josep M Homs