Re: [sleuthkit-users] Autopsy "File Analysis" problem
From: Brian C. <ca...@sl...> - 2003-09-21 15:16:28
> I have just installed the Sleuthkit 1.65 and Autopsy 1.74 on a RH9
> system. During installation everything seemed fine, but now,
> unfortunately, the "File Analysis" mode in Autopsy seems to be broken.
> All files are displayed like this:
>
> Error parsing string: r/r * 5: Jimmy Jungle.doc (_IMMYJ~1.DOC)
> 2002.04.15 14:42:30 () 2002.09.11 00:00:00 () 2002.09.11 08:49:48 ()
> 20480 0 0

Stefan,

This is a known problem that I have not been able to reproduce. Hopefully you can help with this.

This error occurs because you used an invalid timezone when you set the host up. There should be a timezone value in between the '()' in the above line. For example, my output is '2002.04.15 14:42:30 (EST)' for the SOTM. Whenever I test this by making up an invalid timezone, it defaults to GMT and there is '(GMT)' in the line. All of my systems return some timezone value in the parenthesis.

I would like to add a check to add 'GMT' when no timezone is given by the system, but I first need to verify that the default value is actually GMT. To test this, we need a non-FAT image because FAT does not use timezones (which is why my times are the same as yours for the SOTM). So, if you could run the following as 'root', we can use your Linux file systems as a test (assuming that you have EXT3FS and not Reiser).

# istat -f linux-ext3 -z blah /dev/hda1 2
# istat -f linux-ext3 -z GMT /dev/hda1 2

The first will get the MAC times from the root directory with a made up timezone and it should have no timezone in the '()'. The second will run it with a valid timezone and should have '(GMT)'. Can you let me know the time difference between the two outputs, or ideally send the outputs to me (you can do it off list).

thanks,
brian
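The row Stefan pasted fails because Autopsy expects a zone label between the parentheses of every timestamp and gets an empty '()'. The following Python is an added example (not code from this thread, from Autopsy or from The Sleuth Kit) that parses rows in exactly the format quoted above, reproduces the "Error parsing string" failure when a zone label is missing, and shows the alternative Brian describes: substituting 'GMT' when the tool printed nothing. It also computes the difference in seconds between two printed timestamps, which is the number he asks Stefan to report for the two istat runs. Assumptions: the three timestamps are taken in the order they appear on the row (labelled only as first, second, third), the GMT fallback is Brian's proposed check rather than actual Autopsy behaviour, and the sample rows are constructed from the line in the report.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional, Tuple

# A timestamp as Autopsy/fls print it on this page: "2002.04.15 14:42:30 (EST)".
# The zone label is optional so that the "()" case from the report is matched
# and can be handled deliberately instead of failing the whole row.
TS_RE = re.compile(r"(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \(([^()]*)\)")
TS_FMT = "%Y.%m.%d %H:%M:%S"

# One "File Analysis" row as posted: type, optional '*' (deleted), inode,
# name (with the 8.3 short name in parentheses), three timestamps, size, uid, gid.
LINE_RE = re.compile(
    r"^(?P<type>[a-z-]/[a-z-])\s+(?P<deleted>\*\s+)?(?P<inode>\d+):\s+(?P<name>.+?)\s+"
    r"(?P<times>(?:\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} \([^()]*\)\s*){3})"
    r"(?P<size>\d+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s*$"
)


class Timestamp(NamedTuple):
    when: datetime      # naive wall-clock value exactly as printed
    zone: str           # label from the parentheses, or the substituted default
    zone_missing: bool  # True when the tool printed "()"


class FileEntry(NamedTuple):
    ftype: str
    deleted: bool
    inode: int
    name: str
    times: Tuple[Timestamp, ...]  # the three stamps in the order printed (assumed m, a, c)
    size: int
    uid: int
    gid: int


def parse_timestamp(text: str, default_zone: Optional[str] = None) -> Timestamp:
    """Parse one "YYYY.MM.DD HH:MM:SS (ZONE)" field.

    With default_zone=None an empty "()" is an error, which is the failure
    Autopsy reports. With default_zone="GMT" the label is filled in, which is
    the check Brian says he wants to add (assumed fix, not Autopsy's own code).
    """
    m = TS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("Error parsing string: %r" % text)
    when = datetime.strptime(m.group(1), TS_FMT)
    zone = m.group(2)
    if zone == "":
        if default_zone is None:
            raise ValueError("Error parsing string: no timezone in %r" % text)
        return Timestamp(when, default_zone, True)
    return Timestamp(when, zone, False)


def parse_file_line(line: str, default_zone: Optional[str] = None) -> FileEntry:
    """Parse one File Analysis row; raises ValueError the way Autopsy did."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("Error parsing string: %r" % line)
    stamps = tuple(
        parse_timestamp("%s (%s)" % pair, default_zone)
        for pair in TS_RE.findall(m.group("times"))
    )
    if len(stamps) != 3:
        raise ValueError("Error parsing string: expected 3 timestamps in %r" % line)
    return FileEntry(
        m.group("type"), m.group("deleted") is not None, int(m.group("inode")),
        m.group("name"), stamps, int(m.group("size")), int(m.group("uid")),
        int(m.group("gid")),
    )


def time_difference_seconds(a: str, b: str, default_zone: str = "GMT") -> int:
    """Seconds from timestamp a to timestamp b as printed, e.g. the same inode's
    time from 'istat -z blah' versus 'istat -z GMT'. Zero means the bogus zone
    fell back to the same offset as GMT, which is what Brian wants confirmed."""
    ta = parse_timestamp(a, default_zone)
    tb = parse_timestamp(b, default_zone)
    return int((tb.when - ta.when).total_seconds())


# Constructed sample rows modelled on the line in Stefan's report.
SAMPLE_BROKEN = ("r/r * 5: Jimmy Jungle.doc (_IMMYJ~1.DOC) 2002.04.15 14:42:30 () "
                 "2002.09.11 00:00:00 () 2002.09.11 08:49:48 () 20480 0 0")
SAMPLE_OK = ("r/r 5: Jimmy Jungle.doc (_IMMYJ~1.DOC) 2002.04.15 14:42:30 (EST) "
             "2002.09.11 00:00:00 (EST) 2002.09.11 08:49:48 (EST) 20480 0 0")

if __name__ == "__main__":
    print(parse_file_line(SAMPLE_OK))
    try:
        parse_file_line(SAMPLE_BROKEN)            # strict: fails like Autopsy
    except ValueError as exc:
        print(exc)
    print(parse_file_line(SAMPLE_BROKEN, "GMT"))  # tolerant: GMT substituted
    print(time_difference_seconds("2003.09.21 10:16:28 (EST)", "2003.09.21 15:16:28 (GMT)"))
```

The strict parse of the reported row raises the same kind of error Autopsy prints, while the tolerant parse records that the label was missing rather than silently trusting the substituted zone; keeping the `zone_missing` flag matters in a forensic tool, since a timestamp whose offset was guessed should not look identical to one the file system tool actually labelled.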