Re: [sleuthkit-users] Autopsy "File Analysis" problem

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

> I have just installed the Sleuthkit 1.65 and Autopsy 1.74 on a RH9
> system. During installation everything seemed fine, but now,
> unfortunately, the "File Analysis" mode in Autopsy seems to be broken.
> Alle files are displayed like this:
>
> Error parsing string: r/r * 5: Jimmy Jungle.doc (_IMMYJ~1.DOC)
> 2002.04.15 14:42:30 () 2002.09.11 00:00:00 () 2002.09.11 08:49:48 ()
> 20480 0 0
>
Stefan,

This is a known problem that I have not been able to reproduce.  
Hopefully you can help with this.

This error occurs because you used an invalid timezone when you set the 
host up.  There should be a timezone value in between the '()' in the 
above line.  For example, my output is '2002.04.15 14:42:30 (EST)' for 
the SOTM.  Whenever I test this by making up an invalid timezone, it 
defaults to GMT and there is '(GMT)' in the line.  All of my systems 
return some timezone value in the parenthesis.

I would like to add a check to add 'GMT' when no timezone is given by 
the system, but I first need to verify that the default value is 
actually GMT.  To test this, we need a non-FAT image because FAT does 
not use timezones (hence why my times are the same as yours for the 
SOTM).  So, if you could run the following as 'root', we can use your 
Linux file systems as a test (assuming that you have EXT3FS and not 
Resier).

# istat -f linux-ext3 -z blah /dev/hda1 2

# istat -f linux-ext3 -z GMT /dev/hda1 2

The first will get the MAC times from the root directory with a made up 
timezone and it should have no timezone in the '()'.  The second will 
run it with a valid timezone and should have '(GMT)'.  Can you let me 
know the time difference between the two outputs, or ideally send the 
outputs to me (you can do it off list).

thanks,
brian