Re: [sleuthkit-users] OS X Errors
From: Brian C. <ca...@sl...> - 2003-10-13 22:19:17
On Monday, October 13, 2003, at 09:15 AM, McMillon, Matt wrote:

> I'm consistently getting these two errors on a Redhat 7.3 ext3 image.
> Also, the OS X compiled fsstat does not seem to differentiate between
> ext2 & 3.

The only difference between ext2 and ext3 is that ext3 has a journal,
but The Sleuth Kit does not read the journal so there should be no
difference.

> Errors:
>
> Error parsing string: -/- * 0: =A9=A3'@`=DF =A9=A3$@'2@?<@(=EDM
> Error parsing string: ^=E7=FF=BF=D5 @p%@`! 0000.00.00 00:00:00 (GMT)
> 0000.00.00 00:00:00 (GMT) 0000.00.00 00:00:00 (GMT) 0
> 0 0

Wow! What is happening is that the 'fls' tool is looking in the
directory for deleted file name entries. The above data met its
requirements for a valid deleted structure. There are currently no
name checks because it is possible to make file names with
non-printable ASCII. Autopsy, though, will only accept printable ASCII.
Therefore, I must either update Autopsy so that it reads unprintable
ASCII (although you would never see it in the browser ..) or add some
constraints into 'fls'. Either way, you can ignore the message. It
processed the rest of the entries after it found the error.

> ERROR: Negative byte offset (-89) Your version of strings likely does
> not support large files

Did you install the strings script for OS X? The strings that comes
with OS X doesn't support the same flags as binutils and this script
converts the syntax (if you put it in /usr/local/bin).

http://prdownloads.sourceforge.net/autopsy/strings?download

brian
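The situation described in the reply above (bytes in directory slack that pass structural checks for a deleted entry but carry a non-printable name), as an added example that is not part of the original message and is not The Sleuth Kit's code. The structural checks, `max_inode`, and the 64-byte block are assumptions constructed for illustration; only the ext2 directory entry layout is taken from the file system format.

```python
import struct

HDR = struct.Struct("<IHBB")  # ext2 dir entry: inode, rec_len, name_len, file_type

def used_len(name_len):
    """Bytes an entry needs: 8-byte header plus name, padded to 4."""
    return (HDR.size + name_len + 3) & ~3

def plausible(block, off, limit, max_inode):
    """Structural checks only (assumed for this example); the name is not inspected."""
    if off + HDR.size > limit:
        return None
    inode, rec_len, name_len, ftype = HDR.unpack_from(block, off)
    if not 0 < inode <= max_inode or name_len == 0 or ftype > 7:
        return None
    if rec_len % 4 or rec_len < used_len(name_len) or off + used_len(name_len) > limit:
        return None
    return inode, block[off + HDR.size:off + HDR.size + name_len]

def printable(name):
    """Printable ASCII only."""
    return all(0x20 <= b < 0x7F for b in name)

def deleted_entries(block, max_inode):
    """Yield (offset, inode, name, is_printable) for candidates in the slack after live entries."""
    off = 0
    while off + HDR.size <= len(block):
        _, rec_len, name_len, _ = HDR.unpack_from(block, off)
        if rec_len < HDR.size or off + rec_len > len(block):
            break  # corrupt live chain, stop walking
        end, cand = off + rec_len, off + used_len(name_len)
        while cand < end:
            hit = plausible(block, cand, end, max_inode)
            if hit:
                yield cand, hit[0], hit[1], printable(hit[1])
                cand += used_len(len(hit[1]))
            else:
                cand += 4
        off = end

def entry(inode, rec_len, name, ftype=1):
    return HDR.pack(inode, rec_len, len(name), ftype) + name.ljust(used_len(len(name)) - HDR.size, b"\0")

def sample_block():
    """Constructed 64-byte block: two live entries, then one real deleted entry and one junk run in the slack."""
    junk = entry(9, 20, b"\xa9\xa3'@`\xdf")  # constructed bytes that happen to pass the checks
    return entry(2, 12, b".", 2) + entry(12, 52, b"keep.txt") + entry(13, 16, b"old.log") + junk + b"\0" * 4

if __name__ == "__main__":
    for off, inode, name, ok in deleted_entries(sample_block(), max_inode=100):
        print(off, inode, name, "ok" if ok else "non-printable name: flag or filter")
```

Both candidates pass the structural checks; only the separate name check tells them apart, which is why a consumer that accepts printable ASCII only needs either its own filter or a flag from the scanner.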