[sleuthkit-users] Re: [sleuthkit-developers] Slack space and icat
From: Brian C. <ca...@sl...> - 2004-03-11 03:41:17
Ok, bug fixed. Stupid error using an unsigned variable. The same problem existed in the FFS code and is now fixed. The new versions can be found here:

sleuthkit.sf.net/sleuthkit/ffs.c
sleuthkit.sf.net/sleuthkit/ext2fs.c

One of the things that I forgot on the list of goals for v2 (and Knut Eckstein reminded me of) is that I want to go through the code and get rid of all of the uses of size_t and addr_t type variables and move to int32_t and u_int32_t because the sizes and signs for the different platforms are too confusing.

brian

On Mar 10, 2004, at 4:06 PM, Epsilon wrote:

> --- Brian Carrier <ca...@sl...> wrote:
>>
>> On Feb 18, 2004, at 1:58 PM, Epsilon wrote:
>>
>>> I'm getting a very large (>500 MB) file when using the -s option with
>>> icat when I should be getting a file that's around 40 KB. I'm using
>>> sleuthkit-1.67. Anyone else seeing this?
>>
>> Wow. What file system type? Can you send the output of running
>> 'istat' on it?
>
> OK, I've been meaning to respond to this for a while. I'm now using
> sleuthkit-1.68 under Fedora Core 1 with latest patches applied. I'm
> using the honeypot.hda5.dd image from here:
>
> http://honeynet.org/misc/files/challenge-images.tar
>
> And here's the exact command I'm running:
>
> $ ./icat -s -f linux-ext2 honeypot.hda5.dd 1604 > inode-1604-all.out
>
> After about 5 seconds I ^C it and run icat w/o the -s:
>
> $ ./icat -f linux-ext2 honeypot.hda5.dd 1604 > inode-1604-data.out
>
> Look at the results:
>
> $ ls -l *.out
> -rw-r--r-- 1 ep users 141107200 Mar 10 16:01 inode-1604-all.out
> -rw-r--r-- 1 ep users 119671 Mar 10 16:01 inode-1604-data.out
>
> I'm expecting to see inode-1604-all.out to be 122880 bytes in size
> (4096 * 30 clusters). Is this a wrong assumption?
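The message above names the cause only as an unsigned variable and does not show the faulty code. The following added example is a constructed sketch, not The Sleuth Kit's source, of how an unsigned byte counter in a block walk can produce the reported symptom when the last block is only partly used. The function names, the 4096-byte block size (taken from the reporter's own estimate) and the iteration cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE 4096u    /* assumed, from the reporter's "4096 * 30" */
#define MAX_BLOCKS 100000u  /* demo-only cap so the buggy walk terminates */

/* Buggy pattern: 'remaining' is unsigned, so subtracting a whole block
 * from a partly used final block wraps to a huge value, not below zero. */
uint64_t walk_unsigned(uint32_t file_size)
{
    uint32_t remaining = file_size;
    uint64_t written = 0;
    uint32_t blocks = 0;

    while (remaining > 0 && blocks < MAX_BLOCKS) {
        written += BLOCK_SIZE;    /* slack mode: emit the full block */
        remaining -= BLOCK_SIZE;  /* wraps when remaining < BLOCK_SIZE */
        blocks++;
    }
    return written;
}

/* Corrected pattern: subtract only what the block really holds, so the
 * counter reaches zero and the walk stops after the last block. */
uint64_t walk_clamped(uint32_t file_size)
{
    uint32_t remaining = file_size;
    uint64_t written = 0;

    while (remaining > 0) {
        uint32_t in_block = remaining < BLOCK_SIZE ? remaining : BLOCK_SIZE;
        written += BLOCK_SIZE;    /* still emit the slack of the last block */
        remaining -= in_block;
    }
    return written;
}

int main(void)
{
    uint32_t size = 119671;  /* inode 1604 data size from the ls output */
    printf("unsigned counter: %llu bytes (stopped by demo cap)\n",
           (unsigned long long)walk_unsigned(size));
    printf("clamped counter:  %llu bytes\n",
           (unsigned long long)walk_clamped(size));
    return 0;
}
```

Because 2^32 is a multiple of 4096, the wrapped counter in `walk_unsigned` never reaches zero for a size that is not block-aligned, so only the demo cap ends the loop; block-aligned sizes hide the defect.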