FW: Re: [sleuthkit-users] RE: Sleuthkit install problem
From: Angus M. <an...@n-...> - 2004-05-25 23:12:46
In-Reply-To: <B05...@sl...>
References: <B05...@sl...>

It really is late here - I sent this to Brian without copying it to the list. Apologies.

--forwarded message begins--
From: Angus Marshall <an...@n-...>
To: Brian Carrier <ca...@sl...>

On Tuesday 25 May 2004 18:41, Brian Carrier wrote:
> On May 25, 2004, at 11:35 AM, Drew Fahey wrote:
> > The problem is not 64-bit HW. I have the same problem on my laptop with
> > Fedora Core 2 as well. The problem is in the Kernel headers and with
> > util-linux. The kernel headers need to have the syscall5 macro fixed or
> > util-linux needs to be patched to not use llseek.
>
> So are you saying that this is a general problem with all applications
> that use llseek and Fedora Core 2 and they are working on a solution
> or that TSK needs to be fixed for Fedora Core specific things?

Not sure which is the case - but here's a thought (don't scream) - if src/makedefs is modified to change the "-DLINUX2" to read "-DOPENBSD3", sleuthkit seems to compile just fine.

What the implications of doing this are - I really don't know - it's 2 minutes to midnight here and I've just closed off two cases for delivery to the investigation team tomorrow, so my brain is pretty well fried anyway.

Brian, if I read the code correctly, this affects fs_tools.h and mm_tools.h and selects the OS-provided functions instead of the SK provided functions. Since SK seems to compile OK - could it be that Linux 2.6 now supports the functions better than 2.2/2.4 used to?

Of course, it looks like it will cause some problems with filesystem types, but maybe the workaround is for us Linux 2.6ers to patch src/fstools/fs_tools.h to make the LSEEK definition go to lseek instead of mylseek?

Is there a reference test that someone could perform to see if this would work? (I run Linux 2.4 on my desktop workstation and have a choice of 2.4 or 2.6 on my laptop so I'm happy to check one against the other if someone can suggest a valid test set)
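
A check along the lines of the reference test asked about above, as an added example that is not part of the original message or of the Sleuthkit sources: it confirms that plain lseek() with a 64-bit off_t positions and reads back correctly beyond the 2 GiB and 4 GiB boundaries. The scratch path, the 5 GiB offset, the marker string and the function name check_large_lseek are assumptions made for illustration.

```c
#define _FILE_OFFSET_BITS 64   /* request 64-bit off_t on 32-bit Linux */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed test offset: 5 GiB, past both the 2 GiB and 4 GiB limits. */
#define TEST_OFFSET ((long long)5 * 1024 * 1024 * 1024)

/* Returns 0 if lseek() positions and reads back correctly at TEST_OFFSET,
 * or a negative code naming the step that failed. */
int check_large_lseek(void)
{
    static const char marker[] = "TSKTEST";   /* constructed marker */
    char path[] = "/tmp/lseek_test_XXXXXX";   /* hypothetical scratch file */
    char buf[sizeof(marker)];
    int fd, rc = 0;

    if (sizeof(off_t) < 8)
        return -1;                     /* off_t cannot hold the offset */
    if ((fd = mkstemp(path)) < 0)
        return -2;
    unlink(path);                      /* file vanishes when fd closes */

    /* Seek past EOF and write: creates a sparse file, little disk used. */
    if (lseek(fd, (off_t)TEST_OFFSET, SEEK_SET) != (off_t)TEST_OFFSET)
        rc = -3;
    else if (write(fd, marker, sizeof(marker)) != (ssize_t)sizeof(marker))
        rc = -4;
    /* Rewind, seek again, and confirm the marker is where we put it. */
    else if (lseek(fd, 0, SEEK_SET) != 0 ||
             lseek(fd, (off_t)TEST_OFFSET, SEEK_SET) != (off_t)TEST_OFFSET)
        rc = -5;
    else if (read(fd, buf, sizeof(buf)) != (ssize_t)sizeof(buf) ||
             memcmp(buf, marker, sizeof(marker)) != 0)
        rc = -6;
    else if (lseek(fd, 0, SEEK_END) != (off_t)(TEST_OFFSET + sizeof(marker)))
        rc = -7;                       /* EOF must sit right after marker */
    close(fd);
    return rc;
}

int main(void)
{
    int rc = check_large_lseek();
    printf("large lseek check: %s (code %d)\n", rc ? "FAILED" : "ok", rc);
    return rc ? 1 : 0;
}
```

Building and running this on both a 2.4 and a 2.6 machine and comparing the result code gives a like-for-like comparison of the OS-provided lseek on each.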