Re: [sleuthkit-users] fls simply reports usage information?
From: Seth A. <sa...@im...> - 2005-01-06 05:54:36
On Thu, Jan 06, 2005 at 12:18:53AM -0500, Brian Carrier wrote:
> > fls -f fat -la -s 0 /path/to/dd/image 2
>
> [For future reference, the commands are listed in the execution log in
> the evidence locker. :) ]

Oh, how convenient! You've thought of everything. :) My fairly blunt
strace at least showed the same thing the execution log shows.

> Are you sure you have a partition image and not a disk image? What is
> the error message before the usage information is displayed. There
> should be one line that explains why it gave an error.

Sadly, there isn't even the one-liner error message. :( I've appended
output near the end.

I'm positive I have a partition image; I still have that shell open, and
its history command shows that I copied /dev/sda1 -- the first partition
on the first SCSI disk. (Linux supports Sandisk by emulating a SCSI
drive.)

(While I don't know filesystem internals well enough to tell from the
contents of what I've got, maybe you do. So I've appended that near the
end as well. :)

> Hmm. I do not know of anyone that has used them under Debian on an
> iBook. There could be an endian ordering issue with the package. You
> may want to try directly from the source.

"Try directly from the source" -- do you mean try running autopsy and TSK
on my brother's OS X machine? Or compiling TSK from source?

I tried compiling TSK from Debian's source on the machine, with identical
results. (This shouldn't surprise me. I did it with intentions of being
able to try suggestions that include source modifications. :)

I haven't tried running TSK on my brother's OS X machine simply because
I've never compiled anything on it and didn't want to bother late at
night. :)

Thanks Brian.

ps: now I can't recall if I mentioned that I tried a variety of fat*
filesystem types -- fat12, fat16, fat32, FAT12, FAT16, FAT32, and just
plain fat. (I tried the 12 bit fat out of desperation. No way a gigabyte
SD card uses FAT12 though...
:)

The log file includes this:

Wed Jan 5 00:49:30 2005: '/usr/bin/fls' -f fat -la -s 0 '/home/sarnold/eric_sandisk/ericsandisk/macosx/images/eric_sandisk' 2

Running fls by hand:

$ /usr/bin/fls -f fat -la -s 0 /home/sarnold/sandisk.dd
usage: /usr/bin/fls [-adDFlpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s seconds] image [inode]
	If [inode] is not given, the root directory is used
	-a: Display "." and ".." entries
	-d: Display deleted entries only
	-D: Display directory entries only
	-F: Display file entries only (NOTE: This was -f in TCTUTILs)
	-l: Display long version (like ls -l)
	-m: Display output in mactime input format with
	    dir/ as the actual mount point of the image
	-p: Display full path for each file
	-r: Recurse on directory entries
	-u: Display undeleted entries only
	-v: verbose output to stderr
	-V: Print version
	-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
	-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)
	-f fstype: Image file system type
Supported file system types:
	bsdi (BSDi FFS)
	fat (auto-detect FAT)
	fat12 (FAT12)
	fat16 (FAT16)
	fat32 (FAT32)
	freebsd (FreeBSD FFS)
	linux-ext (auto-detect Linux EXTxFS)
	linux-ext2 (Linux EXT2FS)
	linux-ext3 (Linux EXT3FS)
	netbsd (NetBSD FFS)
	ntfs (NTFS)
	openbsd (OpenBSD FFS)
	raw (Raw Data)
	solaris (Solaris FFS)
	swap (Swap Space)
$

Running fls under ltrace:

$ cat /tmp/fls.out
__libc_start_main(7, 0x7ffffd14, 0x7ffffd34, 0x7ffffd7c, 0x3000bee4 <unfinished ...>
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") = 102
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") = 108
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") = 97
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") = 115
__strtol_internal("0", NULL, 10) = 0
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") = -1
printf("usage: %s [-adDFlpruvV] [-f fsty"..., "/usr/bin/fls") = 93
puts("\tIf [inode] is not given, the ro"...) = 53
puts("\t-a: Display "." and ".." entrie"...) = 34
....
And, a bit of the start of the partition image:

$ od /tmp/fivetwelve | head
0000000 165476 110120 073562 051550 067564 020000 001040 000400
0000020 001000 001000 000370 172400 037400 020000 037400 000000
0000040 140603 017000 100000 024710 060736 066105 047523 057504
0000060 044507 044524 040514 043101 052061 033040 020040 031777
0000100 107337 137000 076215 116344 000616 043402 176271 000002
0000120 171644 143407 054000 177457 106310 175216 150274 000006
0000140 175613 166203 166026 142466 074000 104566 173214 057370
0000160 106576 165271 005400 053763 122137 107331 137170 000211
0000200 036214 042002 007037 143105 002022 143105 004417 131000
0000220 110715 011640 014000 173046 015000 104506 175203 037352

$ hexdump /tmp/fivetwelve | head
0000000 eb3e 9050 7772 5368 6f74 2000 0220 0100
0000010 0200 0200 00f8 f500 3f00 2000 3f00 0000
0000020 c183 1e00 8000 29c8 61de 6c45 4f53 5f44
0000030 4947 4954 414c 4641 5431 3620 2020 33ff
0000040 8edf be00 7c8d 9ce4 018e 4702 fcb9 0002
0000050 f3a4 c707 5800 ff2f 8cc8 fa8e d0bc 0006
0000060 fb8b ec83 ec16 c536 7800 8976 f68c 5ef8
0000070 8d7e eab9 0b00 57f3 a45f 8ed9 be78 0089
0000080 3c8c 4402 0e1f c645 0412 c645 090f b200
0000090 91cd 13a0 1800 f626 1a00 8946 fa83 3eea
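As an added example (not from the post, and not TSK's own code), a small Python decoder for the BIOS Parameter Block of the boot sector shown in the hexdump above: it derives the cluster count the way a FAT reader does (which is what decides FAT12/16/32, not the label string) and shows how reading the same fields in big-endian order, the kind of misread Brian's endianness hint points at, fails every sanity check. The field names and the thresholds in looks_like_fat are my own choices; the hexdump bytes are transcribed from the post.

```python
import struct


def fat_type(clusters: int) -> str:
    """The FAT variant is defined by the cluster count, not by the label."""
    if clusters < 4085:
        return "FAT12"
    if clusters < 65525:
        return "FAT16"
    return "FAT32"


# Constructed for this example: the first 64 bytes of the partition image,
# transcribed from the hexdump in the post above (it was taken on a big-endian
# iBook, so each printed 16-bit word is already in on-disk byte order).
BOOT_SECTOR_HEAD = bytes.fromhex(
    "eb3e9050777253686f74200002200100"   # jmp, OEM "PwrShot ", start of BPB
    "0200020000f8f5003f0020003f000000"
    "c1831e00800029c861de6c454f535f44"   # total sectors, volume id, label...
    "49474954414c46415431362020203 3ff".replace(" ", "")
)


def parse_bpb(sector: bytes, byteorder: str = "<") -> dict:
    """Decode the BIOS Parameter Block (offset 11) and derive the cluster count.
    FAT stores these fields little-endian ("<"); passing ">" shows what a build
    that reads them in host order on a big-endian machine would see."""
    (bps, spc, reserved, nfats, root_entries, total16, media,
     spf, _spt, _heads, _hidden, total32) = struct.unpack_from(
        byteorder + "HBHBHHBHHHII", sector, 11)
    total = total16 or total32                       # 16-bit count, else 32-bit
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps if bps else 0
    data_sectors = total - (reserved + nfats * spf + root_dir_sectors)
    clusters = data_sectors // spc if spc else 0
    return {
        "oem": sector[3:11].decode("ascii", "replace"),
        "label": sector[43:54].decode("ascii", "replace"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "num_fats": nfats, "media": media,
        "sectors_per_fat": spf, "total_sectors": total,
        "clusters": clusters, "fat_type": fat_type(clusters),
    }


def looks_like_fat(bpb: dict) -> bool:
    """The sanity checks a FAT reader applies before trusting a boot sector."""
    return (bpb["bytes_per_sector"] in (512, 1024, 2048, 4096)
            and bpb["sectors_per_cluster"] in (1, 2, 4, 8, 16, 32, 64, 128)
            and bpb["reserved_sectors"] > 0 and bpb["num_fats"] in (1, 2)
            and bpb["media"] >= 0xF0 and bpb["total_sectors"] > 0)
```

Calling parse_bpb(BOOT_SECTOR_HEAD) yields 512-byte sectors, 32 sectors per cluster, 1999809 sectors in total (about 1 GB) and 62477 clusters, so FAT16; parse_bpb(BOOT_SECTOR_HEAD, ">") yields 2-byte sectors and is rejected by looks_like_fat.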