[sleuthkit-developers] fiwalk byte run options
From: Jon S. <jo...@li...> - 2013-01-29 21:27:04
Howdy,

The trunk version of fiwalk has option "-g", which adds TSK_FS_FILE_WALK_FLAG_AONLY to the flags for calls to tsk_fs_file_walk(). However, it is currently a useless option because the only way to trigger tsk_fs_file_walk() is if content::need_file_walk() in content.cpp returns true. Here is content::need_file_walk():

    bool content::need_file_walk() {
        return opt_md5 || opt_sha1 || opt_save || do_plugin || opt_magic || opt_get_fragments;
        // || opt_compute_sector_hashes;
    }

Any of the options "opt_md5 || opt_sha1 || opt_save || do_plugin || opt_magic" require the file content to be meaningful. That leaves "opt_get_fragments". In trunk, opt_get_fragments is initialized to false and never assigned to again.

This patch on github initializes opt_get_fragments to true while keeping -g to control only whether the data is retrieved. Additionally, it adds "-b" to set opt_get_fragments to false and suppress byte runs from being printed:

https://github.com/jonstewart/sleuthkit/commit/bcdc5f7b1c1123c73009eea2b6cc6c6746e3bdc1

However, both -g and -b only make sense if "opt_md5 || opt_sha1 || opt_save || do_plugin || opt_magic" is false.

My questions are:

1. Does this change (setting opt_get_fragments to true by default, adding -b to disable it) make sense to folks?

2. Does it make sense to add a check so that if (opt_md5 || opt_sha1 || opt_save || do_plugin || opt_magic) is true, then "-g" is overridden and the content is always retrieved?

cheers,

Jon

--
Jon Stewart, Principal
(646) 719-0317 | jo...@li... | Arlington, VA
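A sketch of the override asked about in question 2, added here as an illustration and not taken from the linked patch or the sleuthkit tree. The option struct and the flag constants are local stand-ins for fiwalk's globals and for TSK's TSK_FS_FILE_WALK_FLAG_* values, so the snippet compiles without the library headers:

```cpp
#include <cstdint>

// Local stand-ins for the TSK flag names (assumption: the real values
// live in tsk_fs.h; only the distinction NONE vs AONLY matters here).
enum WalkFlag : uint32_t {
    WALK_FLAG_NONE  = 0x00,
    WALK_FLAG_AONLY = 0x01,   // callback gets addresses only, no content
};

// Hypothetical mirror of the fiwalk options discussed in the post.
struct FiwalkOpts {
    bool md5 = false, sha1 = false, save = false, plugin = false, magic = false;
    bool get_fragments = true;    // proposed default; "-b" clears it
    bool addresses_only = false;  // "-g"
};

// True when some option needs the file's bytes, not just its byte runs.
bool needs_content(const FiwalkOpts& o) {
    return o.md5 || o.sha1 || o.save || o.plugin || o.magic;
}

// Same predicate as content::need_file_walk(): walk the file if either
// the content or the byte runs are wanted.
bool need_file_walk(const FiwalkOpts& o) {
    return needs_content(o) || o.get_fragments;
}

// Proposed rule: honour "-g" (AONLY) only when nothing needs the content.
// Otherwise force a full content walk, so hashing, saving, magic and
// plugins never run over buffers that were never filled.
uint32_t walk_flags(const FiwalkOpts& o) {
    if (needs_content(o)) return WALK_FLAG_NONE;
    return o.addresses_only ? WALK_FLAG_AONLY : WALK_FLAG_NONE;
}
```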