Re: [sleuthkit-developers] fiwalk byte run options
From: Jon S. <jo...@li...> - 2013-02-01 22:49:19
Opened it this afternoon.

Jon

On Fri, Feb 1, 2013 at 5:23 PM, Brian Carrier <ca...@sl...> wrote:
> Simson said he was fine with this. Can you send a pull request?
>
> On Jan 29, 2013, at 3:24 PM, Jon Stewart <jo...@li...> wrote:
>
>> Howdy,
>>
>> The trunk version of fiwalk has option "-g", which adds
>> TSK_FS_FILE_WALK_FLAG_AONLY to the flags for calls to
>> tsk_fs_file_walk(). However, it is currently a useless option because
>> the only way to trigger tsk_fs_file_walk() is if
>> content::need_file_walk() in content.cpp returns true. Here is
>> content::need_file_walk():
>>
>> bool content::need_file_walk()
>> {
>>     return opt_md5 || opt_sha1 || opt_save || do_plugin || opt_magic
>>         || opt_get_fragments;
>>     //  || opt_compute_sector_hashes;
>> }
>>
>> Any of the options "opt_md5 || opt_sha1 || opt_save || do_plugin ||
>> opt_magic" require the file content to be meaningful. That leaves
>> "opt_get_fragments". In trunk, opt_get_fragments is initialized to
>> false and never assigned to again.
>>
>> This patch on github initializes opt_get_fragments to true while
>> keeping -g to control only whether the data is retrieved.
>> Additionally, it adds "-b" to set opt_get_fragments to false and
>> suppress byte runs from being printed:
>>
>> https://github.com/jonstewart/sleuthkit/commit/bcdc5f7b1c1123c73009eea2b6cc6c6746e3bdc1
>>
>> However, both -g and -b only make sense if "opt_md5 || opt_sha1 || opt_save
>> || do_plugin || opt_magic" is false.
>>
>> My questions are:
>>
>> 1. Does this change (setting opt_get_fragments to true by default,
>> adding -b to disable it) make sense to folks?
>>
>> 2. Does it make sense to add a check so that if (opt_md5 || opt_sha1
>> || opt_save || do_plugin || opt_magic) is true, then "-g" is
>> overridden and the content is always retrieved?
>>
>> cheers,
>>
>> Jon
>> --
>> Jon Stewart, Principal
>> (646) 719-0317 | jo...@li... | Arlington, VA

--
Jon Stewart, Principal
(646) 719-0317 | jo...@li... | Arlington, VA
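
The option precedence raised in the two questions of the message above, modelled as an added example; this is not fiwalk's code and not part of the original thread. The `opt_*` and `do_plugin` names come from the quoted message, while `opt_addr_only`, `WalkPlan`, `needs_content`, `plan_walk` and the local `WALK_FLAG_AONLY` stand-in are assumptions made for the sketch.

```cpp
#include <cstdio>

// Stand-in for TSK_FS_FILE_WALK_FLAG_AONLY so the sketch builds without
// libtsk; the numeric value here is local to this example.
constexpr unsigned WALK_FLAG_AONLY = 0x04;

// Option state named after the fiwalk variables quoted in the message.
// opt_addr_only is a hypothetical name for what "-g" sets.
struct Options {
    bool opt_md5 = false, opt_sha1 = false, opt_save = false;
    bool do_plugin = false, opt_magic = false;
    bool opt_get_fragments = true;   // proposed default; "-b" clears it
    bool opt_addr_only = false;      // set by "-g"
};

struct WalkPlan {
    bool walk;        // call tsk_fs_file_walk() at all?
    unsigned flags;   // flags to pass when walking
    bool g_ignored;   // "-g" was given but had to be overridden
};

// True when some consumer hashes, saves or inspects the file bytes.
bool needs_content(const Options &o) {
    return o.opt_md5 || o.opt_sha1 || o.opt_save || o.do_plugin || o.opt_magic;
}

// Same condition as content::need_file_walk() in the message.
bool need_file_walk(const Options &o) {
    return needs_content(o) || o.opt_get_fragments;
}

// Question 2 as code: address-only walking is honoured only when nothing
// consumes content, so a hash is never computed over bytes never read.
WalkPlan plan_walk(const Options &o) {
    WalkPlan p{need_file_walk(o), 0u, false};
    if (!p.walk) return p;
    if (o.opt_addr_only && !needs_content(o)) p.flags |= WALK_FLAG_AONLY;
    else if (o.opt_addr_only) p.g_ignored = true;
    return p;
}

int main() {
    Options o; o.opt_addr_only = true; o.opt_md5 = true;   // "-g" plus MD5
    WalkPlan p = plan_walk(o);
    std::printf("walk=%d flags=0x%x g_ignored=%d\n", p.walk, p.flags, p.g_ignored);
    return 0;
}
```

Reporting `g_ignored` lets a caller warn the examiner that "-g" was overridden instead of silently changing behaviour.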