Re: [sleuthkit-developers] fiwalk byte run options
From: Brian C. <ca...@sl...> - 2013-02-02 20:03:58
Merged in. Thanks.

On Feb 1, 2013, at 5:25 PM, Jon Stewart wrote:

> Opened it this afternoon.
>
>
> Jon
>
> On Fri, Feb 1, 2013 at 5:23 PM, Brian Carrier <ca...@sl...> wrote:
>> Simson said he was fine with this. Can you send a pull request?
>>
>> On Jan 29, 2013, at 3:24 PM, Jon Stewart <jo...@li...> wrote:
>>
>>> Howdy,
>>>
>>> The trunk version of fiwalk has option "-g", which adds
>>> TSK_FS_FILE_WALK_FLAG_AONLY to the flags for calls to
>>> tsk_fs_file_walk(). However, it is currently a useless option because
>>> the only way to trigger tsk_fs_file_walk() is if
>>> content::need_file_walk() in content.cpp returns true. Here is
>>> content::need_file_walk():
>>>
>>> bool content::need_file_walk()
>>> {
>>>     return opt_md5 || opt_sha1 || opt_save || do_plugin || opt_magic
>>>         || opt_get_fragments;
>>>     // || opt_compute_sector_hashes;
>>> }
>>>
>>> Any of the options "opt_md5 || opt_sha1 || opt_save || do_plugin ||
>>> opt_magic" require the file content to be meaningful. That leaves
>>> "opt_get_fragments". In trunk, opt_get_fragments is initialized to
>>> false and never assigned to again.
>>>
>>> This patch on github initializes opt_get_fragments to true while
>>> keeping -g to control only whether the data is retrieved.
>>> Additionally, it adds "-b" to set opt_get_fragments to false and
>>> suppress byte runs from being printed:
>>>
>>> https://github.com/jonstewart/sleuthkit/commit/bcdc5f7b1c1123c73009eea2b6cc6c6746e3bdc1
>>>
>>>
>>> However, both -g and -b only make if "opt_md5 || opt_sha1 || opt_save
>>> || do_plugin || opt_magic" is false.
>>>
>>> My questions are:
>>>
>>> 1. Does this change (setting opt_get_fragments to true by default,
>>> adding -b to disable it) make sense to folks?
>>>
>>> 2. Does it make sense to add a check so that if (opt_md5 || opt_sha1
>>> || opt_save || do_plugin || opt_magic) is true, then "-g" is
>>> overridden and the content is always retrieved?
>>>
>>>
>>> cheers,
>>>
>>>
>>> Jon
>>> --
>>> Jon Stewart, Principal
>>> (646) 719-0317 | jo...@li... | Arlington, VA
>>
>
>
>
> --
> Jon Stewart, Principal
> (646) 719-0317 | jo...@li... | Arlington, VA
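
Added example, not part of the original thread or of fiwalk's source: one way to express the check asked about in question 2, so that -g only sets the address-only flag when no option needs file content. WALK_FLAG_AONLY is a stand-in constant, and opt_no_data, needs_content(), walk_flags() and g_overridden() are hypothetical names.

```cpp
// Added illustration; not fiwalk source. Option names mirror the thread.
#include <cstdio>

// Stand-in for the TSK flag named in the thread; the value here is
// constructed for the example, not taken from the TSK headers.
static const int WALK_FLAG_AONLY = 0x08;

struct Options {
    bool opt_md5 = false, opt_sha1 = false, opt_save = false;
    bool do_plugin = false, opt_magic = false;
    bool opt_get_fragments = true;   // default after the patch; -b clears it
    bool opt_no_data = false;        // hypothetical name for what -g sets
};

// Options whose output depends on the file's actual bytes.
bool needs_content(const Options &o) {
    return o.opt_md5 || o.opt_sha1 || o.opt_save || o.do_plugin || o.opt_magic;
}

// Same shape as content::need_file_walk() quoted in the thread.
bool need_file_walk(const Options &o) {
    return needs_content(o) || o.opt_get_fragments;
}

// Question 2: honor -g only when nothing needs the data.
int walk_flags(const Options &o) {
    if (o.opt_no_data && !needs_content(o)) return WALK_FLAG_AONLY;
    return 0;
}

// True when -g was given but overridden, so the caller can warn the user.
bool g_overridden(const Options &o) {
    return o.opt_no_data && needs_content(o);
}

int main() {
    Options o;               // defaults: byte runs on, no hashing
    o.opt_no_data = true;    // -g
    std::printf("-g alone: walk=%d flags=0x%x\n", need_file_walk(o), walk_flags(o));
    o.opt_md5 = true;        // -g together with an MD5 request
    std::printf("-g + md5: flags=0x%x overridden=%d\n", walk_flags(o), g_overridden(o));
    Options b;
    b.opt_get_fragments = false;   // -b with nothing else requested
    std::printf("-b alone: walk=%d\n", need_file_walk(b));
    return 0;
}
```

Without such a check, combining -g with a hashing option would run the walk without file data even though, as the thread notes, those options need the content to be meaningful.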