Re: [sleuthkit-users] Bug in the icat command into sleuthkit-4.1.0 version for EXT4 support
From: Brian C. <ca...@sl...> - 2013-09-05 14:39:55
Agreed on the intended behavior. I'll log a bug about that.

On Sep 5, 2013, at 9:16 AM, Grundy Barry J TIGTA <Bar...@ti...> wrote:

> ./icat -f ext4 -r /dev/sda3 483647 >picture.jpg
>
> for any deleted file when I run an icat command like this I'm getting this error message
>
> Invalid API argument (tsk_fs_attrlist_get: Null list pointer)
>
> I don’t think I would label that as a bug…I’ve been testing 4.1.0 and what you are seeing is on my list of items to address (you beat me to it).
>
> I think the message is simply describing “expected behavior” for ext4, but it’s presenting itself as an error which seems a little confusing - at least that’s my take on it. The message is most likely coming from the fact that the Direct Blocks are zeroed out when a file is deleted on ext4 (as with ext3). If you run istat on the inode in question, you get the same error right where “direct blocks” are listed at the bottom of the output.
>
> You won’t be able to recover deleted files on ext3/4 with icat. The block pointers are gone, and the error message is telling you that. It’s the “Error reading file:” that makes it look like a bug.
>
> You will get the same results with an ext3 image, but WITHOUT the confusing error message. The blocks just show up as empty in istat.
>
> I prefer the ext3 behavior. It might be nice to have both ext3 and ext4 state that there are no pointers to follow, to eliminate confusion. I would try a patch myself, but I’m no programmer.
>
> /*******************************************
> Barry J. Grundy
> Assistant Special Agent in Charge
> Digital Forensic Support Group
> Electronic Crimes and Intelligence Division
> Treasury Inspector General for Tax Administration
> (301) 210-8741 (w)
> (202) 527-5778 (c)
> Bar...@ti...
> ********************************************\
>
> From: Maikel Alonso [mailto:mai...@gm...]
> Sent: Thursday, September 05, 2013 8:09 AM
> To: sle...@li...
> Subject: [sleuthkit-users] Bug in the icat command into sleuthkit-4.1.0 version for EXT4 support
>
> Hi all:
>
> I'm testing the 4.1.0 version of sleuthkit and I think I've found a bug.
>
> I've compiled the sources downloaded from
>
> http://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.1.0/sleuthkit-4.1.0.tar.gz/download
>
> and then when I use the command
>
> # fls -f ext4 -dpFrl /dev/sda3 on my Ubuntu 13.04 64bits
>
> I get correctly many lines with information about deleted files
>
> all lines are like
>
> r/r * 483647: home/mainu/Imágenes/IMG_20121114_190334.jpg 2013-09-05 07:12:50 (CEST) 2013-09-03 23:05:13 (CEST) 2013-09-05 07:12:50 (CEST) 2012-11-19 16:16:30 (CET) 0 1000 1000
>
> but the problem is when I run the command
>
> ./icat -f ext4 -r /dev/sda3 483647 >picture.jpg
>
> for any deleted file when I run an icat command like this I'm getting this error message
>
> Invalid API argument (tsk_fs_attrlist_get: Null list pointer)
>
> and nothing is recovered.
>
> This is not happening for fat deleted files. They are recovered correctly.
>
> Is there a bug in the ext4 support? What do you think?
>
> Thanks in advance.
> Makelen
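
Added example, not part of the thread and not The Sleuth Kit's code: a check on a raw ext3/ext4 inode that reports whether any block addresses are left to follow, which is the condition the thread says icat hits on deleted files. The field offsets are the ext4 on-disk inode layout; the sample inodes, `block_map_state` and `sample_inode` are constructed for illustration, and the deleted ext4 sample assumes the extent header is left in place with zero entries.

```python
import struct

EXT4_EXTENTS_FL = 0x00080000  # i_flags: i_block holds an extent tree (ext4)
EXT4_EXT_MAGIC = 0xF30A       # eh_magic in the extent header

def block_map_state(inode: bytes) -> dict:
    """Report whether a raw on-disk ext3/ext4 inode still has block addresses to follow."""
    if len(inode) < 0x28 + 60:
        raise ValueError("need the inode up to the end of i_block (100 bytes)")
    size_lo, = struct.unpack_from("<I", inode, 0x04)
    dtime, = struct.unpack_from("<I", inode, 0x14)
    flags, = struct.unpack_from("<I", inode, 0x20)
    i_block = inode[0x28:0x28 + 60]
    runs, index_nodes = [], False          # runs: (start block, block count)
    if flags & EXT4_EXTENTS_FL:
        layout = "extents"
        magic, entries, _max, depth = struct.unpack_from("<HHHH", i_block, 0)
        if magic == EXT4_EXT_MAGIC and depth == 0:
            for i in range(min(entries, 4)):   # at most 4 extents fit in i_block
                _lblk, ee_len, hi, lo = struct.unpack_from("<IHHI", i_block, 12 + 12 * i)
                count = ee_len if ee_len <= 32768 else ee_len - 32768  # uninitialized extent
                runs.append(((hi << 32) | lo, count))
        elif magic == EXT4_EXT_MAGIC:
            index_nodes = entries > 0          # leaf extents live in other blocks
    else:
        layout = "block pointers"
        ptrs = struct.unpack_from("<15I", i_block, 0)
        runs = [(p, 1) for p in ptrs[:12] if p]   # 12 direct pointers
        index_nodes = any(ptrs[12:])              # single/double/triple indirect
    return {"layout": layout, "deleted": dtime != 0, "size_lo": size_lo,
            "runs": runs, "followable": bool(runs) or index_nodes}

def sample_inode(flags, dtime, size, i_block=b""):
    # Builds a constructed 128-byte inode; not data from the poster's disk.
    raw = bytearray(128)
    struct.pack_into("<HxxI", raw, 0x00, 0x81A4, size)  # regular file 0644, i_size_lo
    struct.pack_into("<I", raw, 0x14, dtime)
    struct.pack_into("<I", raw, 0x20, flags)
    raw[0x28:0x28 + len(i_block)] = i_block
    return bytes(raw)

def extent_header(entries):
    return struct.pack("<HHHHI", EXT4_EXT_MAGIC, entries, 4, 0, 0)

# Constructed samples: a live ext4 file, that inode after deletion, a deleted ext3 inode.
LIVE_EXT4 = sample_inode(EXT4_EXTENTS_FL, 0, 32768,
                         extent_header(1) + struct.pack("<IHHI", 0, 8, 0, 34816))
DELETED_EXT4 = sample_inode(EXT4_EXTENTS_FL, 1378357970, 0, extent_header(0))
DELETED_EXT3 = sample_inode(0, 1378357970, 0)
```

A result with `deleted` true and `followable` false is the case where a tool could state that there are no pointers to follow instead of raising an API error.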