[sleuthkit-users] file oddity
From: Stuart M. <st...@ap...> - 2014-09-03 19:02:25
I am using tsk 4.1.3 on Ubuntu, 64-bit machine. /dev/sda1 is an ext4 filesystem. I have an inode for which istat claims

    allocated
    inode: 1322012
    size: 4296704
    direct blocks: 5289177

If I dd the file, I do indeed see 4296704 bytes produced. Somewhat curiously, the first 1876 bytes appear to be 'regular content', in fact utf-16 text (the file itself is some sort of kde cache file), while the remainder of the file, over 4MB, is all zeros. According to dd, that is.

Now, if I icat this file (icat also from 4.1.3), icat produces only 4096 bytes of content. I presume this number reflects the fact that istat said there was only a single block, and the fs block size is 4096. The icat output shows the same 1876 leading bytes as dd did, and further has all zeros from there up to its 4096 byte length.

I am not quite sure what is going on. I was under the impression that icat and dd would give the same result for this file (and would for all allocated files in general).

Any help appreciated.

Stuart
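Added example, not part of the original post: assuming the file is sparse (the post does not confirm this), this Python sketch builds a constructed file with the same 1876 content bytes and 4296704 logical size, then compares a full read through the filesystem with a read limited to the allocated data extents. All function names and the sample content are hypothetical; `os.SEEK_DATA` and `os.SEEK_HOLE` require Linux.

```python
import os
import tempfile

CONTENT_LEN = 1876       # leading content bytes reported in the post
LOGICAL_SIZE = 4296704   # size reported by istat in the post

def make_sparse_sample(path):
    """Constructed sample: 1876 bytes of UTF-16 text, then a hole up to LOGICAL_SIZE."""
    text = ("\u0101" * (CONTENT_LEN // 2)).encode("utf-16-le")  # 938 chars -> 1876 bytes
    with open(path, "wb") as f:
        f.write(text)
        f.truncate(LOGICAL_SIZE)   # extends the size without writing any blocks

def read_data_extents(path):
    """Return only the bytes that sit in allocated extents, skipping holes."""
    out = bytearray()
    fd = os.open(path, os.O_RDONLY)
    try:
        end, pos = os.fstat(fd).st_size, 0
        while pos < end:
            try:
                start = os.lseek(fd, pos, os.SEEK_DATA)
            except OSError:        # ENXIO: nothing but a hole remains
                break
            stop = os.lseek(fd, start, os.SEEK_HOLE)
            out += os.pread(fd, stop - start, start)
            pos = stop
    finally:
        os.close(fd)
    return bytes(out)

def describe(path):
    st = os.stat(path)
    with open(path, "rb") as f:
        full = f.read()            # full logical read: holes come back as zeros
    return {
        "logical_size": st.st_size,
        "allocated_bytes": st.st_blocks * 512,   # st_blocks counts 512-byte units
        "bytes_read": len(full),
        "content_end": len(full.rstrip(b"\0")),
        "extent_bytes": len(read_data_extents(path)),
    }

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.cache")
        make_sparse_sample(path)
        return describe(path)

if __name__ == "__main__":
    print(demo())
```

On a filesystem that supports holes, `allocated_bytes` and `extent_bytes` come out near one block while `bytes_read` equals the full logical size.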