[sleuthkit-users] file oddity, follow up
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] file oddity, follow up
|
From: Stuart M. <st...@ap...> - 2014-09-03 19:02:35
|
To follow up my recent post concerning icat and dd differences, I suspect my file in question has 'missing runs', i.e. the file content fits in a single block, and so the remainder of the advertised file size can be produced by the OS as all zeros. Looking at the docs for tsk_fs_file_read, which I suspect is used by icat, I note "0s are returned for missing runs of files" Does that mean the 'return value', or that '0s are inserted into the user buffer' and "Returns the number of bytes read or -1 on error" Does that mean the actual byte count read off disk, which would be 0 for a 'missing run' or does the return value accommodate a missing run, and return any count of 'produced zeros'? Again, and help appreciated. Stu |
