Re: [sleuthkit-users] hashing a file system
From: Stuart M. <st...@ap...> - 2014-09-05 17:09:35
Hi all,

I'm glad to have provoked some conversation on the merits (or otherwise!) of md5 sums as useful representations of the state of a file system.

Can anyone enlighten me as to the meaning of the 'flags' member in a TSK_FS_ATTR_RUN? Specifically, what does this comment mean?

    TSK_FS_ATTR_RUN_FLAG_FILLER = 0x01, ///< Entry is a filler for a run that has not been seen yet in the processing (or has been lost)

In a fs I am walking and inspecting the runs for, I am seeing run structs with addr 0 and flags 1. I was under the impression that any run address of 0 represented a 'missing run', i.e. that this part of the file content is N zeros, where N = run.length * fs.blocksize. I presume that would be the case were the run flags value 2:

    TSK_FS_ATTR_RUN_FLAG_SPARSE = 0x02 ///< Entry is a sparse run where all data in the run is zeros

If I use istat, I can see inodes which have certain 'Direct Blocks' of value 0, and when I see M consecutive 0 blocks that matches up to a 'missing run' when inspecting the runs using the tsk lib (actually my tsk4j Java binding, which is now finally showing its worth since I can do all data structure manipulation in Java, nicer than in C, for me at least).

I am worried that, being 'filler' and not 'sparse', the partial file content represented by the run(s) with addr 0 is not necessarily a sequence of zeros.

Can anyone shed light on this? Brian?

Thanks

Stuart
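The distinction the post is asking about matters for the hashing question that started the thread: a run flagged SPARSE contributes a known sequence of zeros, while a run flagged FILLER stands in for blocks whose content has not been seen (or has been lost), so a digest computed over it is not a statement about the file's actual bytes. The following is an added example, not code from The Sleuth Kit or from the tsk4j binding. It models each run as the (addr, len, flags) triple that TSK_FS_ATTR_RUN carries, over a constructed in-memory image with a constructed 512-byte block size, and hashes a file from its run list while recording how many blocks were sparse and how many were filler. The flag values are the ones quoted from tsk_fs.h above (TSK_FS_ATTR_RUN_FLAG_NONE = 0x00 is the library's value for an ordinary run). The sample image, the run lists and the file size are all constructed here for illustration.

```python
"""
Hash a file from its TSK_FS_ATTR_RUN list, keeping SPARSE and FILLER apart.

Added example for this thread; not TSK or tsk4j code. Runs are modelled as
(addr, len, flags) over a constructed in-memory image. A real walk would take
the same three fields from each TSK_FS_ATTR_RUN and read blocks from the image.
"""
import hashlib
from dataclasses import dataclass
from typing import List

# Flag values as in tsk_fs.h (FILLER and SPARSE are quoted in the message above).
TSK_FS_ATTR_RUN_FLAG_NONE = 0x00    # ordinary run: read addr..addr+len-1 from the image
TSK_FS_ATTR_RUN_FLAG_FILLER = 0x01  # run not seen yet / lost: content is unknown
TSK_FS_ATTR_RUN_FLAG_SPARSE = 0x02  # run is all zeros by definition

BLOCK_SIZE = 512  # constructed; a real fs.block_size comes from TSK_FS_INFO


@dataclass(frozen=True)
class Run:
    addr: int     # first block of the run (0 for sparse and filler runs)
    length: int   # run length in blocks
    flags: int


@dataclass(frozen=True)
class HashResult:
    digest: str
    complete: bool       # False if any FILLER run had to be stood in for
    sparse_blocks: int
    filler_blocks: int


def run_content(image: bytes, run: Run, block_size: int) -> bytes:
    """Bytes a run contributes. FILLER yields zeros only as a stand-in so the
    walk can continue; the caller records that the digest is not authoritative."""
    n = run.length * block_size
    if run.flags & (TSK_FS_ATTR_RUN_FLAG_SPARSE | TSK_FS_ATTR_RUN_FLAG_FILLER):
        return b"\x00" * n
    start = run.addr * block_size
    if start + n > len(image):
        raise ValueError(f"run {run} extends past the end of the image")
    return image[start:start + n]


def hash_runs(image: bytes, runs: List[Run], file_size: int,
              block_size: int = BLOCK_SIZE, algorithm: str = "md5") -> HashResult:
    """Walk the run list in order, hash file_size bytes, and count run kinds."""
    h = hashlib.new(algorithm)
    remaining = file_size
    sparse = filler = 0
    for run in runs:
        if remaining <= 0:
            break
        if run.flags & TSK_FS_ATTR_RUN_FLAG_FILLER:
            filler += run.length
        elif run.flags & TSK_FS_ATTR_RUN_FLAG_SPARSE:
            sparse += run.length
        chunk = run_content(image, run, block_size)[:remaining]  # drop slack in the last block
        h.update(chunk)
        remaining -= len(chunk)
    if remaining > 0:
        raise ValueError(f"run list is {remaining} bytes short of the file size")
    return HashResult(h.hexdigest(), filler == 0, sparse, filler)


def direct_digest(content: bytes, algorithm: str = "md5") -> str:
    """Digest of bytes already in hand; used to cross-check the run walk."""
    return hashlib.new(algorithm, content).hexdigest()


# Constructed 5-block image: block 0 is zeros and is never referenced by a real run.
SAMPLE_IMAGE = b"".join(bytes([c]) * BLOCK_SIZE for c in b"\x00ABCD")
FILE_SIZE = 3 * BLOCK_SIZE + 100  # four blocks allocated, the last one partly slack

# A genuinely sparse file: block of 'A', two zero blocks, block of 'C'.
SPARSE_RUNS = [Run(1, 1, TSK_FS_ATTR_RUN_FLAG_NONE),
               Run(0, 2, TSK_FS_ATTR_RUN_FLAG_SPARSE),
               Run(3, 1, TSK_FS_ATTR_RUN_FLAG_NONE)]
# Same shape, but the middle run is the addr 0 / flags 1 placeholder the post describes.
FILLER_RUNS = [Run(1, 1, TSK_FS_ATTR_RUN_FLAG_NONE),
               Run(0, 2, TSK_FS_ATTR_RUN_FLAG_FILLER),
               Run(3, 1, TSK_FS_ATTR_RUN_FLAG_NONE)]


def expected_sparse_content() -> bytes:
    """What the sparse file's bytes must be, assembled by hand for the cross-check."""
    return (b"A" * BLOCK_SIZE + b"\x00" * (2 * BLOCK_SIZE) + b"C" * BLOCK_SIZE)[:FILE_SIZE]


if __name__ == "__main__":
    for name, runs in (("sparse", SPARSE_RUNS), ("filler", FILLER_RUNS)):
        r = hash_runs(SAMPLE_IMAGE, runs, FILE_SIZE)
        print(f"{name}: md5={r.digest} complete={r.complete} "
              f"sparse_blocks={r.sparse_blocks} filler_blocks={r.filler_blocks}")
```

The two run lists produce byte-identical digests, which is exactly the trap: if a walker silently substitutes zeros for filler runs, a file with unread or lost blocks hashes the same as a genuinely sparse one. Carrying the `complete` flag and the filler block count alongside the digest keeps that difference visible, and `complete=False` is the signal to re-walk the attribute (or to read the blocks another way) before treating the hash as evidence.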