Re: [sleuthkit-users] file oddity
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] file oddity
|
From: Brian C. <ca...@sl...> - 2014-09-10 01:49:40
|
Hi Stuart, I'm wondering if the file in question is sparse and Ext4 isn't properly dealing with that. I made an issue for it. Any debugging help would be appreciated though to verify that in the original file. brian On Sep 3, 2014, at 3:21 PM, Stuart Maclean <st...@ap...> wrote: > I am using tsk 4.1.3 on Ubuntu, 64-bit machine. /dev/sda1 is a ext4 > filessytem. > > I have an inode for which istat claims > > allocated > inode: 1322012 > size: 4296704 > direct blocks: 5289177 > > If I dd the file, I do indeed see 4296704 bytes produced. Somewhat > curiously, the first 1876 bytes appear to be 'regular content', in fact > utf-16 text (the file itself is some sort of kde cache file), while the > remainder of the file, over 4MB, are all zeros. According to dd that is. > > Now, if I icat this file (icat also from 4.1.3), the icat produces only > 4096 bytes of content. I presume this number reflects the fact that > istat said there was only a single block, and the fs block size is > 4096. The icat output shows the same 1876 leading bytes as dd did, and > further has all zeros from there up to its 4096 byte length. > > I am not quite sure what is going on. I was under the impression that > icat and dd would give the same result for this file (and would for all > allocated files in general). > > Any help appreciated. > > Stuart > > > ------------------------------------------------------------------------------ > Slashdot TV. > Video for Nerds. Stuff that matters. > http://tv.slashdot.org/ > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
