[sleuthkit-users] TSK_FS_ATTR.id uniqueness bug with ext2
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] TSK_FS_ATTR.id uniqueness bug with ext2
|
From: Jon S. <JSt...@St...> - 2016-03-28 20:18:17
|
The docs say:
"Each attribute has a type and an ID. The types are defined in the TSK_FS_ATTR_TYPE_ENUM structure and the ID is an integer that is unique to the file. A file can have multiple attributes with the same type, but it can have only one attribute with a given id."
But I have an ext2 filesystem, some simple test evidence, where many files have two different attributes with id == 0. The docs also say that "TSK stores UFS and ExtX indirect blocks in separate attribute. [sic]" With these files there are type 4097 attributes, TSK_FS_ATTR_TYPE_UNIX_INDIR, so presumably such attributes contain the pointers for indirect blocks. It looks like these types of attributes also do not respect the uniqueness of attribute IDs.
My guess is that the docs should be updated to reflect that attribute ID is unique only for given types, although it sure would be convenient to have a unique attribute ID regardless of type.
Example:
"attrs":[
{
"flags":"In Use, Non resident",
"id":0,
"name":"",
"size":348576,
"type":1,
"rd_buf_size":0,
"nrd_allocsize":352256,
"nrd_compsize":0,
"nrd_initsize":348576,
"nrd_skiplen":0,
"nrd_runs":[
{"addr":34009,"flags":"","len":12,"offset":0},
{"addr":34022,"flags":"","len":74,"offset":12},
{"addr":0,"flags":"Sparse","len":950,"offset":86}
]
},
{
"flags":"In Use, Non-resident",
"id":0,
"name":"",
"size":4096,
"type":4097,
"rd_buf_size":0,
"nrd_allocsize":4096,
"nrd_compsize":0,
"nrd_initsize":4096,
"nrd_skiplen":0,
"nrd_runs":[
{"addr":34021,"flags":"","len":1,"offset":0}
]
}]
Jon Stewart
Development Manager
STROZ FRIEDBERG
1150 Connecticut Avenue, NW, Suite 700, Washington, DC 20036
T: +1 202.534.3290
M: +1 202.492.4412
F: +1 202.534.5700
JSt...@St... www.strozfriedberg.com
This message and/or its attachments may contain information that is confidential and/or protected by privilege from disclosure. If you have reason to believe you are not the intended recipient, please immediately notify the sender by reply e-mail or by telephone, then delete this message (and any attachments), as well as all copies, including any printed copies. Thank you.
|
