Re: [sleuthkit-users] TSK_FS_ATTR.id uniqueness bug with ext2
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] TSK_FS_ATTR.id uniqueness bug with ext2
|
From: Brian C. <ca...@sl...> - 2016-03-29 01:58:01
|
Hey Jon,
Those docs should certainly be updated. There is another comment about:
#define TSK_FS_ATTR_ID_DEFAULT 0 ///< Default Data ID used if file system does not assign one.
And TSK_FS_ATTR_ID_DEFAULT is what Ext2 is using for its ID. So, the easiest thing is to update the docs as you suggested. Do you have a use case where having an ID would be useful? It would probably not be much work to make that happen if it is important.
thanks,
brian
> On Mar 28, 2016, at 3:57 PM, Jon Stewart <JSt...@St...> wrote:
>
> The docs say:
>
> "Each attribute has a type and an ID. The types are defined in the TSK_FS_ATTR_TYPE_ENUM structure and the ID is an integer that is unique to the file. A file can have multiple attributes with the same type, but it can have only one attribute with a given id."
>
> But I have an ext2 filesystem, some simple test evidence, where many files have two different attributes with id == 0. The docs also say that "TSK stores UFS and ExtX indirect blocks in separate attribute. [sic]" With these files there are type 4097 attributes, TSK_FS_ATTR_TYPE_UNIX_INDIR, so presumably such attributes contain the pointers for indirect blocks. It looks like these types of attributes also do not respect the uniqueness of attribute IDs.
>
> My guess is that the docs should be updated to reflect that attribute ID is unique only for given types, although it sure would be convenient to have a unique attribute ID regardless of type.
>
> Example:
>
> "attrs":[
> {
> "flags":"In Use, Non resident",
> "id":0,
> "name":"",
> "size":348576,
> "type":1,
> "rd_buf_size":0,
> "nrd_allocsize":352256,
> "nrd_compsize":0,
> "nrd_initsize":348576,
> "nrd_skiplen":0,
> "nrd_runs":[
> {"addr":34009,"flags":"","len":12,"offset":0},
> {"addr":34022,"flags":"","len":74,"offset":12},
> {"addr":0,"flags":"Sparse","len":950,"offset":86}
> ]
> },
> {
> "flags":"In Use, Non-resident",
> "id":0,
> "name":"",
> "size":4096,
> "type":4097,
> "rd_buf_size":0,
> "nrd_allocsize":4096,
> "nrd_compsize":0,
> "nrd_initsize":4096,
> "nrd_skiplen":0,
> "nrd_runs":[
> {"addr":34021,"flags":"","len":1,"offset":0}
> ]
> }]
>
>
> Jon Stewart
> Development Manager
>
> STROZ FRIEDBERG
> 1150 Connecticut Avenue, NW, Suite 700, Washington, DC 20036
>
> T: +1 202.534.3290
> M: +1 202.492.4412
> F: +1 202.534.5700
> JSt...@St... www.strozfriedberg.com
>
> This message and/or its attachments may contain information that is confidential and/or protected by privilege from disclosure. If you have reason to believe you are not the intended recipient, please immediately notify the sender by reply e-mail or by telephone, then delete this message (and any attachments), as well as all copies, including any printed copies. Thank you.
>
>
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
|
