[sleuthkit-users] Sleuthkit implementation inconsistent with API documentation
From: noxdafox <nox...@gm...> - 2016-09-24 19:18:57
Greetings,

I am integrating TSK within a tool to add its forensics capabilities. I am writing an API capable of retrieving the inode of a given block in a similar manner as for the command:

ifind -d 1232 win.dd

I am using the ifind logic as a reference implementation and I stumbled over some inconsistency with the API documentation.

According to the documentation, the tsk_fs_attr_walk function calls a callback function passing the address (TSK_DADDR_T) of the data block being analysed:
http://www.sleuthkit.org/sleuthkit/docs/api-docs/4.2/tsk__fs_8h.html#a90bf87426f9ff3b898a6bdc61a8eff76

The documentation states that the user must check the flags (TSK_FS_BLOCK_FLAG_ENUM, http://www.sleuthkit.org/sleuthkit/docs/api-docs/4.2/tsk__fs_8h.html#a1e6bf157f5d258191bf5d8ae31ee7148) and verify the block is raw (TSK_FS_BLOCK_FLAG_RAW). Yet the implementation seems to check only whether the block is sparse or not (TSK_FS_BLOCK_FLAG_SPARSE):
https://github.com/sleuthkit/sleuthkit/blob/develop/tsk/fs/ifind_lib.c#L479

I guess that check could be avoided by passing the no-sparse flag (TSK_FS_FILE_WALK_FLAG_NOSPARSE) to the tsk_fs_attr_walk function.

After further reading, it seems to me that enforcing the blocks to be raw would skip compressed ones, which would be valid as well.

What do you think is the correct approach? Shall I just skip sparse blocks, or shall I report only raw blocks?

Thank you.
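The two block-selection policies the post contrasts, written out as an added example (not code from the post or from The Sleuth Kit): a tsk_fs_attr_walk()-style callback that looks for the file owning a given block, with the "skip sparse" check of ifind_lib.c beside the "raw only" check the API docs describe. The flag values and the callback signature are taken from the TSK public headers as I recall them and are assumptions; the typedefs are local stand-ins so the block compiles without libtsk.

```c
#include <stddef.h>
#include <stdint.h>
/* Opaque stand-ins and flag values mirroring tsk_fs.h (assumption) so this
 * compiles without libtsk; with it, include <tsk/libtsk.h> instead. */
typedef uint64_t TSK_DADDR_T;
typedef int64_t  TSK_OFF_T;
typedef struct TSK_FS_FILE TSK_FS_FILE;
typedef enum {
    TSK_FS_BLOCK_FLAG_RAW    = 0x0010, /* real on-disk block */
    TSK_FS_BLOCK_FLAG_SPARSE = 0x0020, /* hole: addr is meaningless */
    TSK_FS_BLOCK_FLAG_COMP   = 0x0040  /* compressed, still on disk */
} TSK_FS_BLOCK_FLAG_ENUM;
typedef enum { TSK_WALK_CONT = 0, TSK_WALK_STOP = 1 } TSK_WALK_RET_ENUM;
enum policy { SKIP_SPARSE, RAW_ONLY };   /* the two options in the post */

struct find_ctx {            /* reaches the callback through a_ptr */
    TSK_DADDR_T target;      /* block asked about, e.g. 1232 */
    enum policy pol;
    int found;
};

/* ifind_lib.c only rejects SPARSE blocks; requiring RAW, as the API docs
 * say, additionally drops COMP blocks that do have a disk address. */
int block_has_address(TSK_FS_BLOCK_FLAG_ENUM flags, enum policy pol)
{
    return pol == RAW_ONLY ? (flags & TSK_FS_BLOCK_FLAG_RAW) != 0
                           : (flags & TSK_FS_BLOCK_FLAG_SPARSE) == 0;
}

/* Callback in the shape tsk_fs_attr_walk() invokes (signature per the API docs; assumption). */
TSK_WALK_RET_ENUM find_block_cb(TSK_FS_FILE *f, TSK_OFF_T off, TSK_DADDR_T addr,
                               char *buf, size_t len, TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
{
    struct find_ctx *ctx = (struct find_ctx *)ptr;
    (void)f; (void)off; (void)buf; (void)len;
    if (block_has_address(flags, ctx->pol) && addr == ctx->target) {
        ctx->found = 1;
        return TSK_WALK_STOP;        /* owning file found, stop the walk */
    }
    return TSK_WALK_CONT;
}

/* Feed a constructed block run through the callback, as the walk would for one
 * attribute, and report whether `target` was matched. */
int find_in_run(const TSK_DADDR_T *addrs, const TSK_FS_BLOCK_FLAG_ENUM *flags,
                size_t n, TSK_DADDR_T target, enum policy pol)
{
    struct find_ctx ctx = { target, pol, 0 };
    for (size_t i = 0; i < n && !ctx.found; i++)
        find_block_cb(NULL, (TSK_OFF_T)(i * 4096), addrs[i], NULL, 4096, flags[i], &ctx);
    return ctx.found;
}
```

A sparse block is reported with a meaningless address (0 in the constructed run), so a search for block 0 must not match it under either policy; a compressed block at the searched address matches only under the skip-sparse policy.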