[sleuthkit-users] Strange files found by "fsd"
From: jisse <ji...@ko...> - 2006-08-04 18:28:03
Hi,

I had the wonderful idea of cross-checking the files on an Ext2/Ext3 filesystem seen by "fsd" with the files seen with a simple "readdir()" statement. The result was interesting: I found a lot of files that weren't supposed to be there.

The command "fsd -rupfm / /dev/hda2" run on a default Fedora Core 5 installation showed some weird entries that could not be seen by a "readdir()" in a Perl script. One of the entries was the following:

    0|/etc/rc.d/init.d/^T|0|14386|0|-/----------|0|0|0|0|0|0|0|0|4096|0

I had sent the output to a logfile, so I could determine that the filename was "/etc/rc.d/init.d/^T", where the "^T" was a control character. A simple "ls" of course didn't show this file.

I opened up "debugfs" and did a "stat" on the file name: the file could not be found. Hmm, so 'fls' finds it and 'debugfs' does not? I checked the validity of the inode number 14386 with "ncheck" and discovered "debugfs" could not find any inode with that number either. But still, if I ran "fsd" again, the same file popped up again.

Other strange files included:

    /etc/pam.d/  (with a space as filename)
    /etc/ntp/(

Any ideas?

Regards,
Jisse

This mail signature is distributed under the GNU General Public License. For more information visit http://www.gnu.org/copyleft/gpl.html
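One way to automate the cross-check described in the post, as an added example that is not part of the original message or of The Sleuth Kit: it parses pipe-delimited lines in the layout of the one quoted above, compares each basename against what readdir() returned for the same directory, and renders control characters in caret notation so a name like ^T becomes visible in the report. The 16-field order and the sample lines are constructed assumptions inferred from that single quoted line, not tool documentation or real output; in a live run the readdir sets would come from os.listdir().

```python
import posixpath
from typing import Dict, List, Optional, Set

# Constructed sample in the 16-field pipe-delimited layout of the line quoted in
# the post.  The field order assumed here (md5|path|dev|inode|mode|mode_str|
# nlink|uid|gid|rdev|size|atime|mtime|ctime|blksize|blocks) is inferred from
# that one line, not taken from tool documentation.  "\x14" is the ^T control
# character from the post; the pam.d entry mirrors the "space as filename" case.
SAMPLE_FSD_OUTPUT = (
    "0|/etc/rc.d/init.d/network|0|14371|0|-/-rwxr-xr-x|1|0|0|0|7412|0|0|0|4096|16\n"
    "0|/etc/rc.d/init.d/\x14|0|14386|0|-/----------|0|0|0|0|0|0|0|0|4096|0\n"
    "0|/etc/rc.d/init.d/sshd|0|14372|0|-/-rwxr-xr-x|1|0|0|0|3828|0|0|0|4096|8\n"
    "0|/etc/pam.d/login|0|14401|0|-/-rw-r--r--|1|0|0|0|640|0|0|0|4096|2\n"
    "0|/etc/pam.d/ |0|14400|0|-/----------|0|0|0|0|0|0|0|0|4096|0\n"
)

# Constructed stand-in for what a readdir() loop returned per directory
# (in a real run: {d: set(os.listdir(d)) for d in directories}).
SAMPLE_READDIR: Dict[str, Set[str]] = {
    "/etc/rc.d/init.d": {"network", "sshd"},
    "/etc/pam.d": {"login"},
}

FIELDS = ("md5", "path", "dev", "inode", "mode", "mode_str", "nlink", "uid",
          "gid", "rdev", "size", "atime", "mtime", "ctime", "blksize", "blocks")
INT_FIELDS = {"inode", "nlink", "uid", "gid", "size", "blksize", "blocks"}


def parse_body_line(line: str) -> Optional[Dict[str, object]]:
    """Split one pipe-delimited line into a dict; None for malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        try:
            rec[key] = int(rec[key])  # type: ignore[arg-type]
        except ValueError:
            return None
    return rec


def caret_escape(name: str) -> str:
    """Render control characters the way a terminal shows them (0x14 -> '^T')."""
    out = []
    for ch in name:
        code = ord(ch)
        if code < 0x20:
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)


def is_odd_name(name: str) -> bool:
    """Control characters or leading/trailing whitespace make a name hard to see."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name) or name != name.strip()


def cross_check(fsd_output: str, readdir_listing: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Return entries the tool listed that readdir() did not, per known directory."""
    findings: List[Dict[str, object]] = []
    for line in fsd_output.splitlines():
        rec = parse_body_line(line)
        if rec is None:
            continue
        path = str(rec["path"])
        parent = posixpath.dirname(path)
        if parent not in readdir_listing:
            continue  # directory was not enumerated with readdir(); nothing to compare
        name = posixpath.basename(path)
        if name in readdir_listing[parent]:
            continue
        mode_str = str(rec["mode_str"])
        findings.append({
            "directory": parent,
            "display_name": caret_escape(name),
            "inode": rec["inode"],
            "mode_str": mode_str,
            "size": rec["size"],
            "odd_name": is_odd_name(name),
            # Heuristic only: zero links plus an all-dash mode string means the
            # entry carries no usable metadata and deserves a manual look
            # (e.g. with debugfs, as the post does).
            "empty_metadata": rec["nlink"] == 0 and set(mode_str) <= {"-", "/"},
        })
    return findings


if __name__ == "__main__":
    for finding in cross_check(SAMPLE_FSD_OUTPUT, SAMPLE_READDIR):
        print(finding)
```

Entries whose parent directory was never enumerated with readdir() are skipped rather than reported, so the comparison only flags names that were genuinely missing from a directory that was listed both ways.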