[sleuthkit-users] Help: Bug in icat?
From: Mark W. J. <mar...@cc...> - 2006-10-17 22:05:04
First off, this is my first time posting to this list. So, if this
isn't the right place to request some help, then please let me know, and
I'll happily take my request elsewhere. I don't want to offend.
I've been using TSK and Autopsy for about 2 years now. It's been a
great toolset. Kudos to everyone involved!
Today, I ran into my first big problem: When running the File Type
Sort in Autopsy, I get errors and an incomplete result set. In my
output directory, it finds some of the images / graphics I'm looking
for, and some that were on the disk and deleted, but not all of them.
For example, when I mount the disk image via loopback, I can find
JPG's (just using "find") that the File Type Sort doesn't.
Here are some of the details:
I'm running autopsy 2.08 and Sleuthkit 2.06.
I ran "sorter" manually like this:
/sorter -h -m 'C:/' -d /var/opt/data/tmp/ -o 0 -i raw -f ntfs -C \
~/forensics/sleuthkit-2.06/share/sorter/images.sort -s -U \
/var/opt/data/evidence/yyyymmdd-xxyy/pyy-xxxx/images/sda1
Here is the output from that command:
Analyzing "/var/opt/data/evidence/20061006-0201/p06-2165/images/sda1"
Loading Allocated File Listing
Processing 2054 Allocated Files and Directories
Invalid argument (fs_data_lookup: Null head pointer) ( -
proc_attrseq: put run)
Invalid argument (fs_data_lookup: Null head pointer) ( - proc_attrseq:
put run)
100%
Loading Unallocated File Listing
Processing 2488 Unallocated meta-data structures
*** glibc detected ***
/home/markj/forensics/sleuthkit-2.06//bin/icat: double free or
corruption (!prev): 0x09d216d8 ***
======= Backtrace: =========
/lib/libc.so.6[0x267a68]
/lib/libc.so.6(__libc_free+0x78)[0x26af6f]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x806c343]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x806e95f]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x806ee1b]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x807d734]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x8049f8a]
/lib/libc.so.6(__libc_start_main+0xdc)[0x2194e4]
/home/markj/forensics/sleuthkit-2.06//bin/icat(__gxx_personality_v0+0x91)[0x8049a31]
======= Memory map: ========
sh: line 1: 27188 Aborted (core dumped)
"/home/markj/forensics/sleuthkit-2.06//bin/icat" -i raw -o 0 -f ntfs
-R "/var/opt/data/evidence/20061006-0201/p06-2165/images/sda1" "34539"
> "/var/opt/data/tmp//.sorter-sda1-22198-34539"
*** glibc detected *** /home/markj/forensics/sleuthkit-2.06//bin/icat:
free(): invalid next size (normal): 0x090166d8 ***
======= Backtrace: =========
/lib/libc.so.6[0x267a68]
/lib/libc.so.6(__libc_free+0x78)[0x26af6f]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x806c343]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x806e95f]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x806ee1b]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x807d734]
/home/markj/forensics/sleuthkit-2.06//bin/icat[0x8049f8a]
/lib/libc.so.6(__libc_start_main+0xdc)[0x2194e4]
/home/markj/forensics/sleuthkit-2.06//bin/icat(__gxx_personality_v0+0x91)[0x8049a31]
======= Memory map: ========
sh: line 1: 27362 Aborted (core dumped)
"/home/markj/forensics/sleuthkit-2.06//bin/icat" -i raw -o 0 -f ntfs
-R "/var/opt/data/evidence/20061006-0201/p06-2165/images/sda1" "34786"
> "/var/opt/data/tmp//.sorter-sda1-22198-34786"
100%
All files have been saved to: /var/opt/data/tmp/
This is basically the same output that I get when I run the command
("sorter") from inside Autopsy rather than from the command line.
I have two core files that were generated by this. I'm happy to send
them to someone if that would help. I'm not all that great with a
debugger, but here's what gdb had to say:
[markj@forwkstn1 autopsy-2.08]$ gdb ../sleuthkit-2.06/bin/icat core.1983
GNU gdb Red Hat Linux (6.3.0.0-1.134.fc5rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host
libthread_db library "/lib/libthread_db.so.1".
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x1e6000
Core was generated by `/home/markj/forensics/sleuthkit-2.06//bin/icat
-i raw -o 0 -f ntfs -R /var/opt/'.
Program terminated with signal 6, Aborted.
warning: svr4_current_sos: Can't read pathname for load map:
Input/output error
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libcrypto.so.6...done.
Loaded symbols for /lib/libcrypto.so.6
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x001e6402 in __kernel_vsyscall ()
(gdb) where
#0 0x001e6402 in __kernel_vsyscall ()
#1 0x0022bee9 in raise () from /lib/libc.so.6
#2 0x0022d4f1 in abort () from /lib/libc.so.6
#3 0x0026053b in __libc_message () from /lib/libc.so.6
#4 0x00267a68 in _int_free () from /lib/libc.so.6
#5 0x0026af6f in free () from /lib/libc.so.6
#6 0x0806c343 in ntfs_uncompress_done (comp=0xbfb430a4) at ntfs.c:754
#7 0x0806e95f in ntfs_data_walk (ntfs=0x859e048, inum=34539,
fs_data=0x85a26f0, flags=36, action=0x807d761 <icat_action>, ptr=0x0)
at ntfs.c:1432
#8 0x0806ee1b in ntfs_file_walk (fs=0x859e048, fs_inode=0x85a0570,
type=128,
id=0, flags=Variable "flags" is not available.
) at ntfs.c:3039
#9 0x0807d734 in fs_icat (fs=0x859e048, lclflags=0 '\0', inum=34539,
type=0,
id=0, flags=36) at icat_lib.c:71
#10 0x08049f8a in main (argc=10, argv=Cannot access memory at address 0x7c3
) at icat.c:173
(gdb)
This is all on an up to date Fedora Core 5 box.
I'd be grateful if someone could provide some guidance on where to go
from here.
Thanks,
Mark W. Jeanmougin
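Added example, not part of the original post and not code from The Sleuth Kit: a small POSIX shell script that pulls the crashing inode numbers out of a saved sorter log and re-runs icat on just those inodes with core dumps enabled, so the failing MFT entries can be isolated and reported to the developers. The icat path, the captured log file name and the sample log text are assumptions.

```shell
# Added example (not from the post or from TSK). Assumes the sorter run was
# captured with something like:  ./sorter ... 2>&1 | tee sorter.log

ICAT="${ICAT:-$HOME/forensics/sleuthkit-2.06/bin/icat}"   # assumed location

# sorter prints the failing icat command (wrapped over several lines) after
# the "Aborted" line; its redirect target ".sorter-<img>-<pid>-<inode>"
# carries the inode. Reads a log on stdin, prints each crashing inode once.
crashed_inodes() {
    awk '/Aborted \(core dumped\)/ { want = 1 }
         want && /\.sorter-/     { sub(/.*-/, ""); sub(/"$/, ""); print; want = 0 }' |
    sort -un
}

# Re-run icat on each inode read from stdin against IMAGE with the flags
# from the post (raw image, offset 0, NTFS, recover mode) and report the
# exit status. A status above 128 means icat died on a signal (134 is
# SIGABRT, what glibc raises on its heap-consistency checks).
rerun_inodes() {
    image="$1"
    ulimit -c unlimited 2>/dev/null
    while read -r ino; do
        "$ICAT" -i raw -o 0 -f ntfs -R "$image" "$ino" > /dev/null 2>&1
        st=$?
        printf 'inode %s: exit %s%s\n' "$ino" "$st" \
            "$( [ "$st" -gt 128 ] && printf ' (signal %s)' $((st - 128)) )"
    done
}

# Constructed sample log, modelled on the output quoted in the post.
SAMPLE_LOG='Processing 2488 Unallocated meta-data structures
*** glibc detected *** icat: double free or corruption (!prev): 0x09d216d8 ***
sh: line 1: 27188 Aborted (core dumped)
"/home/markj/forensics/sleuthkit-2.06//bin/icat" -i raw -o 0 -f ntfs
-R "/var/opt/data/evidence/20061006-0201/p06-2165/images/sda1" "34539"
> "/var/opt/data/tmp//.sorter-sda1-22198-34539"
*** glibc detected *** icat: free(): invalid next size (normal): 0x090166d8 ***
sh: line 1: 27362 Aborted (core dumped)
"/home/markj/forensics/sleuthkit-2.06//bin/icat" -i raw -o 0 -f ntfs
-R "/var/opt/data/evidence/20061006-0201/p06-2165/images/sda1" "34786"
> "/var/opt/data/tmp//.sorter-sda1-22198-34786"
100%'

# Space-separated list of the crashing inodes found in the sample log.
sample_crashed() { printf '%s\n' "$SAMPLE_LOG" | crashed_inodes | tr '\n' ' '; }

# Real usage:  crashed_inodes < sorter.log | rerun_inodes /path/to/images/sda1
```

Each re-run leaves a core file for a single known inode, which is far easier to attach to a bug report than the two cores from the full sorter run; the same loop can be prefixed with a memory checker such as valgrind to get the first bad free rather than the point where glibc notices it.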