Re: [sleuthkit-developers] Slack space and icat
From: Epsilon <ep...@ya...> - 2004-03-10 21:24:24
--- Brian Carrier <ca...@sl...> wrote:
>
> On Feb 18, 2004, at 1:58 PM, Epsilon wrote:
>
> > I'm getting a very large (>500 MB) file when using the -s option with
> > icat when I should be getting a file that's around 40 KB. I'm using
> > sleuthkit-1.67. Anyone else seeing this?
>
> Wow. What file system type? Can you send the output of running
> 'istat' on it?

OK, I've been meaning to respond to this for a while.

I'm now using sleuthkit-1.68 under Fedora Core 1 with latest patches applied. I'm using the honeypot.hda5.dd image from here:

http://honeynet.org/misc/files/challenge-images.tar

And here's the exact command I'm running:

$ ./icat -s -f linux-ext2 honeypot.hda5.dd 1604 > inode-1604-all.out

After about 5 seconds I ^C it and run icat w/o the -s:

$ ./icat -f linux-ext2 honeypot.hda5.dd 1604 > inode-1604-data.out

Look at the results:

$ ls -l *.out
-rw-r--r-- 1 ep users 141107200 Mar 10 16:01 inode-1604-all.out
-rw-r--r-- 1 ep users 119671 Mar 10 16:01 inode-1604-data.out

I'm expecting to see inode-1604-all.out to be 122880 bytes in size (4096 * 30 clusters). Is this a wrong assumption?

TIA,
ep