[sleuthkit-developers] NTFS File System Seg Fault
From: Al M. <alp...@gm...> - 2007-09-06 04:11:03
Hello list,

I've been using sk for a while (it's great), and I've just started using the excellent python bindings for the sleuthkit (from www.pyflag.net).

Anyway, when processing a disk image I ran across a seg fault. Basically here is what happened:

- I walked the file system
- I tried to extract all the files one by one by name
- When attempting to extract one I got a seg fault

I narrowed it down to the one file it was crashing on, say /foo/bar/foobar/file. Doing an ifind on this seg faults, as too does doing one on foobar; doing an ifind on bar gives me an inode of zero. Obviously something is not correct.

The seg fault occurs in ifind_lib.c. In the pyflag version it's line 235, but this might be slightly different in the current sk source. The line in question is:

    if ((fs_dent->fsi->mode & TSK_FS_INODE_MODE_FMT) == ...

It occurs because in this particular instance, fs_dent->fsi is null.

I would love to debug it myself, but I fear it would take far longer than my employer would appreciate :P . I've managed to work around it by using inodes instead of file names, so it's not a big deal for me anymore, but thought I would raise it. Maybe just a check for a null fsi and then returning a TS_WALK_ERROR would do?

I can spend a bit more time debugging it if you can provide me some pointers. It may well just be a corrupt file system?

Oh yeah, it's an NTFS file system. I've checked this against v2.06 and v2.09, both seg fault.

Thanks again, tsk is cool :)

Cheers,
Al
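
The null check suggested in the message above, as an added example that is not code from the post or from the Sleuth Kit source. The types, constants, return codes and `lookup_dir` are simplified stand-ins (assumptions), and the sample directory is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not the real TSK types or constants. */
#define MODE_FMT 0170000u
#define MODE_DIR 0040000u
typedef struct { uint32_t mode; } fs_inode;
typedef struct { const char *name; uint64_t inode; fs_inode *fsi; } fs_dent;
enum { LOOKUP_FOUND = 0, LOOKUP_MISSING = 1, LOOKUP_ERROR = -1 };

/* Constructed sample directory: "foobar" carries no inode metadata,
 * the condition (fsi == NULL) that the post reports at the crash site. */
static fs_inode dir_meta = { MODE_DIR };
static fs_inode reg_meta = { 0100000u };
static const fs_dent SAMPLE[] = {
    { "foo",    64, &dir_meta },
    { "foobar",  0, NULL      },
    { "file",   70, &reg_meta },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Find the directory entry called `name` and return its inode via `out`. */
static int lookup_dir(const fs_dent *ents, size_t n, const char *name,
                      uint64_t *out)
{
    for (size_t i = 0; i < n; i++) {
        const fs_dent *d = &ents[i];
        if (d->name == NULL || strcmp(d->name, name) != 0)
            continue;
        /* Guard: without it, d->fsi->mode below dereferences NULL. */
        if (d->fsi == NULL) {
            fprintf(stderr, "lookup_dir: %s has no inode metadata\n", name);
            return LOOKUP_ERROR;
        }
        if ((d->fsi->mode & MODE_FMT) == MODE_DIR) {
            *out = d->inode;
            return LOOKUP_FOUND;
        }
    }
    return LOOKUP_MISSING;
}

int main(void)
{
    uint64_t ino = 0;
    const char *names[] = { "foo", "foobar", "file" };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %d\n", names[i], lookup_dir(SAMPLE, SAMPLE_LEN, names[i], &ino));
    return 0;
}
```

Returning a distinct error for the missing-metadata case lets the caller tell a damaged entry apart from a name that is simply absent.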