[sleuthkit-developers] mmls mis-feature?
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-developers] mmls mis-feature?
|
From: Michael C. <scu...@gm...> - 2007-09-11 11:08:28
|
Hi List,
I tried to use mmls today on a truncated disk image and received an
error that the partition table was invalid. This was despite the fact
that sfdisk and disktype successfully printed the partition table. I
looked into it and saw this kind of code, e.g. dos.c:
DADDR_T max_addr = (mm->img_info->size - mm->offset) / mm->block_size;
and
if (part_start > max_addr) {
tsk_error_reset();
tsk_errno = TSK_ERR_MM_BLK_NUM;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"dos_load_prim_table: Starting sector too large for image");
if (tsk_verbose)
tsk_fprintf(stderr,
"Starting sector %" PRIu32 " too large for image\n",
part_start);
return 1;
}
The problem is that some of the later partitions of course fall past the end of
the truncated image. In this case I get no output at all, and it errors out
altogether.
I wonder if its better to either change the error to a warning or leave this
error check altogether - whats the point of it? I kind of expected mmls to tell
me what the partition table says - its irrelevant that its not exactly expected
from the image. I would have expected to at least be told something about the
earlier partitions that can possibly fall in this image.
Thanks,
Michael.
|
