[sleuthkit-developers] NTFS
From: David C. <dav...@gm...> - 2007-12-05 12:30:30
Hi Brian,

I've found a bug in fs_read_file_int in fs_io.c in sleuthkit. On line 410 it sets the 'type' of the NTFS attribute regardless of what was passed in to the function. This caused the function to fail when trying to read a particular attribute ($Extend/$ObjID:$0 (25-144-2)), as the '144' was being reset to '128' and the lookup on line 421 failed as the attribute 25-128-2 did not exist.

I think the solution is to simply surround the block (410-414) with an "if(type == 0)" check.

Also, the compressed file handling on line 385 occurs before this block which assigns a default type, so it may be called with a type=0. Is this OK? I think file_walk will just give you the default ($DATA) attribute if this is 0, but I can't remember for sure.

Thanks,
Dave
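The failure described in the message above, reduced to a small model. This is an added example, not part of the original post and not Sleuth Kit code: the struct, the function names and the attribute list are hypothetical, and only the values 25, 128, 144, 2 and the "type == 0" guard come from the message.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model, not Sleuth Kit code: an attribute is found by type and id. */
struct attr { uint32_t type; uint16_t id; };

#define DEFAULT_TYPE 128u /* the value the message says the type was reset to ($DATA) */

/* Constructed attribute list for entry 25: it holds 144-2 and 128-3, but no 128-2. */
static const struct attr entry25[] = { { 144, 2 }, { 128, 3 } };
#define ENTRY25_LEN (sizeof entry25 / sizeof entry25[0])

static const struct attr *lookup(uint32_t type, uint16_t id)
{
    for (size_t i = 0; i < ENTRY25_LEN; i++)
        if (entry25[i].type == type && entry25[i].id == id)
            return &entry25[i];
    return NULL; /* no attribute with this type and id */
}

/* Reported behaviour: the default replaces whatever type the caller passed. */
static const struct attr *read_attr_unconditional(uint32_t type, uint16_t id)
{
    type = DEFAULT_TYPE;
    return lookup(type, id);
}

/* Proposed guard: the default applies only when the caller passed type 0. */
static const struct attr *read_attr_guarded(uint32_t type, uint16_t id)
{
    if (type == 0)
        type = DEFAULT_TYPE;
    return lookup(type, id);
}

int main(void)
{
    /* Request 25-144-2: the unconditional reset turns it into 25-128-2. */
    printf("unconditional 144-2: %s\n",
           read_attr_unconditional(144, 2) ? "found" : "not found");
    printf("guarded       144-2: %s\n",
           read_attr_guarded(144, 2) ? "found" : "not found");
    /* Type 0 still falls back to the default type under the guard. */
    printf("guarded         0-3: type %u\n",
           (unsigned)read_attr_guarded(0, 3)->type);
    return 0;
}
```

In this model the unconditional reset also answers a request for 144-3 with the 128-3 attribute, so the same defect can return the wrong attribute rather than fail.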