sleuthkit-developers

[sleuthkit-developers] [ sleuthkit-Feature Requests-2677107 ] Sleuthkit restricts AFF support

[SourceForge.net <no...@so...>]

Feature Requests item #2677107, was opened at 2009-03-09 20:34
Message generated for change (Comment added) made by carrier
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2677107&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
>Category: None
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Michael Cohen (scudette)
Assigned to: Nobody/Anonymous (nobody)
Summary: Sleuthkit restricts AFF support

Initial Comment:
The AFF library has a vnode interface allowing it to transparently support multiple image types, however in Sleuthkit we have code like (aff.c):

   else if (type == AF_IDENTIFY_AFF) {
        img_info->itype = TSK_IMG_TYPE_AFF_AFF;
    }
    else if (type == AF_IDENTIFY_AFD) {
        img_info->itype = TSK_IMG_TYPE_AFF_AFD;
    }
    else if (type == AF_IDENTIFY_AFM) {
        img_info->itype = TSK_IMG_TYPE_AFF_AFM;
    }  else {
        tsk_error_reset();
        tsk_errno = TSK_ERR_IMG_MAGIC;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "aff_open: Not an AFF, AFD, or AFM file");
        free(aff_info);
        if (tsk_verbose)
            tsk_fprintf(stderr, "Not an AFF/AFD/AFM file\n");

        return NULL;
    }

etc

This does not allow afflib to present other types of images than those which sleuthkit specifically knows about.

Sleuthkit should just trap errors from afflib and allow it to handle everything else by itself. I realise this might interfere with sleuthkit's own support for ewf etc. So maybe this should only be allowed where the -i switch is specifically given to use afflib.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-03-23 22:52

Message:
I think the way I want to resolve this is to create a special image file
type that enables the non-tested AFF formats. In general, I do not want to
enable features that I am not sure how well they work and am not sure how
much they have been tested because any bugs that existing in the image
library will likely be reported as TSK bugs, which I then need to debug.
Therefore, my plan is to allow the stable formats to be included in the
autodetection methods and force the users to "opt-in" to the newer
formats.


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2677107&group_id=55685

[sleuthkit-developers] [ sleuthkit-Feature Requests-2677107 ] Sleuthkit restricts AFF support

[SourceForge.net <no...@so...>]

Feature Requests item #2677107, was opened at 2009-03-09 20:34
Message generated for change (Comment added) made by carrier
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2677107&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
Priority: 5
Private: No
Submitted By: Michael Cohen (scudette)
Assigned to: Nobody/Anonymous (nobody)
Summary: Sleuthkit restricts AFF support

Initial Comment:
The AFF library has a vnode interface allowing it to transparently support multiple image types, however in Sleuthkit we have code like (aff.c):

   else if (type == AF_IDENTIFY_AFF) {
        img_info->itype = TSK_IMG_TYPE_AFF_AFF;
    }
    else if (type == AF_IDENTIFY_AFD) {
        img_info->itype = TSK_IMG_TYPE_AFF_AFD;
    }
    else if (type == AF_IDENTIFY_AFM) {
        img_info->itype = TSK_IMG_TYPE_AFF_AFM;
    }  else {
        tsk_error_reset();
        tsk_errno = TSK_ERR_IMG_MAGIC;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "aff_open: Not an AFF, AFD, or AFM file");
        free(aff_info);
        if (tsk_verbose)
            tsk_fprintf(stderr, "Not an AFF/AFD/AFM file\n");

        return NULL;
    }

etc

This does not allow afflib to present other types of images than those which sleuthkit specifically knows about.

Sleuthkit should just trap errors from afflib and allow it to handle everything else by itself. I realise this might interfere with sleuthkit's own support for ewf etc. So maybe this should only be allowed where the -i switch is specifically given to use afflib.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-05-29 12:06

Message:
Sending        trunk/CHANGES.txt
Sending        trunk/tsk3/img/aff.c
Sending        trunk/tsk3/img/img_open.c
Sending        trunk/tsk3/img/img_types.c
Sending        trunk/tsk3/img/tsk_img.h
Sending        trunk/xcode/sleuthkit.xcodeproj/project.pbxproj
Transmitting file data ......
Committed revision 99.

Specify "afflib" as the image type to get support for all AFFLIB formats.


----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-03-23 22:52

Message:
I think the way I want to resolve this is to create a special image file
type that enables the non-tested AFF formats. In general, I do not want to
enable features that I am not sure how well they work and am not sure how
much they have been tested because any bugs that existing in the image
library will likely be reported as TSK bugs, which I then need to debug.
Therefore, my plan is to allow the stable formats to be included in the
autodetection methods and force the users to "opt-in" to the newer
formats.


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2677107&group_id=55685