Bugs item #2821031, was opened at 2009-07-13 19:56
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2821031&group_id=55685
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System Tools
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Brian Carrier (carrier)
Summary: missing body fields
Initial Comment:
For unallocated files with no metadata structure, TSK is missing a 0 for the new body format.
From: jsm...@go...
Subject: [sleuthkit-users] fls: missing field
Date: July 12, 2009 2:38:53 PM EDT
To: sle...@li...
Reply-To: jsm...@gm...
Hi
When running fls against one of my Ext3 partitions I notice that 34 out
of 17512 entries are missing one of the 'body file' format fields.
$ fls -V
The Sleuth Kit ver 3.0.1
$ sudo fls -r -m / /dev/sda4 > fls.out
According to the wiki http://wiki.sleuthkit.org/index.php?title=Body_file
The 3.X output has the following fields:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Example output:
...
0|/Dir1/SubDir1/FileA (deleted)|9551913|r/rrwxrwx---|1000|1000|0|1199618002|1199765794|1199765794|0
0|/Dir1/SubDir2/FileB|2769344|r/rrwxr-xr-x|1000|1000|73350|1239210630|1234051666|1235248434|0
...
0|/Dir1/FileC (deleted)|0|r/----------|0|0|0|0|0|0
0|/Dir1/FileD (deleted)|0|d/----------|0|0|0|0|0|0
...
The last two entries have 10 fields instead of 11.
It is difficult to identify which field is missing in each case as most
values are zeroes.
Do you know which field is missing and why?
Other info:
$ sudo istat /dev/sda4 0
Metadata address is too small for image (1)
$ sudo ils /dev/sda4 0
class|host|device|start_time
ils|myhost||1247422110
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
Invalid walk range (extXfs_inode_walk: end inode: 0)
Thank you
JS
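As an added example, not code from the bug report or from The Sleuth Kit itself, here is a small Python checker for the 3.x body format quoted above. It counts fields per line against the 11-column layout from the wiki and reports the offenders with their line number, which is the check a practitioner would run on an fls dump before feeding it to mactime. The parser also accepts a 10-field line by appending a trailing 0; that assumes the absent column is the last one (crtime), which is an assumption of this example, not something the report states. The sample lines are constructed to mirror the ones in the report.

```python
"""Validate Sleuth Kit 3.x body-file lines (added example, not TSK code).

Field layout, as quoted from the TSK wiki in the report:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
"""
from typing import Dict, List, Tuple

BODY_FIELDS = ["MD5", "name", "inode", "mode_as_string", "UID", "GID",
               "size", "atime", "mtime", "ctime", "crtime"]
EXPECTED_FIELDS = len(BODY_FIELDS)  # 11 in the 3.x format
NUMERIC_FIELDS = ("UID", "GID", "size", "atime", "mtime", "ctime", "crtime")

# Constructed sample modelled on the lines shown in the report:
# two complete entries followed by two 10-field entries for unallocated
# names that have no metadata structure (inode 0).
SAMPLE_BODY = """\
0|/Dir1/SubDir1/FileA (deleted)|9551913|r/rrwxrwx---|1000|1000|0|1199618002|1199765794|1199765794|0
0|/Dir1/SubDir2/FileB|2769344|r/rrwxr-xr-x|1000|1000|73350|1239210630|1234051666|1235248434|0
0|/Dir1/FileC (deleted)|0|r/----------|0|0|0|0|0|0
0|/Dir1/FileD (deleted)|0|d/----------|0|0|0|0|0|0
"""


def split_body_line(line: str) -> List[str]:
    """Split one body line on the pipe separator."""
    return line.rstrip("\n").split("|")


def find_short_lines(text: str) -> List[Tuple[int, int, str]]:
    """Return (line_number, field_count, name) for every non-empty line
    whose field count is not the expected 11."""
    bad = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = split_body_line(line)
        if len(fields) != EXPECTED_FIELDS:
            name = fields[1] if len(fields) > 1 else ""
            bad.append((number, len(fields), name))
    return bad


def parse_body_line(line: str) -> Dict[str, object]:
    """Parse one line into a record keyed by BODY_FIELDS.

    A 10-field line is padded with a trailing "0". Assumption of this
    example (not stated by the report): the missing column is crtime,
    the last field of the 3.x layout. Anything else is rejected.
    """
    fields = split_body_line(line)
    if len(fields) == EXPECTED_FIELDS - 1:
        fields.append("0")
    if len(fields) != EXPECTED_FIELDS:
        raise ValueError(
            f"expected {EXPECTED_FIELDS} fields, got {len(fields)}: {line!r}")
    record: Dict[str, object] = dict(zip(BODY_FIELDS, fields))
    # inode stays a string: other file systems emit forms such as
    # "123-128-4", so only the plain counters are converted.
    for key in NUMERIC_FIELDS:
        record[key] = int(record[key])  # type: ignore[arg-type]
    return record


if __name__ == "__main__":
    for number, count, name in find_short_lines(SAMPLE_BODY):
        print(f"line {number}: {count} fields ({name})")
```

Run it against a real dump with `find_short_lines(open("fls.out").read())`; a 3.x file should yield an empty list, and any line that does show up is one that mactime would mis-align.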
----------------------------------------------------------------------
>Comment By: Brian Carrier (carrier)
Date: 2009-07-13 19:58
Message:
Sending CHANGES.txt
Sending tsk3/fs/fs_name.c
Transmitting file data ..
Committed revision 102.
----------------------------------------------------------------------