Thread: [sleuthkit-developers] [ sleuthkit-Feature Requests-2206306 ] function to map name to inode
From: SourceForge.net <no...@so...> - 2010-03-30 13:34:52
Feature Requests item #2206306, was opened at 2008-10-29 07:13
Message generated for change (Comment added) made by negin99
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2206306&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: API
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: function to map name to inode

Initial Comment:
A more formal function should exist to map the name to an inode / metadata address.

----------------------------------------------------------------------

Comment By: Negin Ahmadian (negin99)
Date: 2010-03-30 18:04

Message:
Dear Mr. Carrier,

Would you please explain more about this issue? What is its usability? Could you please give me an example.

Actually I'm doing my graduate thesis about the digital forensics field and need to implement some new features for an open source tool. I've chosen Autopsy and TSK. I read each requested feature detail carefully but couldn't decide what to implement yet. I'm familiar with the ext3 file system and TSK data structures. I want to know if you could give me a suggestion.

Thanks a lot in advance.

Best,
Negin
From: SourceForge.net <no...@so...> - 2010-03-30 21:49:13
Comment By: Brian Carrier (carrier)
Date: 2010-03-30 16:49

Message:
There is the tsk_fs_ffind() method in tsk3/fs/ffind_lib.c that is not very library friendly and will print the names of the files that use a given metadata address. It would be nicer to have a more general approach that either returns a list of the names or that has a callback so that other programs can find out the names of a metadata address without needing to print the data.

tsk_fs_ifind_data() has similar needs for improvement because it too prints the metadata addresses that point to blocks instead of somehow returning the value to the caller and letting it decide how to handle the data (print, process, etc.).

tsk_fs_path2inum() was made more library friendly and returns the metadata address, but this is an easier problem because there is only one value that a name can point to. The challenge with mapping blocks to metadata and metadata to a name is that there could be multiple values.
From: SourceForge.net <no...@so...> - 2010-05-27 06:32:26
Comment By: Negin Ahmadian (negin99)
Date: 2010-05-27 11:02

Message:
Thanks for the info. I decided to implement the request with returning a list of file names. But I want to know which is more suitable according to the TSK architecture: defining a static length string array or returning one single char* string?

Thanks in advance for your soon answer.
From: SourceForge.net <no...@so...> - 2010-05-27 06:32:41
Comment By: Negin Ahmadian (negin99)
Date: 2010-05-27 11:02

Message:
Thanks for the info. I decided to implement the request with returning a list of file names. But I want to know which is more suitable according to the TSK architecture: defining a static length string array or returning one single char* string?

Thanks in advance for your soon answer.
From: SourceForge.net <no...@so...> - 2010-05-27 13:26:56
Comment By: Brian Carrier (carrier)
Date: 2010-05-27 08:26

Message:
I would say that the requirements for the function should be:
- Can handle an unlimited number of names (i.e. it does not return only the first 10 names). In most cases, there will be only one or two names, but if there is a limit then it could be a data hiding technique.
- Does not use global variables so that this can be used in a multi-threaded environment.

You could create a new struct that stores the number of names found and a list of the names along with a function to free the data allocated to the struct. The caller then needs to free the struct when they are done with the contents.
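
Added example, not part of the thread and not TSK code: a sketch of the design described in the 2010-05-27 comment (a result struct holding a count and a name list, a function to free it, no global state), driven by the callback approach mentioned in the 2010-03-30 comment. Every `DEMO_`/`demo_` name is hypothetical, and the directory table is constructed sample data standing in for a real directory walk.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a directory entry; hypothetical, not a TSK type. */
typedef struct { const char *path; uint64_t inum; } DEMO_DENT;

/* Hypothetical result struct: number of names found plus the list. */
typedef struct { size_t count, cap; char **names; } DEMO_NAME_LIST;

/* Per-call search state, passed to the callback instead of globals. */
typedef struct { uint64_t target; DEMO_NAME_LIST *list; int err; } DEMO_FIND_CTX;

typedef int (*DEMO_WALK_CB)(const DEMO_DENT *dent, void *ptr);

/* Release the names, the array and the struct. NULL is accepted. */
void demo_name_list_free(DEMO_NAME_LIST *l)
{
    if (l == NULL) return;
    for (size_t i = 0; i < l->count; i++) free(l->names[i]);
    free(l->names);
    free(l);
}

/* Append a copy of name; the array doubles when full, so no fixed limit. */
static int demo_name_list_add(DEMO_NAME_LIST *l, const char *name)
{
    if (l->count == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 4;
        if (ncap > SIZE_MAX / sizeof(char *)) return 1;
        char **tmp = realloc(l->names, ncap * sizeof(char *));
        if (tmp == NULL) return 1;
        l->names = tmp; l->cap = ncap;
    }
    size_t len = strlen(name) + 1;
    char *copy = malloc(len);
    if (copy == NULL) return 1;
    memcpy(copy, name, len);
    l->names[l->count++] = copy;
    return 0;
}

/* Callback: record every entry that points at the target address. */
static int demo_collect_cb(const DEMO_DENT *dent, void *ptr)
{
    DEMO_FIND_CTX *ctx = ptr;
    if (dent->inum != ctx->target) return 0;
    if (demo_name_list_add(ctx->list, dent->path)) { ctx->err = 1; return 1; }
    return 0;
}

/* Stand-in for a directory walk: calls cb per entry, stops on nonzero. */
static void demo_walk(const DEMO_DENT *e, size_t n, DEMO_WALK_CB cb, void *ptr)
{
    for (size_t i = 0; i < n; i++)
        if (cb(&e[i], ptr)) return;
}

/* Returns every name for inum (possibly zero names), or NULL on error.
 * The caller releases the result with demo_name_list_free(). */
DEMO_NAME_LIST *demo_find_names(const DEMO_DENT *e, size_t n, uint64_t inum)
{
    DEMO_NAME_LIST *l = calloc(1, sizeof(*l));
    if (l == NULL) return NULL;
    DEMO_FIND_CTX ctx = { inum, l, 0 };
    demo_walk(e, n, demo_collect_cb, &ctx);
    if (ctx.err) { demo_name_list_free(l); return NULL; }
    return l;
}

/* Constructed sample: address 42 has 12 names, two past a "first 10" cap. */
static const DEMO_DENT DEMO_IMAGE[] = {
    {"/docs/a", 42}, {"/docs/b", 42}, {"/docs/c", 42}, {"/etc/hosts", 7},
    {"/tmp/d", 42}, {"/tmp/e", 42}, {"/tmp/f", 42}, {"/tmp/g", 42},
    {"/var/h", 42}, {"/var/i", 42}, {"/var/j", 42}, {"/bin/ls", 9},
    {"/var/k", 42}, {"/var/.cache/l", 42},
};
#define DEMO_IMAGE_LEN (sizeof(DEMO_IMAGE) / sizeof(DEMO_IMAGE[0]))

int main(void)
{
    DEMO_NAME_LIST *r = demo_find_names(DEMO_IMAGE, DEMO_IMAGE_LEN, 42);
    if (r == NULL) return 1;
    for (size_t i = 0; i < r->count; i++) printf("%s\n", r->names[i]);
    demo_name_list_free(r);
    return 0;
}
```

With a fixed ten-slot array the last two names of address 42 would never reach the caller, which is the data hiding concern raised in the comment.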
From: SourceForge.net <no...@so...> - 2010-06-09 11:45:26
Comment By: Negin Ahmadian (negin99)
Date: 2010-06-09 16:15

Message:
I could prepare the first version according to your comments. But I couldn't find an option to upload my files here! Should I add a new artifact?
From: SourceForge.net <no...@so...> - 2010-06-12 19:41:09
Comment By: Brian Carrier (carrier)
Date: 2010-06-12 14:41

Message:
You can add it here as an attachment. Please make sure that it is up to date with either the trunk code or the sleuthkit-3.1 branch code in the SVN repository.
From: SourceForge.net <no...@so...> - 2010-06-13 04:11:16
Comment By: Negin Ahmadian (negin99)
Date: 2010-06-13 08:41

Message:
Unfortunately, as I mentioned, the attachment option is disabled and there was no way to attach my files here. I think only the creator of an artifact is allowed to attach files. Sorry that I was forced to add a new artifact and add my files there.

I'm eagerly waiting to receive your opinions.