> I have just installed the Sleuthkit 1.65 and Autopsy 1.74 on a RH9
> system. During installation everything seemed fine, but now,
> unfortunately, the "File Analysis" mode in Autopsy seems to be broken.
> All files are displayed like this:
>
> Error parsing string: r/r * 5: Jimmy Jungle.doc (_IMMYJ~1.DOC)
> 2002.04.15 14:42:30 () 2002.09.11 00:00:00 () 2002.09.11 08:49:48 ()
> 20480 0 0
>
Stefan,
This is a known problem that I have not been able to reproduce.
Hopefully you can help with this.
This error occurs because you used an invalid timezone when you set the
host up. There should be a timezone value in between the '()' in the
above line. For example, my output is '2002.04.15 14:42:30 (EST)' for
the SOTM. Whenever I test this by making up an invalid timezone, it
defaults to GMT and there is '(GMT)' in the line. All of my systems
return some timezone value in the parenthesis.
I would like to add a check to add 'GMT' when no timezone is given by
the system, but I first need to verify that the default value is
actually GMT. To test this, we need a non-FAT image because FAT does
not use timezones (which is why my times are the same as yours for the
SOTM). So, if you could run the following as 'root', we can use your
Linux file systems as a test (assuming that you have EXT3FS and not
ReiserFS).
# istat -f linux-ext3 -z blah /dev/hda1 2
# istat -f linux-ext3 -z GMT /dev/hda1 2
The first will get the MAC times from the root directory with a made up
timezone and it should have no timezone in the '()'. The second will
run it with a valid timezone and should have '(GMT)'. Can you let me
know the time difference between the two outputs, or ideally send the
outputs to me (you can do it off list).
thanks,
brian
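The check brian describes above (treat an empty '()' after a timestamp as a missing timezone and fall back to 'GMT') is easy to prototype outside Autopsy. The script below is an added example written for this page; it is not code from the thread, from Autopsy or from The Sleuth Kit. It parses a listing line of the shape quoted in the report, flags which of the three timestamps have no timezone, rewrites the line with a default, and computes the hour difference between two timestamps so the '-z blah' versus '-z GMT' outputs can be compared. The field layout it assumes (prefix, three 'YYYY.MM.DD HH:MM:SS (TZ)' stamps, then size, uid, gid) is inferred from the quoted line, not taken from Autopsy's source, and the sample line and the EST/GMT pair are constructed inputs.

```python
import re
from datetime import datetime

# Constructed sample: the line quoted in the report above, with empty '()'
# where Autopsy expects a timezone name after each timestamp.
SAMPLE_LINE = ("r/r * 5: Jimmy Jungle.doc (_IMMYJ~1.DOC) "
               "2002.04.15 14:42:30 () 2002.09.11 00:00:00 () "
               "2002.09.11 08:49:48 () 20480 0 0")

# One "YYYY.MM.DD HH:MM:SS (TZ)" group; TZ may be empty, which is the symptom.
TS_RE = re.compile(r"(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \(([^)]*)\)")
TS_FMT = "%Y.%m.%d %H:%M:%S"


def parse_entry(line, default_tz="GMT"):
    """Split one listing line into prefix, three timestamps and trailer.

    The field order (prefix, three timestamps, then 'size uid gid') is an
    assumption based on the quoted line, not taken from Autopsy's source.
    Empty timezone fields are listed in 'missing_tz' and replaced by
    default_tz, which is the fallback proposed in the reply above.
    """
    stamps = list(TS_RE.finditer(line))
    if len(stamps) != 3:
        raise ValueError(f"expected 3 timestamps, found {len(stamps)}: {line!r}")
    trailer = line[stamps[-1].end():].split()
    if len(trailer) != 3:
        raise ValueError(f"expected 'size uid gid' after timestamps: {line!r}")
    missing = [i for i, m in enumerate(stamps) if m.group(2) == ""]
    times = [(m.group(1), m.group(2) or default_tz) for m in stamps]
    return {
        "prefix": line[:stamps[0].start()].rstrip(),
        "times": times,
        "missing_tz": missing,
        "size": int(trailer[0]),
        "uid": int(trailer[1]),
        "gid": int(trailer[2]),
    }


def fill_missing_tz(line, default_tz="GMT"):
    """Return the line with every empty '()' rewritten as '(default_tz)'.

    Stamps that already carry a timezone name are left untouched."""
    return TS_RE.sub(lambda m: f"{m.group(1)} ({m.group(2) or default_tz})", line)


def time_difference_hours(a, b):
    """Signed difference (a - b) in hours between two 'YYYY.MM.DD HH:MM:SS'
    stamps, e.g. the same inode printed by istat with two different -z values."""
    ta = datetime.strptime(a, TS_FMT)
    tb = datetime.strptime(b, TS_FMT)
    return (ta - tb).total_seconds() / 3600.0


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_LINE)
    print("timezone missing on timestamp fields:", entry["missing_tz"])
    print(fill_missing_tz(SAMPLE_LINE))
    # Constructed pair: one inode's mtime as printed under EST and under GMT.
    print(time_difference_hours("2002.04.15 14:42:30", "2002.04.15 19:42:30"))
```

Run it on the two istat outputs brian asks for by pasting each timestamp into time_difference_hours; a result of 0.0 means the made-up timezone really did fall back to GMT, while a non-zero result means the library picked some other local zone.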