Thread: [sleuthkit-users] invalid arguement : fsstat, img_stat

Brought to you by: carrier

sleuthkit-users

[sleuthkit-users] invalid arguement : fsstat, img_stat

From: J B <je...@ad...> - 2006-01-11 03:30:53

I installed tsk on my ibook running ppc fedora.  Some things work, =
others don't

I have a file called old.dd which is an image of an old 512mb hd.

mmls /evidence/old.dd=20
*reports first sector (0) Primary Table, 1 > 62 unallocated, 63 > =
1031121 DOS FAT16

however,

fsstat old.dd
invalid arguemnt: old.dd

fsstat "old.dd" =3D invalid argument: old.dd
fsstat 'old.dd', ...
fsstat "\evidence\old.dd" =3D invalid argument: \evidence\old.dd

verbose doesn't even report anything.

Any suggestions?

-JB

Re: [sleuthkit-users] invalid arguement : fsstat, img_stat

From: farmer d. <far...@ya...> - 2006-01-11 05:39:36

JB,

What happens when you pass one or more arguments to
"fsstat"?  Perhaps;

fsstat -t old.dd

-OR-

fsstat -f FSTYPE_HERE old.dd

-OR-

fsstat -vt old.dd


Does your mileage improve by passing arguments before
the file name?


regards,

farmerdude

http://www.farmerdude.com/farmercd.html



--- J B <je...@ad...> wrote:

> I installed tsk on my ibook running ppc fedora. 
> Some things work, others don't
> 
> I have a file called old.dd which is an image of an
> old 512mb hd.
> 
> mmls /evidence/old.dd 
> *reports first sector (0) Primary Table, 1 > 62
> unallocated, 63 > 1031121 DOS FAT16
> 
> however,
> 
> fsstat old.dd
> invalid arguemnt: old.dd
> 
> fsstat "old.dd" = invalid argument: old.dd
> fsstat 'old.dd', ...
> fsstat "\evidence\old.dd" = invalid argument:
> \evidence\old.dd
> 
> verbose doesn't even report anything.
> 
> Any suggestions?
> 
> -JB


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Re: [sleuthkit-users] invalid arguement : fsstat, img_stat

From: Barry J. G. <bg...@im...> - 2006-01-11 20:07:37

On Tue, 2006-01-10 at 22:30 -0500, J B wrote:

> mmls /evidence/old.dd 
> *reports first sector (0) Primary Table, 1 > 62 unallocated, 63 >
> 1031121 DOS FAT16
<snip>
> fsstat old.dd
> invalid arguemnt: old.dd

In addition to the fstype, as farmerdude pointed out, you will probably
want to point to the offset to the file system.  Your mmls output
reports that the fs is at sector 63, not the front of the image.

fsstat -f fat -o 63 old.dd  (assuming it's formatted FAT).

-- 
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division 
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/

Re: [sleuthkit-users] invalid arguement : fsstat, img_stat

From: J B <je...@ad...> - 2006-01-12 01:00:53

>> mmls /evidence/old.dd
>> *reports first sector (0) Primary Table, 1 > 62 unallocated, 63 >
>> 1031121 DOS FAT16
> <snip>
>> fsstat old.dd
>> invalid arguemnt: old.dd
>
> In addition to the fstype, as farmerdude pointed out, you will probably
> want to point to the offset to the file system.  Your mmls output
> reports that the fs is at sector 63, not the front of the image.
>
> fsstat -f fat -o 63 old.dd  (assuming it's formatted FAT).
>
>

Thank you.. at your suggestion, I tried that.  I tried offsets 61, 62, 63, 
64 and didn't get anywhere.

I changed the filename to just "old".

#mmls old  //still reports a primary table, unallocated, dos fat16 (starting 
at 63)

interestingly enough,

#fls -r -o 63 -f fat /evidence/old   //works fine, I can even grep JPG as 
long as I remember unix is case sensitive ;)

There's probably something obvious I'm overlooking with fsstat

thanks, JB

Re: [sleuthkit-users] invalid arguement : fsstat, img_stat

From: Brian C. <ca...@sl...> - 2006-01-12 01:14:58

On Jan 11, 2006, at 8:00 PM, J B wrote:
>
> Thank you.. at your suggestion, I tried that.  I tried offsets 61,  
> 62, 63, 64 and didn't get anywhere.
>
> I changed the filename to just "old".
>
> #mmls old  //still reports a primary table, unallocated, dos fat16  
> (starting at 63)
>
> interestingly enough,
>
> #fls -r -o 63 -f fat /evidence/old   //works fine, I can even grep  
> JPG as long as I remember unix is case sensitive ;)
>
> There's probably something obvious I'm overlooking with fsstat

That is very strange. Do all of the other tools work?  Have you tried  
to recompile?  I can't say that I have tried Fedora on a PPC, but I  
don't see why some tools would work and others wouldn't.  .   They  
all share the same image opening routines.  Nothing at all is printed  
to stderr with '-v'?

brian

Re: [sleuthkit-users] invalid arguement : fsstat, img_stat

From: J B <je...@ad...> - 2006-01-12 02:56:30

> 
> That is very strange. Do all of the other tools work?  Have you tried  
> to recompile?  I can't say that I have tried Fedora on a PPC, but I  
> don't see why some tools would work and others wouldn't.  .   They  
> all share the same image opening routines.  Nothing at all is printed  
> to stderr with '-v'?
> 
> brian

nope, nothing but the invalid... and then correct usage readout

I appreciate your help.

-jessop