Thread: [sleuthkit-users] fls simply reports usage information?
Brought to you by:
carrier
Menu
▾
▴
sleuthkit-users
|
From: Seth A. <sa...@im...> - 2005-01-05 23:05:00
|
Hello, I've been trying to use autopsy's interface to the sleuthkit tools to try to recover information from my brother's sandisk CF card. (_Very_ impressive-looking tools! Job well done on the interface.) However, I'm stopped very early on by a failing 'fls' command. Autopsy's file/directory listing interface is clearly not prepared to handle the usage() output from fls. I used 'strace' to find the arguments to the fls command, which (as I recall from memory..) looked like this: fls -f fat -la -s 0 /path/to/dd/image 2 I tried running fls by hand innumerable times with various permuations of the arguments like this: fls -f fat -la -s 0 /path/to/dd/image 2 fls -f fat -l -a -s 0 /path/to/dd/image 2 fls -f fat -la -s0 /path/to/dd/image 2 fls -f fat -l -a -s0 /path/to/dd/image 2 fls -f fat -la -s 0 /path/to/dd/image 1 fls -f fat -l -a -s 0 /path/to/dd/image 1 fls -f fat -la -s0 /path/to/dd/image 1 fls -f fat -l -a -s0 /path/to/dd/image 1 fls -f fat -la -s 0 /path/to/dd/image fls -f fat -l -a -s 0 /path/to/dd/image fls -f fat -la -s0 /path/to/dd/image fls -f fat -l -a -s0 /path/to/dd/image fls -f fat -s 0 /path/to/dd/image 2 fls -f fat -s0 /path/to/dd/image 2 fls -f fat -s 0 /path/to/dd/image fls -f fat -s0 /path/to/dd/image fls -f fat /path/to/dd/image 2 fls -f fat /path/to/dd/image fls -f fat -la -s 0 /path/to/dd/image 2 2 Every single attempt _always_ reported the usage statement. :( I glanced at the fls.c source code, but didn't spot anything obviously wrong in the main() function. I'm using the version of sleuthkit as packaged in Debian Unstable on my G3 iBook. Debian reports the version is 1.73-4. There are no related bugs filed at bugs.debian.org. Does anyone have suggestions what to do next? :) Thanks! |
|
From: Brian C. <ca...@sl...> - 2005-01-06 05:19:09
|
On Jan 5, 2005, at 6:04 PM, Seth Arnold wrote: > Hello, > > I've been trying to use autopsy's interface to the sleuthkit tools to > try to recover information from my brother's sandisk CF card. (_Very_ > impressive-looking tools! Job well done on the interface.) > > However, I'm stopped very early on by a failing 'fls' command. > Autopsy's > file/directory listing interface is clearly not prepared to handle the > usage() output from fls. I used 'strace' to find the arguments to the > fls command, which (as I recall from memory..) looked like this: > > fls -f fat -la -s 0 /path/to/dd/image 2 [For future reference, the commands are listed in the execution log in the evidence locker. :) ] Are you sure you have a partition image and not a disk image? What is the error message before the usage information is displayed. There should be one line that explains why it gave an error. > I'm using the version of sleuthkit as packaged in Debian Unstable on my > G3 iBook. Debian reports the version is 1.73-4. There are no related > bugs filed at bugs.debian.org. Hmm. I do not know of anyone that has used them under Debian on an iBook. There could be an endian ordering issue with the package. You may want to try directly from the source. brian |
|
From: Seth A. <sa...@im...> - 2005-01-06 05:54:36
|
On Thu, Jan 06, 2005 at 12:18:53AM -0500, Brian Carrier wrote:
> > fls -f fat -la -s 0 /path/to/dd/image 2
>=20
> [For future reference, the commands are listed in the execution log in=20
> the evidence locker. :) ]
Oh, how convenient! You've thought of everything. :) My fairly blunt
strace at least showed the same thing the execution log shows.
> Are you sure you have a partition image and not a disk image? What is=20
> the error message before the usage information is displayed. There=20
> should be one line that explains why it gave an error.
Sadly, there isn't even the one-liner error message. :( I've appended
output near the end.
I'm positive I have a partition image; I still have that shell open,
and it's history command shows that I copied /dev/sda1 -- the first
partition on the first scsi disk. (Linux supports Sandisk by emulating
a SCSI drive.)
(While I don't know filesystem internals well enough to tell from the
contents of what I've got, maybe you do. So I've appended that near the
end as well. :)
> Hmm. I do not know of anyone that has used them under Debian on an=20
> iBook. There could be an endian ordering issue with the package. You=20
> may want to try directly from the source.
"Try directly from the source" -- do you mean try running autopsy and
TSK on my brother's OS X machine? Or compiling TSK from source? I
tried compiling TSK from Debian's source on machine with identical
results. (This shouldn't surprise me. I did it with intentions of being
able to try suggestions that include source modifications. :) I haven't
tried running TSK on my brother's OS X machine simply because I've never
compiled anything on it and didn't want to bother late at night.. :)
Thanks Brian.
ps: now I can't recall if I mentioned that I tried a variety of fat*
filesystem types -- fat12, fat16, fat32, FAT12, FAT16, FAT32, and just
plain fat. (I tried the 12 bit fat out of desparation. No way a gigabyte
SD card uses FAT12 though... :)
The log file includes this:
Wed Jan 5 00:49:30 2005: '/usr/bin/fls' -f fat -la -s 0 '/home/sarnold/er=
ic_sandisk/ericsandisk/macosx/images/eric_sandisk' 2
Running fls by hand:
$ /usr/bin/fls -f fat -la -s 0 /home/sarnold/sandisk.dd
usage: /usr/bin/fls [-adDFlpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s secon=
ds] image [inode]
If [inode] is not given, the root directory is used
-a: Display "." and ".." entries
-d: Display deleted entries only
-D: Display directory entries only
-F: Display file entries only (NOTE: This was -f in TCTUTILs)
-l: Display long version (like ls -l)
-m: Display output in mactime input format with
dir/ as the actual mount point of the image
-p: Display full path for each file
-r: Recurse on directory entries
-u: Display undeleted entries only
-v: verbose output to stderr
-V: Print version
-z: Time zone of original machine (i.e. EST5EDT or GMT) (only usefu=
l with -l)
-s seconds: Time skew of original machine (in seconds) (only useful=
with -l & -m)
-f fstype: Image file system type
Supported file system types:
bsdi (BSDi FFS)
fat (auto-detect FAT)
fat12 (FAT12)
fat16 (FAT16)
fat32 (FAT32)
freebsd (FreeBSD FFS)
linux-ext (auto-detect Linux EXTxFS)
linux-ext2 (Linux EXT2FS)
linux-ext3 (Linux EXT3FS)
netbsd (NetBSD FFS)
ntfs (NTFS)
openbsd (OpenBSD FFS)
raw (Raw Data)
solaris (Solaris FFS)
swap (Swap Space)
$
Running fls under ltrace:
$ cat /tmp/fls.out
__libc_start_main(7, 0x7ffffd14, 0x7ffffd34, 0x7ffffd7c, 0x3000bee4 <unfini=
shed ...>
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") =
=3D 102
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") =
=3D 108
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") =
=3D 97
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") =
=3D 115
__strtol_internal("0", NULL, 10) =
=3D 0
getopt(7, 0x7ffffd14, "adDf:Fm:lprs:uvVz:") =
=3D -1
printf("usage: %s [-adDFlpruvV] [-f fsty"..., "/usr/bin/fls") =
=3D 93
puts("\tIf [inode] is not given, the ro"...) =
=3D 53
puts("\t-a: Display "." and ".." entrie"...) =
=3D 34
=2E...
And, a bit of the start of the partition image:
$ od /tmp/fivetwelve | head
0000000 165476 110120 073562 051550 067564 020000 001040 000400
0000020 001000 001000 000370 172400 037400 020000 037400 000000
0000040 140603 017000 100000 024710 060736 066105 047523 057504
0000060 044507 044524 040514 043101 052061 033040 020040 031777
0000100 107337 137000 076215 116344 000616 043402 176271 000002
0000120 171644 143407 054000 177457 106310 175216 150274 000006
0000140 175613 166203 166026 142466 074000 104566 173214 057370
0000160 106576 165271 005400 053763 122137 107331 137170 000211
0000200 036214 042002 007037 143105 002022 143105 004417 131000
0000220 110715 011640 014000 173046 015000 104506 175203 037352
$ hexdump /tmp/fivetwelve | head
0000000 eb3e 9050 7772 5368 6f74 2000 0220 0100
0000010 0200 0200 00f8 f500 3f00 2000 3f00 0000
0000020 c183 1e00 8000 29c8 61de 6c45 4f53 5f44
0000030 4947 4954 414c 4641 5431 3620 2020 33ff
0000040 8edf be00 7c8d 9ce4 018e 4702 fcb9 0002
0000050 f3a4 c707 5800 ff2f 8cc8 fa8e d0bc 0006
0000060 fb8b ec83 ec16 c536 7800 8976 f68c 5ef8
0000070 8d7e eab9 0b00 57f3 a45f 8ed9 be78 0089
0000080 3c8c 4402 0e1f c645 0412 c645 090f b200
0000090 91cd 13a0 1800 f626 1a00 8946 fa83 3eea
|
|
From: Brian C. <ca...@sl...> - 2005-01-06 14:42:10
Attachments:
fls.c
|
On Jan 6, 2005, at 12:54 AM, Seth Arnold wrote: > >> Are you sure you have a partition image and not a disk image? What is >> the error message before the usage information is displayed. There >> should be one line that explains why it gave an error. > > Sadly, there isn't even the one-liner error message. :( I've appended > output near the end. I just fixed that so that all 'usage' statements have an error. There were a couple that do not. I've updated the src/fstools/fls.c file with more error messages (based on if there are too few or too many arguments). Try it and see if it gives more details. The command you are using is standard, so I do not know why it is giving problems. > I'm positive I have a partition image; I still have that shell open, > and it's history command shows that I copied /dev/sda1 -- the first > partition on the first scsi disk. (Linux supports Sandisk by emulating > a SCSI drive.) Ok. > (While I don't know filesystem internals well enough to tell from the > contents of what I've got, maybe you do. So I've appended that near the > end as well. :) It looks legit. > >> Hmm. I do not know of anyone that has used them under Debian on an >> iBook. There could be an endian ordering issue with the package. You >> may want to try directly from the source. > > "Try directly from the source" -- do you mean try running autopsy and > TSK on my brother's OS X machine? Or compiling TSK from source? I > tried compiling TSK from Debian's source on machine with identical > results. (This shouldn't surprise me. I did it with intentions of being > able to try suggestions that include source modifications. :) I haven't > tried running TSK on my brother's OS X machine simply because I've > never > compiled anything on it and didn't want to bother late at night.. :) I meant to download the tarball from sleuthkit.org and compile it. Do any of the other tools work? It seems that 'fsstat' worked because you were able to import the image. Try to run 'istat -f fat /home/sarnold/sandisk.dd 2'. Also let me know how using the fls.c file worked. When compiling from the source, it will not install itself in '/usr/bin/', so make sure you are running the new binaries and not the original ones :) brian |
|
From: Seth A. <sa...@im...> - 2005-01-07 04:57:36
Attachments:
sleuthkit-getopt-type-error.patch
|
On Thu, Jan 06, 2005 at 09:41:57AM -0500, Brian Carrier wrote: > I just fixed that so that all 'usage' statements have an error. There Brian, thank you for your quick fix. It made it easy to find the bug. :) The problem is that getopt() will return a character in the normal case and a negative integer in the failure case. Because 'ch' was declared as a char, it does not have sufficient range to accept all character values _and_ the error return value -1. (This was made pretty clear when I modified your default: case to print the character: ÿ. I've learned to fear this character over the years.. it is 0xFF, 255, or (unsigned char) -1.) Thanks also for showing consistent discipline in your programs -- it was very easy to track down a few more programs that exhibit this error. Attached is a patch that will correct these errors. (Please forgive me my indulgence of re-indenting a handful of lines in the switch statement. I found the original a little difficult to read. If you'd rather keep the indenting the way it was, it should be easy to undo my changes by hand. :) Thanks for taking the time to help find the problem. Much appreciated. |
|
From: Brian C. <ca...@sl...> - 2005-01-07 07:28:05
|
On Jan 6, 2005, at 11:57 PM, Seth Arnold wrote: > On Thu, Jan 06, 2005 at 09:41:57AM -0500, Brian Carrier wrote: >> I just fixed that so that all 'usage' statements have an error. There > > Brian, thank you for your quick fix. It made it easy to find the bug. > :) > > The problem is that getopt() will return a character in the normal case > and a negative integer in the failure case. Interesting. I have actually spent the last day cleaning up all of the variables (version 2 is on its way - I am finishing up support for disk images!) and I fixed those instances. I hadn't heard of them causing problems before. It must be a change in libc. > Thanks also for showing consistent discipline in your programs -- it > was very easy to track down a few more programs that exhibit this > error. > Attached is a patch that will correct these errors. (Please forgive me > my > indulgence of re-indenting a handful of lines in the switch statement. > I > found the original a little difficult to read. If you'd rather keep the > indenting the way it was, it should be easy to undo my changes by > hand. :) Thanks. Yea, the indenting (especially of the switches) has gotten out of hand. I have changed editors a couple of times and that has made it worse. I applied indent to the v2 tree. brian |
|
From: Seth A. <sa...@im...> - 2005-01-07 08:02:04
|
On Fri, Jan 07, 2005 at 02:27:52AM -0500, Brian Carrier wrote: > Interesting. I have actually spent the last day cleaning up all of the= =20 > variables (version 2 is on its way - I am finishing up support for disk= =20 > images!) and I fixed those instances. I hadn't heard of them causing=20 > problems before. It must be a change in libc. Oooh, I like the sound of upcoming version 2. :) I wish I knew why it causes problems on my ppc linux but not on x86 linux or ppc mac os x. If you find out, please let me know. :) (I'm honestly a bit surprised it worked fine on x86 linux, but I've seen odder..) > Yea, the indenting (especially of the switches) has gotten out of hand.= =20 > I have changed editors a couple of times and that has made it worse. =20 > I applied indent to the v2 tree. Cool. :) Changing editors can do that. Thanks again. |
|
From: Seth A. <sa...@im...> - 2005-01-08 08:25:36
|
Brian, thanks for the fantastic program. Autopsy made Sleuthkit very easy to use, and Sleuthkit did a great job reading files off my brother's formatted CF card. Very cool. Thanks. |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X