Thread: [sleuthkit-users] fls core
From: Josep M H. <jm...@me...> - 2003-03-21 16:48:41
Hi, I have just installed TASK v1.60 and Autopsy v1.70 in a FreeBSD 4.8RC box. There seems to be a problem with the base system Perl in FreeBSD with large files, so I installed the Perl 5.8 port version, and the problem at make time seems to disappear.

But now (also before the Perl upgrade) I receive some coredumps from fls while working with some dd Solaris images from the browser with Autopsy. For example, while creating the data file in the timeline section:

Running fls -r -m on images/c0t0d0s0-root.dd
Segmentation fault (core dumped)
Running ils -m on images/c0t0d0s0-root.dd
Running fls -r -m on images/c0t0d0s7-exporthome.dd
Running ils -m on images/c0t0d0s7-exporthome.dd
Running fls -r -m on images/c0t0d0s6-usr.dd
Segmentation fault (core dumped)
Running ils -m on images/c0t0d0s6-usr.dd
Running fls -r -m on images/c0t0d0s1-var.dd
Segmentation fault (core dumped)
Running ils -m on images/c0t0d0s1-var.dd
Running fls -r -m on images/c0t0d0s5-opt.dd
Segmentation fault (core dumped)
Running ils -m on images/c0t0d0s5-opt.dd

When I run fls from the shell as follows:

/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s0-root.dd

I don't get any core. Any idea?

Thanks in advance,
Josep M Homs

From: Brian C. <ca...@ce...> - 2003-03-22 13:46:51
> When I run fls from the shell as follows:
>
> /usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s0-root.dd
>
> I don't get any core.

That is very strange. Save the 'fls' output to a file. How big is the file? I've never seen perl core though because the output was so big. What do you have the timezone, timeskew, and mounting point set as? Those are also passed when Autopsy actually runs the tools.

brian

From: Josep M H. <jm...@me...> - 2003-03-24 15:36:43
Brian Carrier wrote:
>>When I run fls from the shell as follows:
>>
>>/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s0-root.dd
>>
>>I don't get any core.
>
> That is very strange. Save the 'fls' output to a file. How big is the
> file? I've never seen perl core though because the output was so big.
> What do you have the timezone, timeskew, and mounting point set as?
> Those are also passed when Autopsy actually runs the tools.

I have the following dd images, one for each mount point in the original filesystem:

-rw-r--r-- 1 root wheel 1075994624 Mar 16 22:08 c0t0d0s0-root.dd
-rw-r--r-- 1 root wheel 1075994624 Mar 18 15:42 c0t0d0s1-var.dd
-rw-r--r-- 1 root wheel 106151936 Mar 18 15:56 c0t0d0s5-opt.dd
-rw-r--r-- 1 root wheel 12624842752 Mar 17 22:29 c0t0d0s6-usr.dd
-rw-r--r-- 1 root wheel 2149576704 Mar 18 16:45 c0t0d0s7-exporthome.dd

Inside Autopsy host definition:

/mnt/host/ images/c0t0d0s0-root.dd details
/mnt/host/export/home/ images/c0t0d0s7-exporthome.dd details
/mnt/host/opt/ images/c0t0d0s5-opt.dd details
/mnt/host/usr/ images/c0t0d0s6-usr.dd details
/mnt/host/var/ images/c0t0d0s1-var.dd

Timezone: CET
Timeskew: 1

From the command line:

blackbox:/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s0-root.dd > c0t0d0s0.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s0.txt
-rw-r--r-- 1 root staff 672014 Mar 24 15:47 c0t0d0s0.txt
blackbox:/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s1-var.dd > c0t0d0s1.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s1.txt
-rw-r--r-- 1 root staff 626144 Mar 24 15:56 c0t0d0s1.txt
blackbox:/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s5-opt.dd > c0t0d0s5.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s5.txt
-rw-r--r-- 1 root staff 421 Mar 24 15:58 c0t0d0s5.txt
blackbox:/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s6-usr.dd > c0t0d0s6.txt
./fls: read block read error (8192@12624838656): Unknown error: 0
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s6.txt
-rw-r--r-- 1 root staff 545931 Mar 24 15:59 c0t0d0s6.txt
blackbox:/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s7-exporthome.dd > c0t0d0s7.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s7.txt
-rw-r--r-- 1 root staff 184 Mar 24 16:00 c0t0d0s7.txt

As I pasted in the previous email, several core messages appear in the Autopsy browser, not only in the creation of the data file in the timeline section, but also, for example, when I go to file analysis:

Deleted Files
Type dir / in   File Name   Modified Time   Access Time   Change Time   Size   UID   GID   Meta
Error parsing string: Segmentation fault (core dumped)

I removed from the config the biggest image, which gives a read error, but the cores remain, also if I work with only the smallest one.

Best regards,
Josep M Homs

From: Brian C. <ca...@ce...> - 2003-03-25 15:32:14
Hmm. Can you send me the contents of the 'host.aut' file in the host directory?

Also, can you run:

# fls -f solaris -la -z CET -s 1 path/c0t0d0s0-root.dd

Does it core?

brian

From: Josep M H. <jm...@me...> - 2003-03-25 16:18:22
Brian Carrier wrote:
> Hmm. Can you send me the contents of the 'host.aut' file in the host
> directory?

desc Server
timezone CET
timeskew 1
image images/c0t0d0s0-root.dd solaris /mnt/host/
body output/body
timeline output/mactime-test
timeline output/mactime-test
body output/body
body output/body
body output/body
body output/body
body output/body

> Also, can you run:
>
> # fls -f solaris -la -z CET -s 1 path/c0t0d0s0-root.dd
>
> Does it core?

Yes, it does.

> brian

Thanks,
Josep M Homs

From: Brian C. <ca...@ce...> - 2003-03-25 17:43:41
On Tue, Mar 25, 2003 at 05:15:38PM +0100, Josep M Homs wrote:
> >Also, can you run:
> >
> > # fls -f solaris -la -z CET -s 1 path/c0t0d0s0-root.dd
> >
> >Does it core?
>
> Yes, it does.

Strange. Can you try it without the '-l' and without the '-a' to figure out which flags are causing the core (since it does not always crash). Can you also run a version that crashes with the '-v' flag to get some more details about where it is crashing?

What platform are you running this on?

Or, you can attach it to gdb and get some runtime details:

1. run 'gdb ./fls' from the bin directory
2. type 'set args -f solaris -la -z CET -s 1 path/c0t0d0s0-root.dd'
3. type 'run'
4. When it cores, type 'bt' to get the stack trace and send that output.

Thanks!

brian

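The flag isolation requested in the message above can be scripted by reading the exit status of each run. This is an added example, not part of the original thread or of the TASK sources; `crash_flags` and `fake_fls` are hypothetical names, and `fake_fls` is a constructed stand-in for the crashing binary.

```shell
#!/bin/sh
# Added example: isolate which optional flag makes a tool die on a signal.
# Usage: crash_flags CMD FLAG... -- FIXED_ARGS...
# Runs CMD once per optional flag (that flag plus FIXED_ARGS) and prints
# "flag:signal" for every run that was killed by a signal.
crash_flags() {
    cmd=$1
    shift
    flags=""
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        flags="$flags $1"
        shift
    done
    if [ $# -gt 0 ]; then shift; fi          # drop the "--" separator
    crashed=""
    for f in $flags; do
        # "&& ... ||" keeps the status readable even under "set -e".
        "$cmd" "$f" "$@" >/dev/null 2>&1 && status=0 || status=$?
        # A shell reports death by signal N as exit status 128+N,
        # so a segmentation fault (SIGSEGV, 11) shows up as 139.
        if [ "$status" -gt 128 ]; then
            crashed="$crashed $f:$((status - 128))"
        fi
    done
    echo "${crashed# }"
}

# Constructed stand-in for the crashing binary (hypothetical, not fls):
# it kills itself with SIGSEGV only when "-l" is among its arguments.
fake_fls() {
    case " $* " in
        *" -l "*) sh -c 'ulimit -c 0; kill -s SEGV $$' ;;
    esac
}

# Against the real tool this would be, with the arguments from the thread:
#   crash_flags ./fls -l -a -- -f solaris -z CET -s 1 path/c0t0d0s0-root.dd
crash_flags fake_fls -l -a -- -f solaris -z CET -s 1 image.dd
```
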
From: Josep M H. <jm...@me...> - 2003-03-25 18:29:56
Brian Carrier wrote:
> On Tue, Mar 25, 2003 at 05:15:38PM +0100, Josep M Homs wrote:
>
>>>Also, can you run:
>>>
>>> # fls -f solaris -la -z CET -s 1 path/c0t0d0s0-root.dd
>>>
>>>Does it core?
>>
>>Yes, it does.
>
> Strange. Can you try it without the '-l' and without the '-a' to
> figure out which flags are causing the core (since it does not always
> crash). Can you also run a version that crashes with the '-v' flag
> to get some more details about where it is crashing?

The problematic flag seems to be "-l", with only "-a" it doesn't crash. I paste the last lines with "-v":

fs_read_block: read block 56 offs 57344 len 8192 (inode block)
fs_read_block: read block 24 offs 24576 len 8192 (cylinder block)
-/r 214: .bash_history 2003.03.16 22:19:19 (CET) 2003.03.16 22:19:19 (CET) 2003.03.16 22:19:19 (CET) 3 1 0
Segmentation fault (core dumped)
blackbox:/usr/local/bin/task/bin#

> What platform are you running this on?

FreeBSD 4.8-RC #0: Mon Mar 24 19:52:47 CET 2003

> Or, you can attach it to gdb and get some runtime details:
>
> 1. run 'gdb ./fls' from the bin directory
> 2. type 'set args -f solaris -la -z CET -s 1 path/c0t0d0s0-root.dd'
> 3. type 'run'
> 4. When it cores, type 'bt' to get the stack trace and send that output.

OK, so portinstall gdb ;-)

I have to leave now... I'll send you the output in some hours.

> Thanks!

Thanks to you,
Josep M Homs

> brian

From: Brian C. <ca...@ce...> - 2003-03-26 14:53:05
Attachments:
fls.c.gz
On Wed, Mar 26, 2003 at 03:25:04PM +0100, Josep M Homs wrote:
> I'll send to you directly all the debug details in order not to flood
> the list.

Replace 'fls.c' in /src/fstools with the attached version. I was missing a NULL pointer check when a clock skew was used. This will be incorporated into the next release.

brian

From: Josep M H. <jm...@me...> - 2003-03-26 15:31:37
Brian Carrier wrote:
> Replace 'fls.c' in /src/fstools with the attached version. I was
> missing a NULL pointer check when a clock skew was used. This will be
> incorporated into the next release.
>
> brian

Great! It works. Thanks for your time.

Best regards,
Josep M Homs