Thread: [sleuthkit-users] Error Parsing File (invalid characters?)
From: Stefan K. <sk...@bf...> - 2010-11-15 16:34:49
All,

When analyzing an image with Autopsy (v2.2.4, TSK v3.2.0) I'm getting
lots of warnings upon viewing "all deleted files":

Error Parsing File (invalid characters?)
: +++++ r/r 1242-128-1: xxxxxxx.xx1 2009-05-07 14:31:33 (CEST) 2009-05-07 14:35:34 (CEST) 2009-10-27 10:37:05 (CET) 2009-05-07 14:35:34 (CEST) 439 0 0
Error Parsing File (invalid characters?)
: +++++ r/r 1245-128-3: xxxxxxx.xx2 2009-05-07 14:31:33 (CEST) 2009-05-07 14:35:34 (CEST) 2009-10-27 10:37:05 (CET) 2009-05-07 14:35:34 (CEST) 6617 0 0
Error Parsing File (invalid characters?)
: +++++ r/r 1246-128-3: xxxxxxx.xx3 2010-07-19 09:31:04 (CEST) 2010-07-19 09:31:04 (CEST) 2010-07-19 09:31:04 (CEST) 2009-05-07 14:58:12 (CEST) 2128 0 0

Following those warnings is the output I'd expect.

I've tried multiple images; same behaviour.

I think (but am not sure) that this has been introduced
with upgrading to TSK 3.2.0.

Hints anyone?

Thanks,

Stefan.

--
Stefan Kelm <sk...@bf...>
BFK edv-consulting GmbH        http://www.bfk.de/
Kriegsstrasse 100              Tel: +49-721-96201-1
D-76133 Karlsruhe              Fax: +49-721-96201-99
From: Brian C. <ca...@sl...> - 2010-11-16 17:24:34
Hi Stefan,

If you run 'fls' directly instead of via Autopsy, what do you get (I can
help with the specific syntax if needed)?

TSK 3.2 changed where "name cleanup" is done to get rid of invalid
characters. That change could be the cause of the observed problem.

thanks,
brian

On Nov 15, 2010, at 11:34 AM, Stefan Kelm wrote:

> All,
>
> When analyzing an image with Autopsy (v2.2.4, TSK v3.2.0) I'm getting
> lots of warnings upon viewing "all deleted files":
>
> Error Parsing File (invalid characters?)
> : +++++ r/r 1242-128-1: xxxxxxx.xx1 2009-05-07 14:31:33 (CEST)
> 2009-05-07 14:35:34 (CEST) 2009-10-27 10:37:05 (CET) 2009-05-07 14:35:34
> (CEST) 439 0 0
> Error Parsing File (invalid characters?)
> : +++++ r/r 1245-128-3: xxxxxxx.xx2 2009-05-07 14:31:33 (CEST)
> 2009-05-07 14:35:34 (CEST) 2009-10-27 10:37:05 (CET) 2009-05-07 14:35:34
> (CEST) 6617 0 0
> Error Parsing File (invalid characters?)
> : +++++ r/r 1246-128-3: xxxxxxx.xx3 2010-07-19 09:31:04 (CEST)
> 2010-07-19 09:31:04 (CEST) 2010-07-19 09:31:04 (CEST) 2009-05-07
> 14:58:12 (CEST) 2128 0 0
>
> Following those warnings is the output I'd expect.
>
> I've tried multiple images; same behaviour.
>
> I think (but am not sure) that this has been introduced
> with upgrading to TSK 3.2.0.
>
> Hints anyone?
>
> Thanks,
>
> Stefan.
>
> --
> Stefan Kelm <sk...@bf...>
> BFK edv-consulting GmbH        http://www.bfk.de/
> Kriegsstrasse 100              Tel: +49-721-96201-1
> D-76133 Karlsruhe              Fax: +49-721-96201-99
From: Stefan K. <sk...@bf...> - 2010-11-17 11:52:15
Hi Brian,

> If you run 'fls' directly instead of via Autopsy, what do you get (I
> can help with the specific syntax if needed)?

Sure. I guess you want the '-ldr' options to be passed to fls? Here's
some sample output (truncated):

fls -ldr -o 63 image.dd:

r/r 4-128-4:      $AttrDef        2009-10-27 20:32:58 (CET)...
r/r 8-128-2:      $BadClus        2009-10-27 20:32:58 (CET)...
r/r 8-128-1:      $BadClus:$Bad   2009-10-27 20:32:58 (CET)...
r/r 6-128-1:      $Bitmap         2009-10-27 20:32:58 (CET)...
r/r 7-128-1:      $Boot           2009-10-27 20:32:58 (CET)...
d/d 11-144-4:     $Extend         2009-10-27 20:32:58 (CET)...
+ r/r 25-144-2:   $ObjId:$O       2009-10-27 20:32:59 (CET)...
+ r/r 24-144-3:   $Quota:$O       2009-10-27 20:32:59 (CET)...
+ r/r 24-144-2:   $Quota:$Q       2009-10-27 20:32:59 (CET)...

I reckon it's the "+" signs that confuse Autopsy. One workaround would be
to pass '-pldr' instead of '-ldr' in line #1460 of Autopsy's 'File.pm'
module. But things get *really* slow afterwards.

Another workaround would be to change line #1555 in 'File.pm' from

  /^($::REG_MTYPE)\/($::REG_MTYPE)\s*(\*?)\s*($::REG_META)(\(realloc\))?:\t(.+?)\t($::REG_DATE)\t($::REG_DATE)\t($::REG_DATE)\t($::REG_DATE)\t(\d+)\t(\d+)\t(\d+)$/o

to

  /^[+ ]*($::REG_MTYPE)\/($::REG_MTYPE)\s*(\*?)\s*($::REG_META)(\(realloc\))?:\t(.+?)\t($::REG_DATE)\t($::REG_DATE)\t($::REG_DATE)\t($::REG_DATE)\t(\d+)\t(\d+)\t(\d+)$/o

but I'm not sure whether or not this would break other things.

Cheers,

Stefan.

--
Stefan Kelm <sk...@bf...>
BFK edv-consulting GmbH        http://www.bfk.de/
Kriegsstrasse 100              Tel: +49-721-96201-1
D-76133 Karlsruhe              Fax: +49-721-96201-99
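To make the effect of the two File.pm regexes concrete, here is an added Python example that is not Autopsy's or TSK's own code: it parses tab-separated `fls -l` records with the anchored pattern as shipped and with the `^[+ ]*` variant from the message above. The REG_* patterns, the field names and the sample fls lines are my own simplified assumptions, not Autopsy's `$::REG_*` definitions.

```python
import re

# Assumed, simplified stand-ins for Autopsy's $::REG_MTYPE / $::REG_META / $::REG_DATE.
REG_MTYPE = r"[-?rdlbcpsvwh]"
REG_META = r"\d+(?:-\d+-\d+)?"                      # e.g. 1242-128-1 on NTFS, 4711 elsewhere
REG_DATE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \([A-Z]+\)"
BODY = (rf"({REG_MTYPE})/({REG_MTYPE})\s*(\*?)\s*({REG_META})(\(realloc\))?:\t(.+?)\t"
        rf"({REG_DATE})\t({REG_DATE})\t({REG_DATE})\t({REG_DATE})\t(\d+)\t(\d+)\t(\d+)$")
ORIGINAL = re.compile("^" + BODY)        # File.pm as shipped: record must start at column 0
PATCHED = re.compile("^[+ ]*" + BODY)    # the workaround: skip the "+ " depth prefix of fls -r

FIELDS = ("dir_type", "meta_type", "deleted", "meta", "realloc", "name",
          "mtime", "atime", "ctime", "crtime", "size", "uid", "gid")

def parse_fls_line(line, pattern=PATCHED):
    """Parse one `fls -l` record; return a dict, or None when the line does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["depth"] = len(line) - len(line.lstrip("+"))   # leading '+' count = directory depth
    rec["deleted"] = rec["deleted"] == "*"
    rec["size"] = int(rec["size"])
    return rec

def parse_fls_output(lines, pattern=PATCHED):
    """Split fls output into parsed records and the lines Autopsy would flag as errors."""
    records, errors = [], []
    for line in lines:
        rec = parse_fls_line(line, pattern)
        if rec is None:
            errors.append(line)        # what Autopsy reports as "Error Parsing File"
        else:
            records.append(rec)
    return records, errors

# Constructed sample of `fls -ldr` output, modelled on the lines quoted in the thread
# (tab-separated, as Autopsy expects); entries, sizes and timestamps are made up.
T = "2009-10-27 20:32:58 (CET)"
SAMPLE = [
    "\t".join(["r/r 4-128-4:", "$AttrDef", T, T, T, T, "2560", "0", "0"]),
    "\t".join(["d/d 11-144-4:", "$Extend", T, T, T, T, "344", "0", "0"]),
    "\t".join(["+ r/r 25-144-2:", "$ObjId:$O", T, T, T, T, "4096", "0", "0"]),
    "\t".join(["+++++ r/r * 1242-128-1:", "xxxxxxx.xx1", T, T, T, T, "439", "0", "0"]),
]

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("patched", PATCHED)):
        recs, errs = parse_fls_output(SAMPLE, pat)
        print(f"{name}: {len(recs)} parsed, {len(errs)} 'Error Parsing File' lines")
```

With the anchored pattern every nested entry (the ones fls -r prefixes with "+") is rejected; the patched pattern keeps the prefix out of the fields while still recovering the depth from it.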
From: Stefan K. <sk...@bf...> - 2010-11-18 11:48:07
Brian,

>> If you run 'fls' directly instead of via Autopsy, what do you get (I
>> can help with the specific syntax if needed)?
>
> Sure. I guess you want the '-ldr' options to be passed to fls? Here's
> some sample output (truncated):
>
> fls -ldr -o 63 image.dd:

Never mind - I just tried the 2010.11.18 trunk of 'fls' and everything
worked fine now. No workarounds necessary. :-)

Cheers,

Stefan.

--
Stefan Kelm <sk...@bf...>
BFK edv-consulting GmbH        http://www.bfk.de/
Kriegsstrasse 100              Tel: +49-721-96201-1
D-76133 Karlsruhe              Fax: +49-721-96201-99