-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ok, bug fixed. Stupid error using an unsigned variable. The same
problem existed in the FFS code and is now fixed. The new versions can
be found here:
sleuthkit.sf.net/sleuthkit/ffs.c
sleuthkit.sf.net/sleuthkit/ext2fs.c
One of the things that I forgot on the list of goals for v2 (and Knut
Eckstein reminded me of) is that I want to go through the code and get
rid of all of the uses of size_t and addr_t type variables and move to
int32_t and u_int32_t because the sizes and signs for the different
platforms is too confusing.
brian
On Mar 10, 2004, at 4:06 PM, Epsilon wrote:
> --- Brian Carrier <ca...@sl...> wrote:
>>
>> On Feb 18, 2004, at 1:58 PM, Epsilon wrote:
>>
>>> I'm getting a very large (>500 MB) file when using the -s option
>> with
>>> icat when I should be getting a file that's around 40 KB. I'm
>> using
>>> sleuthkit-1.67. Anyone else seeing this?
>>
>> Wow. What file system type? Can you send the output of running
>> 'istat' on it?
>
> OK, I've been meaning to respond to this for a while. I'm now using
> sleuthkit-1.68 under Fedora Core 1 with latest patches applied. I'm
> using the honeypot.hda5.dd image from here:
>
> http://honeynet.org/misc/files/challenge-images.tar
>
> And here's the exact command I'm running:
>
> $ ./icat -s -f linux-ext2 honeypot.hda5.dd 1604 > inode-1604-all.out
>
> After about 5 seconds I ^C it and run icat w/o the -s:
>
> $ ./icat -f linux-ext2 honeypot.hda5.dd 1604 > inode-1604-data.out
>
> Look at the results:
>
> $ ls -l *.out
> -rw-r--r-- 1 ep users 141107200 Mar 10 16:01 inode-1604-all.out
> -rw-r--r-- 1 ep users 119671 Mar 10 16:01 inode-1604-data.out
>
> I'm expecting to see inode-1604-all.out to be 122880 bytes in size
> (4096 * 30 clusters). Is this a wrong assumption?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAT9ucOK1gLsdFTIsRAqn2AJ0U0L/JA/AxZ+dl2Vl5n6uRjLXDSwCePJx4
qyTQvjU7ZF2QRhEwkF0qzVA=
=mGQ8
-----END PGP SIGNATURE-----
|
