On Monday, October 13, 2003, at 09:15 AM, McMillon, Matt wrote:
> I'm consistently getting these two errors on a Redhat 7.3 ext3 image.
> Also, the OS X compiled fsstat does not seem to differentiate between
> ext2 & 3.
The only difference between ext2 and ext3 is that ext3 has a journal,
but The Sleuth Kit does not read the journal so there should be no
difference.
> Errors:
>
> Error parsing string: -/- * 0: =A9=A3'@`=DF =A9=A3$@'2@?<@(=EDM
> Error parsing string: ^=E7=FF=BF=D5 @p%@`! 0000.00.00 00:00:00 (GMT)
> 0000.00.00 00:00:00 (GMT) 0000.00.00 00:00:00 (GMT) 0
> 0 0
Wow! What is happening is that the 'fls' tool is looking in the
directory for deleted file name entries. The above data met its
requirements for a valid deleted structure. There are currently no
name checks because it is possible to make file names with
non-printable ASCII. Autopsy, though, will only accept printable ASCII.
Therefore, I must either update Autopsy so that it reads unprintable
ASCII (although you would never see it in the browser ..) or add some
constraints into 'fls'. Either way, you can ignore the message. It
processed the rest of the entries after it found the error.
> ERROR: Negative byte offset (-89) Your version of strings likely does
> not support large files
Did you install the strings script for OS X? The strings that comes
with OS X doesn't support the same flags as binutils and this script
converts the syntax (if you put it in /usr/local/bin).
http://prdownloads.sourceforge.net/autopsy/strings?download
brian
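An added illustration, not part of the original message and not The Sleuth Kit's code: the reply above says leftover data can pass the structural test for a deleted name entry because no name check is applied. The sketch below uses the ext2 on-disk directory entry layout (inode, rec_len, name_len, file_type, name); the acceptance rules in `candidate` and the sample block are assumptions constructed for this example, and show how a printable-name constraint drops the junk hit while keeping the real deleted name.

```python
import struct

HDR = struct.Struct("<IHBB")  # ext2 dir entry header: inode, rec_len, name_len, file_type

def real_len(name_len):
    # Bytes an entry really occupies: 8-byte header + name, padded to a multiple of 4.
    return (HDR.size + name_len + 3) & ~3

def candidate(block, off, end, printable_only):
    # Structural test (assumed rules) for a leftover entry at `off`; returns its name or None.
    if off + HDR.size > end:
        return None
    _, rec_len, name_len, _ = HDR.unpack_from(block, off)
    if name_len == 0 or rec_len % 4 or rec_len < real_len(name_len) or off + rec_len > end:
        return None
    name = block[off + 8:off + 8 + name_len]
    if printable_only and not all(0x20 <= b < 0x7F and b != 0x2F for b in name):
        return None  # added constraint: reject names with non-printable bytes or '/'
    return name

def scan_block(block, printable_only=False):
    # Walk the live rec_len chain, then search each entry's slack for deleted names.
    found, off = [], 0
    while off + HDR.size <= len(block):
        inode, rec_len, name_len, _ = HDR.unpack_from(block, off)
        if rec_len < HDR.size or off + rec_len > len(block):
            break  # live chain is corrupt; stop rather than guess
        if inode:
            found.append((off, block[off + 8:off + 8 + name_len], False))
        slack, end = off + real_len(name_len), off + rec_len
        while slack < end:
            name = candidate(block, slack, end, printable_only)
            if name is not None:
                found.append((slack, name, True))
            slack += real_len(len(name)) if name is not None else 4
        off += rec_len
    return found

def entry(inode, rec_len, name):
    # Build one padded directory entry for the constructed sample.
    raw = HDR.pack(inode, rec_len, len(name), 1) + name
    return raw.ljust(real_len(len(name)), b"\0")

def sample_block():
    # Constructed 128-byte block: three live entries, one deleted name, one junk run.
    parts = [entry(2, 12, b"."), entry(2, 12, b".."), entry(12, 104, b"notes.txt"),
             entry(13, 16, b"old.log"), entry(0x40274027, 16, b"\xa9\xa3\xdf\xed")]
    return b"".join(parts).ljust(128, b"\0")

if __name__ == "__main__":
    for strict in (False, True):
        print(strict, scan_block(sample_block(), strict))
```

The trade-off named in the reply is visible here: the strict mode would also hide a genuine file whose name contains non-printable bytes.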