There is a really stupid (but potentially serious) bug in 2.00 that can
cause issues with icat and split images. It is caused by a simple typo
and when icat is closing down, it MAY close the file handle for
standard output, which means that you may not see the file output. It
doesn't always occur. It depends on what happens to be in memory when
the program closes. I never saw the problem on my OS X system, but I
did confirm the behavior on a Linux system and the original report came
from a Linux system. When using the command line, the content will be
printed, but you can't redirect it and it will not be shown in Autopsy.
I want to wait a few days to release a new version in case there are
any other little bugs in the new 2.00 features, but here is an interim
patch / fix. The new icat.c file can be found at:
http://sleuthkit.sourceforge.net/sleuthkit/icat.c
Save it to src/fstools/ and recompile. Or, the patch is here. It is a
simple fix (just the argument to img->close()).
--- sleuthkit-2.00/src/fstools/icat.c Tue Mar 15 19:42:30 2005
+++ sleuthkit-03.24/src/fstools/icat.c Thu Mar 24 21:51:16 2005
@@ -165,7 +165,7 @@
fs_icat(fs, 0, inum, type, id, flags | FS_FLAG_FILE_NOID);
fs->close(fs);
- img->close(fs);
+ img->close(img);
exit(0);
}
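Review bot: On the changed line, the old call `img->close(fs)` handed the file system handle to the image close routine and still built and shipped, so the close callback's parameter is evidently not typed strictly enough for the compiler to tell `fs` from `img`. The one-line change to `img->close(img)` is right, but consider declaring the callback to take a pointer to the image type specifically (and building with incompatible-pointer warnings treated as errors) so this typo becomes a build failure rather than a memory-dependent runtime fault. Since `exit(0)` follows immediately, it would also help to check and report the return value of both close calls, so a failed or misdirected close is visible instead of silently losing the output.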
brian
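
The failure mode described in the message above, as an added C illustration that is not Sleuth Kit code: a close routine handed the wrong handle reads whatever sits where its descriptor field would be, and a tag check refuses it. All struct, field and function names are hypothetical, and a pipe stands in for standard output.

```c
/* Added illustration; every name here is hypothetical, not Sleuth Kit's. */
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IMG_TAG 0x494d4731u /* constructed marker values */
#define FS_TAG  0x46533031u

struct img_handle { unsigned tag; int fd; };
struct fs_handle  { unsigned tag; int block_size; };

/* Loosely typed callback: accepts any pointer and trusts the layout. */
static int img_close_unchecked(void *self) {
    int fd;
    memcpy(&fd, (char *)self + offsetof(struct img_handle, fd), sizeof fd);
    return close(fd); /* closes whatever number was found there */
}

/* Hardened callback: verify the handle type before touching a descriptor. */
static int img_close_checked(void *self) {
    unsigned tag;
    memcpy(&tag, self, sizeof tag);
    if (tag != IMG_TAG)
        return -1; /* wrong handle type: refuse and close nothing */
    return img_close_unchecked(self);
}

/* Returns 1 if the stand-in output descriptor is still open after the call. */
static int fd_survives(int (*close_fn)(void *), int wrong_handle) {
    int p[2];
    if (pipe(p) != 0) return -1;
    /* Constructed case: the fs field happens to hold a live descriptor number. */
    struct fs_handle  fs  = { FS_TAG,  p[1] };
    struct img_handle img = { IMG_TAG, p[1] };
    close_fn(wrong_handle ? (void *)&fs : (void *)&img);
    int alive = fcntl(p[1], F_GETFD) != -1;
    close(p[0]);
    if (alive) close(p[1]);
    return alive;
}

int main(void) {
    printf("unchecked, wrong handle: fd open = %d\n", fd_survives(img_close_unchecked, 1));
    printf("checked,   wrong handle: fd open = %d\n", fd_survives(img_close_checked, 1));
    printf("checked,   right handle: fd open = %d\n", fd_survives(img_close_checked, 0));
    return 0;
}
```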