Thread: [sleuthkit-users] read error
From: Josep M H. <jm...@me...> - 2003-04-10 14:19:51
All my past problems with fls were solved, but I still have problems with the biggest partition (12Gb).
While creating the timeline body file the following read error appears:

/usr/local/bin/sleuthkit/bin/fls: read block read error (8192@12624838656): Unknown error: 0
Running ils -m on images/c0t0d0s6-usr.dd

I copied this partition thru dd/ssh with the source system up and running, could that be the problem?
Must I boot from a live CD system in order to produce a good image?
Note that I have no problem with the other partitions that were copied that way ...

Thanks,
Josep M Homs
From: Brian C. <ca...@ce...> - 2003-04-10 15:43:10
How big exactly is the image? That message usually appears when it tries to read past the end of the file (if a few blocks were missed) or if it is trying to read invalid data. Invalid data usually exists because the file was deleted and the block pointers were written over with different data.

Run 'fls' from the command line (with -rp) to see where the error occurs. Then do an istat on the file.

fls -f ntfs -rp IMG

brian

On Thu, Apr 10, 2003 at 04:18:13PM +0200, Josep M Homs wrote:
> All my past problems with fls were solved ,
> but i still have problems with the biggest partition (12Gb).
> While creating the timeline body file the following read error appears :
>
> /usr/local/bin/sleuthkit/bin/fls: read block read error
> (8192@12624838656): Unknown error: 0 Running ils -m on
> images/c0t0d0s6-usr.dd
>
> I copied this partition thru dd/ssh with the source system up and
> running , could that be the problem ?
> must i boot from a live cd system in order to produce a good image ?
> note that I have no problem with the other partitions that were copied
> that way ...
>
> Thanks ,
> Josep M Homs
From: Josep M H. <jm...@me...> - 2003-04-10 16:32:20
Brian Carrier wrote:
> How big exactly is the image?

-rw-r--r-- 1 root wheel 12624842752 Apr 9 20:34 c0t0d0s6-usr.dd

> that message usually appears when it
> tries to read past the end of the file (if a few blocks were missed) or
> if it is trying to read invalid data. Invalid data usually exists
> because the file was deleted and the block pointers were written over
> with different data.
>
> Run 'fls' from the command line (with -rp) to see where the error
> occurs. Then do an istat on the file.
>
> fls -f ntfs -rp IMG
>

#/usr/local/bin/sleuthkit/bin/fls -f solaris -rp ./c0t0d0s6-usr.dd
---[cut]-----
-/d 1465088: lib/devfsadm
-/l 1465089: lib/devfsadm/devfsadmd
-/d 1471296: lib/devfsadm/linkmod
/usr/local/bin/sleuthkit/bin/fls: read block read error (8192@12624838656): Unknown error: 0

#/usr/local/bin/sleuthkit/bin/istat -f solaris ./c0t0d0s6-usr.dd 1471296
inode: 1471296
Allocated
Group: 237
uid / gid: 0 / 3
mode: drwxr-xr-x
size: 512
num of links: 2

Inode Times:
Accessed: Mon Mar 17 16:16:24 2003
File Modified: Thu Oct 17 12:21:23 2002
Inode Modified: Thu Oct 17 12:21:23 2002

Direct Blocks:
12328944

> brian
>
> On Thu, Apr 10, 2003 at 04:18:13PM +0200, Josep M Homs wrote:
>
>>All my past problems with fls were solved ,
>>but i still have problems with the biggest partition (12Gb).
>>While creating the timeline body file the following read error appears :
>>
>>/usr/local/bin/sleuthkit/bin/fls: read block read error
>>(8192@12624838656): Unknown error: 0 Running ils -m on
>>images/c0t0d0s6-usr.dd
>>
>>I copied this partition thru dd/ssh with the source system up and
>>running , could that be the problem ?
>>must i boot from a live cd system in order to produce a good image ?
>>note that I have no problem with the other partitions that were copied
>>that way ...
>>
>>Thanks ,
>>Josep M Homs
From: Brian C. <ca...@sl...> - 2003-04-10 22:17:25
Josep M Homs <jm...@me...> said:

> Brian Carrier wrote:
> > How big exactly is the image?
>
> -rw-r--r-- 1 root wheel 12624842752 Apr 9 20:34 c0t0d0s6-usr.dd
>
..
>
> -/d 1471296: lib/devfsadm/linkmod
> /usr/local/bin/sleuthkit/bin/fls: read block read error
> (8192@12624838656): Unknown error: 0

It is trying to read 8192 bytes at 12624838656, but there is only 4096 bytes left in the image. So, there are either invalid pointers or you are missing part of the image.

What is the 'fsstat' output for the image. That will give the total number of blocks in the file system. As the image size is not a multiple of 8192 (the block size), I would guess that you do not have the full image. The 'fsstat' output contains the required info.

brian
From: Josep M H. <jm...@me...> - 2003-04-11 13:32:05
>>
>>>How big exactly is the image?
>>
>>-rw-r--r-- 1 root wheel 12624842752 Apr 9 20:34 c0t0d0s6-usr.dd
>>
>
> ..
>
>>-/d 1471296: lib/devfsadm/linkmod
>>/usr/local/bin/sleuthkit/bin/fls: read block read error
>>(8192@12624838656): Unknown error: 0
>
> It is trying to read 8192 bytes at 12624838656, but there is only 4096 bytes
> left in the image. So, there are either invalid pointers or you are missing
> part of the image.

I transferred again the image and the exact size remains the same.

> What is the 'fsstat' output for the image. That will give
> the total number of blocks in the file system. As the image size is not a
> multiple of 8192 (the block size), I would guess that you do not have the full
> image. The 'fsstat' output contains the required info.

/usr/local/bin/sleuthkit/bin/fsstat -f solaris ./c0t0d0s6-usr.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FFS
Last Written: Wed Apr 9 15:42:50 2003

META-DATA INFORMATION
--------------------------------------------
Inode Range: 0 - 1477503
Root Directory: 2

CONTENT-DATA INFORMATION
--------------------------------------------
Fragment Range: 0 - 12328947
Block Size: 8192
Fragment Size: 1024

CYLINDER GROUP INFORMATION
--------------------------------------------
Number of Cylinder Groups: 238
Inodes per group: 6208
Fragments per group: 51832

Group 0:
  Inode Range: 0 - 6207
  Fragment Range: 0 - 51831
  Boot Block: 0 - 7
  Super Block: 8 - 9
  Super Block: 16 - 17
  Group Desc: 24 - 24
  Inode Table: 32 - 807
  Data Fragments: 808 - 51831

-------[cut]-------

Group 237:
  Inode Range: 1471296 - 1477503
  Fragment Range: 12284184 - 12328947
  Super Block: 12285864 - 12285865
  Group Desc: 12285872 - 12285872
  Inode Table: 12285880 - 12286655
  Data Fragments: 12284184 - 12285863, 12286656 - 12336015

If needed I can send the full output.

>
>
> brian
>

Thanks,
Josep M Homs
From: Brian C. <ca...@sl...> - 2003-04-11 14:49:10
Interesting. FFS actually allows you to have a file system size that is not a multiple of the block size, but it is a multiple of the fragment size. In this case, it appears that you have data in the last 4 fragments and it is trying to read the full block and just extract the fragments.

Can you run the 'fls -rp' with '-v' as well to get the verbose output? I need to find out where it is being called from.

I just fixed a bug in 'fsstat' that takes this into account (notice that the last fragments in the group extend beyond the final fragment).

brian
From: Josep M H. <jm...@me...> - 2003-04-11 15:10:09
Brian Carrier wrote:
> Interesting. FFS actually allows you to have a file system size that is not a
> multiple of the block size, but it is a multiple of the fragment size. In
> this case, it appears that you have data in the last 4 fragments and it is
> trying to read the full block and just extract the fragments. Can you run the
> 'fls -rp' with '-v' as well to get the verbose output? I need to find out
> where it is being called from.
>

/usr/local/bin/sleuthkit/bin/fls -f solaris -rp -v ./c0t0d0s6-usr.dd
inodes 1477504 root ino 2 cyl groups 238 blocks 12328948
fs_read_block: read block 32 offs 32768 len 8192 (inode block)
fs_read_block: read block 24 offs 24576 len 8192 (cylinder block)
fs_read_block: read block 824 offs 843776 len 8192 (data block)
-/d 3: lost+found
fs_read_block: read block 816 offs 835584 len 8192 (data block)
fs_read_block: read block 5859232 offs 5999853568 len 8192 (inode block)
fs_read_block: read block 5859216 offs 5999837184 len 8192 (cylinder block)
-------- [cut] ----------------------
-/d 1465088: lib/devfsadm
fs_read_block: read block 12232360 offs 12525936640 len 8192 (data block)
fs_read_block: read block 103952 offs 106446848 len 8192 (inode block)
fs_read_block: read block 103944 offs 106438656 len 8192 (cylinder block)
fs_read_block: read block 12233920 offs 12527534080 len 8192 (inode block)
fs_read_block: read block 12232361 offs 12525937664 len 1024 (link block)
fs_read_block: read block 12233912 offs 12527525888 len 8192 (cylinder block)
-/l 1465089: lib/devfsadm/devfsadmd
fs_read_block: read block 12285880 offs 12580741120 len 8192 (inode block)
fs_read_block: read block 12285872 offs 12580732928 len 8192 (cylinder block)
-/d 1471296: lib/devfsadm/linkmod
fs_read_block: read block 12328944 offs 12624838656 len 8192 (data block)
/usr/local/bin/sleuthkit/bin/fls: read block read error (8192@12624838656): Unknown error: 0

> I just fixed a bug in 'fsstat' that takes this into account (notice that the
> last fragments in the group extend beyond the final fragment).
>
> brian
>
From: Brian C. <ca...@sl...> - 2003-04-14 23:56:46
This was fixed and Josep has the patch. You can now read the final fragments in a FFS image that are not a multiple of a block (which seems to be rare). If anyone else needs it before the next version is released, let me know.

brian
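
The size arithmetic behind the diagnosis in this thread (the "only 4096 bytes left" reply and the later note that an FFS size is a multiple of the fragment size, not necessarily of the block size), as an added example that is not part of the original messages or of The Sleuth Kit. The function names and result keys are hypothetical; the input values are copied from the fsstat output, the file listing and the fls error quoted above.

```python
import re

# Values copied from the messages in this thread (fsstat, ls -l, fls error).
FSSTAT = """\
Fragment Range: 0 - 12328947
Block Size: 8192
Fragment Size: 1024
"""
IMAGE_SIZE = 12624842752
FLS_ERROR = "read block read error (8192@12624838656): Unknown error: 0"


def parse_fsstat(text):
    """Return (fragment_count, block_size, fragment_size) from fsstat text.

    Assumes the first 'Fragment Range' line is the file-system-wide one.
    """
    def field(pattern):
        return int(re.search(pattern, text, re.M).group(1))
    last_frag = field(r"^\s*Fragment Range: 0 - (\d+)")
    return (last_frag + 1, field(r"^\s*Block Size: (\d+)"),
            field(r"^\s*Fragment Size: (\d+)"))


def diagnose(fsstat_text, image_size, error):
    """Decide whether a read error means a short image or a partial last block."""
    frags, block, frag = parse_fsstat(fsstat_text)
    length, offset = map(int, re.search(r"\((\d+)@(\d+)\)", error).groups())
    fs_bytes = frags * frag  # FFS size is a whole number of fragments
    return {
        "fs_bytes": fs_bytes,
        "missing_bytes": max(0, fs_bytes - image_size),  # > 0: image truncated
        "tail_frags": (fs_bytes % block) // frag,  # fragments in last partial block
        "first_frag": offset // frag,  # fragment address the failed read started at
        "readable": max(0, min(length, image_size - offset)),  # bytes actually present
        "past_fs_end": offset + length > fs_bytes,  # read ran beyond the file system
    }


if __name__ == "__main__":
    for key, value in diagnose(FSSTAT, IMAGE_SIZE, FLS_ERROR).items():
        print(f"{key}: {value}")
```

A `missing_bytes` of 0 together with a non-zero `tail_frags` means the image holds every fragment of the file system and the failing read is a full-block request against the final partial block; a non-zero `missing_bytes` points to an incomplete copy instead.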