Nabble - The Sleuth Kit

beta 3.1.0b1 - tsk3/fs/tsk_fs_i.h

2009-12-05T21:28:13Z

tsk_fs_make_ls(TSK_FS_META *, char *); is declared in tsk_fs_i.h , but tsk_fs_i.h is not installed into /usr/local/include/tsk3 in the 3.1 beta. Can it be added?

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

3.10b1 - tsk_img_open_utf8

2009-12-05T11:07:18Z

Sleuthkit 3.1 changes the calling sequence of tsk_img_open_utf8.

The new calling sequence is:

extern TSK_IMG_INFO *tsk_img_open_utf8(int num_img,
const char *const images[], TSK_IMG_TYPE_ENUM type, unsigned int);

This is good news --- apparently the new argument is the sector size (0 for default).

But it would be nice if the #include file gave a name for the fourth argument, rather than just calling it "unsigned int"

Please change the include file to read:

extern TSK_IMG_INFO *tsk_img_open_utf8(int num_img,
const char *const images[], TSK_IMG_TYPE_ENUM type, unsigned int sector_size);

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

[ sleuthkit-Feature Requests-2908516 ] HFS Hot files

2009-12-03T18:47:37Z

Feature Requests item #2908516, was opened at 2009-12-03 21:47
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2908516&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: HFS Hot files

Initial Comment:
Show users which files are in the Hot Files B-Tree.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2908516&group_id=55685

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Feature Requests-2908514 ] Finish HFS+ features

2009-12-03T18:44:57Z

Feature Requests item #2908514, was opened at 2009-12-03 21:44
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2908514&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: Finish HFS+ features

Initial Comment:
Add:
- Resource fork support
- Soft links
- Hard links

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2908514&group_id=55685

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Feature Requests-2908510 ] Make temporal data more granular

2009-12-03T18:41:18Z

Feature Requests item #2908510, was opened at 2009-12-03 21:41
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2908510&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: Make temporal data more granular

Initial Comment:
TSK currently ignores temporal data that is smaller than 1 second. We should be storing that data somewhere (in a separate variable) and allowing the user to use it.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2908510&group_id=55685

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Feature Requests-2351426 ] Include mactime with Windows binaries

2009-12-03T18:39:22Z

Feature Requests item #2351426, was opened at 2008-11-26 11:37
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2351426&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Timeline
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: Include mactime with Windows binaries

Initial Comment:
mactime could be included with the Windows binaries. Some installation issues need to be figured out because the 'make' process currently locates perl and adds that to the top of the mactime script.

It was suggested that PAR could help... I haven't looked into it yet.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-12-03 21:39

Message:
>From RB:
On Nov 19, 2009, at 5:33 PM, RB wrote:

On Thu, Nov 19, 2009 at 15:05, Brian Carrier <carrier@...>
wrote:
then I can make it happen. For example, what needs to happen for the
script
to find Perl.exe? Does the user have to edit the first line of the file
to
point to their installation? Do they need to run it as "perl mactime"?

Generally speaking, yes - it's up to the Perl distribution to insert
itself into %PATH%, and they typically do a good job of that. The
ubiquitous "#!" from UNIX is relatively meaningless in that world,
IIRC, so unless the user has also associated .pl scripts with perl.exe
(another thing I've seen done), you'll have to invoke Perl first.

Steps to make this happen:
- update the release process to set the version in the script
- Update the doc on using mactime on windows.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2351426&group_id=55685

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Feature Requests-2367458 ] Process NTFS Security Attribute

2009-12-03T18:36:48Z

Feature Requests item #2367458, was opened at 2008-11-30 18:00
Message generated for change (Settings changed) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2367458&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
>Status: Closed
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: Process NTFS Security Attribute

Initial Comment:
Display the security settings for a file.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-12-03 21:36

Message:
This has been addressed by the patch in Issue 2895607.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2367458&group_id=55685

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Bugs-2905750 ] reading data from compressed file on NTFS

2009-12-03T18:27:17Z

Bugs item #2905750, was opened at 2009-11-29 16:33
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2905750&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System Tools
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: oncer oncer surname (oncer82)
Assigned to: Nobody/Anonymous (nobody)
Summary: reading data from compressed file on NTFS

Initial Comment:
This issue is reprodusable when trying to read content of a compressed file on NTFS with using tsk_fs_file_read funstion.

Bug is reproduced on an alive OS while trying to read content of a C:\WINDOWS\ie7\inetres.adm file.
Function tsk_fs_file_read continues reading data even when an offset from where to read data is past file's boundary.
Function continues returning data without any error.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-12-03 21:27

Message:
I confirmed that the code does not return -1 when offset is past the end of
the file. 0 was returned instead. This was inconsistent with the reading
functionality of the image layer, which returns -1 in that case. All file
system code was updated to return -1 when an offset is given past the end
of the allocated file size. Thanks!

Sending trunk/tsk3/base/tsk_base.h
Sending trunk/tsk3/base/tsk_error.c
Sending trunk/tsk3/fs/fs_attr.c
Sending trunk/tsk3/fs/fs_file.c
Sending trunk/tsk3/fs/ntfs.c
Sending trunk/tsk3/fs/tsk_fs.h
Transmitting file data ......
Committed revision 138.

----------------------------------------------------------------------

Comment By: oncer oncer surname (oncer82)
Date: 2009-11-29 16:35

Message:
Windows XP, search pak 2.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2905750&group_id=55685

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

Re: TSK 3.0.1 crashes with truncated volumes

2009-12-01T19:12:55Z

Thanks for the trace. I fixed it and it is checked into the trunk.

thanks,
brian

On Dec 1, 2009, at 9:54 PM, Simson Garfinkel wrote:

> Hi, Brian. I also got it to crash with TSK 3.1beta
>
> (gdb) run -o63 ~/0411.iso
> Starting program: /Users/simsong/domex/src/dist/sleuthkit-3.1.0b1/
> tools/fstools/fls -o63 ~/0411.iso
> Reading symbols for shared libraries .+++++++++. done
>
> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_INVALID_ADDRESS at address: 0x00000001007f9ff0
> 0x00007fffffe00f40 in __memcpy ()
> (gdb) where
> #0 0x00007fffffe00f40 in __memcpy ()
> #1 0x0000000100004580 in __inline_memcpy_chk (__dest=0x100801e00,
> __src=0x1001ce014, __len=18446744073709519360) at _string.h:58
> #2 0x0000000100004285 in tsk_img_read (a_img_info=0x10018e000,
> a_off=97792, a_buf=0x100801e00 "", a_len=1536) at img_io.c:71
> #3 0x000000010003e8e6 in tsk_fs_read (a_fs=0x1002007a0,
> a_off=65536, a_buf=0x100801e00 "", a_len=1536) at fs_io.c:63
> #4 0x00000001000364a2 in ffs_open (img_info=0x10018e000,
> offset=32256, ftype=TSK_FS_TYPE_FFS_DETECT) at ffs.c:1963
> #5 0x000000010003ffc8 in tsk_fs_open_img (a_img_info=0x10018e000,
> a_offset=32256, a_ftype=TSK_FS_TYPE_DETECT) at fs_open.c:157
> #6 0x0000000100001457 in main (argc=<value temporarily unavailable,
> due to optimizations>, argv1=0x7fff5fbfef80) at fls.cpp:263
> (gdb) up
> #1 0x0000000100004580 in __inline_memcpy_chk (__dest=0x100801e00,
> __src=0x1001ce014, __len=18446744073709519360) at _string.h:58
> 58 return __builtin___memcpy_chk (__dest, __src, __len,
> __darwin_obsz0(__dest));
> Current language: auto; currently c
> (gdb) up
> #2 0x0000000100004285 in tsk_img_read (a_img_info=0x10018e000,
> a_off=97792, a_buf=0x100801e00 "", a_len=1536) at img_io.c:71
> 71 memcpy(a_buf,
> (gdb) list 65,75
> 65 if (tsk_verbose)
> 66 fprintf(stderr,
> 67 "tsk_img_read: Read found in cache %d\n", i);
> 68 */
> 69
> 70 // We found it...
> 71 memcpy(a_buf,
> 72 &a_img_info->cache[i][a_off -
> 73 a_img_info->cache_off[i]], len2);
> 74 retval = (ssize_t) len2;
> 75
> (gdb) p a_buf
> $1 = 0x100801e00 ""
> (gdb) p i
> $2 = 3
> (gdb) p a_off
> $3 = 97792
> (gdb) p a_img_info->cache_off[i]
> $4 = 32256
> (gdb) p len2
> $5 = 18446744073709519360
> (gdb)
>
>
> ------------------------------------------------------------------------------
> Join us December 9, 2009 for the Red Hat Virtual Experience,
> a free event focused on virtualization and cloud computing.
> Attend in-depth sessions from your desk. Your couch. Anywhere.
> http://p.sf.net/sfu/redhat-sfdev2dev
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

[ sleuthkit-Bugs-2907248 ] crash in image layer caching

2009-12-01T19:12:25Z

Bugs item #2907248, was opened at 2009-12-01 22:10
Message generated for change (Settings changed) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2907248&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System Tools
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: crash in image layer caching

Initial Comment:
Reported from Simson Garfinkel:

(gdb) run -o63 ~/0411.iso
Starting program: /Users/simsong/domex/src/dist/sleuthkit-3.1.0b1/tools/fstools/fls -o63 ~/0411.iso
Reading symbols for shared libraries .+++++++++. done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000001007f9ff0
0x00007fffffe00f40 in __memcpy ()
(gdb) where
#0 0x00007fffffe00f40 in __memcpy ()
#1 0x0000000100004580 in __inline_memcpy_chk (__dest=0x100801e00, __src=0x1001ce014, __len=18446744073709519360) at _string.h:58
#2 0x0000000100004285 in tsk_img_read (a_img_info=0x10018e000, a_off=97792, a_buf=0x100801e00 "", a_len=1536) at img_io.c:71
#3 0x000000010003e8e6 in tsk_fs_read (a_fs=0x1002007a0, a_off=65536, a_buf=0x100801e00 "", a_len=1536) at fs_io.c:63
#4 0x00000001000364a2 in ffs_open (img_info=0x10018e000, offset=32256, ftype=TSK_FS_TYPE_FFS_DETECT) at ffs.c:1963
#5 0x000000010003ffc8 in tsk_fs_open_img (a_img_info=0x10018e000, a_offset=32256, a_ftype=TSK_FS_TYPE_DETECT) at fs_open.c:157
#6 0x0000000100001457 in main (argc=<value temporarily unavailable, due to optimizations>, argv1=0x7fff5fbfef80) at fls.cpp:263
(gdb) up
#1 0x0000000100004580 in __inline_memcpy_chk (__dest=0x100801e00, __src=0x1001ce014, __len=18446744073709519360) at _string.h:58
58 return __builtin___memcpy_chk (__dest, __src, __len, __darwin_obsz0(__dest));
Current language: auto; currently c
(gdb) up
#2 0x0000000100004285 in tsk_img_read (a_img_info=0x10018e000, a_off=97792, a_buf=0x100801e00 "", a_len=1536) at img_io.c:71
71 memcpy(a_buf,
(gdb) list 65,75
65 if (tsk_verbose)
66 fprintf(stderr,
67 "tsk_img_read: Read found in cache %d\n", i);
68 */
69
70 // We found it...
71 memcpy(a_buf,
72 &a_img_info->cache[i][a_off -
73 a_img_info->cache_off[i]], len2);
74 retval = (ssize_t) len2;
75
(gdb) p a_buf
$1 = 0x100801e00 ""
(gdb) p i
$2 = 3
(gdb) p a_off
$3 = 97792
(gdb) p a_img_info->cache_off[i]
$4 = 32256
(gdb) p len2
$5 = 18446744073709519360
(gdb)

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-12-01 22:12

Message:
Fixed. Issue was with length calculation when reading past end of image.

Sending trunk/tsk3/img/img_io.c
Transmitting file data .
Committed revision 136.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2907248&group_id=55685

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Bugs-2907248 ] crash in image layer caching

2009-12-01T19:10:13Z

Bugs item #2907248, was opened at 2009-12-01 22:10
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2907248&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: crash in image layer caching

Initial Comment:
Reported from Simson Garfinkel:

(gdb) run -o63 ~/0411.iso
Starting program: /Users/simsong/domex/src/dist/sleuthkit-3.1.0b1/tools/fstools/fls -o63 ~/0411.iso
Reading symbols for shared libraries .+++++++++. done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000001007f9ff0
0x00007fffffe00f40 in __memcpy ()
(gdb) where
#0 0x00007fffffe00f40 in __memcpy ()
#1 0x0000000100004580 in __inline_memcpy_chk (__dest=0x100801e00, __src=0x1001ce014, __len=18446744073709519360) at _string.h:58
#2 0x0000000100004285 in tsk_img_read (a_img_info=0x10018e000, a_off=97792, a_buf=0x100801e00 "", a_len=1536) at img_io.c:71
#3 0x000000010003e8e6 in tsk_fs_read (a_fs=0x1002007a0, a_off=65536, a_buf=0x100801e00 "", a_len=1536) at fs_io.c:63
#4 0x00000001000364a2 in ffs_open (img_info=0x10018e000, offset=32256, ftype=TSK_FS_TYPE_FFS_DETECT) at ffs.c:1963
#5 0x000000010003ffc8 in tsk_fs_open_img (a_img_info=0x10018e000, a_offset=32256, a_ftype=TSK_FS_TYPE_DETECT) at fs_open.c:157
#6 0x0000000100001457 in main (argc=<value temporarily unavailable, due to optimizations>, argv1=0x7fff5fbfef80) at fls.cpp:263
(gdb) up
#1 0x0000000100004580 in __inline_memcpy_chk (__dest=0x100801e00, __src=0x1001ce014, __len=18446744073709519360) at _string.h:58
58 return __builtin___memcpy_chk (__dest, __src, __len, __darwin_obsz0(__dest));
Current language: auto; currently c
(gdb) up
#2 0x0000000100004285 in tsk_img_read (a_img_info=0x10018e000, a_off=97792, a_buf=0x100801e00 "", a_len=1536) at img_io.c:71
71 memcpy(a_buf,
(gdb) list 65,75
65 if (tsk_verbose)
66 fprintf(stderr,
67 "tsk_img_read: Read found in cache %d\n", i);
68 */
69
70 // We found it...
71 memcpy(a_buf,
72 &a_img_info->cache[i][a_off -
73 a_img_info->cache_off[i]], len2);
74 retval = (ssize_t) len2;
75
(gdb) p a_buf
$1 = 0x100801e00 ""
(gdb) p i
$2 = 3
(gdb) p a_off
$3 = 97792
(gdb) p a_img_info->cache_off[i]
$4 = 32256
(gdb) p len2
$5 = 18446744073709519360
(gdb)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2907248&group_id=55685

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

Re: TSK 3.0.1 crashes with truncated volumes

2009-12-01T18:54:49Z

Hi, Brian. I also got it to crash with TSK 3.1beta

(gdb) run -o63 ~/0411.iso
Starting program: /Users/simsong/domex/src/dist/sleuthkit-3.1.0b1/tools/fstools/fls -o63 ~/0411.iso
Reading symbols for shared libraries .+++++++++. done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000001007f9ff0
0x00007fffffe00f40 in __memcpy ()
(gdb) where
#0 0x00007fffffe00f40 in __memcpy ()
#1 0x0000000100004580 in __inline_memcpy_chk (__dest=0x100801e00, __src=0x1001ce014, __len=18446744073709519360) at _string.h:58
#2 0x0000000100004285 in tsk_img_read (a_img_info=0x10018e000, a_off=97792, a_buf=0x100801e00 "", a_len=1536) at img_io.c:71
#3 0x000000010003e8e6 in tsk_fs_read (a_fs=0x1002007a0, a_off=65536, a_buf=0x100801e00 "", a_len=1536) at fs_io.c:63
#4 0x00000001000364a2 in ffs_open (img_info=0x10018e000, offset=32256, ftype=TSK_FS_TYPE_FFS_DETECT) at ffs.c:1963
#5 0x000000010003ffc8 in tsk_fs_open_img (a_img_info=0x10018e000, a_offset=32256, a_ftype=TSK_FS_TYPE_DETECT) at fs_open.c:157
#6 0x0000000100001457 in main (argc=<value temporarily unavailable, due to optimizations>, argv1=0x7fff5fbfef80) at fls.cpp:263
(gdb) up
#1 0x0000000100004580 in __inline_memcpy_chk (__dest=0x100801e00, __src=0x1001ce014, __len=18446744073709519360) at _string.h:58
58 return __builtin___memcpy_chk (__dest, __src, __len, __darwin_obsz0(__dest));
Current language: auto; currently c
(gdb) up
#2 0x0000000100004285 in tsk_img_read (a_img_info=0x10018e000, a_off=97792, a_buf=0x100801e00 "", a_len=1536) at img_io.c:71
71 memcpy(a_buf,
(gdb) list 65,75
65 if (tsk_verbose)
66 fprintf(stderr,
67 "tsk_img_read: Read found in cache %d\n", i);
68 */
69
70 // We found it...
71 memcpy(a_buf,
72 &a_img_info->cache[i][a_off -
73 a_img_info->cache_off[i]], len2);
74 retval = (ssize_t) len2;
75
(gdb) p a_buf
$1 = 0x100801e00 ""
(gdb) p i
$2 = 3
(gdb) p a_off
$3 = 97792
(gdb) p a_img_info->cache_off[i]
$4 = 32256
(gdb) p len2
$5 = 18446744073709519360
(gdb)

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

Re: 3.1.0 beta

2009-12-01T18:28:09Z

Hi Adric,

Thanks. If you could check for missing files and errors about
unexpected data, then that would be great.

thanks,
brian

On Nov 30, 2009, at 8:59 PM, Adric Net wrote:

> Hi,
>
> I've got the beta loaded up on my MacBook here and have a freshly
> acquired Tiger Server HFS+ image (dd splitfile) loaded into Autopsy.
> I'll be poking at it with sleuthkit and looking around over the next
> few days, but if there is anything in particular you'd like tested,
> please let me know.
>
> Thanks,
> adric
>
> On Nov 25, 2009, at 3:57 PM, Brian Carrier wrote:
>
>> I was hoping to get the 3.1.0 release out in the Spring before the
>> baby was born, but that didn't work. So, a new release is LONG over
>> due. There are a lot of bug fixes in the 3.1.0 release and HFS
>> support is now enabled by default. Thanks to Rob Joyce and ATC-NY
>> for
>> their HFS help. I would like to have the HFS code put through some
>> more tests before an official release is made though.
>>
>> 3.1.0b1 is available from http://www.sleuthkit.org/betas/. I'll build
>> the Windows executables next week. Everyone is free to try it out,
>> but
>> help with HFS is especially appreciated. The goal is to have the
>> official 3.1.0 out by the end of 09.
>>
>> thanks!
>>
>> brian
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports
>> 2008 30-Day
>> trial. Simplify your report design, integration and deployment -
>> and focus on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>
> Adric Net
> adric@...
>
>
>
>
> ------------------------------------------------------------------------------
> Join us December 9, 2009 for the Red Hat Virtual Experience,
> a free event focused on virtualization and cloud computing.
> Attend in-depth sessions from your desk. Your couch. Anywhere.
> http://p.sf.net/sfu/redhat-sfdev2dev
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

From forum: sleuthkit-users

Re: TSK 3.0.1 crashes with truncated volumes

2009-12-01T18:22:07Z

Hi Simson,

I can't recreate this with the trunk or 3.0.1:

# fls -o 63 ~/Downloads/0411.iso
Error reading image file (tsk_fs_read_block: Address missing in
partial image: 261)) (tsk_fs_file_walk: Error reading block at 261 -
fatfs_dir_open_meta)
# fls -V
The Sleuth Kit ver 3.0.1

Can you run 'fls' in gdb and send me the 'bt' stack trace for the
crash on your system?

thanks,
brian

On Nov 29, 2009, at 12:49 AM, Simson Garfinkel wrote:

> I have a number of disks for which I was only able to image the
> first 64K of so. These images cause TSK to crash.
>
> One of the images is 0411.iso, which can be downloaded from http://www.simson.net/0411.iso
>
> $ mmls ~/0411.iso
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
>
> Slot Start End Length Description
> 00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
> 01: ----- 0000000000 0000000062 0000000063 Unallocated
> 02: 00:00 0000000063 0002124863 0002124801 DOS FAT16 (0x06)
> c$ fls -o 63 ~/0411.iso
> Segmentation fault (core dumped)
> 12:47 AM t:~/domex/src/fiwalk/src$ ls -l ~/0411.iso
> -rw-r--r-- 1 simsong slg 65536 2009-11-29 00:46 /home/simsong/0411.iso
> $ fls -V
> The Sleuth Kit ver 3.0.1
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

From forum: sleuthkit-users

[ sleuthkit-Feature Requests-2895607 ] Identify in NTFS the SID of the owner of a file

2009-12-01T14:49:22Z

Feature Requests item #2895607, was opened at 2009-11-10 19:25
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: James Butler (jamiebutler)
Assigned to: Nobody/Anonymous (nobody)
Summary: Identify in NTFS the SID of the owner of a file

Initial Comment:
The owner SID of files needs to be identified per file.

Every file has an associated security identifier which identifies the owner, groups, etc. of the file. More than one file may have the same security identifier if the files share the exact same security descriptor. Using the security identifier of the file (secid), we can lookup its security descriptor within $Secure. Security descriptors are variable length and contained in the $SDS stream within $Secure. The $SII stream of $Secure is an index into the $SDS stream. $SII entries are stored incrementally by the secid. Once we find the secid of the file inside the $SII stream, the $SII entry will tell the offset within the $SDS stream to read the security descriptor.

Use the tsk_fs_file_read_owner_sid function within fs_file.c to get the string representation of the owner SID of a file on NTFS. When an NTFS filesystem is opened ntfs_open is called. ntfs_open initializes a pointer to ntfs_lookup_security_id and then calls ntfs_load_secure. ntfs_load_secure opens MFT entry 9, $Secure, and reads in the $SDS and $SII streams. When tsk_fs_file_read_owner_sid is called on a TSK_FS_FILE, the owner SID is returned in its string form.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-12-01 17:49

Message:
Thanks. This has been added to the trunk. I changed it up a bit and moved
some code around. For example, I moved the NTFS code from fs_file into
ntfs.c and changed some of the NTFS functions, but most of it is the same.

I'm keeping this open as a reminder to go in an add some more error
statements into ntfs.c

Sending trunk/tsk3/fs/fs_attrlist.c
Sending trunk/tsk3/fs/fs_file.c
Sending trunk/tsk3/fs/ntfs.c
Sending trunk/tsk3/fs/tsk_fs.h
Sending trunk/tsk3/fs/tsk_fs_i.h
Sending trunk/tsk3/fs/tsk_ntfs.h
Transmitting file data ......
Committed revision 135.

----------------------------------------------------------------------

Comment By: James Butler (jamiebutler)
Date: 2009-11-25 17:12

Message:
Sorry, here is that function.

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/**
* \internal
* Search the attribute list of TSK_FS_ATTR structures for an entry with a
given
* type (no ID) and a given name. If more than one entry with the same
type exists,
* the one with the lowest ID will be returned.
*
* @param a_fs_attrlist Data list structure to search in
* @param a_type Type of attribute to find
* @param name Name of the attribute to find
*
* @return NULL is returned on error and if an entry could not be found.
* tsk_errno will be set to TSK_ERR_FS_ATTR_NOTFOUND if entry could not be
found.
*/
const TSK_FS_ATTR *
tsk_fs_attrlist_get_name_type(const TSK_FS_ATTRLIST * a_fs_attrlist,
TSK_FS_ATTR_TYPE_ENUM a_type, char *name)
{
TSK_FS_ATTR *fs_attr_cur;
TSK_FS_ATTR *fs_attr_ok = NULL;

if ((!a_fs_attrlist) || (name == NULL)) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"tsk_fs_attrlist_get: Null list pointer");
tsk_errstr2[0] = '\0';
return NULL;
}

for (fs_attr_cur = a_fs_attrlist->head; fs_attr_cur; fs_attr_cur =
fs_attr_cur->next)
{
if ((fs_attr_cur->flags & TSK_FS_ATTR_INUSE) &&
(fs_attr_cur->type == a_type) &&
(!strncmp(fs_attr_cur->name, name, MIN(fs_attr_cur->name_size,
strlen(name))))
)
{

/* If we are looking for NTFS $Data,
* then return default when we see it */
if ((fs_attr_cur->type == TSK_FS_ATTR_TYPE_NTFS_DATA) &&
(fs_attr_cur->name_size > 5) &&
(strncmp(fs_attr_cur->name, "$Data", 5) == 0))
{
return fs_attr_cur;
}

// make sure we return the lowest if multiple exist
if ((fs_attr_ok == NULL) || (fs_attr_ok->id >
fs_attr_cur->id))
fs_attr_ok = fs_attr_cur;
}
}

if (!fs_attr_ok) {
tsk_errno = TSK_ERR_FS_ATTR_NOTFOUND;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"tsk_fs_attrlist_get: Attribute %d not found", a_type);
return NULL;
}
else {
return fs_attr_ok;
}
}

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-11-25 11:01

Message:
Jamie, did you create a tsk_fs_attrlist_get_name_type() function as well?
It is being called from the new NTFS code, but it is not defined in TSK and
I didn't see it in the patch.

thanks.

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-11-25 10:30

Message:
Applied memory leak patches into fs_file.c:
Sending fs/fs_file.c
Transmitting file data .
Committed revision 131.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

Re: 3.1.0 beta

2009-11-30T17:59:21Z

Hi,

I've got the beta loaded up on my MacBook here and have a freshly acquired Tiger Server HFS+ image (dd splitfile) loaded into Autopsy.
I'll be poking at it with sleuthkit and looking around over the next few days, but if there is anything in particular you'd like tested, please let me know.

Thanks,
adric

On Nov 25, 2009, at 3:57 PM, Brian Carrier wrote:

> I was hoping to get the 3.1.0 release out in the Spring before the
> baby was born, but that didn't work. So, a new release is LONG over
> due. There are a lot of bug fixes in the 3.1.0 release and HFS
> support is now enabled by default. Thanks to Rob Joyce and ATC-NY for
> their HFS help. I would like to have the HFS code put through some
> more tests before an official release is made though.
>
> 3.1.0b1 is available from http://www.sleuthkit.org/betas/. I'll build
> the Windows executables next week. Everyone is free to try it out, but
> help with HFS is especially appreciated. The goal is to have the
> official 3.1.0 out by the end of 09.
>
> thanks!
>
> brian
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

Adric Net
adric@...

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

[ sleuthkit-Bugs-2905750 ] reading data from compressed file on NTFS

2009-11-29T13:35:22Z

Bugs item #2905750, was opened at 2009-11-29 23:33
Message generated for change (Comment added) made by oncer82
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2905750&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: oncer oncer surname (oncer82)
Assigned to: Nobody/Anonymous (nobody)
Summary: reading data from compressed file on NTFS

Initial Comment:
This issue is reprodusable when trying to read content of a compressed file on NTFS with using tsk_fs_file_read funstion.

Bug is reproduced on an alive OS while trying to read content of a C:\WINDOWS\ie7\inetres.adm file.
Function tsk_fs_file_read continues reading data even when an offset from where to read data is past file's boundary.
Function continues returning data without any error.

----------------------------------------------------------------------

>Comment By: oncer oncer surname (oncer82)
Date: 2009-11-29 23:35

Message:
Windows XP, search pak 2.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2905750&group_id=55685

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Bugs-2905750 ] reading data from compressed file on NTFS

2009-11-29T13:33:01Z

Bugs item #2905750, was opened at 2009-11-29 23:33
Message generated for change (Tracker Item Submitted) made by oncer82
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2905750&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: oncer oncer surname (oncer82)
Assigned to: Nobody/Anonymous (nobody)
Summary: reading data from compressed file on NTFS

Initial Comment:
This issue is reprodusable when trying to read content of a compressed file on NTFS with using tsk_fs_file_read funstion.

Bug is reproduced on an alive OS while trying to read content of a C:\WINDOWS\ie7\inetres.adm file.
Function tsk_fs_file_read continues reading data even when an offset from where to read data is past file's boundary.
Function continues returning data without any error.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2905750&group_id=55685

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

TSK 3.0.1 crashes with truncated volumes

2009-11-28T21:49:17Z

I have a number of disks for which I was only able to image the first 64K of so. These images cause TSK to crash.

One of the images is 0411.iso, which can be downloaded from http://www.simson.net/0411.iso

$ mmls ~/0411.iso
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000062 0000000063 Unallocated
02: 00:00 0000000063 0002124863 0002124801 DOS FAT16 (0x06)
c$ fls -o 63 ~/0411.iso
Segmentation fault (core dumped)
12:47 AM t:~/domex/src/fiwalk/src$ ls -l ~/0411.iso
-rw-r--r-- 1 simsong slg 65536 2009-11-29 00:46 /home/simsong/0411.iso
$ fls -V
The Sleuth Kit ver 3.0.1

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

[ sleuthkit-Feature Requests-2895607 ] Identify in NTFS the SID of the owner of a file

2009-11-25T14:12:19Z

Feature Requests item #2895607, was opened at 2009-11-10 19:25
Message generated for change (Comment added) made by jamiebutler
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: James Butler (jamiebutler)
Assigned to: Nobody/Anonymous (nobody)
Summary: Identify in NTFS the SID of the owner of a file

Initial Comment:
The owner SID of files needs to be identified per file.

Every file has an associated security identifier which identifies the owner, groups, etc. of the file. More than one file may have the same security identifier if the files share the exact same security descriptor. Using the security identifier of the file (secid), we can lookup its security descriptor within $Secure. Security descriptors are variable length and contained in the $SDS stream within $Secure. The $SII stream of $Secure is an index into the $SDS stream. $SII entries are stored incrementally by the secid. Once we find the secid of the file inside the $SII stream, the $SII entry will tell the offset within the $SDS stream to read the security descriptor.

Use the tsk_fs_file_read_owner_sid function within fs_file.c to get the string representation of the owner SID of a file on NTFS. When an NTFS filesystem is opened ntfs_open is called. ntfs_open initializes a pointer to ntfs_lookup_security_id and then calls ntfs_load_secure. ntfs_load_secure opens MFT entry 9, $Secure, and reads in the $SDS and $SII streams. When tsk_fs_file_read_owner_sid is called on a TSK_FS_FILE, the owner SID is returned in its string form.

----------------------------------------------------------------------

>Comment By: James Butler (jamiebutler)
Date: 2009-11-25 17:12

Message:
Sorry, here is that function.

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/**
* \internal
* Search the attribute list of TSK_FS_ATTR structures for an entry with a
given
* type (no ID) and a given name. If more than one entry with the same
type exists,
* the one with the lowest ID will be returned.
*
* @param a_fs_attrlist Data list structure to search in
* @param a_type Type of attribute to find
* @param name Name of the attribute to find
*
* @return NULL is returned on error and if an entry could not be found.
* tsk_errno will be set to TSK_ERR_FS_ATTR_NOTFOUND if entry could not be
found.
*/
const TSK_FS_ATTR *
tsk_fs_attrlist_get_name_type(const TSK_FS_ATTRLIST * a_fs_attrlist,
TSK_FS_ATTR_TYPE_ENUM a_type, char *name)
{
TSK_FS_ATTR *fs_attr_cur;
TSK_FS_ATTR *fs_attr_ok = NULL;

if ((!a_fs_attrlist) || (name == NULL)) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"tsk_fs_attrlist_get: Null list pointer");
tsk_errstr2[0] = '\0';
return NULL;
}

for (fs_attr_cur = a_fs_attrlist->head; fs_attr_cur; fs_attr_cur =
fs_attr_cur->next)
{
if ((fs_attr_cur->flags & TSK_FS_ATTR_INUSE) &&
(fs_attr_cur->type == a_type) &&
(!strncmp(fs_attr_cur->name, name, MIN(fs_attr_cur->name_size,
strlen(name))))
)
{

/* If we are looking for NTFS $Data,
* then return default when we see it */
if ((fs_attr_cur->type == TSK_FS_ATTR_TYPE_NTFS_DATA) &&
(fs_attr_cur->name_size > 5) &&
(strncmp(fs_attr_cur->name, "$Data", 5) == 0))
{
return fs_attr_cur;
}

// make sure we return the lowest if multiple exist
if ((fs_attr_ok == NULL) || (fs_attr_ok->id >
fs_attr_cur->id))
fs_attr_ok = fs_attr_cur;
}
}

if (!fs_attr_ok) {
tsk_errno = TSK_ERR_FS_ATTR_NOTFOUND;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"tsk_fs_attrlist_get: Attribute %d not found", a_type);
return NULL;
}
else {
return fs_attr_ok;
}
}

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-11-25 11:01

Message:
Jamie, did you create a tsk_fs_attrlist_get_name_type() function as well?
It is being called from the new NTFS code, but it is not defined in TSK and
I didn't see it in the patch.

thanks.

----------------------------------------------------------------------

Comment By: Brian Carrier (carrier)
Date: 2009-11-25 10:30

Message:
Applied memory leak patches into fs_file.c:
Sending fs/fs_file.c
Transmitting file data .
Committed revision 131.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

3.1.0 beta

2009-11-25T12:57:38Z

I was hoping to get the 3.1.0 release out in the Spring before the
baby was born, but that didn't work. So, a new release is LONG over
due. There are a lot of bug fixes in the 3.1.0 release and HFS
support is now enabled by default. Thanks to Rob Joyce and ATC-NY for
their HFS help. I would like to have the HFS code put through some
more tests before an official release is made though.

3.1.0b1 is available from http://www.sleuthkit.org/betas/. I'll build
the Windows executables next week. Everyone is free to try it out, but
help with HFS is especially appreciated. The goal is to have the
official 3.1.0 out by the end of 09.

thanks!

brian

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

Re: make-live-cd returns...

2009-11-25T10:53:00Z

Confirming that the fix works. Thank you Brian.

Brian Carrier wrote:

That is a bug. I just fixed it. If you copy this file:

http://svn.sleuthkit.org/repos/autopsy/trunk/base/make-live-cd.base

to your 'base' directory, and then type './configure'. You can say no to the question about making a new config file and yes to making a new 'autopsy'. Then, it should work.

brian

On Nov 24, 2009, at 11:47 PM, suman.beros@... wrote:

Missing Sleuth Kit executable (md5) at ./make-live-cd line 48.

Autopsy reports MD5 values, so I'd say it was able to find it. Browsing through sleuthkit-users archive I don't see any mention of this situation. Would appreciate any help.

sleuthkit-3.01
autopsy-2.21
ubuntu 9.10

Best regards,
Suman
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

__________ Information from ESET NOD32 Antivirus, version of virus signature database 4636 (20091125) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

Re: make-live-cd returns...

2009-11-25T09:17:35Z

That is a bug. I just fixed it. If you copy this file:

http://svn.sleuthkit.org/repos/autopsy/trunk/base/make-live-cd.base

to your 'base' directory, and then type './configure'. You can say no
to the question about making a new config file and yes to making a new
'autopsy'. Then, it should work.

brian

On Nov 24, 2009, at 11:47 PM, suman.beros@... wrote:

> Missing Sleuth Kit executable (md5) at ./make-live-cd line 48.
>
> Autopsy reports MD5 values, so I'd say it was able to find it.
> Browsing through sleuthkit-users archive I don't see any mention of
> this situation. Would appreciate any help.
>
> sleuthkit-3.01
> autopsy-2.21
> ubuntu 9.10
>
> Best regards,
> Suman
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

From forum: sleuthkit-users

[ sleuthkit-Feature Requests-2895607 ] Identify in NTFS the SID of the owner of a file

2009-11-25T08:01:36Z

From forum: sleuthkit-developers

[ sleuthkit-Feature Requests-2895607 ] Identify in NTFS the SID of the owner of a file

2009-11-25T07:30:13Z

From forum: sleuthkit-developers

[ sleuthkit-Feature Requests-2903757 ] HFS+ specific ffind code

2009-11-25T06:37:10Z

Feature Requests item #2903757, was opened at 2009-11-25 09:37
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903757&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: HFS+ specific ffind code

Initial Comment:
HFS+, like NTFS already does, should have special code to map a metadata address to a name. The current code recurses the directories until it finds a file that maps to the metadata. We could develop code that looks up the thread for the metadata address, and goes up the parent directory links in the catalog file.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903757&group_id=55685

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Feature Requests-2903408 ] ffind -d option

2009-11-25T06:01:04Z

Feature Requests item #2903408, was opened at 2009-11-24 17:46
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903408&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: ffind -d option

Initial Comment:
Make an ffind -d option that allows you to specify the block and it finds the metadata address and then the name. This merges 'ifind -d' into ffind.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-11-25 09:01

Message:
Requires request 2206344 to be resolved first, which makes ifind more
library friendly.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903408&group_id=55685

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Feature Requests-2903736 ] ffind -d option

2009-11-25T05:56:10Z

Feature Requests item #2903736, was opened at 2009-11-25 08:55
Message generated for change (Settings changed) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903736&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
>Status: Deleted
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: ffind -d option

Initial Comment:
Make an ffind -d option that allows you to specify the block and it finds the metadata address and then the name. This merges 'ifind -d' into ffind.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-11-25 08:56

Message:
Created by accident. Duplicate of existing request.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903736&group_id=55685

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

[ sleuthkit-Feature Requests-2903736 ] ffind -d option

2009-11-25T05:55:03Z

Feature Requests item #2903736, was opened at 2009-11-25 08:55
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903736&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: ffind -d option

Initial Comment:
Make an ffind -d option that allows you to specify the block and it finds the metadata address and then the name. This merges 'ifind -d' into ffind.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903736&group_id=55685

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

make-live-cd returns...

2009-11-24T20:47:33Z

Missing Sleuth Kit executable (md5) at ./make-live-cd line 48.

Autopsy reports MD5 values, so I'd say it was able to find it. Browsing through sleuthkit-users archive I don't see any mention of this situation. Would appreciate any help.

sleuthkit-3.01
autopsy-2.21
ubuntu 9.10

Best regards,
Suman

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

Badblocks - Speed...

2009-11-24T20:39:39Z

Hi,

This maybe slightly OT, but definitly I am sure someone here can help out.

I am running badblocks on a drive (which possibly has water damage).

Normally when badblocks finds a badblock it simply output the badblock number to the std output, ie:
1998696

Thought I have noticed, sometimes I get output like:
1998696 done, 13:55 elapsed

I think this means that the block passed, but it may have taken more time than normal to test that block?

Now on the drive in question I have done 2000017 blocks and its been running for about 30 minutes though the command line reads:
2000017 done, 15:23 elapsed

But I am sure its been longer that 15 minutes. The drive is a WD 2.5" 250Gb.

So, a few questions about interpreting the results and in particular whether that seems slow? I my experience I have been able to test 100-200Gb drives in about 15 minutes. At this rate with a total of 488397167 it is going to take a very long time (days!).

I would also assume that a drive this slow is a sign of impending failure?

Cheers in advance,

-Al

From forum: sleuthkit-users

Re: icat and ifind -- Help with -- Please DO NOT hijack threads

2009-11-24T16:08:50Z

Brian,

Precisely correct! The hard drives now hide the low-level details of how data is stored, and only provide us with LBAs.

Yours for more fuller encapsulation,

Simson

On Nov 24, 2009, at 2:23 PM, Brian Carrier wrote:

>
> On Nov 22, 2009, at 2:05 PM, Simson Garfinkel wrote:
>
>>
>> On Nov 22, 2009, at 10:55 AM, Al Grant wrote:
>>
>>>
>>> Thanks. This has been a most interesting bit of learning.
>>>
>>> While we are on the subject do partitions have to start on a new Cylinder?
>>
>> Hard drives don't have cylinders anymore, and haven't for more than 10 years. Everything is done with the Logical Block Address.
>
> I thought there was no value in low-level details.... :)
>
>
>
>

From forum: sleuthkit-users

[ sleuthkit-Feature Requests-2903408 ] ffind -d option

2009-11-24T14:46:00Z

Feature Requests item #2903408, was opened at 2009-11-24 17:46
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903408&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: ffind -d option

Initial Comment:
Make an ffind -d option that allows you to specify the block and it finds the metadata address and then the name. This merges 'ifind -d' into ffind.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2903408&group_id=55685

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

From forum: sleuthkit-developers

Re: icat and ifind -- Help with -- Please DO NOT hijack threads

2009-11-24T14:23:33Z

On Nov 22, 2009, at 2:05 PM, Simson Garfinkel wrote:

>
> On Nov 22, 2009, at 10:55 AM, Al Grant wrote:
>
>>
>> Thanks. This has been a most interesting bit of learning.
>>
>> While we are on the subject do partitions have to start on a new
>> Cylinder?
>
> Hard drives don't have cylinders anymore, and haven't for more than
> 10 years. Everything is done with the Logical Block Address.

I thought there was no value in low-level details.... :)

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users

Off-topic -- A good forensics education -- How to obtain -- "push button forensics" (PBF)

2009-11-22T15:30:01Z

Theodore Pham wrote:

>> I think there is room for both. Good tools that automate tedious,
>> error prone tasks and are at least somewhat transparent as to what
>> they are doing to achieve a given output are desirable.
>>
>> But at the same time, there are fundamentals that a good forensic
>> analyst should understand independent of what tools they choose to
>> use. If you don't at least expose beginners to the fundamentals of
>> file systems, inodes, and data blocks, then I believe their overall
>> ability to reason and interpret the output of higher level tools is
>> reduced. Especially if the higher level tool has a bug and is lying
>> to you or basing its output on an assumption which may be incorrect in
>> your situation.
>>
>> I'm not arguing that they need to master all the nuances down to
>> assembly language, they just need to be aware of where the limit of
>> their knowledge is so that if they find themselves in a situation
>> where they are not specialized enough, they know to seek out help from
>> someone who is if necessary.
>>
>> Think about doctors. Someone may end up specializing in orthodontics,
>> but they are still forced to do general medical school so they have
>> the proper exposure and understanding of how problems with your teeth
>> may manifest as other symptoms throughout your body.
>>
>> Our field is changing so rapidly that a solid understanding of the
>> fundamentals will do you immense benefit as what is old becomes new
>> again.
>>
>> Then again I went down the SANS path which teaches the fundamentals
>> before showing you the higher level tools so maybe I'm biased.
>>
>> On Sun, Nov 22, 2009 at 1:34 PM, Simson Garfinkel <simsong@...> wrote:
>>> On Nov 21, 2009, at 11:00 AM, Al Grant wrote:
>>>
>>>> Sure I would love it thanks Simson.
>>>>
>>>> I still however want to do it the manual way a few times first, else there
>>>> is no learning :-)
>>> Al,
>>>
>>> I would politely disagree with this statement. I do not think that there is much value in everyone's learning the low-level details of SleuthKit, just as there is no reason to learn the low-level details of assembly language or RTL (resistor transistor logic). Forensics is so complicated that people must specialize --- there is simply too much to learn. We need higher-level tools for creating forensic tools, so that it is easier to automate tasks and pass along each other's knowledge.
>>>
>>> Guidance Software's scripting language (escript) is a good first step. Unfortunately, the language is quite inefficient, poorly documented outside of the company's manuals (which are not freely available), and the only implementation is inside EnCase. The main problem with EnCase is that, as a GUI application, it is hard to use in a forensics pipeline. Because it only runs from a Windows GUI, you can't use EnCase on a cluster, even if you have thousands of disk images that you want to analyze in parallel.
>>>
>>> Simson

This thread of discussion is somewhat relevant to several other, recent
forensics discussions that dealt with the question of the value of "push
button forensics" (PBF). You may find them here:

A)
http://integriography.wordpress.com/2009/11/17/the-value-of-push-button-forensics/

-- see especially the comments that appear _after_ the article.

B)
http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers&discussionID=9884541&gid=36573&commentID=8553835&trk=view_disc

C)
http://integriography.wordpress.com/2009/11/19/push-button-forensics-managing-the-downsides/

The comment that I attached the most value to was the one by Windows
forensics expert Harlan Carvey, whose comment is the first one in the
first link above. I would like to know whether others agree with H.
Carvey's remark.

Sincerely,
Paul Bain

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From forum: sleuthkit-users