|

»

»

sleuthkit-users

fls: missing field

View: New views

3 Messages — Rating Filter: Alert me

	fls: missing field by .-54 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Hi When running fls against one of my Ext3 partitions I notice that 34 out of 17512 entries are missing one of the 'body file' format fields. $ fls -V The Sleuth Kit ver 3.0.1 $ sudo fls -r -m / /dev/sda4 > fls.out According to the wiki http://wiki.sleuthkit.org/index.php?title=Body_file The 3.X output has the following fields: MD5\|name\|inode\|mode_as_string\|UID\|GID\|size\|atime\|mtime\|ctime\|crtime Example output: ... 0\|/Dir1/SubDir1/FileA (deleted)\|9551913\|r/rrwxrwx---\|1000\|1000\|0\|1199618002\|1199765794\|1199765794\|0 0\|/Dir1/SubDir2/FileB\|2769344\|r/rrwxr-xr-x\|1000\|1000\|73350\|1239210630\|1234051666\|1235248434\|0 ... 0\|/Dir1/FileC (deleted)\|0\|r/----------\|0\|0\|0\|0\|0\|0 0\|/Dir1/FileD (deleted)\|0\|d/----------\|0\|0\|0\|0\|0\|0 ... The last two entries have 10 fields instead of 11. It is difficult to identify which field is missing in each case as most values are zeroes. Do you know which field is missing and why? Other info: $ sudo istat /dev/sda4 0 Metadata address is too small for image (1) $ sudo ils /dev/sda4 0 class\|host\|device\|start_time ils\|myhost\|\|1247422110 st_ino\|st_alloc\|st_uid\|st_gid\|st_mtime\|st_atime\|st_ctime\|st_crtime\|st_mode\|st_nlink\|st_size Invalid walk range (extXfs_inode_walk: end inode: 0) Thank you JS ------------------------------------------------------------------------------ Enter the BlackBerry Developer Challenge This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge. See full prize details at: http://p.sf.net/sfu/Challenge _______________________________________________ sleuthkit-users mailing list https://lists.sourceforge.net/lists/listinfo/sleuthkit-users http://www.sleuthkit.org
	Re: fls: missing field by Simson Garfinkel-3 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message That's wild. As a short-term fix, you could use fiwalk, which will now output in body file format. You can download fiwalk from http://afflib.org/ Cheers. On Jul 12, 2009, at 2:38 PM, . wrote: > Hi > > When running fls against one of my Ext3 partitions I notice that 34 > out > of 17512 entries are missing one of the 'body file' format fields. > > $ fls -V > The Sleuth Kit ver 3.0.1 > > $ sudo fls -r -m / /dev/sda4 > fls.out > > According to the wiki http://wiki.sleuthkit.org/index.php?title=Body_file > > The 3.X output has the following fields: > MD5\|name\|inode\|mode_as_string\|UID\|GID\|size\|atime\|mtime\|ctime\|crtime > > Example output: > ... > 0\|/Dir1/SubDir1/FileA > (deleted)\|9551913\|r/rrwxrwx---\|1000\|1000\|0\|1199618002\|1199765794\| > 1199765794\|0 > 0\|/Dir1/SubDir2/FileB\|2769344\|r/rrwxr-xr-x\|1000\|1000\|73350\| > 1239210630\|1234051666\|1235248434\|0 > ... > 0\|/Dir1/FileC (deleted)\|0\|r/----------\|0\|0\|0\|0\|0\|0 > 0\|/Dir1/FileD (deleted)\|0\|d/----------\|0\|0\|0\|0\|0\|0 > ... > > The last two entries have 10 fields instead of 11. > It is difficult to identify which field is missing in each case as > most > values are zeroes. > Do you know which field is missing and why? > > Other info: > > $ sudo istat /dev/sda4 0 > Metadata address is too small for image (1) > > $ sudo ils /dev/sda4 0 > class\|host\|device\|start_time > ils\|myhost\|\|1247422110 > st_ino\|st_alloc\|st_uid\|st_gid\|st_mtime\|st_atime\|st_ctime\|st_crtime\| > st_mode\|st_nlink\|st_size > Invalid walk range (extXfs_inode_walk: end inode: 0) > > Thank you > > JS > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited > time, > vendors submitting new applications to BlackBerry App World(TM) will > have > the opportunity to enter the BlackBerry Developer Challenge. See > full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > ------------------------------------------------------------------------------ Enter the BlackBerry Developer Challenge This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge. See full prize details at: http://p.sf.net/sfu/Challenge _______________________________________________ sleuthkit-users mailing list https://lists.sourceforge.net/lists/listinfo/sleuthkit-users http://www.sleuthkit.org
	Re: fls: missing field by Brian Carrier-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Thanks. I just fixed it. http://svn.sleuthkit.org/repos/sleuthkit/trunk/tsk3/fs/fs_name.c brian On Jul 12, 2009, at 2:38 PM, . wrote: > Hi > > When running fls against one of my Ext3 partitions I notice that 34 > out > of 17512 entries are missing one of the 'body file' format fields. > > $ fls -V > The Sleuth Kit ver 3.0.1 > > $ sudo fls -r -m / /dev/sda4 > fls.out > > According to the wiki http://wiki.sleuthkit.org/index.php?title=Body_file > > The 3.X output has the following fields: > MD5\|name\|inode\|mode_as_string\|UID\|GID\|size\|atime\|mtime\|ctime\|crtime > > Example output: > ... > 0\|/Dir1/SubDir1/FileA > (deleted)\|9551913\|r/rrwxrwx---\|1000\|1000\|0\|1199618002\|1199765794\| > 1199765794\|0 > 0\|/Dir1/SubDir2/FileB\|2769344\|r/rrwxr-xr-x\|1000\|1000\|73350\| > 1239210630\|1234051666\|1235248434\|0 > ... > 0\|/Dir1/FileC (deleted)\|0\|r/----------\|0\|0\|0\|0\|0\|0 > 0\|/Dir1/FileD (deleted)\|0\|d/----------\|0\|0\|0\|0\|0\|0 > ... > > The last two entries have 10 fields instead of 11. > It is difficult to identify which field is missing in each case as > most > values are zeroes. > Do you know which field is missing and why? > > Other info: > > $ sudo istat /dev/sda4 0 > Metadata address is too small for image (1) > > $ sudo ils /dev/sda4 0 > class\|host\|device\|start_time > ils\|myhost\|\|1247422110 > st_ino\|st_alloc\|st_uid\|st_gid\|st_mtime\|st_atime\|st_ctime\|st_crtime\| > st_mode\|st_nlink\|st_size > Invalid walk range (extXfs_inode_walk: end inode: 0) > > Thank you > > JS > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited > time, > vendors submitting new applications to BlackBerry App World(TM) will > have > the opportunity to enter the BlackBerry Developer Challenge. See > full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org ------------------------------------------------------------------------------ Enter the BlackBerry Developer Challenge This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge. See full prize details at: http://p.sf.net/sfu/Challenge _______________________________________________ sleuthkit-users mailing list https://lists.sourceforge.net/lists/listinfo/sleuthkit-users http://www.sleuthkit.org