issue with ifind on hfsplus.

> I am trying to look up a file name in allocated space for a given  
> block. I was hoping to use ifind to identify the file name however  
> when I try ifind using:
>
> '/usr/local/bin/ifind' -f hfs -d 82009531 -o 0 -i raw '/dsk/case/
> easpro/host1/images/disk0s2'
>
> I get the following:
>
> General file system error (hfs_cat_read_thread_record: unexpected  
> record type 0) ( hfs_cat_file_lookup: file (1853290))
>
> The image that I am using is a 500gig hfs plus partition. the  
> address is relative to the partition. I get the same results using  
> autopsy. autopsy also says that the block is in allocated space.
>
> I have did a simple test with a dmg image and it worked fine. I can  
> also find some files on the problem image (in the root directory)  
> but ifind mostly fales.
>
> Is this a known issue with ifind on the OSX. Is there another way to  
> look up a filename from the block of allocated space? I am new to  
> sluethkit so I am very likely doing something wrong . It is less  
> important that i get ifind to work if there is another way to skin  
> this cat.
>
>
> Thanks
> Eric
>
>
> ------------------------------------------------------------------------------
> Enter the BlackBerry Developer Challenge
> This is your chance to win up to $100,000 in prizes! For a limited  
> time,
> vendors submitting new applications to BlackBerry App World(TM) will  
> have
> the opportunity to enter the BlackBerry Developer Challenge. See  
> full prize
> details at: http://p.sf.net/sfu/Challenge_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

> Hi Eric,
>
> Is this on a released version or a trunk (non-released) build?
>
> thanks,
> brian
>
>
> On Jul 15, 2009, at 9:58 AM, eric smith wrote:
>
>> I am trying to look up a file name in allocated space for a given  
>> block. I was hoping to use ifind to identify the file name however  
>> when I try ifind using:
>>
>> '/usr/local/bin/ifind' -f hfs -d 82009531 -o 0 -i raw '/dsk/case/
>> easpro/host1/images/disk0s2'
>>
>> I get the following:
>>
>> General file system error (hfs_cat_read_thread_record: unexpected  
>> record type 0) ( hfs_cat_file_lookup: file (1853290))
>>
>> The image that I am using is a 500gig hfs plus partition. the  
>> address is relative to the partition. I get the same results using  
>> autopsy. autopsy also says that the block is in allocated space.
>>
>> I have did a simple test with a dmg image and it worked fine. I can  
>> also find some files on the problem image (in the root directory)  
>> but ifind mostly fales.
>>
>> Is this a known issue with ifind on the OSX. Is there another way  
>> to look up a filename from the block of allocated space? I am new  
>> to sluethkit so I am very likely doing something wrong . It is less  
>> important that i get ifind to work if there is another way to skin  
>> this cat.
>>
>>
>> Thanks
>> Eric
>>
>>
>> ---
>> ---
>> ---
>> ---------------------------------------------------------------------
>> Enter the BlackBerry Developer Challenge
>> This is your chance to win up to $100,000 in prizes! For a limited  
>> time,
>> vendors submitting new applications to BlackBerry App World(TM)  
>> will have
>> the opportunity to enter the BlackBerry Developer Challenge. See  
>> full prize
>> details at: http://p.sf.net/sfu/Challenge_______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>