'Re: [sleuthkit-users] file oddity'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       sleuthkit-users
Subject:    Re: [sleuthkit-users] file oddity
From:       Brian Carrier <carrier () sleuthkit ! org>
Date:       2014-09-10 1:49:33
Message-ID: 9E7019A0-530E-47A5-A847-94B72FE590E9 () sleuthkit ! org
[Download RAW message or body]

Hi Stuart,

I'm wondering if the file in question is sparse and Ext4 isn't properly dealing with \
that.   I made an issue for it. Any debugging help would be appreciated though to \
verify that in the original file. 

brian


On Sep 3, 2014, at 3:21 PM, Stuart Maclean <stuart@apl.washington.edu> wrote:

> I am using tsk 4.1.3 on Ubuntu, 64-bit machine.   /dev/sda1 is a ext4 
> filessytem.
> 
> I have an inode for which istat claims
> 
> allocated
> inode: 1322012
> size: 4296704
> direct blocks: 5289177
> 
> If I dd the file, I do indeed see 4296704 bytes produced. Somewhat 
> curiously, the first 1876 bytes appear to be 'regular content', in fact 
> utf-16 text  (the file itself is some sort of kde cache file), while the 
> remainder of the file, over 4MB, are all zeros.  According to dd that is.
> 
> Now, if I icat this file (icat also from 4.1.3), the icat produces only 
> 4096 bytes of content.  I presume this number reflects the fact that 
> istat said there was only a single block, and the fs block size is 
> 4096.  The icat output shows the same 1876 leading bytes as dd did, and 
> further has all zeros from there up to its 4096 byte length.
> 
> I am not quite sure what is going on.  I was under the impression that 
> icat and dd would give the same result for this file (and would for all 
> allocated files in general).
> 
> Any help appreciated.
> 
> Stuart
> 
> 
> ------------------------------------------------------------------------------
> Slashdot TV.  
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org


------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic