Ubuntu
sleuthkit package

autopsy (sleuthkit) meta reports overreport

Bug #225445 reported by hansel
6
Affects Status Importance Assigned to Milestone
sleuthkit (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: sleuthkit

On both x86-64 and x86 platforms, ext2 file system, autopsy (and sleuthkit command line inode tools -- istat) reports more than the actual blocks used. (specifically the report of consecutive blocks continues indefinitely -- probably to the end of a partition image)

Deleting packages and installing sleuthkit and autopsy manually reproduces known file block utilization.

Revision history for this message
Kenny Duffus (kduffus) wrote :

please could you include some more information on what you were running istat on was it a disk or an image? what options were you using with istat? also what version of ubuntu is this on? was it the same version of tsk and autopsy that you installed manually (you mean from source i presume?) or a newer version

thanks

Changed in sleuthkit:
status: New → Incomplete
Revision history for this message
egaskoa (curt-hash) wrote :

I encountered this bug today while running istat on a fully updated Ubuntu Gutsy x86 machine. I was using the sleuthkit binaries from Gutsy's repositories (v2.08).

Running istat (istat <device> <inode #>) on any inode (even for a file that should fit inside one or two blocks) results in a list of directed blocks that continues to increment indefinitely from the starting directed block number.

I was using both a 250GB ext3 physical device, and a dd image of a 50GB ext3 device, both with the same result.

I moved the image to an x86 machine running Gentoo, sleuthkit v2.09, and istat output was correct.

Revision history for this message
Jayson Rowe (jayson.rowe) wrote :

Since it's been a very long time since any additional info was added to this bug, I'm just checking to see if this is still an issue, and find out what additional work should be done on this bug.

Revision history for this message
hansel (hansel-mnstate) wrote : Re: [Bug 225445] Re: autopsy (sleuthkit) meta reports overreport

I have not used the software since last May and likely will not be using
it in the near future.

Mark Hansel

On Sat, 29 Nov 2008, JaysonRowe wrote:

> Date: Sat, 29 Nov 2008 16:45:47 -0000
> From: JaysonRowe <email address hidden>
> Reply-To: Bug 225445 <email address hidden>
> To: <email address hidden>
> Subject: [Bug 225445] Re: autopsy (sleuthkit) meta reports overreport
>
> Since it's been a very long time since any additional info was added to
> this bug, I'm just checking to see if this is still an issue, and find
> out what additional work should be done on this bug.
>
> --
> autopsy (sleuthkit) meta reports overreport
> https://bugs.launchpad.net/bugs/225445
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “sleuthkit” source package in Ubuntu: Incomplete
>
> Bug description:
> Binary package hint: sleuthkit
>
> On both x86-64 and x86 platforms, ext2 file system, autopsy (and
> sleuthkit command line inode tools -- istat) reports more than the
> actual blocks used. (specifically the report of consecutive blocks
> continues indefinitely -- probably to the end of a partition image)
>
> Deleting packages and installing sleuthkit and autopsy manually
> reproduces known file block utilization.
>

Revision history for this message
Jayson Rowe (jayson.rowe) wrote :

I'm going to close this since it was marked for expiration in Launchpad due to inactivity. If you revisit this issue, and can reproduce the problem again, please come back to this bug and change it's status back to "New". Thanks again for helping improve Ubuntu!

Changed in sleuthkit:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.