
initial import from CVS

commit 3a78df5c010fde1b12ecec914bf4caa549565e55 0 parents
@bcarrier bcarrier authored
Showing with 29,184 additions and 0 deletions.
  1. +1,528 −0 CHANGES.txt
  2. +88 −0 INSTALL.txt
  3. +46 −0
  4. +198 −0 README.txt
  5. +24 −0 README_win32.txt
  6. +190 −0 TODO.txt
  7. +5 −0 bootstrap
  8. +323 −0 config/install-sh
  9. +175 −0
  10. +2 −0  docs/
  11. +4 −0 docs/library-api.txt
  12. +25 −0 docs/nsrl.txt
  13. +5 −0 docs/other.txt
  14. +291 −0 docs/ref_fs.txt
  15. +158 −0 docs/ref_timeline.txt
  16. +121 −0 docs/skins_fat.txt
  17. +136 −0 docs/skins_iso9660.txt
  18. +233 −0 docs/skins_ntfs.txt
  19. +58 −0 docs/skins_windows.txt
  20. +343 −0 licenses/GNU-COPYING
  21. +221 −0 licenses/IBM-LICENSE
  22. +213 −0 licenses/cpl1.0.txt
  23. +4 −0 man/
  24. +77 −0 man/blkcalc.1
  25. +82 −0 man/blkcat.1
  26. +66 −0 man/blkls.1
  27. +40 −0 man/blkstat.1
  28. +8 −0 man/build-html
  29. +38 −0 man/disk_sreset.1
  30. +37 −0 man/disk_stat.1
  31. +57 −0 man/ffind.1
  32. +127 −0 man/fls.1
  33. +44 −0 man/fsstat.1
  34. +148 −0 man/hfind.1
  35. +61 −0 man/icat.1
  36. +68 −0 man/ifind.1
  37. +136 −0 man/ils.1
  38. +27 −0 man/img_cat.1
  39. +28 −0 man/img_stat.1
  40. +53 −0 man/istat.1
  41. +48 −0 man/jcat.1
  42. +42 −0 man/jls.1
  43. +70 −0 man/mactime.1
  44. +39 −0 man/mmcat.1
  45. +76 −0 man/mmls.1
  46. +37 −0 man/mmstat.1
  47. +50 −0 man/sigfind.1
  48. +294 −0 man/sorter.1
  49. +1 −0  samples/
  50. +14 −0 samples/
  51. +315 −0 samples/callback-style.cpp
  52. +349 −0 samples/posix-style.cpp
  53. +1 −0  tests/
  54. +15 −0 tests/
  55. +307 −0 tests/fs_attrlist_apis.cpp
  56. +492 −0 tests/fs_fname_apis.cpp
  57. +732 −0 tests/read_apis.cpp
  58. +1 −0  tools/
  59. +1 −0  tools/disktools/
  60. +15 −0 tools/disktools/
  61. +80 −0 tools/disktools/disk_ide.h
  62. +145 −0 tools/disktools/disk_sreset.cpp
  63. +131 −0 tools/disktools/disk_stat.cpp
  64. +289 −0 tools/disktools/ide.c
  65. +1 −0  tools/fstools/
  66. +26 −0 tools/fstools/
  67. +222 −0 tools/fstools/blkcalc.cpp
  68. +337 −0 tools/fstools/blkcat.cpp
  69. +324 −0 tools/fstools/blkls.cpp
  70. +184 −0 tools/fstools/blkstat.cpp
  71. +206 −0 tools/fstools/ffind.cpp
  72. +302 −0 tools/fstools/fls.cpp
  73. +143 −0 tools/fstools/fscheck.cpp
  74. +166 −0 tools/fstools/fsstat.cpp
  75. +213 −0 tools/fstools/icat.cpp
  76. +316 −0 tools/fstools/ifind.cpp
  77. +360 −0 tools/fstools/ils.cpp
  78. +225 −0 tools/fstools/istat.cpp
  79. +228 −0 tools/fstools/jcat.cpp
  80. +208 −0 tools/fstools/jls.cpp
  81. +1 −0  tools/hashtools/
  82. +14 −0 tools/hashtools/
  83. +293 −0 tools/hashtools/hfind.cpp
  84. +79 −0 tools/hashtools/md5.c
  85. +96 −0 tools/hashtools/sha1.c
  86. +1 −0  tools/imgtools/
  87. +14 −0 tools/imgtools/
  88. +145 −0 tools/imgtools/img_cat.cpp
  89. +110 −0 tools/imgtools/img_stat.cpp
  90. +5 −0 tools/sorter/.perltidyrc
  91. +14 −0 tools/sorter/
  92. +1,758 −0 tools/sorter/sorter.base
  93. +1 −0  tools/srchtools/
  94. +15 −0 tools/srchtools/
  95. +337 −0 tools/srchtools/sigfind.cpp
  96. +669 −0 tools/srchtools/srch_strings.c
  97. +5 −0 tools/timeline/.perltidyrc
  98. +12 −0 tools/timeline/
  99. +842 −0 tools/timeline/mactime.base
  100. +1 −0  tools/vstools/
  101. +15 −0 tools/vstools/
  102. +183 −0 tools/vstools/mmcat.cpp
  103. +316 −0 tools/vstools/mmls.cpp
  104. +148 −0 tools/vstools/mmstat.cpp
  105. +14 −0 tsk3/
  106. +1 −0  tsk3/base/
  107. +14 −0 tsk3/base/
  108. +219 −0 tsk3/base/XGetopt.c
  109. +352 −0 tsk3/base/md5c.c
  110. +91 −0 tsk3/base/mymalloc.c
  111. +400 −0 tsk3/base/sha1c.c
  112. +390 −0 tsk3/base/tsk_base.h
  113. +318 −0 tsk3/base/tsk_base_i.h
  114. +76 −0 tsk3/base/tsk_endian.c
  115. +236 −0 tsk3/base/tsk_error.c
  116. +194 −0 tsk3/base/tsk_list.c
  117. +193 −0 tsk3/base/tsk_os.h
  118. +141 −0 tsk3/base/tsk_parse.c
  119. +128 −0 tsk3/base/tsk_printf.c
  120. +103 −0 tsk3/base/tsk_stack.c
  121. +422 −0 tsk3/base/tsk_unicode.c
  122. +46 −0 tsk3/base/tsk_version.c
  123. +1,429 −0 tsk3/docs/Doxyfile
  124. +47 −0 tsk3/docs/base.dox
  125. +74 −0 tsk3/docs/basics.dox
  126. +7 −0 tsk3/docs/footer.html
  127. +175 −0 tsk3/docs/fs.dox
  128. +27 −0 tsk3/docs/hashdb.dox
  129. +26 −0 tsk3/docs/img.dox
  130. +28 −0 tsk3/docs/main.dox
  131. +37 −0 tsk3/docs/vs.dox
  132. +1 −0  tsk3/fs/
  133. +21 −0 tsk3/fs/
  134. +228 −0 tsk3/fs/dcalc_lib.c
  135. +235 −0 tsk3/fs/dcat_lib.c
  136. +237 −0 tsk3/fs/dls_lib.c
  137. +69 −0 tsk3/fs/dstat_lib.c
  138. +2,226 −0 tsk3/fs/ext2fs.c
  139. +378 −0 tsk3/fs/ext2fs_dent.c
  140. +585 −0 tsk3/fs/ext2fs_journal.c
  141. +1,699 −0 tsk3/fs/fatfs.c
  142. +750 −0 tsk3/fs/fatfs_dent.c
Sorry, we could not display the entire diff because it was too big.
1,528 CHANGES.txt
@@ -0,0 +1,1528 @@
+---------------- VERSION 3.00 --------------
+0/00/00: Update: Many, many, many API changes.
+2/14/08: Update: Added mmcat tool.
+2/26/08: Update: Added flags to mmls to specify partition types.
+3/1/08: Update: Major update of man pages.
+4/14/08: Bug Fix: Fixed the calculation of "actual" last block.
+Off by 1 error. Reported by steve.
+5/23/08: Bug Fix: Incorrect malloc return check in srch_strings.
+reported by Petri Latvala.
+5/29/08: Bug Fix: Fixed endian ordering bug in ISO9660 code. Reported
+by Eduardo Aguiar de Oliveira.
+6/17/08: Update: 'sorter' now uses the ifind method for finding
+deleted NTFS files (like Autopsy) does instead of relying on fls.
+Reported by John Lehr.
+6/17/08: Update: 'ifind -p' reports data on ADS.
+7/10/08: Update: FAT looks for a backup boot sector in FAT32 if
+magic is 0
+7/21/08: Bug Fix: Changed define of strcasecmp to _stricmp instead
+of _strnicmp in Windows. (reported by Darren Bilby).
+7/21/08: Bug Fix: Fall back to open "\\.\" image files on Windows
+with SHARE_WRITE access so that drive devices can be opened.
+(reported by Darren Bilby).
+8/20/08: Bug Fix: Look for Windows objects when opening files in
+Cygwin, not just Win32. Reported by Par Osterberg Medina.
+8/21/08: Update: Renamed library and install header files to have a '3'
+in them to allow parallel installations of v2 and v3. Suggested by
+Simson Garfinkel.
+8/22/08: Update: Added -b option to sorter to specify minimum file size
+to process. Suggested by Jeff Kell.
+8/22/08: Update: Added libewf as a requirement to build win32 so that
+E01 files are supported.
+8/29/08: Update: Added initial mingw patches for cross compiling and
+Windows. Patches by Michael Cohen.
+9/X/08: Update: Added ability to access attibutes
+9/6/08: Update: Added image layer cache.
+9/12/08: Bug Fix: Fixed crash from incorrectly cleared value in FS_DIR
+structure. Reported and patched by Jason Miller.
+9/13/08: Update: Changed d* tool names to blk*.
+9/17/08: Update: Finished mingw support so that both tools and
+library work with Unicode file name support.
+9/22/08: Update: Added new HFS+ code from Judson Powers and Rob Joyce (ATC-NY)
+9/24/08: Bug Fix: Fixed some cygwin compile errors about types on Cygwin.
+Reported by Phil Peacock.
+9/25/08: Bug Fix: Added O_BINARY to open() in raw and split because Cygwin
+was having problems. Reported by Mark Stam.
+---------------- VERSION 2.52 --------------
+2/12/08: Bug Fix: Fixed warning messages in mactime about non-Numeric
+data. Reported by Pope.
+2/19/08: Bug Fix: Added #define to tsk_base_i.h to define
+LARGEFILE64_SOURCE based on LARGEFILE_SOURCE for older Linux systems.
+2/20/08: Bug Fix: Updated afflib references and code.
+3/13/08: Update: Added more fixes to auto* so that AFF will compile
+on more systems. I have confirmed that AFFLIB 3.1.3 will run with
+OS X 10.4.11.
+3/14/08: Bug Fix: Added checks to FAT code that calcs size of
+directories. If starting cluster of deleted dir points into a
+cluster chain, then problems can occur. Reported by John Ward.
+3/19/08: Update: I have verified that this compiles with libewf-20070512.
+3/21/08: Bug Fix: Deleted Ext/FFS directories were not being recursed
+into. This case was rare (because typically the metadata are
+wiped), but possible. Reported by JWalker.
+3/24/08: Update: I have verified that this compiles with libewf-20080322.
+Updates from Joachim Metz.
+3/26/08: Update: Changed some of the header file design for the tools
+so that the define settings in tsk_config.h can be used (for large files).
+3/28/08: Update: Added config.h reference to srch_strings to get the
+LARGEFILE support.
+4/5/08: Update: Improved inode argument number parsing function.
+---------------- VERSION 2.51 --------------
+1/30/08: Bug Fix: Fixed potential infinite loop in fls_lib.c. Patch
+by Nathaniel Pierce.
+2/7/08: Bug Fix: Defined some of the new constants that are used
+in disktools because older Linux distros did not define them.
+Reported by Russell Reynolds.
+2/7/08: Bug Fix: Modified autoconf to check for large file build
+requirements and look for new 48-bit structures needed by disktools.
+Both of these were causing problems on older Linux distros.
+2/7/08: Update: hfind will normalize hash values in database so
+that they are case insensitive.
+---------------- VERSION 2.50 --------------
+12/19/07: Update: Finished upgrade to autotools building design. No
+longer include file, afflib, libewf. Resulted in many source code layout
+changes and sorter now searches for md5, sha1, etc.
+---------------- VERSION 2.10 --------------
+7/12/07: Update: 0s are returned for AFF pages that were not imaged.
+7/31/07: Bug Fix: ifind -p could crash if a deleted file name was found
+that did not point to a valid meta data stucture. (Reported by Andy Bontoft)
+8/5/07: Update: Added NSRL support back into sorter.
+8/15/07: Update: Errors are given if supplied sector offset is larger than
+disk image. Reported by Simson Garfinkel.
+8/16/07: Update: Renamed MD5 and SHA1 functions to TSK_MD5_.. and TSK_SHA_....
+8/16/07: Update: tsk_error_get() does not reset the error messages.
+9/26/07: Bug Fix: Changed FATFS check for valid dentries to consider
+second values of 30. Reported by Alessandro Camillo.
+10/18/07: Update: inode_walk for NTFS and FAT will not abort if
+data corruption is found in one entry -- instead they will just
+skip it.
+10/18/07: Update: tsk_os.h uses standard gcc system names instead
+of TSK specific ones.
+10/18/07: Update: Updated raw.c to use ioctl commands on OS X to
+get size of raw device because it does not work with SEEK_END.
+Patch by Rob Joyce.
+10/31/07: Update: Finished upgrade to fatfs_file_walk_off so that
+walking can start at a specific offset. Also finished upgrade that
+caches FAT run list to make the fatfs_file_walk_off more effecient.
+11/14/07: Update: Fixed few places where off_t was being used
+instead of OFF_T. Reported by GiHan Kim.
+11/14/07: Update: Fixed a memory leak in aff.c to free AFF_INFO.
+Reported by GiHan Kim.
+11/24/07: Update: Finished review and update of ISO9660 code.
+11/26/07: Bug Fix: Fixed 64-bit calculation in HFS+ code. Submitted
+by Rob Joyce.
+11/29/07: Update: removed linking of srch_strings.c and libtsk. Reported by
+11/30/07: Upate: Made a #define TSK_USE_HFS compile flag for incorporating
+the HFS support (flag is in src/fstools/fs_tools_i.h)
+11/30/07: Update: restricted the FAT dentry sanity checks to verify
+space padding in the name and latin-only extensions.
+12/5/07: Bug Fix: fs_read_file_int had a bug that ignored the type passed
+for NTFS files. Reported by Dave Collett.
+12/12/07: Update: Changed teh FAT dentry sanity checks to allow spaces
+in volume labels and do more checking on the attribute flag.
+---------------- VERSION 2.09 --------------
+4/6/07: Bug Fix: Inifite loop in ext2 and ffs istat code because of using
+unsigned size_t variable. Reported by Makoto Shiotsuki.
+4/16/07: Bug Fix: Changed use of fseek() to fseeko() in hashtools. Patch
+by Andy Bontoft.
+4/16/07: Bug Fix: Changed Win32 SetFilePointer to use LARGE_INTEGER.
+Reported by Kim GiHan.
+4/19/07: Bug Fix: Not all FAT orphan files were being found because of
+and offset error.
+4/26/07: Bug Fix: ils -O was not working (link value not being
+checked). Reported by Christian Perst.
+4/27/07: Bug Fix: ils -r was showing UNUSED inodes. Reported by
+Christian Perst.
+5/10/07: Update: Redefined the USED and UNUSED flags for NTFS so that
+UNUSED is set when no attributes exist.
+5/16/07: Bug Fix: Fixed several bounds checking bugs that may cause
+a crash if the disk image is corrupt. Reported by Tim Newsham (iSec
+5/17/07: Update: Updated AFFLIB to 2.2.11
+5/17/07: Update: Updated libewf to libewf-20070512
+5/17/07: Update: Updated file to 4.20
+5/29/07: Update: Removed NTFS SID/SDS contributed code because it causes
+crashes on some systems and its output is not entirely clear. (most recent bug
+reported by Andy Scott)
+6/11/07: Update: Updated AFFLIB to 2.2.12.
+6/12/07: Bug Fix: ifind -p was not reporting back info on the allocated name
+when one existed (because strtok was overwritting the name when the search
+continued). Reported by Andy Bontoft.
+6/13/07: Update: Updated file to 4.21
+---------------- VERSION 2.08 --------------
+12/19/06: Bug Fix: ifind_path was not setting *result when root inode
+was searched for. patch by David Collett.
+12/29/06: Update: Removed 'strncpy' in ntfs.c to manual assignment of
+text for '$Data' and 'N/A' for performance reasons.
+1/11/07: Update: Added duname to FS_INFO that contains a string of
+name for a file system's data unit -- Cluster for example.
+1/19/07: Bug Fix: ifind_path was returning an error even after some
+files were found. Errors are now ignored if a file was found.
+Reported by Michael Cohen.
+1/26/07: Bug Fix: Fixed calcuation of inode numbers in fatfs.c
+(reported by Simson Garfinkel).
+2/1/07: Update: Changed aff-install to support symlinked directory.
+2/1/07: Update: img_open modified so that it does not report errors for
+s3:// and http:// files that do not exist.
+2/5/07: Update: updated *_read() return values to look for "<0" instead of
+simply "== -1". (suggested by Simson Garfinkel).
+2/8/07: Update: removed typedef for uintptr in WIN32 code.
+2/13/07: Update: Applied patch from Kim Kulak to update HFS+ code to internal
+design changes.
+2/16/07: Update: Renamed many of the external data structures and flags
+so that they start with TSK_ or tsk_ to prevent name collisions.
+2/16/07: Update: Moved MD5 and SHA1 routines and binaries to auxtools
+instead of hashtools so that they are more easy to access.
+2/16/07: Update: started redesign and port of hashtools.
+2/21/07: Update: Changed inode_walk callback API to remove the flags
+variable -- this was redundant since flags are also in TSK_FS_INODE.
+Same for TSK_FS_DENT.
+3/7/07: Bug Fix: fs_read_file failed for NTFS resident files. Reported
+by Michael Cohen.
+3/8/07: Bug Fix: FATFS assumed a 512-byte sector in a couple of locations.
+3/13/07: Update: Finished hashtools update.
+3/13/07: Update: dcat reads block by block instead of all at once.
+3/23/07: Update: Change ntfs_load_secure to allocate all of its
+needed memory at once instead of doing reallocs.
+3/23/07: Update: Updated AFFLIB to 2.2.0
+3/24/07: Bug Fix: Fixed many locations where return value from strtoull
+was not being properly checked and therefore invalid numbers were not
+being detected.
+3/24/07: Bug Fix: A couple of error messages in ntfs_file_walk should
+have been converted to _RECOVER when the _RECOVERY flag was given.
+3/24/07: Update: Changed behavior of ntfs_file_walk. If no type is
+given, then a default type is chosen for files and dirs. Now, no error
+is generated if that type does not exist -- similar to how no error is
+generated if a FAT file has 0 file size.
+3/26/07: Update: cleaned up and documented fs_data code more.
+3/29/07: Update: Updated AFF to 2.2.2.
+3/29/07: Update: Updated install scripts for afflib, libewf, and file to
+touch files so that the auto* files are in the correct time stamp order.
+4/5/07: Bug Fix: Added sanity checks to offsets and addresses in ExtX and
+UFS group descriptors. Reported by Simson Garfinkel.
+---------------- VERSION 2.07 --------------
+9/6/06: Update: Changed TCHAR and _T to TSK_TCHAR and _TSK_T to avoid
+conflicts with other libraries.
+9/18/06: Update: Added tsk_list_* functions and strutures.
+9/18/06: Update: Added checks for recursive FAT directories.
+9/20/06: Update: Changed FS_META_* flags for LINK and UNLINK and moved
+them to ILS_? flags.
+9/20/06: Update: added flags to ils to find only orphan inodes.
+9/20/06: Update: Added Orphan support for FAT, NTFS, UFS, Ext2, ISO.
+9/20/06: Update: File walk actions now have a flag to identify if a block
+is SPARSE or not (used to identify if the address being passed is valid
+or made up).
+9/21/06: Update: Added file size sanity check to fatfs_is_dentry and
+fixed assignment of fatfs->clustcnt.
+9/21/06: Update: block_, inode, and dent_walk functions now do more flag
+checking and make sure that some things are set instead of making the
+calling code do it.
+9/21/06: Update: Added checks for recursive (infinite loop) NTFS, UFS,
+ExtX, and ISO9660 directories.
+9/21/06: Update Added checks to make sure that walking the FAT for files
+and directories would result in an infinite loop (if FAT is corrupt).
+9/21/06: Update: Added -a and -A to dls to specify allocated and
+unallocated blocks to display.
+9/21/06: Update: Updated AFFLIB to 1.6.31.
+9/22/06: Update: added a fs_read_file() function that allows you to read
+random parts of a file.
+10/10/06: Update: Improved performance of fs_read_file() and added
+new FS_FLAG_META_COMP and FS_FLAG_DATA_COMP flags to show if a file
+and data are using file system-level compression (NTFS only).
+10/18/06: Bug fix: in fs_data_put_run, added a check to see
+if the head was null before looking up. An extra error message
+was being created for nothing.
+10/18/06: Bug Fix: Added a check to the compression buffer
+to see if it is null in _done().
+10/25/06: Bug Fix: Added some more bounds checks to NTFS uncompression code.
+11/3/06: Bug Fix: added check to dcat_lib in case the number of blocks
+requested is too large.
+11/07/06: Update: Added fs_read_file_noid wrapper around fs_read_file
+11/09/06: Update: Updated AFF to 1.7.1
+11/17/06: Update: Updated libewf to 20061008-1
+11/17/06: Bug Fix: Fixed attribute lookup bug in fs_data_lookup.
+Patch by David Collett.
+11/21/06: Bug Fix: Fixed fs_data loops that were stopping when they hit
+an unused attribute. Patch by David Collett.
+11/21/06: Bug Fix: sorter no longer clears the path when it starts. THis
+was causing errors on Cygwin because OpenSSL libraries could not be found.
+11/22/06: Update: Added a tskGetVersion() function to return the string
+of the current version.
+11/29/06: Update: Added more tsk_error_resets to more places to prevent
+extra error messages from being displayed.
+11/30/06: Update: Added Caching to the getFAT function and to fs_read.
+12/1/06: Update: Changed TSK_LIST to a reverse sorted list of buckets.
+12/5/06: Bug Fix: Fixed FS_DATA_INUSE infinite loop bug.
+12/5/06: Bug Fix: Fixed infinite loop bug with NTFS decompression code.
+12/5/06: Update: Added NULL check to fs_inode_free (from Michael Cohen).
+12/5/06: Update: Updated ifind_path so that an allocated name will be
+shown if one exists -- do not exit if we find simply an unallocated
+entry with an address of 0. Suggested by David Collett.
+12/6/06: Update: Updated file to version 4.18.
+12/6/06: Update: Updated libaff to 2.0a10 and changed build process
+12/7/06: Update: Added a tsk_error_get() function that returns a string
+with the error messages -- can be used instead of tsk_error_print.
+12/7/06: Update: fixed some memory leaks in FAT and NTFS code.
+12/11/06: Bug Fix: fatfs_open error message code referenced a value that
+was in freed memory -- reordered statements.
+12/15/06: Update: Include VCProj files in build.
+---------------- VERSION 2.06 --------------
+8/11/06: Bug Fix: Added back in ASCII/UTF-8 checks to remove control
+characters in file names.
+8/11/06: Bug Fix: Added support for fast sym links in UFS1
+8/11/06: Update: Redesigned the endian support so that getuX takes only
+the endian flag so that the Unicode design could be changed as well.
+8/11/06: Update: Redesigned the Unicode support so that there is a
+tsk_UTF... routine instead of fs_UTF...
+8/11/06: Update: Updated GPT to fully convert UTF16 to UTF8.
+8/11/06: Update: There is now only one aux_tools header file to include
+instead of libauxtools and/or aux_lib, which were nearly identical.
+8/16/06: Bug Fix: ntfs_dent_walk could segfault if two consecutive
+unallocated entries were found that had an MFT entry address of 0.
+Reported by Robert-Jan Mora.
+8/16/06: Update: Changed a lot of the header files and reduced them so
+that it is easier to use the library and only one header file needs to
+be included.
+8/21/06: Update: mmtools had char * instead of void * for walk callback
+8/22/06: Update: Added fs_load_file function that returns a buffer full
+with the contents of a file.
+8/23/06: Update: Upgraded AFFLIB to 1.6.31 and libewf to 20060820-1.
+8/25/06: Update: Created printf wrappers so that output is UTF-16 on
+Windows and UTF-8 on Unix.
+8/25/06: Update: Continued port to Windows by starting to use more
+TCHARS and defining needed macros for the Unix side.
+8/25/06: Bug Fix: Fixed crash that could occur because of SDS code
+in NTFS. (reported by Simson Garfinkel) (BUG: 1546925).
+8/25/06: Bug Fix: Fixed crash that could occur because path stack became
+corrupt with deep directories or corrupt images. (reported by Simson
+Garfinkel) (BUG: 1546926).
+8/25/06: Bug Fix: Fixed infinite loop that could occur when trying to
+determine size of FAT directory when the FAT has a loop in it. (BUG:
+8/25/06: Update: Improved FAT checking code to look for '.' and '..'
+entries when inode value is replaced during dent_walk.
+8/29/06: Update: Finished Win32 port and changes to handle UTF-16 vs
+UTF-8 inputs.
+8/29/06: Update: Created a parse_inum function to handle parsing inode
+addresses from command line.
+8/30/06: Update: Made progname a local variable instead of global.
+8/31/06: Bug Fix: Fixed a sizeof() error with the memset in fatfs_inode_walk
+for the sect_alloc buffer.
+8/31/06: Update: if mktime in dos2unixtime returns any negative value,
+then the return value is set to 0. Windows and glibc seem to have
+different return values.
+---------------- VERSION 2.05 --------------
+5/15/06: Bug Fix: Fixed a bug in img_cat that could cause it to
+go into an infinite loop. (BUG: 1489284)
+5/16/06: Update: Fixed printf statements in tsk_error.c that caused
+warning messages for some compilers. Reported by Jason DePriest.
+5/17/06: Update: created a union of file system-specific file times in
+FS_INFO (Patch by Wyatt Banks)
+5/22/06: Bug Fix: Updated libewf to 20060520 to fix bug with reported
+image size. (BUG: 1489287)
+5/22/06: Bug Fix: Updated AFFLIB to 1.6.24 so that TSK could compile in
+CYGWIN. (BUG: 1493013)
+5/22/06: Update: Fixed some more printf statements that were causing
+compile warnings.
+5/23/06: Update: Added a file existence check to img_open to make error
+message more accurate.
+5/23/06: Update: Usage messages had extra "Supported image types message".
+5/25/06: Update: Added block / page range to fsstat for raw and swapfs.
+6/5/06: Update: fixed some typos in the output messages of sigfind (reported
+by Jelle Smet)
+6/9/06: Update: Added HFS+ template to sigfind (Patch by Wyatt Banks)
+6/9/06: Update: Added ntfs and HFS template to sigfind.
+6/19/06: Update: Begin Windows Visual Studio port
+6/22/06: Update: Updated a myflags check in ntfs.c (reported by Wyatt Banks)
+6/28/06: Update: Incorporated NTFS compression patch from I.D.E.A.L.
+6/28/06: Update: Incorporated NTFS SID patch from I.D.E.A.L.
+6/28/06: Bug Fix: A segfault could occur with NTFS if no inode was loaded
+in the dent_walk code. (Reported by Pope).
+7/5/06: Update: Added tsk_error_reset function and updated code to use it.
+7/5/06: Update: Added more sanity checks to the DOS partitions code.
+7/10/06: Update: Upgraded libewf to version 20060708.
+7/10/06: Update: Upgraded AFFLIB to version 1.6.28
+7/10/06: Update: added 'list' option to usage message so that file
+system, image, volume system types are listed only if '-x list' is given.
+Suggested by kenshin.
+7/10/06: Update: Compressed NTFS files use the compression unit size
+specified in the header.
+7/10/06: Update: Added -R flag to icat to suppress recovery warnings and
+use this flag in sorter to prevent FAT recovery messages from filling
+up screen.
+7/10/06: Update: file_walk functions now return FS_ERR_RECOVERY error
+codes for most cases if the RECOVERY flag is set -- this allows the
+errors to be more easily suppressed.
+7/12/06: Update: Removed individual libraries and now make a single
+static libtsk.a library.
+7/12/06: Update: Cleaned up top-level Makefile. Use '-C' flag (suggested
+by kenshin).
+7/14/06: Update: Fixed and redesigned some of the new NTFS compression
+code. Changed variable names.
+7/20/06: Update: Fixed an NTFS compression bug if a sub-block was not
+7/21/06: Update: Made NTFS compression code thread friendly.
+---------------- VERSION 2.04 --------------
+12/1/05: Bug Fix: Fixed a bug in the verbose output of img_open
+that would crash if no type or offset was given. Reported and
+patched by Wyatt Banks.
+12/20/05: Bug Fix: An NTFS directory index sanity check used 356
+instead of 365 when calculating an upper bound on the times. Reported
+by Wyatt Banks.
+12/23/05: Bug Fix: Two printf statements in istat for NTFS printed
+to stdout instead of a specific file handle. Reported by Wyatt
+1/22/06: Bug Fix: fsstat, imgstat and dcalc were using a char instead
+of int for the return value of getopt, which caused some systems to not
+execute the programs. (internal fix and later reported by Bernhard Reiter)
+2/23/06: Update: added support for FreeBSD 6.
+2/27/06: Bug Fix: Indirect blocks would nto be found by ifind with
+UFS and Ext2. Reported by Nelson G. Mejias-Diaz. (BUG: 1440075)
+3/9/06: Update: Added AFF image file support.
+3/14/06: Bug Fix: If the first directory entry of a UFS or ExtX block
+was unallocated, then later entries may not be shown. Reported by John
+Langezaal. (BUG: 1449655)
+4/3/06: Update: Finished the improved error handling. Many internal
+changes, not many external changes. error() function no longer used
+and instead tsk_err variables and function are used. This makes the
+library more powerful.
+4/5/06: Update: The byte offset for a volume is now passed to the mm_
+and fs_ functions instead of img_open. This allows img_info to be used
+for multiple volumes at the same time. This required some mm_ changes.
+4/5/06: Update: All TSK libraries are written to the lib directory.
+4/6/06: Update: Added FS_FLAG_DATA_RES flag to identify data that are
+resident in ntfs_data_walk (suggested by Michael Cohen).
+4/6/06: Update: The partition code (media Management) now checks that a
+partition starts before the end of the image file. There are currently
+no checks about the end of the partition though.
+4/6/06: Update: The media management code now shows unpartitioned space
+as such from the end of the last partition to the end of the image file
+(using the image file size). (Suggested by Wyatt Banks).
+4/7/06: Update: New version of ISO9660 code from Wyatt Banks and Crucial
+Security added and other code updated to allow CDs to be analyzed.
+4/7/06: There was a conflict with guessuXX with mmtools and fstools.
+Renamed to mm_guessXX and fs_guessXX.
+4/10/06: Upgraded AFFLIB to 1.5.6
+4/12/06: Added version of libewf and support for it in imgtools
+4/13/06: Added new img_cat tool to extract raw data from an image format.
+4/24/06: Upgraded AFFLIB to 1.5.12
+4/24/06: split and raw check if the image is a directory
+4/24/06: Updated libewf to 20060423-1
+4/26/06: Updated makedefs to work with SunOS 5.10
+5/3/06: Added iso9660 patch from Wyatt Banks so that version number
+is not printed with file name.
+5/4/06: Updated error checking in icat, istat, fatfs_dent, and ntfs_dent
+5/8/06: Updated libewf to 20060505-1 to fix some gcc 2 compile errors.
+5/9/06: Updated AFFLIB to 1.6.18
+5/11/06: Cleaned up error handling (removed %m and unused legacy code)
+5/11/06: Updated AFFLIB to 1.6.23
+---------------- VERSION 2.03 --------------
+7/26/05: Update: Removed incorrect print_version() statement from
+fs_tools.h (reported by Jaime Chang)
+7/26/05: Update: Renamed libraries to start with "lib"
+7/26/05: Update: Removed the logfp variable for verbose statements
+and instead use only stderr.
+8/12/05: Update: If time is 0, then it is put as 00:00:00 instead of
+the default 1970 or 1980 time.
+8/13/05: Update: Added Unicode support for FAT and NTFS (Supported by
+I.D.E.A.L. Technology Corp).
+9/2/05: Update: Added Unicode support for UFS and ExtX. Non-printable
+ASCII characters are no longer replaced with '^.'.
+9/2/05: Update: Improved the directory entry sanity checks for UFS
+and ExtX.
+9/2/05: Update: Upgraded file to version 4.15.
+9/2/05: Update: The dent_walk code of all file systems does not
+abort if a sub-directory is encountered with an error. If it is the
+top directory explicitly called, then it still gives an error.
+9/2/05: Bug Fix: MD5 and SHA-1 values were incorrect under AMD64
+systems because the incorrect variable sizes were being used.
+(reported by: Regis Friend Cassidy. BUG: 1280966)
+9/2/05: Update: Changed all licenses in TSK to Common Public License
+(except those that were already IBM Public License).
+9/15/05: Bug Fix: The Unicode names would not be displayed if the FAT
+short name entry was using code pages. The ASCII name check was removed,
+which may lead to more false positives during inode_walk.
+10/05/05: Update: improved the sector size check when the FAT boot
+sector is read (check for specific values besides just mod 512).
+10/12/05: Update: The ASCII name check was added back into FAT, but
+the check no longer looks for values over 0x80.
+10/12/05: Update: The inode_walk function in FAT skips clusters
+that are allocated to files. This makes it much faster, but it
+will now not find unallocated directory entries in the slack space
+of allocated files.
+10/13/05: Update: sorter updated to handle unicode in HTML output.
+---------------- VERSION 2.02 --------------
+4/27/05: Bug Fix: the sizes of 'id' were not consistent in the
+front-end and library functions for icat and ffind. Reported by
+John Ward.
+5/16/05: Bug Fix: fls could segfault in FAT if short name did not
+exist. There was also a bug where the long file name variable
+(fatfs->lfn_len) was not reset after processing a directory and the
+next entry could incorrectly get the long name. Reported by Jaime
+Chang. BUG: 1203673.
+5/18/05: Update: Updated makedefs to support Darwin 8 (OS X Tiger)
+5/23/05: Bug Fix: ntfs_dent_walk would not always stop when WALK_STOP
+was returned. This caused some issues with previous versions of ifind.
+This was fixed.
+5/24/05: Bug Fix: Would not compile under Suse because it had header
+file conflicts for the size of int64_t. Reported by: Andrea Ghirardini.
+BUG: 1203676
+5/25/05: Update: Fixed some memory leaks in fstools (reported by Jaime
+6/13/05: Update: Compiled with g++ to get better warning messages.
+Fixed many signed versus unsigned comparisons, -1 assignments to
+unsigned vars, and some other minor internal issues.
+6/13/05: Bug Fix: if UFS or FFS found a valid dentry in unallocated
+space, it could have a documented length that is larger than the
+remaining unallocated space. This would cause an allocated name
+to be skipped. BUG: 1210204 Reported by Christopher Betz.
+6/13/05: Update: Improved design of all dent code so that there are no
+more global variables.
+6/13/05: Update: Improved design of FAT dent code so that FATFS_INFO
+does not keep track of long file name information.
+6/13/05: Bug Fix: If a cluster in a directory started with a strange
+dentry, then FAT inode_walk would skip it. The fixis to make sure
+that all directory sectors are processed. (BUG: 1203669). Reported
+by Jaime Chang.
+6/14/05: Update: Changed design of FS_INODE so that it contains the
+inode address and the inode_walk action was changed to remove inum
+as an argument.
+6/15/05: Update: Added 'ils -o' back in as 'ils -O' to list open
+and deleted files.
+6/15/05: Update: Added '-m' flag to mactime so that it prints the month
+as a number instead of its name.
+7/2/05: Bug Fix: If an NTFS file did not have a $DATA or $IDX_*
+attribute, then fls would not print it. The file had no content, but
+the name should be shown. (BUG: 1231515) (Reported by Fuerst)
+---------------- VERSION 2.01 --------------
+3/24/05: Bug Fix: ffind would fail if the directory had two
+non-printable chars. The handling of non-printable chars was changed
+to replace with '^.'. (BUG: 1170310) (reported by Brian Baskin)
+3/24/05: Bug Fix: icat would not print the output to stdout when split
+images were used. There was a bug in the image closing process of
+icat. (BUG: 1170309) (reported by Brian Baskin)
+3/24/05: Update: Changed the header files in fstools to make fs_lib.h
+more self contained.
+4/1/05: Bug Fix: Imgtools byte offset with many leading 0s could
+cause issues. (BUG: 1174977)
+4/1/05: Update: Removed test check in mmtools/dos.c for value cluster
+size because to many partition tables have that as a valid field.
+Now it checks only OEM name.
+4/8/05: Update: Updated usage of 'strtoul' to 'strtoull' for blocks
+and inodes.
+---------------- VERSION 2.00 --------------
+1/6/05: Update: Added '-b' flag to 'mmls' so that sizes can be
+printed in bytes. Suggested and a patch proposed by Matt Kucenski
+1/6/05: Update: Define DADDR_T, INUM_T, OFF_T, PNUM_T as a static
+size and use those to store values in data structures. Updated
+print statements as well.
+1/6/05: Update: FAT now supports larger images becuase the inode
+address space is 64-bits.
+1/6/05: Moved guess and get functions to misc from mmtools and
+1/7/05: Update: Added imgtools with support for "raw" and "split"
+layers. All fstools have been updated.
+1/7/05: Update: removed dtime from ils output
+1/9/05: Update: FAT code reads in clusters instead of sectors to
+be faster (suggested by David Collett)
+1/9/05: Update: mmtools uses imgtools for split images etc.
+1/10/05: Update: Removed usage of global variables when using
+file_walk internally.
+1/10/05: Update: mmls BSD will use the next sector automatically
+if the wrong is given instead of giving an error.
+1/10/05: Update: Updated file to version 4.12
+1/11/05: Update: Added autodetect to file system tools.
+1/11/05: Update: Changed names to specify file system type (not
+1/11/05: Update: Added '-t' option to fsstat to give just the type.
+1/11/05: Update: Added autodetect to mmls
+1/17/05: Update: Added the 'mmstat' tool that gives the type of
+volume system.
+1/17/05: Update: Now using CVS for local version control - added
+date stamps to all files.
+2/20/05: Bug Fix: ils / istat would go into an infinte loop if the
+attribute list had an entry with a length of 0. Reported by Angus
+Marshall (BUG: 1144846)
+3/2/05: Update: non-printable letters in ExtX/UFS file names are
+now replaced by a '.'
+3/2/05: Update: Made file system tools more library friendly by
+making stubs for each application.
+3/4/05: Update: Redesigned the diskstat tool and created the
+disksreset tool to remove the HPA temporarily.
+3/4/05: Update: Added imgstat tool that displays image format
+3/7/05: Bug Fix: In fsstat on ExtX, the final group would have an
+incorrect _percentage_ of free blocks value (although the actual
+number was correct). Reported by Knut Eckstein. (BUG: 1158620)
+3/11/05: Update: Renamed diskstat, disksreset, sstrings, and imgstat to
+disk_stat, disk_sreset, srch_strings, and img_stat to make the names more
+3/13/05: Bug Fix: The verbose output for fatfs_file_walk had an
+incorrect sector address. Reported by Rudolph Pereira.
+3/13/05: Bug Fix: The beta version had compiling problems on FreeBSD
+because of a naming clash with the new 'fls' functions. (reported
+by secman)
+---------------- VERSION 1.74 --------------
+11/18/04: Bug Fix: FreeBSD 5 would produce incorrect 'icat' output for
+Ext2/3 & UFS1 images because it used a 64-bit on-disk address.
+reported by neutrino neutrino. (BUG: 1068771)
+11/30/04: Bug Fix: The makefile in disktools would generate an error
+on some systems (Cygwin) because of an extra entry. Reported by
+Vajira Ganepola (BUG: 1076029)
+---------------- VERSION 1.73 --------------
+09/09/04: Update: Added journal support for EXT3FS and added jls
+and jcat tools.
+09/13/04: Updated: Added the major and minor device numbers to
+EXTxFS istat.
+09/13/04: Update: Added EXTxFS orphan code to 'fsstat'
+09/24/04: Update: Fixed incorrect usage of 'ptr' and "" in action
+ of ntfs_dent.c. Did not affect any code, but could have in the
+ future. Reported by Pete Winkler.
+09/25/04: Update: Added UFS flags to fsstat
+09/26/04: Update: All fragments are printed for indirect block pointer
+ addresses in UFS istat.
+09/29/04: Update: Print extended UFS2 attributes in 'istat'
+10/07/04: Bug Fix: Changed usage of (int) to (uintptr_t) for pointer
+arithmetic. Caused issues with Debian Sarge. (BUG: 1049352) - turned out
+to be from changes made to package version so that it would compile in
+64-bit system (BUG: 928278).
+10/11/04: Update: Added diskstat to check for HPA on linux systems.
+10/13/04: Update: Added root directory location to FAT32 fsstat output
+10/17/04: Bug Fix: EXTxFS superblock location would not be printed
+for images in fsstat that did not have sparse superblok (which is
+rare) (BUG: 1049355)
+10/17/04: Update: Added sigfind tool to find binary signatures.
+10/27/04: Bug Fix: NTFS is_clust_alloc returned an error when loading
+ $MFT that had attribute list entry. Now I assume that clusters
+ referred to by the $MFT are allocated until the $MFT is loaded.
+ (BUG: 1055862).
+10/28/04: Bug Fix: Check to see if an attribute with the same name
+ exists instead of relying on id only. (ntfs_proc_attrseq) Affects
+ the processing of attribute lists. Reported by Szakacsits Szabolcs,
+ Matt Kucenski, & Gene Meltser (BUG: 1055862)
+10/28/04: Update: Removed usage of mylseek in fstools for all systems
+ (Bug: 928278)
+---------------- VERSION 1.72 --------------
+07/31/04: Update: Added flag to mft_lookup so that ifind can run in noabort
+mode and it will not stop when it finds an invalid magic value.
+08/01/04: Update: Removed previous change and removed MAGIC check
+entirely. XP doesn't even care if the Magic is corrupt, so neither
+does TSK. The update sequence check should find an invalid MFT
+08/01/04: Update: Added error message to 'ifind' if none of the search
+options are given.
+08/05/04: Bug Fix: Fixed g_curdirptr recursive error by clearing the value
+when dent_walk had to abort because a deleted directory could not be recovered.
+(BUG: 1004329) Reported by
+08/16/04: Update: Added a sanity check to fatfs.c fat2unixtime to check
+if the year is > 137 (which is the overflow date for the 32-bit UNIX time).
+08/16/04: Update: Added first version of sstrings from binutils-2.15
+08/20/04: Bug Fix: Fixed a bug where the group number for block 0 of an
+EXT2FS file system would report -1. 'dstat' no longer displays value when it
+is not part of a block group. (BUG: 1013227)
+8/24/04: Update: If an attribute list entry is found with an invalid MFT
+entry address, then it is ignored instead of an error being generated and
+8/26/04: Update: Changed internal design of NTFS to make is_clust_alloc
+8/26/04: Update: If an attribute list entry is found with an invalid MFT
+entry address AND the entry is unallocated, then no error message is
+printed, it is just ignored or logged in verbose mode.
+8/29/04: Update: Added support for 32-bit GID and UID in EXTxFS
+8/30/04: Bug Fix: ntfs_dent_walk was adding 24 extra bytes to the
+size of the index record for the final record processing (calc of
+list_len) (BUG: 1019321) (reported and debugging help from Matt
+8/30/04: Bug Fix: fs_data_lookup was using an id of 0 as a wild
+card, but 0 is a legit id value and this could cause confusion. To
+solve this, a new FS_FLAG_FILE_NOID flag was added and a new
+fs_data_lookup_noid function that will not use the id to lookup
+values. (BUG: 1019690) (reported and debugging help from Matt
+8/30/04: Update: modified fs_data_lookup_noid to return unamed data
+attribute if that type is requested (instead of just relying on id
+value in attributes)
+8/31/04: Update: Updated file to v4.10, which seems to fix the
+CYGWIN compile problem.
+9/1/04: Update: Added more DOS partition types to mmls (submitted by
+Matt Kucenski)
+9/2/04: Update: Added EXT3FS extended attributes and Posix ACL to istat
+9/2/04: Update: Added free inode and block counts per group to fsstat for
+9/7/04: Bug Fix: FreeBSD compile error for PRIx printf stuff in mmtools/gpt.c
+---------------- VERSION 1.71 --------------
+06/05/04: Update: Added sanity checks in fat to unix time conversion so that
+invalid times are set to 0.
+06/08/04: Bug Fix: Added a type cast when size is assigned in FAT
+and removed the assignment to a 32-bit signed variable (which was no
+longer needed). (Bug: 966839)
+06/09/04: Bug Fix: Added a type cast to the 'getuX' macros because some
+compilers were assuming it was signed (Bug: 966839).
+06/11/04: Update: Changed NTFS magic check to use the aa55 at the
+end and fixed the name of the original "magic" value to oemname.
+The oemname is now printed in fsstat.
+06/12/04: Bug Fix: The NTFS serial number was being printed with
+bytes in the wrong order in the fsstat output. (BUG: 972207)
+06/12/04: Update: The begin offset value in index header for NTFS
+was 16-bits instead of 32-bits.
+06/22/04: Update: Created a library for the MD5 and SHA1 functions so
+that it can be incorporated into other tools. Also renamed some of the
+indexing tools that hfind uses.
+06/23/04: Update: Changed output of 'istat' for NTFS images. Added more
+07/13/04: Update: Changed output of 'istat' for NTFS images again. Moved
+more data to the $FILE_NAME section and added new data.
+07/13/04: Update: Changed code for processing NTFS runs and no
+longer check for the offset to be 0 in ntfs_make_data_run(). This
+could have prevented some sparse files from being processed.
+07/13/04: Update: Added flags for compressed and encrypted NTFS
+files. They are not decrypted or uncompressed yet, just identified.
+They cannot be displayed from 'icat', but the known layout is given
+in 'istat'.
+07/18/04: Bug Fix: Sometimes, 'icat' would report an error about an
+existing FILLER entry in an NTFS attribute. This was traced to
+instances when it was run on a non-base file record. There is now
+a check for that to not show the error. (BUG: 993459)
+07/19/04: Bug Fix: A run of -1 may exist for sparse files in non-NT
+versions of NTFS. Changed check for this. reported by Matthew
+Kucenski. (BUG: 994024).
+07/24/04: Bug Fix: NTFS attribute names were missing (rarely) on
+some files because the code assumed they would always be at offset
+64 for non-res attributes (Bug: 996981).
+07/24/04: Update: Made listing of unallcoated NTFS file names less
+strict. There was a check for file name length versus stream length.
+07/24/04: Update: Added $OBJECT_ID output to 'istat'
+07/24/04: Update: Fixed ntfs.c compile warning about constant too
+large in time conversion code.
+07/25/04: Update: Added attribute list contents to NTFS 'istat' output
+07/25/04: Bug Fix: Not all slack space was being shown with 'dls -s'.
+It was documented that this occurs, but it is not what would be
+expected. (BUG: 997800).
+07/25/04: Update: Changed output format of 'dls -s' so that it sends
+zeros where the file content was. Therefore the output is now a
+multiple of the data unit size. Also removed limitation to FAT &
+07/25/04: Update: 'dcalc' now has the '-s' option calculate the
+original location of data from a slack space image (dls -s).
+(from Chris Betz).
+07/26/04: Update: Created the fs_os.h file and adjusted some of the
+header files for the PRI macros (C99). Created defines for OSes that do
+not have the macros already defined.
+07/26/04: Non-release bug fix: Fixed file record size bug introduced with
+recent changes.
+07/27/04: Update: Added GPT support to mmls.
+07/29/04: Update: Added '-p' flag to 'ifind' to find deleted NTFS files
+that point to the given parent directory. Added '-l and -z' as well.
+---------------- VERSION 1.70 --------------
+04/21/04: Update: Changed attribute and mode for FAT 'istat' so
+that actual FAT attributes are used instead of UNIX translation.
+04/21/04: Update: The FAT 'istat' output better handles Long FIle
+Name entry
+04/21/04: Update: The FAT 'istat' output better handles Volume Label
+04/21/04: Update: Allowed the FAT volume label entry to be displayed
+with 'ils'
+04/21/04: Update: Allowed the FAT volume label entry to be displayed
+with 'fls'
+04/24/04: Update: 'dstat' on a FAT cluster now shows the cluster
+address in addition to the sector address.
+04/24/04: Update: Added the cluster range to the FAT 'fsstat' output
+05/01/04: Update: Improved the FAT version autodetect code.
+05/02/04: Update: Removed 'H' flag from 'icat'.
+05/02/04: Update: Changed all of the FS_FLAG_XXX variables in the
+ file system tools to constants that are specific to the usage
+05/03/04: Update: fatfs_inode_walk now goes by sectors instead of clusters
+ to get more dentries from slack space.
+05/03/04: Bug Fix: The allocation status of FAT dentires was set only by
+ the flag and not the allocation status of the cluster it is located in.
+ (BUG: 947112)
+05/03/04: Update: Improved comments and variable names in FAT code
+05/03/04: Update: Added '-r' flag to 'icat' for deleted file recovery
+05/03/04: Update: Added RECOVERY flag to file_walk for deleted file
+ recovery
+05/03/04: Update: Added FAT file recovery.
+05/03/04: Update: Removed '-H' flag from 'icat'. Default is to
+ display holes.
+05/03/04: Update: 'fls -r' will recurse down deleted directories in FAT
+05/03/04: Update: 'fsstat' reports FAT clusters that are marked as BAD
+05/03/04: Update: 'istat' for FAT now shows recovery clusters for
+ deleted files.
+05/04/04: Update: Added output to 'fsstat' for FAT file systems by adding
+ a list of BAD sectors and improving the amount of layout information. I
+ also changed some of the internal variables.
+05/08/04: Update: Removed addr_bsize from FS_INFO, moved block_frags
+ to FFS_INFO, modified dcat output only data unit size.
+05/20/04: Update: Added RECOVERY flag to 'ifind' so that it can find the
+ data units that are allocated to deleted files
+05/20/04: Update: Added icat recovery options to 'sorter'.
+05/20/04: Update: Improved the naming convention in sorter for the 'ils'
+ dead files.
+05/21/04: Update: Added outlook to sorter rules (from David Berger)
+05/27/04: Bug Fix: Added <linux/unistd.h> to mylseek.c so that it compiles
+with Fedora Core 2 (Patch by Angus Marshall) (BUG: 961908).
+05/27/04: Update: Changed the letter with 'fls -l' for FIFO to 'p'
+instead of 'f' (reported by Dave Henkewick).
+05/28/04: Update: Added '-u' flag to 'dcat' so that the data unit size
+can be specified for raw, swap, and dls image types.
+05/28/04: Update: Changed the size argument of 'dcat' to be number of
+data units instead of size in bytes (suggestion by Harald Katzer).
+---------------- VERSION 1.69 --------------
+03/06/04: Update: Fixed some memory leaks in ext2fs_close. reported
+ by Paul Bakker.
+03/10/04: Bug Fix: If the '-s' flag was used with 'icat' on a EXT2FS
+ or FFS file system, then a large amount of extra data came out.
+ Reported by epsion. (BUG: 913874)
+03/10/04: Bug Fix: One of the verbose outputs in ext2fs.c was being sent
+ to STDOUT instead of logfp. (BUG: 913875)
+04/14/04: Update: Added more data to fsstat output of FAT file system.
+04/15/04: Bug Fix: The last sector of a FAT file system may not
+ be analyzed. (BUG: 935976)
+04/16/04: Update: Added full support for swap and raw by making the
+ standard files and functions for them instead of the hack in dcat.
+ Suggested by (and initial patch by) Paul Baker.
+04/18/04: Update: Changed error messages in EXT2/3FS code to be extXfs.
+04/18/04: Update: Updaged to version 4.09 of 'file'. This will
+ help fix some of the problems people have had compiling it under
+ OS X 10.3.
+04/18/04: Update: Added compiling support for SFU 3.5 (Microsoft). Patches
+ from an anonymous person.
+---------------- VERSION 1.68 --------------
+01/20/04: Bug Fix: FAT times were an hour too fast during daylight savings.
+ Now use mktime() instead of manual calculation. Reported by Randall
+ Shane. (BUG: 880606)
+02/01/04: Update: 'hfind -i' now reports the header entry as an invalid
+ entry. The first header row was ignored.
+02/20/04: Bug Fix: indirect block pointer blocks would not be identified by
+ the ifind tool. Reported by Knut Eckstein (BUG: 902709)
+03/01/04: Update: Added fs->seek_pos check to fs_read_random.
+---------------- VERSION 1.67 --------------
+11/15/03: Bug Fix: Added support for OS X 10.3 to src/makedefs. (BUG: 843029)
+11/16/03: Bug Fix: Mac partition tables could generate an error if there were
+ VOID-type partitions. (BUG: 843366)
+11/21/03: Update: Changed NOABORT messages to verbose messages, so invalid
+ data is not printed during 'ifind' searches.
+11/30/03: Bug Fix: icat would not hide the 'holes' if '-h' was given because
+ the _UNALLOC flag was always being passed to file_walk. (reported by
+ Knut Eckstein). (BUG: 851873)
+11/30/03: Bug Fix: NTFS data_walk was not using _ALLOC and _UNALLOC flags
+ and other code that called it was not either. (BUG: 851895)
+11/30/03: Bug Fix: Not all needed commands were using _UNALLOC when they
+ called file_walk (although for most cases it did not matter because
+ sparse files would not be found in a directory for example). (Bug: 851897)
+12/09/03: Bug Fix: FFS and EXT2FS code was using OFF_T type instead of
+ size_t for the size of the file. This could result in a file > 2GB
+ as being a negative size on some systems (BUG: 856957).
+12/26/03: Bug Fix: ffind would crash for root directory of FAT image.
+ Added NULL check and added a NULL name to fake root directory entry.
+ (BUG: 871219)
+01/05/04: Bug Fix: The clustcnt value for FAT was incorrectly calculated
+ and was too large for FAT12 and FAT16 by 32 sectors. This could produce
+ extra entries in the 'fsstat' output when the FAT is dumped.
+ (BUG: 871220)
+01/05/04: Bug Fix: ils, fls, and istat were not printing the full size
+ of files that are > 2GB. (reported by Knut Eckstein) (BUG: 871457)
+01/05/04: Bug Fix: The EXT2FS and EXT3FS code was not using the
+ i_dir_acl value as the upper 32-bits of regular files that are
+ > 2GB (BUG: 871458)
+01/06/04: Mitigation: An error was reported where sorter would error
+ that icat was being passed a '-1' argument. I can't find how that would
+ happen, so I added quotes to all arguments so that the next time it
+ occurs, the error is more useful (BUG: 845840).
+01/06/04: Update: Incorporated patch from Charles Seeger so that 'cc'
+ can be used and compile time warnings are fixed with Sun 'cc'.
+01/06/04: Update: Upgraded file from v3.41 to v4.07
+---------------- VERSION 1.66 --------------
+09/02/03: Bug Fix: Would not compile under OpenBSD 3 because fs_tools.h
+ & mm_tools was missing a defined statment (reported by Randy - m0th_man)
+NOTE: Bugs now will have an entry into the Source Forge bug tracking
+ sytem.
+10/13/03: Bug Fix: buffer was not being cleared between uses and length
+ incorrectly set in NTFS resulted in false deleted file names being shown
+ when the '-r' flag was given. The extra entries were from the previous
+ directory. (BUG: 823057)
+10/13/03: Bug Fix: The results of 'sorter' varied depending on the version
+ of Perl and the system. If the file output matched more than one,
+ sorter could not gaurantee which would match. Therefore, results were
+ different for some files and some machines. 'sorter' now enforces the
+ ordering based on the order they are in the configuration file. The
+ entries at the end of the file have priority over the first entries
+ (generic rules to specific rules). (BUG: 823057)
+10/14/03: Update: 'mmls' prints 'MS LVM' with partition type 0x42 now.
+10/25/03: Bug Fix: NTFS could have a null pointer crash if the image
+ was very corrupt and $Data was not found for the MFT.
+11/10/03: Bug Fix: NTFS 'ffind' would only report the file name and not
+ the attribute name because the type and id were ignored. ffind and
+ ntfs_dent were updated - found during NTFS keyword search test.
+ (Bug: 831579()
+11/12/03: Update: added support for Solaris x86 partition tables to 'mmls'
+11/12/03: Update: Modified the sparc data structure to add the correct
+ location of the 'sanity' magic value.
+11/15/03: Update: Added '-s' flag to 'icat' so that slack space is also
+ displayed.
+---------------- VERSION 1.65 --------------
+08/03/03: Bug Fix: 'sorter' now checks for inode values that are too
+ small to avoid 'icat' errors about invalid inode values.
+08/19/03: Update: 'raw' is now a valid type for 'dcat'.
+08/21/03: Update: mactime and sorter look for perl5.6.0 first.
+08/21/03: Update: Removed NSRL support from 'sorter' until a better
+ wany to identify the known good and known bad files is found
+08/21/03: Bug Fix: The file path replaces < and > with HTML
+ encoding for HTML output (ils names were not being shown)
+08/25/03: Update: Added 'nsrl.txt' describing why the NSRL functionality
+ was removed.
+08/27/03: Update: Improved code in 'mactime' to reduce warnings when
+ '-w' is used with Perl ('exists' checks on arrays).
+08/27/03: Update: Improved code in 'sorter' to reduce warnings when
+ '-w' is used with Perl (inode_int for NTFS).
+---------------- VERSION 1.64 --------------
+08/01/03: Docs Fix: The Sun VTOC was documented as Virtual TOC and it
+ should be Volume TOC (Jake @ UMASS).
+08/02/03: Bug Fix: Some compilers complained about verbose logging
+ assignment in 'mmls' (Ralf Spenneberg).
+---------------- VERSION 1.63 --------------
+06/13/03; Update: Added 'mmtools' directory with 'dos' partitions
+ and 'mmls'.
+06/18/03: Update: Updated the documents in the 'doc' directory
+06/19/03: Update: Updated error message for EXT3FS magic check
+06/27/03: Update: Added slot & table number to mmls
+07/08/03: Update: Added mac support to mmtools
+07/11/03: Bug Fix: 'sorter' was not processing all unallocated meta
+ data structures because of a regexp error. (reported by Jeff Reava)
+07/16/03: Update: Added support for FreeBSD5
+07/16/03: Update: Added BSD disk labels to mmtools
+07/28/03: Update: Relaxed requirements for DOS directory entries, the wtime
+ can be zero (reported by Adam Uccello).
+07/30/03: Update: Added SUN VTOC to mmtools
+07/31/03: Update: Added NetBSD support (
+08/01/03: Update: Added more sanity checks to FAT so that it would not
+ try and process NTFS images that have the same MAGIC value
+---------------- VERSION 1.62 --------------
+04/11/03: Bug Fix: 'fsstat' for an FFS file system could report data
+ fragments in the last group that were larger than the maximum
+ fragment
+04/11/03: Bug Fix: 'ffs' allows the image to not be a multiple of the
+ block size. A read error occured when it tried to read the last
+ fragments since a whole block could not be read.
+04/15/03: Update: Added debug statements to FAT code.
+04/26/03: Update: Added verbose statements to FAT code
+04/26/03: Update: Added NOABORT flag to dls -s
+04/26/03: Update: Added stderr messages for errors that are not aborted
+ because of NOABORT
+05/27/03: Update: Added 'mask' field to FATFS_INFO structure and changed
+ code in fatfs.c to use it.
+05/27/03: Update: isdentry now checks the starting cluster to see if
+ it is a valid size.
+05/27/03: Bug Fix: Added a sanitizer to 'sorter' to remove invalid chars
+ from the 'file' output and reduce the warnings from Perl.
+05/28/03: Bug Fix: Improved sanitize expression in 'sorter'
+05/28/03: Update: Added '-d' option to 'mactime' to allow output to be
+ given in comma delimited format for importing into a spread sheet or
+ other graphing tool
+06/09/03: Update: Added hourly summary / indexing to mactime
+06/09/03: Bug Fix: sorter would not allow linux-ext3 fstype
+---------------- VERSION 1.61 --------------
+02/05/03: Update: Started addition of image thumbnails to sorter
+03/05/03: Update: Updated 'file' to version 3.41
+03/16/03: Update: Added comments and NULL check to 'ifind'
+03/16/03: Bug Fix: Added a valid magic of 0 for MFT entries. This was
+ found in an XP image.
+03/26/03: Bug Fix: fls would crash for an inode of 0 and a clock skew
+ was given. fixed the bug in fls.c (debug help from Josep Homs)
+03/26/03: Update: Added more verbose comments to ntfs_dent.c.
+03/26/03: Bug Fix: 'ifind' for a path could return a result that was
+ shorter than the requested name (strncmp was used)
+03/26/03: Update: Short FAT names can be used in 'ifind -n' and
+ error messages were improved
+03/26/03: Bug Fix: A final NTFS Index Buffer was not always processed in
+ ntfs_dent.c, which resulted in files not being shown. This was fixed
+ with debugging help from Matthew Shannon.
+03/27/03: Update: Added an 'index.html' for image thumbnails in sorter
+ and added a 'details' link from the thumbnail to the images.html file
+03/27/03: Update: 'sorter' can now take a directory inode to start
+ processing
+03/27/03: Update: added '-z' flag when running 'file' in 'sorter' so that
+ compressed file contents are reported
+03/27/03: Update: added '-i' flag to 'mactime' that creates a daily
+ summary of events
+03/27/03: Update: Added support for Version 2 of the NSRL in 'hfind'
+04/01/03: Update: Added support for Hash Keeper to 'hfind'
+04/01/03: Update: Added '-e' flag to 'hfind' for extended info
+ (currently hashkeeper only)
+---------------- VERSION 1.60 --------------
+10/31/02: Bug Fix: the unmounting status of EXT2FS in the 'fsstat' command
+ was not correct (reported by Stephane Denis).
+11/24/02: Bug Fix: The -v argument was not allowed on istat or fls (Michael
+ Stone)
+11/24/02: Bug Fix: When doing an 'ifind' on a UNIX fs, it could abort if it
+ looked at an unallocated inode with invalid indirect block pointers.
+ This was fixed by adding a "NOABORT" flag to the walk code and adding
+ error checks in the file system code instead of relying on the fs_io
+ code. (suggested by Micael Stone)
+11/26/02: Update: ifind has a '-n' argument that allows one to specify a
+ file name it and it searches to find the meta data structure for it
+ (suggested by William Salusky).
+11/26/02: Update: Now that there is a '-n' flag with 'ifind', the '-d'
+ flag was added to specify the data unit address. The old syntax of
+ giving the data_unit at the end is no longer supported.
+11/27/02: Update: Added sanity checks on meta data and data unit addresses
+ earlier in the code.
+12/12/02: Update: Added additional debug statements to NTFS code
+12/19/02: Update: Moved 'hash' directory to 'hashtools'
+12/19/02: Update: Started development of 'hfind'
+12/31/02: Update: Improved verbose debug statements to show full 64-bit
+ offsets
+01/02/03: Update: Finished development of 'hfind' with ability to update
+ for next version of NSRL (which may have a different format)
+01/05/03: Bug Fix: FFS and EXT2FS symbolic link destinations where not
+ properly NULL terminated and some extra chars were appended in 'fls'
+ (later reported by Thorsten Zachmann)
+01/06/03: Bug Fix: getu64() was not properly masking byte sizes and some
+ data was being lost. This caused incorrect times to be displayed in some
+ NTFS files.
+01/06/03: Bug Fix: ifind reported incorrect ownership for some UNIX
+ file systems if the end fragments were allocated to a different file than
+ the first ones were.
+01/07/03: Update: Renamed the src/mactime directory to src/timeline.
+01/07/03: Update: Updated README and man pages for hfind and sorter
+01/12/03: Bug Fix: ntfs_mft_lookup was casting a 64-bit value to a 32-bit
+ variable. This caused MFT Magic errors. Reported and debugged by
+ Keven Murphy
+01/12/03: Update: Added verbose argument to 'fls'
+01/12/03: Bug Fix: '-V' argument to 'istat' was doing verbose instead of
+ version
+01/13/03: Update: Changed static sizes of OFF_T and DADDR_T in Linux
+ version to the actual 'off_t' and 'daddr_t' types
+01/23/03: Update: Changed use of strtok_r to strtok in ifind.c so that
+ Mac 10.1 could compile (Dave Goldsmith).
+01/28/03: Update: Improved code in 'hfind' and 'sorter' to handle
+ files with spaces in the path (Dave Goldsmith).
+---------------- VERSION 1.52 --------------
+09/24/02: Bug Fix: Memory leak in ntfs_dent_idxentry(), ntfs_find_file(),
+ and ntfs_dent_walk()
+09/24/02: Update: Removal of index sequences for index buffers is now
+ done using upd_off, which will allow for NTFS to move the structure in
+ the future.
+09/26/02: Update: Added create time for NTFS / STANDARD_INFO to
+ istat output.
+09/26/02: Update: Changed the method that the NTFS time is converted
+ to UNIX time. Should be more effecient.
+10/09/02: Update: dcat error changed.
+10/02/02: Update: Includes a Beta version of 'sorter'
+---------------- VERSION 1.51 --------------
+09/10/02: Bug Fix: Fixed a design bug that would not allow attribute
+ lists in $MFT. This bug would generate an error that complained about
+ an invalid MFT entry in attribute list.
+09/10/02: Update: The size of files and directories is now calculated
+ after each time proc_attrseq() is called so that it is more up to date
+ when dealing with attribute lists. The size has the sizes of all
+ $Data, $IDX_ROOT, and $IDX_ALLOC streams.
+09/10/02: Update: The maxinum number of MFT entries is now calculated
+ each time an MFT entry is processed while loading the MFT. This
+ allows us to reflect what the maximum possible MFT entry is at that
+ given point based on how many attribute lists have been processed.
+09/10/02: Update: Added file version 3.39 to distro (bigger magic files)
+ (Salusky)
+09/10/02: Bug Fix: fs_data was wasting memory when it was allocated
+09/10/02: Update: added a fs_data_alloc() function
+09/12/02: Bug Fix: Do not give an error if an attribute list of an
+ unallocated file points to an MFT that no longer claims it is a
+ member of the list.
+09/12/02: Update: No longer need version to remove update sequence
+ values from on-disk buffers
+09/19/02: Bug Fix: fixed memory leak in ntfs_load_ver()
+09/19/02: Bug Fix: Update sequence errors were displayed because of a
+ bug that occured when an MFT entry crossed a run in $MFT. Only occured
+ with 512-byte clusters and an odd number of clusters in a run.
+09/19/02: Update: New argument to ils, istat, and fls that allows user to
+ specify a time skew in seconds of the compromised system. Originated
+ from discussion at DFRWS II.
+09/19/02: Update: Added '-h' argument to mactime to display header info
+---------------- VERSION 1.50 --------------
+04/21/02: icat now displays idxroot attribute for NTFS directories
+04/21/02: fs_dent_print functions now are passed the FS_DATA structure
+ instead of the extra inode and name strings. (NTFS)
+04/21/02: fs_dent_print functions display alternate data stream size instead
+ of the default data size (NTFS)
+04/24/02: Fixed bug in istat that displayed too many fragments with ffs images
+04/24/02: Fixed bug in istat that did not display sparse files correctly
+04/24/02: fsstat of FFS images now identifies the fragments at the
+ beginning of cyl groups as data fragments.
+04/26/02: Fixed bug in ext2fs_dent_parse_block that did not advance the
+ directory entry pointer far enough each time
+04/26/02: Fixed bug in ext2fs_dent_parse_block so that gave an error if
+ a file name was exactly 255 chars
+04/29/02: Removed the getX functions from get.c as they are now macros
+05/11/02: Added support for lowercase flag in FAT
+05/11/02: Added support for sequence values (NTFS)
+05/13/02: Added FS_FLAG_META for FAT
+05/13/02: Changed ifind so that it looks the block up to identify if it is
+ a meta data block when an inode can not be found
+05/13/02: Added a conditional to ifind so that it handles sparse files better
+05/19/02: Changed icat so that the default attribute type is set in the
+ file_walk function
+05/20/02: ils and dls now use boundary inode & block values if too large
+ or small are given
+05/21/02: istat now displays all NTFS times
+05/21/02: Created functions to just display date and time
+05/24/02: moved istat functionality to the specific file system file
+05/25/02: added linux-ext3 flag, but no new features
+05/25/02: Added sha1 (so Autopsy can use the NIST SW Database)
+05/26/02: Fixed bug with FAT that did not return all slack space on file_walk
+05/26/02: Added '-s' flag to dls to extract slack space of FAT and NTFS
+06/07/02: fixed _timezone variable so correct times are shown in CYGWIN
+06/11/02: *_copy_inode now sets the flags for the inode
+06/11/02: fixed bug in mactimes that displayed a duplicate entry with time
+ because of header entries in body file
+06/12/02: Added ntfs.README doc
+06/16/02: Added a comment to file Makefile to make it easier to compile for
+ an IR CD.
+06/18/02: Fixed NTFS bug that showed ADS when only deleted files were supposed
+ to be shown (when ADS in directory)
+06/19/02: added the day of the week to the mactime output (Tan)
+07/09/02: Fixed bug that added extra chars to end of symlink destination
+07/17/02: 1.50 Released
+---------------- VERSION 1.00 --------------
+- Integrated TCT-1.09 and TCTUTILs-1.01
+- Fixed bug in bcat if size is not given with type of swap.
+- Added platform indep by including the structures of each file system type
+- Added flags for large file support under linux
+- blockcalc was off by 1 if calculated using the raw block number and
+not the one that lazarus spits out (which start at 1)
+- Changed the inode_walk and block_walk functions slightly to return a
+value so that a walk can be ended in the middle of it.
+- FAT support added
+- Improved ifind to better handle fragments
+- '-z' flag to fls and istat now use the time zone string instead of
+integer value.
+- no longer prepend / in _dent
+- verify that '-m' directory in fls ends with a '/'
+- identify the destination of sym links
+- fsstat tool added
+- fixed caching bug with FAT12 when the value overlapped cache entries
+- added mactime
+- removed the <inode> value in fls when printing mac format (inode is now printed in mactime)
+- renamed src/misc directory to src/hash (it only has md5 and will have sha)
+- renamed aux directory to misc (Windows doesn't allow aux as a name ??)
+- Added support for Cygwin
+- Use the flags in super block of EXT2FS to identify v1 or v2
+- removed file system types of linux1 and linux2 and linux
+- added file system type of linux-ext2 (as ext3 is becoming more popular)
+- bug in file command that reported seek error for object files and STDIN
88 INSTALL.txt
@@ -0,0 +1,88 @@
+ The Sleuth Kit
+ Installation Instructions
+ Last Modified: Sept 2008
+Tested Platform:
+- FreeBSD 2-6.*
+- Linux 2.*
+- OpenBSD 2-3.*
+- Mac OS X
+- SunOS 4-5.*
+- Windows
+- C compiler
+- GNU Make
+Optional Programs:
+- Autopsy: Provides a graphical HTML-based interface to The
+Sleuth Kit (which makes it much easier to use). Install this AFTER
+installing The Sleuth Kit.
+ Available at:
+Optional Libraries:
+There are optional features that TSK can use if you have installed
+them before you build and install TSK.
+- AFFLIB: Allows you to process disk images that are stored in the
+AFF format. Version 3.2.5 has been tested to compile and work with this
+ Available at:
+- LibEWF: Allows you to process disk images that are stored in the
+Expert Witness format (EnCase Format). Version 20080501 has been
+tested to compile and work with this release.
+ Available at:
+Refer to the README_win32.txt file for details on Windows.
+The Sleuth Kit uses the GNU autotools for building and installation.
+There are a few steps to this process. First, run the 'configure'
+script in the root TSK directory.
+ $ ./configure
+If there were no errors, then run 'make'.
+ $ make
+The 'make' process will take a while and will build the TSK tools.
+When this process is complete, the libraries and executables will
+be located in the TSK sub-directories. To install them, type
+'make install'.
+ $ make install
+By default, this will copy everything in to the /usr/local/ structure.
+So, the executables will be in '/usr/local/bin'. This directory will
+need to be in your PATH if you want to run the TSK commands without
+specifying '/usr/local/bin' everytime.
+There are some arguments to 'configure' that you can supply to
+customize the setup. Currently, they focus on the optional disk
+image format libraries.
+--disable-afflib: Supply this if you want TSK to ignore AFFLIB even
+if it is installed.
+--disable-ewf: Supply this if you want TSK to ignore libewf even
+if it is installed.
+Brian Carrier
+carrier <at> sleuthkit <dot> org
@@ -0,0 +1,46 @@
+# Files that we want to include in the dist
+ licenses/GNU-COPYING licenses/IBM-LICENSE licenses/cpl1.0.txt \
+ docs/library-api.txt \
+ win32/BUILDING.txt \
+ win32/blkcalc/blkcalc.vcproj win32/blkcat/blkcat.vcproj \
+ win32/blkls/blkls.vcproj win32/blkstat/blkstat.vcproj \
+ win32/ffind/ffind.vcproj win32/fls/fls.vcproj \
+ win32/fsstat/fsstat.vcproj win32/hfind/hfind.vcproj \
+ win32/icat/icat.vcproj win32/ifind/ifind.vcproj \
+ win32/ils/ils.vcproj win32/img_cat/img_cat.vcproj \
+ win32/img_stat/img_stat.vcproj \
+ win32/istat/istat.vcproj win32/jcat/jcat.vcproj \
+ win32/jls/jls.vcproj win32/mmls/mmls.vcproj \
+ win32/mmstat/mmstat.vcproj win32/mmcat/mmcat.vcproj \
+ win32/tsk-win.sln \
+ win32/libauxtools/libauxtools.vcproj \
+ win32/libfstools/libfstools.vcproj \
+ win32/libhashdbtools/libhashdbtools.vcproj \
+ win32/libimgtools/libimgtools.vcproj \
+ win32/libmmtools/libmmtools.vcproj \
+ win32/posix-sample/posix-sample.vcproj \
+ win32/callback-sample/callback-sample.vcproj
+# directories to compile
+SUBDIRS = tsk3 tools tests samples docs man
+nobase_include_HEADERS = tsk3/libtsk.h tsk3/tsk_incs.h \
+ tsk3/base/tsk_base.h tsk3/base/tsk_os.h \
+ tsk3/img/tsk_img.h tsk3/vs/tsk_vs.h \
+ tsk3/vs/tsk_bsd.h tsk3/vs/tsk_dos.h tsk3/vs/tsk_gpt.h \
+ tsk3/vs/tsk_mac.h tsk3/vs/tsk_sun.h \
+ tsk3/fs/tsk_fs.h tsk3/fs/tsk_ffs.h tsk3/fs/tsk_ext2fs.h tsk3/fs/tsk_fatfs.h \
+ tsk3/fs/tsk_ntfs.h tsk3/fs/tsk_iso9660.h tsk3/fs/tsk_hfs.h \
+ tsk3/hashdb/tsk_hashdb.h
+nobase_dist_data_DATA = tsk3/sorter/default.sort tsk3/sorter/freebsd.sort \
+ tsk3/sorter/images.sort tsk3/sorter/linux.sort tsk3/sorter/openbsd.sort \
+ tsk3/sorter/solaris.sort tsk3/sorter/windows.sort
+ doxygen tsk3/docs/Doxyfile
+ cd man;build-html
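Review bot: The recipe line `cd man;build-html` starts build-html by bare name, so after the cd it is resolved through PATH rather than taken from the man directory, and the `;` lets it run even when the cd fails. On a host without `.` in PATH the step fails, and with an unexpected PATH entry a different build-html could be picked up. I would write it as `cd man && ./build-html`. The target lines that own this recipe and the doxygen one are not visible in the hunk as rendered, so this assumes both are plain shell recipe lines.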
198 README.txt
@@ -0,0 +1,198 @@
+ The Sleuth Kit
+ Last Modified: Sept 2008
+The Sleuth Kit is an open source forensic toolkit for analyzing
+Microsoft and UNIX file systems and disks. The Sleuth Kit enables
+investigators to identify and recover evidence from images acquired
+during incident response or from live systems. The Sleuth Kit is
+open source, which allows investigators to verify the actions of
+the tool or customize it to specific needs.
+The Sleuth Kit uses code from the file system analysis tools of
+The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The
+TCT code was modified for platform independence. In addition,
+support was added for the NTFS (see docs/ntfs.README) and FAT (see
+docs/fat.README) file systems. Previously, The Sleuth Kit was
+called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independant
+of any commercial or academic organizations.
+It is recommended that these command line tools can be used with
+the Autopsy Forensic Browser. Autopsy, (,
+is a graphical interface to the tools of The Sleuth Kit and automates
+many of the procedures and provides features such as image searching
+and MD5 image integrity checks.
+As with any investigation tool, any results found with The Sleuth
+Kit should be be recreated with a second tool to verify the data.
+The Sleuth Kit allows one to analyze a disk or file system image
+created by 'dd', or a similar application that creates a raw image.
+These tools are low-level and each performs a single task. When
+used together, they can perform a full analysis. For a more detailed
+description of these tools, refer to docs/filesystem.README. The
+tools are briefly described in a file system layered approach. Each
+tool name begins with a letter that is assigned to the layer.
+File System Layer:
+A disk contains one or more partitions (or slices). Each of these
+partitions contain a file system. Examples of file systems include
+the Berkeley Fast File System (FFS), Extended 2 File System (EXT2FS),
+File Allocation Table (FAT), and New Technologies File System (NTFS).
+The fsstat tool displays file system details in an ASCII format.
+Examples of data in this display include volume name, last mounting
+time, and the details about each "group" in UNIX file systems.
+Content Layer (block):
+The content layer of a file system contains the actual file content,
+or data. Data is stored in large chunks, with names such as blocks,
+fragments, and clusters. All tools in this layer begin with the letters
+The blkcat tool can be used to display the contents of a specific unit of
+the file system (similar to what 'dd' can do with a few arguments).
+The unit size is file system dependent. The 'blkls' tool displays the
+contents of all unallocated units of a file system, resulting in a
+stream of bytes of deleted content. The output can be searched for
+deleted file content. The 'blkcalc' program allows one to identify the
+unit location in the original image of a unit in the 'blkls' generated
+A new feature of The Sleuth Kit from TCT is the '-l' argument to
+'blkls' (or 'unrm' in TCT). This argument lists the details for data
+units, similar to the 'ils' command. The 'blkstat' tool displays
+the statistics of a specific data unit (including allocation status
+and group number).
+Metadata Layer (inode):
+The metadata layer describes a file or directory. This layer contains
+descriptive data such as dates and size as well as the addresses of the
+data units. This layer describes the file in terms that the computer
+can process efficiently. The structures that the data is stored in
+have names such as inode and directory entry. All tools in this layer
+begin with an 'i'.
+The 'ils' program lists some values of the metadata structures.
+By default, it will only list the unallocated ones. The 'istat'
+displays metadata information in an ASCII format about a specific
+structure. New to The Sleuth Kit is that 'istat' will display the
+destination of symbolic links. The 'icat' function displays the
+contents of the data units allocated to the metadata structure
+(similar to the UNIX cat(1) command). The 'ifind' tool will identify
+which metadata structure has allocated a given content unit or
+file name.
+Refer to the ntfs.README doc for information on addressing metadata
+attributes in NTFS.
+Human Interface Layer (file):
+The human interface layer allows one to interact with files in a
+manner that is more convenient than directly with the metadata
+layer. In some operating systems there are separate structures for
+the metadata and human interface layers while others combine them.
+All tools in this layer begin with the letter 'f'.
+The 'fls' program lists file and directory names. This tool will
+display the names of deleted files as well. The 'ffind' program will
+identify the name of the file that has allocated a given metadata
+structure. With some file systems, deleted files will be identified.
+Time Line Generation
+Time lines are useful to quickly get a picture of file activity.
+Using The Sleuth Kit a time line of file MAC times can be easily
+made. The mactime (TCT) program takes as input the 'body' file
+that was generated by fls and ils. To get data on allocated and
+unallocated file names, use 'fls -rm dir' and for unallocated inodes
+use 'ils -m'. Note that the behavior of these tools are different
+than in TCT. For more information, refer to docs/mac.README.
+Hash Databases
+Hash databases are used to quickly identify if a file is known. The
+MD5 or SHA-1 hash of a file is taken and a database is used to identify
+if it has been seen before. This allows identification to occur even
+if a file has been renamed.
+The Sleuth Kit includes the 'md5' and 'sha1' tools to generate
+hashes of files and other data.
+Also included is the 'hfind' tool. The 'hfind' tool allows one to create
+an index of a hash database and perform quick lookups using a binary
+search algorithm. The 'hfind' tool can perform lookups on the NIST
+National Software Reference Library (NSRL) ( and
+files created from the 'md5' or 'md5sum' command. Refer to the
+docs/hfind.README file for more details.
+File Type Categories
+Different types of files typically have different internal structure.
+The 'file' command comes with most versions of UNIX and a copy is
+also distributed with The Sleuth Kit. This is used to identify
+the type of file or other data regardless of its name and extension.
+It can even be used on a given data unit to help identify what file
+used that unit for storage. Note that the 'file' command typically
+uses data in the first bytes of a file so it may not be able to
+identify a file type based on the middle blocks or clusters.
+The 'sorter' program in The Sleuth Kit will use other Sleuth Kit
+tools to sort the files in a file system image into categories.
+The categories are based on rule sets in configuration files. The
+'sorter' tool will also use hash databases to flag known bad files
+and ignore known good files. Refer to the 'docs/sorter.README'
+file for more details.
+The file system tools (in the src/fstools directory) are released
+under the IBM open source license and Common Public License, both
+are located in the license directory. The modifications to 'mactime'
+from the original 'mactime' in TCT and 'mac-daddy' are released
+under the Common Public License. Other tools in the src directory
+are either Common Public License or the GNU Public License.
+For installation instructions, refer to the INSTALL document.
+The 'docs' directory contains documents that describe the provided tools
+in more detail. The Sleuth Kit Informer is a newsletter that contains
+new documentation and articles.
+Mailing lists exist on SourceForge, for both users and a low-volume
+announcements list.
+Brian Carrier
+carrier <at> sleuthkit <dot> org
24 README_win32.txt
@@ -0,0 +1,24 @@
+ The Sleuth Kit
+ Win32 README File
+ Last Modified: Sept 2008
+The Sleuth Kit (TSK) runs on Windows. If you simply want the
+executables, you can download them from the
+If you want to build your own executables, you have two options.
+One is to use Microsoft Visual Studio. The VS solution file is in
+the win32 directory. Refer to the BUILDING.txt file in that directory
+for details.
+You can also compile Windows executables on Linux using mingw32.
+Simply give the "--host=i586-mingw32msvc" argument when running the
+'./configure' script and use 'make' to compile.
+carrier <at> sleuthkit <dot> org
+Brian Carrier
190 TODO.txt
@@ -0,0 +1,190 @@
+Brian's TSK TODO List
+std wchar_t API to tsk_img_open and ifind
+Make sigfind use imagelayer
+- Make tree searching use node-based reads
+-- Allow read() API to be used to read catalog and extents
+--- Create ATTRLIST from extents file
+--- Create ATTRLIST for Catalog
+-- Update hfs_dent so that it reads nodes at a time
+- fix bug with test image name
+- add ifind changes
+- go through @@@ statements
+-- Other --
+Make NTFS function to process MFT entry buffer (for memory parsing)
+Bug Fixes:
+- Verify VDL slack / init_size fix (need test image)
+ATTRIBUTE Functions:
+- should make FFS/ExtX indirect blocks be in special attribute
+- Windows version does not do globbing of cmd line arguments
+Minor Feature Change:
+- Make ffind code more library friendly and formalize a function to
+map inode to name(s)
+- Document handling of deleted files. What happens when file can't be recovered...
+- Add afflib crypto support
+- Could have better fsstat output that identifies which final sectors
+are missing in image.
+- make ifind more library friendly by not printing all results
+- Change istat and fsstat to print to strings instead of FILE
+- make '-S' option for icat that outputs only slack space (Wyatt)
+Automated Tests:
+- Add raw / swapfs tests
+- Add FFS sparse files to test set
+- Make img_stat regression tests for aff / ewf files
+Incorporate JFS code in.
+There are more offsets in NTFS attributes that we should be validating to
+make sure that they are in teh allocated buffer...
+Make return codes when opening a FS differentiate between not being a file
+system and being a corrupt file system (for a more accurate error message)
+- diskstat: Use 48-bit commands -- support USB / Firewire devices
+- Add DCO detection
+- SQL Patch
+- fsstat
+ - stats on number of things free
+ - UNIX bitmaps per group
+ - List bad blocks (done for FAT)
+- New line of 'f' tools that utilize 'ifind' code:
+ - fstat (istat from path)
+ - fcat
+- Need jfind code to find entries based on FS block number
+- Use backup copy of boot sector if primary fails (done for FAT).
+- output data of ils
+- Incorporate the FS_FLAG_DATA_BAD flag into operation
+- Incorporate HFS
+- come up with better solution for determing size of deleted FAT
+directories. Currently assuming 0 or cluster size.
+- Running ffind on a lfn FAT directory entry results in an "ORPHAN"
+entry because the LFN entries are not sent via inode_walk... perhaps
+make a new flag or a special FAT function. (BUG: 1326007)
+- could add a check to alert a file that has VOL_NAME set in non-root dir
+- Maybe fatfs_dent_walk should only check the times for the first
+entry and not be so strict. 0's can be used if the time is invalid.
+- HP Support
+- Display disk labels in fsstat
+- Make (realloc) appear on NTFS because of sequence numbers being off....
+- figure out a better way that $BADCLUS does not screw things up
+if it has a value in the first run.
+- deleted ADS
+- Read the Security Attributes
+- when doing a timeline in NTFS: do three time machine entries:
+ - time in parent directory
+ - time in STD_INFO
+ - time in $FNAME
+Support more ISO9660 Rock Ridge entry types
+Print extended attributes
+ISO files with multiple entries...
+ISO Volume set
+hfs_open has a bunch of functions that do not check return value
+HFS: still need to update error reporting.
+-- errors when doing ils -e:
+Error finding catalog entry 22 in catalog22|f|0|0|2212122496|2212122496|2212122496|0|0|0|0|0
+- hls
+- extended output for NSRL
+- need an img_integ tool that will verify the ingetrigy of an image
+ (will require the hash to be passed for raw and split files)
+- Add status flags to mac mmls
+- Add bootable flag to mm code for DOS
+- mmls in recursive does not always print location relative to start
+of disk i.e. intel solaris disk offsets are relative to start of
+solaris partition and not disk - should this be modified?
+- add sanity checks based on image size to determine if values are valid
+- mmstat could have an option where when given a partition number, it
+gives stats about that volume (layout, type (META etc.))
+- indexing
+- sstrings and Locale:
+- Incorporate grep or basic regexp to search files
+- minimum size for files
+- add extension to files that do not have one based on their file type.
+- scripts to incorporate logs and such into mactime
+- make 'mactime' able to run with '-w'
+- comma delimited version should have seperate column for deleted status
+(suggested by Keith Wood)
5 bootstrap
@@ -0,0 +1,5 @@
+aclocal \
+ && libtoolize \
+ && automake --foreign --add-missing \
+ && autoconf
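Review bot: `automake --foreign --add-missing` without `--copy` symlinks the missing auxiliary scripts (install-sh and the like) to the files of whichever automake is installed on the build host, so the helpers that later run under `make install` are not pinned by the repository. I would use `automake --foreign --add-missing --copy` and `libtoolize --copy`, so the helpers are real files that can be reviewed and versioned with the tree. A one-line comment stating that the script is only needed when building from a checkout would also help, if that is the intent.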
323 config/install-sh
@@ -0,0 +1,323 @@
+# install - install a program, script, or datafile
+# This originates from X11R5 (mit/util/scripts/, which was
+# later released in X11R6 (xc/config/util/ with the
+# following copyright and license.
+# Copyright (C) 1994 X Consortium
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+# Except as contained in this notice, the name of the X Consortium shall not
+# be used in advertising or otherwise to promote the sale, use or other deal-
+# ings in this Software without prior written authorization from the X Consor-
+# tium.
+# FSF changes to this file are in the public domain.
+# Calling this script install-sh is preferred over, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+# This script is compatible with the BSD install script, but was written
+# from scratch. It can only install one file at a time, a restriction
+# shared with many OS's install programs.
+# set DOITPROG to echo to test this script
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+# put in absolute paths if you don't have them in your path; or use env. vars.
+chmodcmd="$chmodprog 0755"
+rmcmd="$rmprog -f"
+usage="Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
+ or: $0 [OPTION]... -d DIRECTORIES...
+In the 1st form, copy SRCFILE to DSTFILE.
+In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
+In the 4th, create DIRECTORIES.
+-c (ignored)
+-d create directories instead of installing files.
+-g GROUP $chgrpprog installed files to GROUP.
+-m MODE $chmodprog installed files to MODE.
+-o USER $chownprog installed files to USER.
+-s $stripprog installed files.
+-t DIRECTORY install into DIRECTORY.
+-T report an error if DSTFILE is a directory.
+--help display this help and exit.
+--version display version info and exit.
+Environment variables override the default commands:
+while test -n "$1"; do
+ case $1 in
+ -c) shift
+ continue;;
+ -d) dir_arg=true
+ shift
+ continue;;
+ -g) chgrpcmd="$chgrpprog $2"
+ shift
+ shift
+ continue;;
+ --help) echo "$usage"; exit $?;;
+ -m) chmodcmd="$chmodprog $2"
+ shift
+ shift
+ continue;;
+ -o) chowncmd="$chownprog $2"
+ shift
+ shift
+ continue;;
+ -s) stripcmd=$stripprog
+ shift
+ continue;;
+ -t) dstarg=$2
+ shift
+ shift
+ continue;;
+ -T) no_target_directory=true
+ shift
+ continue;;
+ --version) echo "$0 $scriptversion"; exit $?;;
+ *) # When -d is used, all remaining arguments are directories to create.
+ # When -t is used, the destination is already specified.
+ test -n "$dir_arg$dstarg" && break
+ # Otherwise, the last argument is the destination. Remove it from $@.
+ for arg
+ do
+ if test -n "$dstarg"; then
+ # $@ is not empty: it contains at least $arg.
+ set fnord "$@" "$dstarg"
+ shift # fnord
+ fi
+ shift # arg
+ dstarg=$arg
+ done
+ break;;
+ esac
+if test -z "$1"; then
+ if test -z "$dir_arg"; then
+ echo "$0: no input file specified." >&2
+ exit 1
+ fi
+ # It's OK to call `install-sh -d' without argument.
+ # This can happen when creating conditional directories.
+ exit 0
+for src
+ # Protect names starting with `-'.
+ case $src in
+ -*) src=./$src ;;
+ esac
+ if test -n "$dir_arg"; then
+ dst=$src
+ src=
+ if test -d "$dst"; then
+ mkdircmd=:
+ chmodcmd=
+ else
+ mkdircmd=$mkdirprog
+ fi
+ else
+ # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
+ # might cause directories to be created, which would be especially bad
+ # if $src (and thus $dsttmp) contains '*'.
+ if test ! -f "$src" && test ! -d "$src"; then
+ echo "$0: $src does not exist." >&2
+ exit 1
+ fi
+ if test -z "$dstarg"; then
+ echo "$0: no destination specified." >&2
+ exit 1
+ fi
+ dst=$dstarg
+ # Protect names starting with `-'.
+ case $dst in
+ -*) dst=./$dst ;;
+ esac
+ # If destination is a directory, append the input filename; won't work
+ # if double slashes aren't ignored.
+ if test -d "$dst"; then
+ if test -n "$no_target_directory"; then
+ echo "$0: $dstarg: Is a directory" >&2
+ exit 1
+ fi
+ dst=$dst/`basename "$src"`
+ fi
+ fi
+ # This sed command emulates the dirname command.
+ dstdir=`echo "$dst" | sed -e 's,/*$,,;s,[^/]*$,,;s,/*$,,;s,^$,.,'`
+ # Make sure that the destination directory exists.
+ # Skip lots of stat calls in the usual case.
+ if test ! -d "$dstdir"; then
+ defaultIFS='
+ '
+ IFS="${IFS-$defaultIFS}"
+ # Some sh's can't handle IFS=/ for some reason.
+ IFS='%'
+ set x `echo "$dstdir" | sed -e 's@/@%@g' -e 's@^%@/@'`
+ shift
+ pathcomp=
+ while test $# -ne 0 ; do
+ pathcomp=$pathcomp$1
+ shift
+ if test ! -d "$pathcomp"; then
+ $mkdirprog "$pathcomp"
+ # mkdir can fail with a `File exist' error in case several
+ # install-sh are creating the directory concurrently. This
+ # is OK.
+ test -d "$pathcomp" || exit
+ fi
+ pathcomp=$pathcomp/
+ done
+ fi
+ if test -n "$dir_arg"; then
+ $doit $mkdircmd "$dst" \
+ && { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \
+ && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \
+ && { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \
+ && { test -z "$chmodcmd" || $doit $chmodcmd "$dst"; }
+ else
+ dstfile=`basename "$dst"`
+ # Make a couple of temp file names in the proper directory.
+ dsttmp=$dstdir/_inst.$$_
+ rmtmp=$dstdir/_rm.$$_
+ # Trap to clean up those temp files at exit.
+ trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
+ trap '(exit $?); exit' 1 2 13 15
+ # Copy the file name to the temp name.
+ $doit $cpprog "$src" "$dsttmp" &&
+ # and set any options; do chmod last to preserve setuid bits.
+ #
+ # If any of these fail, we abort the whole thing. If we want to
+ # ignore errors from any of these, just make sure not to ignore
+ # errors from the above "$doit $cpprog $src $dsttmp" command.
+ #
+ { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } \
+ && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } \
+ && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } \
+ && { test -z "$chmodcmd" || $doit $chmodcmd "$dsttmp"; } &&
+ # Now rename the file to the real destination.
+ { $doit $mvcmd -f "$dsttmp" "$dstdir/$dstfile" 2>/dev/null \
+ || {
+ # The rename failed, perhaps because mv can't rename something else
+ # to itself, or perhaps because mv is so ancient that it does not
+ # support -f.
+ # Now remove or move aside any old file at destination location.
+ # We try this two ways since rm can't unlink itself on some
+ # systems and the destination file might be busy for other
+ # reasons. In this case, the final cleanup might fail but the new
+ # file should still install successfully.
+ {
+ if test -f "$dstdir/$dstfile"; then
+ $doit $rmcmd -f "$dstdir/$dstfile" 2>/dev/null \
+ || $doit $mvcmd -f "$dstdir/$dstfile" "$rmtmp" 2>/dev/null \
+ || {
+ echo "$0: cannot unlink or rename $dstdir/$dstfile" >&2
+ (exit 1); exit 1
+ }
+ else
+ :
+ fi
+ } &&
+ # Now rename the file to the real destination.
+ $doit $mvcmd "$dsttmp" "$dstdir/$dstfile"
+ }
+ }
+ fi || { (exit 1); exit 1; }
+# The final little trick to "correctly" pass the exit status to the exit trap.
+ (exit 0); exit 0