search for: icat

Thanks, I have pushed this patch series. Could you consider changing: > + optional = Some "icat"; I think it would be nice to have a single feature, and to call the feature "sleuthkit" or "forensics" or something like that. We don't need to have one feature per API since installation of a single package (sleuthkit) is sufficient to make all the APIs available....

The Sleuth Kit is a filesystem forensic tool for accessing disk volumes and extracting digital evidence from. http://www.sleuthkit.org/ The icat API allows to download a file from a device given its metadata number (inode). It supports multiple filesystem types. The icat command allows to access to otherwise unreachable files such as filesystem data structures and deleted files which content is still partially or totally stored on the devi...

...;. Therefore I am renaming it with a more clear name. At the same go I cleaned up a bit the code following the standards and improved the API documentation. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/download_inode Matteo Cafasso (3): Rename icat command in download_inode Improve download_inode documentation string. Code cleanup in daemon/sleuthkit.c daemon/sleuthkit.c | 50 ++++++++++++++++++++----------------- generator/actions.ml | 10 +++++--- tests/tsk/Makefile.am | 2 +- tests/tsk/test-downl...

"icat" name comes from the employed command line tool which might be replaced later on with a different implementation. The command name is a bit confusing because it's similar to "cat" but act as "donwload". Therefore I am renaming it with a more clear name. At the same ti...

The "icat" name comes from the employed command line tool which might be replaced at any time with a different implementation. The command name is a bit confusing because it's similar to "cat" but act as "donwload". download_inode is more clear and descriptive. Signed-off-by:...

>From 'available icat' to 'available sleuthkit'. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/tsk.c | 6 +++--- generator/actions.ml | 2 +- tests/tsk/test-icat.sh | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/daemon/tsk.c b/daemon/tsk.c index 647...

...https://www.redhat.com/archives/libguestfs/2016-March/msg00018.html I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth Kit. http://www.sleuthkit.org/ The two APIs I'm adding with the patch are a simple example of which type of features TSK can enable. The icat API it's very similar to the previously added ntfscat_i but it works with multiple filesystem types and has an interesting added value: it can extract deleted files. The end result heavily depends on the filesystem internals and on how much it has been used. On FAT, Ext2 and NTFS it can recover...

On 07/03/16 21:45, Richard W.M. Jones wrote: > Thanks, I have pushed this patch series. > > Could you consider changing: > >> + optional = Some "icat"; > I think it would be nice to have a single feature, and to call the > feature "sleuthkit" or "forensics" or something like that. We don't > need to have one feature per API since installation of a single > package (sleuthkit) is sufficient to make all th...

...> --- a/generator/actions.ml > +++ b/generator/actions.ml > @@ -12919,6 +12919,39 @@ within the C<$Extend> folder. > The filesystem from which to extract the file must be unmounted, > otherwise the call will fail." }; > > + { defaults with > + name = "icat"; added = (1, 33, 14); > + style = RErr, [Mountable "device"; Int64 "inode"; FileOut "filename"], []; > + proc_nr = Some 464; > + optional = Some "icat"; > + progress = true; cancellable = true; > + shortdesc = "downloa...

...emon/sleuthkit.c +++ b/daemon/sleuthkit.c @@ -29,55 +29,55 @@ #include "actions.h" #include "optgroups.h" -static int file_out (const char *cmd); +int optgroup_sleuthkit_available(void); +static int send_command_output(const char *cmd); -GUESTFSD_EXT_CMD(str_sleuthkit_probe, icat); +GUESTFSD_EXT_CMD(str_icat, icat); -int -optgroup_sleuthkit_available (void) -{ - return prog_exists (str_sleuthkit_probe); -} - -int -do_icat (const mountable_t *mountable, int64_t inode) +/* Has one FileOut parameter. */ +int do_download_inode(const mountable_t *mountable, int64_t inode) {...

...wo APIs I'm adding with the patch are a simple example of which type of features TSK can enable. A few comments in general terms: The current splitting of the commits doesn't make much sense to me. I think it would be better as: - commit to add TSK to the appliance - commit to add the icat API - tests for icat - commit to add the fls0 API - tests for fls0 although it would be fine to combine the tests with the new API, or even have all the tests as a single separate commit (as now). This benefits you because it will allow patches to go upstream earlier. For example, a commit...

...+#include <inttypes.h> +#include <string.h> +#include <unistd.h> + +#include "guestfs_protocol.h" +#include "daemon.h" +#include "actions.h" +#include "optgroups.h" + +static int file_out (const char *cmd); + +GUESTFSD_EXT_CMD(str_tsk_probe, icat); + +int +optgroup_icat_available (void) +{ + return prog_exists (str_tsk_probe); +} + +int +do_icat (const mountable_t *mountable, int64_t inode) +{ + CLEANUP_FREE char *cmd = NULL; + + /* Inode must be greater than 0 */ + if (inode < 0) { + reply_with_error ("inode must be >= 0&...

...+#include <inttypes.h> +#include <string.h> +#include <unistd.h> + +#include "guestfs_protocol.h" +#include "daemon.h" +#include "actions.h" +#include "optgroups.h" + +static int file_out (const char *cmd); + +GUESTFSD_EXT_CMD(str_tsk_probe, icat); + +int +optgroup_icat_available (void) +{ + return prog_exists (str_tsk_probe); +} + +int +do_icat (const mountable_t *mountable, int64_t inode) +{ + CLEANUP_FREE char *cmd = NULL; + + /* Inode must be greater than 0 */ + if (inode < 0) { + reply_with_error ("inode must be >= 0&...

On Mon, Mar 07, 2016 at 08:14:41PM +0200, noxdafox wrote: > As the API documentation says, this is the low level API which I > have provided as an example. > > I took inspiration from the guestfs_ls0 API which does a similar job > storing the content of a directory onto a host file. > > If I understood correctly (the dynamic code generation is still > confusing me a bit),

...are a simple example of which type of features TSK can enable. > A few comments in general terms: > > The current splitting of the commits doesn't make much sense to me. > I think it would be better as: > > - commit to add TSK to the appliance > > - commit to add the icat API > > - tests for icat > > - commit to add the fls0 API > > - tests for fls0 > > although it would be fine to combine the tests with the new API, or > even have all the tests as a single separate commit (as now). > > This benefits you because it will allow p...

...<- .Machine$double.eps^0.9 if (sum(p) > (1.0 + eps) | sum(p) < (1.0 - eps) ) {cat("Sum of P(i) should equal 1.0 ","\n"); break} # Initialize variables ntot <- n sum <- 1.0 ix <- rep(0,ncat) # Generate the observation for (icat in 1:(ncat - 1)) { prob <- p[icat]/sum ix[icat] <- rbinom(1,ntot,prob) ntot <- ntot - ix[icat] if (ntot <= 0) return(ix) sum <- sum - p[icat] } ix[ncat] <- ntot return (ix) } -----Original Message----- From: Mark.Braving...

blkcat allows to extract files given their data units (clusters for NTFS, fragments for ExtX). This API allows to recover files which icat cannot. For example icat often fails retrieving deleted files on Ext3/Ext4 filesystems. As this API works at data unit level, some garbage at the beginning or at the end of the files is expected. An example of blkcat can be found here: http://wiki.sleuthkit.org/index.php?title=FS_Analysis Matte...

...(like the ntfscat-i API). One of the patches I'm talking about would add TSK (The Sleuth Kit) as a dependency within the appliance. This would bring new APIs such as: 'fls' more powerful 'ls' command allowing to get list of deleted files or timelines at a given path. 'icat' similar to ntfscat-i but it supports multiple FS. Yet I'm not sure whether it's desirable as it is for a narrow use case and on my Debian box TSK is a 12Mb binary. > > Rich. >

...ude <inttypes.h> +#include <string.h> +#include <unistd.h> + +#include "guestfs_protocol.h" +#include "daemon.h" +#include "actions.h" +#include "optgroups.h" + +static int file_out (const char *cmd); + +GUESTFSD_EXT_CMD(str_sleuthkit_probe, icat); + +int +optgroup_sleuthkit_available (void) +{ + return prog_exists (str_sleuthkit_probe); +} + +int +do_icat (const mountable_t *mountable, int64_t inode) +{ + CLEANUP_FREE char *cmd = NULL; + + /* Inode must be greater than 0 */ + if (inode < 0) { + reply_with_error ("inode must...

Dear Samba Team, First of all Thank you for Implementing samba4 version with RSAT it was very useful in our environment.we have configured samba4 with RSAT in our college it was working for the past 5 to 6 weeks and then later we are facing the problem in accessing sharing folder i am getting error "security id structure is invalid" is there any solution for this