Displaying 20 results from an estimated 700 matches similar to: "low level search for deleted data"
2003 Aug 07
2
Recover data from ext3 filesystem
Hello everyone,
I came back from a long vacation the other day to a RH 7.3 system that
would not boot. My situation is similar to Eddy's post "Seriously
corrupt ext3 root filesystem - help?" from a couple of days ago.
I can mount the drive in read-write and read-only modes. I can get into
some of the directories and get certain files off of the disk. But, if
I try to access a
2016 Aug 08
1
[PATCH] sleuthkit code cleanup
Small cosmetic changes.
Signed-off-by: Matteo Cafasso <noxdafox@gmail.com>
---
daemon/sleuthkit.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/daemon/sleuthkit.c b/daemon/sleuthkit.c
index ce738e3..e642731 100644
--- a/daemon/sleuthkit.c
+++ b/daemon/sleuthkit.c
@@ -47,7 +47,8 @@ do_download_inode (const mountable_t *mountable, int64_t inode)
}
/*
2016 Mar 29
2
[PATCH] renamed daemon/tsk.c to daemon/sleuthkit.c
In order to support the new features I am renaming the file with a better name.
The file sleuthkit.c will contain the code depending on the sleuthkit package.
The original tsk.c file will contain the logic built using libtsk
which is the sleuthkit core library.
This patch is ready for review.
Code available at:
https://github.com/noxdafox/libguestfs/tree/sleuthkit_rename
Signed-off-by: Matteo
2016 Mar 07
2
Re: [PATCH 2/3] added icat API to retrieve deleted or inaccessible files
Thanks, I have pushed this patch series.
Could you consider changing:
> + optional = Some "icat";
I think it would be nice to have a single feature, and to call the
feature "sleuthkit" or "forensics" or something like that. We don't
need to have one feature per API since installation of a single
package (sleuthkit) is sufficient to make all the APIs
2016 Jul 28
2
[ORC JIT] Exposing IndirectStubsManager from CompileOnDemandLayer.h
I needed to be able to update stub pointers for hot functions that get
recompiled in a lazy JIT that uses CompileOnDemandLayer. In order to do
this I added a method that allows pointers to be updated but does not
expose any of the other internals of the COD layer.
Does anyone have a cleaner way to do this? Has something to facilitate
this already been added? Would it be possible to merge this
2016 Mar 30
4
[PATCH 0/3] rename icat API into download_inode
The command name is a bit confusing because it's similar to "cat" but acts as "download". Therefore I am renaming it with a more clear name.
At the same go I cleaned up a bit the code following the standards and improved the API documentation.
This patch is ready for review.
Code available at:
https://github.com/noxdafox/libguestfs/tree/download_inode
Matteo Cafasso (3):
2016 Jul 29
0
[ORC JIT] Exposing IndirectStubsManager from CompileOnDemandLayer.h
+Lang Hames <lhames at gmail.com>, Master Regent of the Three <No, Two sir>
JITs
On Thu, Jul 28, 2016 at 12:31 PM Sean Ogden via llvm-dev <
llvm-dev at lists.llvm.org> wrote:
> I needed to be able to update stub pointers for hot functions that get
> recompiled in a lazy JIT that uses CompileOnDemandLayer. In order to do
> this I added a method that allows pointers to
2016 Jul 29
2
[ORC JIT] Exposing IndirectStubsManager from CompileOnDemandLayer.h
Hi Sean,
This is great, but it couples LogicalDylib too tightly to
CompileOnDemandLayer. Does this alternative implementation of
getLogicalModuleResourcesForSymbol work for you (unfortunately I don't have
a local test case for this yet):
LogicalModuleResources*
getLogicalModuleResourcesForSymbol(const std::string &Name,
bool
2016 Jul 29
0
[ORC JIT] Exposing IndirectStubsManager from CompileOnDemandLayer.h
It does work. I just tested it on my JIT. Thanks!
As for the part that couples them too tightly, would you recommend I just
keep my own specialized version of CompileOnDemandLayer.h that includes
this functionality, or do you have any ideas for a cleaner way to do this?
I've noticed a couple of people asking for support for updating stub
pointers for functions that are optimized at runtime,
2016 Jul 17
4
[PATCH v2 0/2] Added download_blocks API
v2:
- Rebase on top of master
Matteo Cafasso (2):
New API: download_blocks
Added download_blocks API test
daemon/sleuthkit.c | 41 ++++++++++++++++++++++++++-
generator/actions.ml | 24 ++++++++++++++++
gobject/Makefile.inc | 2 ++
src/MAX_PROC_NR | 2 +-
tests/tsk/Makefile.am | 1 +
2016 Jun 29
2
[PATCH 0/2] Added download_blocks API
With this API we complete the set of functions required to extract
deleted files/data from most of the available filesystems.
The function allows to extract data units (blocks) within a given range
from a partition.
The tests show an example on how the function can be used to retrieve
deleted data.
Matteo Cafasso (2):
New API: download_blocks
Added download_blocks API test
2016 Mar 29
3
[PATCH 0/2] rename icat API as download_inode
"icat" name comes from the employed command line tool which might be replaced later on with a different implementation.
The command name is a bit confusing because it's similar to "cat" but acts as "download". Therefore I am renaming it with a more clear name.
At the same time I cleaned up a bit the code and improved its readability and code comments.
This
2016 Sep 20
1
Re: [PATCH v2 1/3] New API: internal_find_block
On Monday, 19 September 2016 23:26:57 CEST Matteo Cafasso wrote:
> The internal_find_block command searches all entries referring to the
> given filesystem data block and returns a tsk_dirent structure
> for each of them.
>
> For filesystems such as NTFS which do not delete the block mapping
> when removing files, it is possible to get multiple non-allocated
> entries for the
2016 Jul 30
1
[ORC JIT] Exposing IndirectStubsManager from CompileOnDemandLayer.h
Hi Sean,
> As for the part that couples them too tightly, would you recommend I just
> keep my own specialized version of CompileOnDemandLayer.h that includes
> this functionality, or do you have any ideas for a cleaner way to do this?
My apologies - I wasn't very clear in my description of the issue. The only
sense in which your original patch was tightly coupled was that it had
2011 Jul 29
5
coordinates from locator function in POSIXct format
Dear R-list,
I have a plot with y-axis corresponding to wind measurements
and x-axis with date-time information.
When I want to identify some extreme wind events in the
wind-curve, I use locator() to get the exact
date-information, by clicking in the points in graph I'm
interested in.
I get in the R console the x and y coordinates.
The x coordinates are not in a POSIXct format, I guess R is
2003 Feb 12
2
Data loss
Hello everybody,
it happened with my RH73 that the same partition (ext3 fs, of course) was mounted
onto two different mount points ("/" and "/mnt/removable" respectively) and a copy of
files from one path to another (e.g. "cp /opt/myfile /mnt/removable/opt") revealed to be
an overwriting procedure. Now I have 0 byte size files on /mnt/removable (aka "/")
2003 Mar 06
2
disaster recovery
In a fit of irony, while preparing to burn a CDROM
with some software I've been writing for about six months,
I did a rm *>o instead of rm *.o on an ext3 filesystem.
And I'm well aware that under normal circumstance you
can't undelete, especially an ext3 filesystem. However,
I need to at least *try* to recover this. I've built
lde (linux disk editor) and if I can isolate a
2016 Mar 02
2
Libguestfs as filesystem forensic tool
Greetings,
I am playing around with the idea of using libguestfs as a forensic tool
to investigate VM disk images.
Some use cases as example:
* Sandbox for malware analysis.
* Incident response in cloud environments.
Libguestfs is a precious resource in this case as it allows to abstract
the disk image internals and expose them as mountable devices.
Combined with some state of the art
2016 Mar 07
4
[PATCH 0/3] added The Sleuth Kit and icat API for downloading inaccessible files
The Sleuth Kit is a filesystem forensic tool for accessing disk volumes and extracting digital evidence from.
http://www.sleuthkit.org/
The icat API allows to download a file from a device given its metadata number (inode). It supports multiple filesystem types.
The icat command allows to access to otherwise unreachable files such as filesystem data structures and deleted files which content is
2016 Oct 08
5
[PATCH v4 0/3] New API - find_block
Patch ready for merging.
v4:
- check return code of tsk_fs_attr_walk
- pass TSK_FS_FILE_WALK_FLAG_NOSPARSE as additional flag to tsk_fs_attr_walk
After discussing with TSK authors the behaviour is clear. [1]
In case of COMPRESSED blocks, the callback will be called for all the attributes no matter whether they are on disk or not (sparse). In such cases, the block address will be 0. [2]
So