sleuthkit icon indicating copy to clipboard operation
sleuthkit copied to clipboard
verified publisher icon sleuthkit

HFS+/HFSX: istat yields "Error reading file data fork" for block or character device and FIFO file entry

Open joachimmetz opened this issue 3 years ago • 2 comments

Tested with version 7e801480e03cf023d1c3adc1394f950d46b7e6db

Test file generated with https://github.com/dfirlabs/hfs-specimens

istat -o 40 hfsplus.dmg 38
File Path: /testdir1/blockdev1
Catalog Record: 38
Allocated
Type:	
Mode:	brw-r--r--
Size:	0
uid / gid: 501 / 20
Link count:	402653241

File Name: blockdev1
Device ID:	402653241
Admin flags: 0
Owner flags: 0
File type:	0000      
File creator:	0000      
Text encoding:	0 = MacRoman
Resource fork size:	0

Times:
Created:	2022-07-08 06:42:36 (CEST)
Content Modified:	2022-07-08 06:42:36 (CEST)
Attributes Modified:	2022-07-08 06:42:36 (CEST)
Accessed:	2022-07-08 06:42:36 (CEST)
Backed Up:	0000-00-00 00:00:00 (UTC)

Data Fork Blocks:

Error reading file data fork
Attribute not found in file (tsk_fs_attrlist_get_id: Attribute 4352-0 not found)

Attributes:

The "Error reading file data fork" is unexpected behavior since this is a block device file entry, which should have no in-file system data fork

Also Link count: 402653241 looks off, looks like this type of file entry might not be correctly handled

joachimmetz avatar Jul 08 '22 05:07 joachimmetz

similar behavior for character device file entry

istat -o 40 hfsplus.dmg 39
File Path: /testdir1/chardev1
Catalog Record: 39
Allocated
Type:	
Mode:	crw-r--r--
Size:	0
uid / gid: 501 / 20
Link count:	218103876

File Name: chardev1
Device ID:	218103876
Admin flags: 0
Owner flags: 0
File type:	0000      
File creator:	0000      
Text encoding:	0 = MacRoman
Resource fork size:	0

Times:
Created:	2022-07-08 06:42:36 (CEST)
Content Modified:	2022-07-08 06:42:36 (CEST)
Attributes Modified:	2022-07-08 06:42:36 (CEST)
Accessed:	2022-07-08 06:42:36 (CEST)
Backed Up:	0000-00-00 00:00:00 (UTC)

Data Fork Blocks:

Error reading file data fork
Attribute not found in file (tsk_fs_attrlist_get_id: Attribute 4352-0 not found)

Attributes:

joachimmetz avatar Jul 08 '22 05:07 joachimmetz

And pipe (or FIFO) file entry as well, but link count looks it is handled correctly

istat -o 40 hfsplus.dmg 40
File Path: /testdir1/pipe1
Catalog Record: 40
Allocated
Type:	
Mode:	prw-r--r--
Size:	0
uid / gid: 501 / 20
Link count:	1

File Name: pipe1
Admin flags: 0
Owner flags: 0
File type:	0000      
File creator:	0000      
Text encoding:	0 = MacRoman
Resource fork size:	0

Times:
Created:	2022-07-08 06:42:36 (CEST)
Content Modified:	2022-07-08 06:42:36 (CEST)
Attributes Modified:	2022-07-08 06:42:36 (CEST)
Accessed:	2022-07-08 06:42:36 (CEST)
Backed Up:	0000-00-00 00:00:00 (UTC)

Data Fork Blocks:

Error reading file data fork
Attribute not found in file (tsk_fs_attrlist_get_id: Attribute 4352-0 not found)

Attributes:

joachimmetz avatar Jul 08 '22 05:07 joachimmetz