Package: scrounge-ntfs
Version: 0.9-6 all

When attempting to set an end sector greater than an unsigned int, the program exits with an error saying end must be greater than start.

Attached is a simple patch for this. I have also added another patch that allows the program to restart. This is not necessarily a bug per se, but it is a royal pain if your data set is very large and you have to restart - the program creates duplicates.

In the second patch, I attempted to clean up the code a bit. There were two different invocations depending on which OS (Win32 or others) was built. I also added a -i option that will ignore a file that already exists on the output.

I've already filed with Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/scrounge-ntfs/+bug/1067817
https://bugs.launchpad.net/ubuntu/+source/scrounge-ntfs/+bug/1067814

I have tested both of these patches with the drive that Windows borked.

Perhaps you want them submitted separately.

Cheers.
-Doug



diff -ru scrounge-ntfs-0.9/src/main.c scrounge-ntfs-0.9.sizefix/src/main.c
--- scrounge-ntfs-0.9/src/main.c	2007-05-26 19:00:05.000000000 -0600
+++ scrounge-ntfs-0.9.sizefix/src/main.c	2012-10-17 10:30:34.000000000 -0600
@@ -77,7 +77,7 @@
 int main(int argc, char* argv[])
 {
   int ch = 0;
-  int temp = 0;
+  unsigned long temp = 0;
   int mode = 0;
   int raw = 0;
   partitioninfo pi;
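Review bot: Changing `temp` to `unsigned long` makes every `temp < 0` / `temp <= 0` test in main() always false, so the "must be positive" checks kept in the -c, -d, -m and start/end hunks (and in the matching hunks of the second patch's main.c) no longer reject negative input. A value such as `-1` returned by atol() wraps to a very large number, and for -m and the start sector, which have no upper bound, that wrapped value is accepted. Keeping a signed wide type for parsing, `long long temp = 0;`, preserves the sign checks while still allowing large sector numbers. main's body continues outside the hunk.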
@@ -103,7 +103,7 @@
     /* cluster size */
     case 'c':
       {
-        temp = atoi(optarg);
+        temp = atol(optarg);
         
         /* TODO: Check this range */
         if(temp <= 0 || temp > 128)
@@ -118,7 +118,7 @@
     /* drive number */
     case 'd':
       {
-        temp = atoi(optarg);
+        temp = atol(optarg);
 
         /* TODO: Check this range */
         if(temp < 0 || temp > 128)
@@ -142,7 +142,7 @@
     /* mft offset */
     case 'm':
       {
-        temp = atoi(optarg);
+        temp = atol(optarg);
 
         /* TODO: Check this range */
         if(temp < 0)
@@ -217,14 +217,14 @@
     if(argc > 2)
       warnx("ignoring extra arguments");
 
-    temp = atoi(argv[0]);
+    temp = atol(argv[0]);
     if(temp < 0)
       errx(2, "invalid start sector (must be positive)");
 
     pi.first = temp;
 
-    temp = atoi(argv[1]);
-    if(temp < 0 || ((unsigned int)temp) <= pi.first)
+    temp = atol(argv[1]);
+    if(temp < 0 || temp <= pi.first)
       errx(2, "invalid end sector (must be positive and greater than first)");
 
     pi.end = temp;
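Review bot: The end-sector check compares the full-width `temp` with `pi.first`, but the value is then stored with `pi.end = temp;`, and `first` is declared `uint32` in drive.h (`end` presumably is too), so a sector number above 2^32-1 passes the check and is silently truncated. atol() also reports no errors: non-numeric input reads as 0, and where `long` is 32 bits the original limit remains. Parsing with strtoull plus an end-pointer and explicit range check closes both gaps (errno.h must be in scope); the same applies to the start sector and to the identical hunk in the second patch. main's body starts and ends outside the hunk.

```c
    /* … unchanged: argc checks and start-sector parsing … */
    {
      char *endp = NULL;
      unsigned long long sector;

      errno = 0;
      sector = strtoull(argv[1], &endp, 10);
      if(argv[1][0] == '-' || endp == argv[1] || *endp != '\0' ||
         errno == ERANGE || sector > 0xFFFFFFFFULL || sector <= pi.first)
        errx(2, "invalid end sector (must be positive and greater than first)");

      pi.end = (uint32)sector;
    }
```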
diff -ru scrounge-ntfs-0.9/src/compat.h scrounge-ntfs-0.9.patched/src/compat.h
--- scrounge-ntfs-0.9/src/compat.h	2007-05-26 18:59:43.000000000 -0600
+++ scrounge-ntfs-0.9.patched/src/compat.h	2012-10-17 10:25:25.000000000 -0600
@@ -160,6 +160,10 @@
 #endif
   
 
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif
diff -ru scrounge-ntfs-0.9/src/drive.h scrounge-ntfs-0.9.patched/src/drive.h
--- scrounge-ntfs-0.9/src/drive.h	2007-05-26 18:59:50.000000000 -0600
+++ scrounge-ntfs-0.9.patched/src/drive.h	2012-10-17 10:25:25.000000000 -0600
@@ -34,6 +34,7 @@
 struct _ntfsx_mftmap;
 struct _drivelocks;
 
+#define OP_FLAG_IGNORE 0x0001  /**Do not copy files that already exist in output.  */
 typedef struct _partitioninfo
 {
 	uint32 first;		/* The first sector (in sectors) */
@@ -41,6 +42,9 @@
 	uint32 mft;			/* Offset into the MFT (in sectors) */
 	byte cluster;		/* Cluster size (in sectors) */
   int device;     /* A handle to an open device */
+	uint32 flags;		/**flags for operation. Ignore, for one  */
+	char *logfile;	/**Log file for err_set_file */
+	void *fp;       /**FILE * for filename, above  */
 
   /* Some other context stuff about the drive */
   struct _drivelocks* locks;
diff -ru scrounge-ntfs-0.9/src/main.c scrounge-ntfs-0.9.patched/src/main.c
--- scrounge-ntfs-0.9/src/main.c	2007-05-26 19:00:05.000000000 -0600
+++ scrounge-ntfs-0.9.patched/src/main.c	2012-10-17 10:25:25.000000000 -0600
@@ -21,48 +21,6 @@
 #include "scrounge.h"
 #include "compat.h"
 
-#ifdef _WIN32
-
-const char kPrintHelp[]       = "\
-usage: scrounge -l                                                   \n\
-  List all drive partition information.                              \n\
-                                                                     \n\
-usage: scrounge [-d drive] -s                                        \n\
-  Search drive for NTFS partitions.                                  \n\
-                                                                     \n\
-usage: scrounge [-d drive] [-m mftoffset] [-c clustersize] [-o outdir] start end  \n\
-  Scrounge data from a partition                                     \n\
-  -d         Drive number                                            \n\
-  -m         Offset to mft (in sectors)                              \n\
-  -c         Cluster size (in sectors, default of 8)                 \n\
-  -o         Directory to put scrounged files in                     \n\
-  start      First sector of partition                               \n\
-  end        Last sector of partition                                \n\
-                                                                     \n\
-";
-
-#else /* Not WIN32 */
-
-const char kPrintHelp[]       = "\
-usage: scrounge -l disk                                              \n\
-  List all drive partition information.                              \n\
-                                                                     \n\
-usage: scrounge -s disk                                              \n\
-  Search drive for NTFS partitions.                                  \n\
-                                                                     \n\
-usage: scrounge [-m mftoffset] [-c clustersize] [-o outdir] disk start end  \n\
-  Scrounge data from a partition                                     \n\
-  -m         Offset to mft (in sectors)                              \n\
-  -c         Cluster size (in sectors, default of 8)                 \n\
-  -o         Directory to put scrounged files in                     \n\
-  disk       The raw disk partitios (ie: /dev/hda)                   \n\
-  start      First sector of partition                               \n\
-  end        Last sector of partition                                \n\
-                                                                     \n\
-";
-
-#endif
-
 #define MODE_SCROUNGE 1
 #define MODE_LIST     2
 #define MODE_SEARCH   3 
@@ -77,11 +35,12 @@
 int main(int argc, char* argv[])
 {
   int ch = 0;
-  int temp = 0;
+  unsigned long temp = 0;
   int mode = 0;
   int raw = 0;
   partitioninfo pi;
   char driveName[MAX_PATH + 1];
+	FILE *f=NULL;
 #ifdef _WIN32
   int drive = 0;
 #endif
@@ -91,11 +50,7 @@
   /* TODO: We need to be able to autodetect the cluster size */
   pi.cluster = 8;
 
-#ifdef _WIN32
-  while((ch = getopt(argc, argv, "c:d:hlm:o:sv")) != -1)
-#else
-  while((ch = getopt(argc, argv, "c:hlm:o:sv")) != -1)
-#endif
+  while((ch = getopt(argc, argv, "c:d:e:hilm:o:sv")) != -1)
   {
     switch(ch)
     {
@@ -103,7 +58,7 @@
     /* cluster size */
     case 'c':
       {
-        temp = atoi(optarg);
+        temp = atol(optarg);
         
         /* TODO: Check this range */
         if(temp <= 0 || temp > 128)
@@ -114,11 +69,12 @@
       }
       break;
 
-#ifdef _WIN32
+
     /* drive number */
     case 'd':
+#ifdef _WIN32
       {
-        temp = atoi(optarg);
+        temp = atol(optarg);
 
         /* TODO: Check this range */
         if(temp < 0 || temp > 128)
@@ -126,8 +82,21 @@
 
         drive = temp;
       }
-      break;
-#endif
+#else
+			strncpy(driveName, optarg, MAX_PATH);
+  		driveName[MAX_PATH] = 0;
+#endif
+      break;
+    /* Log file  */
+		case 'e':
+			pi.logfile=strdup(optarg);
+			/** pi.fp=fopen(optarg,"a+");
+			err_set_file((void *)pi.fp);*/
+			break;
+		/* ignore files that already exist in output  */
+		case 'i':
+			pi.flags|=OP_FLAG_IGNORE;
+			break;
 
     /* list mode */
     case 'l':
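Review bot: On non-Windows builds `driveName` is now filled only inside `case 'd'`, while the hunk at -193 removes the `errx(2, "must specify drive name")` guard, so running without -d leaves the buffer (declared without an initializer in main) uninitialised when it is presumably passed on to open the device. Set `driveName[0] = 0;` before the getopt loop and keep a check in an `#else` branch after it, such as `if(!driveName[0]) errx(2, "must specify drive name (-d)");`. The strncpy also truncates an over-long path silently; rejecting `strlen(optarg) > MAX_PATH` would avoid opening a different device name than the one given. The switch continues outside the hunk.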
@@ -142,7 +111,7 @@
     /* mft offset */
     case 'm':
       {
-        temp = atoi(optarg);
+        temp = atol(optarg);
 
         /* TODO: Check this range */
         if(temp < 0)
@@ -193,17 +162,6 @@
 #ifdef _WIN32
   /* Under windows we format the drive number */
   makeDriveName(driveName, drive);
-
-#else
-  /* Now when not under Windows, it's the drive name */
-  if(argc < 1)
-    errx(2, "must specify drive name");
-
-  strncpy(driveName, argv[0], MAX_PATH);
-  driveName[MAX_PATH] = 0;
-
-  argv++;
-  argc--;
 #endif
 
 
@@ -217,14 +175,14 @@
     if(argc > 2)
       warnx("ignoring extra arguments");
 
-    temp = atoi(argv[0]);
+    temp = atol(argv[0]);
     if(temp < 0)
       errx(2, "invalid start sector (must be positive)");
 
     pi.first = temp;
 
-    temp = atoi(argv[1]);
-    if(temp < 0 || ((unsigned int)temp) <= pi.first)
+    temp = atol(argv[1]);
+    if(temp < 0 || temp <= pi.first)
       errx(2, "invalid end sector (must be positive and greater than first)");
 
     pi.end = temp;
@@ -271,6 +229,38 @@
 
 void usage()
 {
-  fprintf(stderr, "%s", kPrintHelp);
+#ifdef _WIN32
+#define D_OPT "drive"
+#define D_DESC "Drive number"
+	fprintf(stderr,"\
+usage: scrounge -l                                                   \n\
+  List all drive partition information.                              \n\
+                                                                     \n\
+usage: scrounge [-d drive] -s                                        \n\
+  Search drive for NTFS partitions.                                  \n"
+#else /* Not WIN32 */
+#define D_OPT "disk"
+#define D_DESC "The raw disk partitios (ie: /dev/hda)"
+		fprintf(stderr,"\
+usage: scrounge -l -d disk                                           \n\
+  List all drive partition information.                              \n\
+                                                                     \n\
+usage: scrounge -s -d disk                                           \n\
+  Search drive for NTFS partitions.                                  \n"
+#endif
+"usage: scrounge [-d %s] [-m mftoffset] [-c clustersize] [-o outdir] [-e errfile] [-i]  start end  \n\
+Scrounge data from a partition                                       \n\
+  -d         %s                                                      \n\
+  -m         Offset to mft (in sectors)                              \n\
+  -c         Cluster size (in sectors, default of 8)                 \n\
+  -l         List sectors/MFT                                        \n\	
+  -o         Directory to put scrounged files in                     \n\
+  -i         Ignore files that exist in output                       \n\
+  start      First sector of partition                               \n\
+  end        Last sector of partition                                \n\
+                                                                     \n\
+",D_OPT,D_DESC);
   exit(2);
 }
+/*  -e         File name for log                                       \n\ */
+
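Review bot: `-e errfile` appears in the synopsis, but its description is left as a comment after the function and the handler in main only stores `strdup(optarg)` with the fopen/err_set_file lines commented out, so as posted the option is accepted and does nothing. Either drop `e:` from the getopt string and the synopsis until logging is implemented, or enable it and check the strdup and fopen results. The `-l` line in the new string shows whitespace after the continuation backslash (`\n\` followed by a tab); if that is in the real patch and not an archive artefact, stricter compilers will not treat it as a line continuation. D_OPT and D_DESC are defined inside usage() and never `#undef`'d.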
diff -ru scrounge-ntfs-0.9/src/scrounge.c scrounge-ntfs-0.9.patched/src/scrounge.c
--- scrounge-ntfs-0.9/src/scrounge.c	2007-05-26 18:58:31.000000000 -0600
+++ scrounge-ntfs-0.9.patched/src/scrounge.c	2012-10-17 10:25:25.000000000 -0600
@@ -202,8 +202,9 @@
       }
     }
 
-    printf(flags & PROCESS_MFT_FLAG_SUB ? 
-            "\\" FC_PRINTF : "\\" FC_PRINTF "\n", basics.filename);
+    /* printf(flags & PROCESS_MFT_FLAG_SUB ? 
+            "\\" FC_PRINTF : "\\" FC_PRINTF "\n", basics.filename);*/
+	  printf("\\" FC_PRINTF,basics.filename);
 
     /* Directory handling: */
     if(header->flags & kNTFS_RecFlagDir)
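Review bot: The replacement `printf("\\" FC_PRINTF,basics.filename);` never emits the trailing newline that the old call printed when PROCESS_MFT_FLAG_SUB was clear, and the only new `printf("\n")` sits inside the `if(pi->flags & OP_FLAG_IGNORE)` block of the next hunk. Without -i, and for directories as far as the visible lines show, the per-file output lines would run together. Printing the newline on every non-skip path, for example by moving `printf("\n");` out of the OP_FLAG_IGNORE test, keeps the old output. The commented-out original call can then be deleted instead of left in place. The enclosing function starts and ends outside the hunk.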
@@ -251,6 +252,13 @@
     else
 #endif
     {
+			if(pi->flags & OP_FLAG_IGNORE){ 
+				struct stat buf; 
+				if(stat(basics.filename,&buf) == 0) {/* if the file exists, just ignore it  */
+					printf(" - Already exists, Not duplicating.\n");
+					goto cleanup;
+				}	else printf("\n");
+		  }
       ofile = fc_open(basics.filename, O_BINARY | O_CREAT | O_EXCL | O_WRONLY, DEF_FILE_MODE);
   
       fcsncpy(filename2, basics.filename, MAX_PATH);
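Review bot: With -i, `stat(basics.filename,&buf) == 0` treats any existing path as already recovered, including a file left truncated by the interrupted run that prompted the restart, so the last file written before the interruption can stay incomplete without any message. For a recovery tool it is worth comparing `buf.st_size` with the size recorded for the file (if that size is available at this point, which the hunk does not show) or at least stating this limitation in the -i help text. Since `fc_open` is already called with `O_CREAT | O_EXCL`, testing its failure for `errno == EEXIST` would give the same skip without a separate check-then-open step. `basics.filename` is printed with FC_PRINTF and opened with fc_open, so it may be a wide string on Windows builds, where passing it to stat() needs confirming. The `cleanup` label and the rest of the function are outside the hunk.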
Only in scrounge-ntfs-0.9.patched/src: scrounge.c.orig