changes.txt

linux下开发的针对所有磁盘的数据恢复的源码

  > 2GB (BUG:  871458)
01/06/04: Mitigation: An error was reported where sorter would error
  that icat was being passed a '-1' argument.  I can't find how that would
  happen, so I added quotes to all arguments so that the next time it 
  occurs, the error is more useful (BUG: 845840).
01/06/04: Update: Incorporated patch from Charles Seeger so that 'cc'
  can be used and compile time warnings are fixed with Sun 'cc'.  
01/06/04: Update: Upgraded file from v3.41 to v4.07


---------------- VERSION 1.66 --------------
09/02/03: Bug Fix: Would not compile under OpenBSD 3 because fs_tools.h
  & mm_tools was missing a defined statment (reported by Randy - m0th_man)
NOTE: Bugs now will have an entry into the Source Forge bug tracking
  sytem.  
10/13/03: Bug Fix: buffer was not being cleared between uses and length
 incorrectly set in NTFS resulted in false deleted file names being shown
 when the '-r' flag was given.  The extra entries were from the previous
 directory.  (BUG: 823057)
10/13/03: Bug Fix: The results of 'sorter' varied depending on the version
  of Perl and the system.   If the file output matched more than one,
  sorter could not gaurantee which would match.  Therefore, results were
  different for some files and some machines.  'sorter' now enforces the
  ordering based on the order they are in the configuration file.  The
  entries at the end of the file have priority over the first entries
  (generic rules to specific rules).  (BUG: 823057)
10/14/03: Update: 'mmls' prints 'MS LVM' with partition type 0x42 now.
10/25/03: Bug Fix: NTFS could have a null pointer crash if the image
  was very corrupt and $Data was not found for the MFT.  
11/10/03: Bug Fix: NTFS 'ffind' would only report the file name and not
  the attribute  name because the type and id were ignored.  ffind and
  ntfs_dent were updated - found during NTFS keyword search test.
  (Bug: 831579()
11/12/03: Update: added support for Solaris x86 partition tables to 'mmls'
11/12/03: Update: Modified the sparc data structure to add the correct 
  location of the 'sanity' magic value.
11/15/03: Update: Added '-s' flag to 'icat' so that slack space is also
  displayed.

---------------- VERSION 1.65 --------------
08/03/03: Bug Fix: 'sorter' now checks for inode values that are too
  small to avoid 'icat' errors about invalid inode values.  
08/19/03: Update: 'raw' is now a valid type for 'dcat'.
08/21/03: Update: mactime and sorter look for perl5.6.0 first.
08/21/03: Update: Removed NSRL support from 'sorter' until a better
 wany to identify the known good and known bad files is found
08/21/03: Bug Fix: The file path replaces < and > with HTML 
  encoding for HTML output (ils names were not being shown)
08/25/03: Update: Added 'nsrl.txt' describing why the NSRL functionality
  was removed.
08/27/03: Update: Improved code in 'mactime' to reduce warnings when
  '-w' is used with Perl ('exists' checks on arrays).
08/27/03: Update: Improved code in 'sorter' to reduce warnings when
  '-w' is used with Perl (inode_int for NTFS).

---------------- VERSION 1.64 --------------
08/01/03: Docs Fix: The Sun VTOC was documented as Virtual TOC and it
  should be Volume TOC (Jake @ UMASS).
08/02/03: Bug Fix: Some compilers complained about verbose logging
  assignment in 'mmls'  (Ralf Spenneberg).

---------------- VERSION 1.63 --------------
06/13/03; Update: Added 'mmtools' directory with 'dos' partitions
  and 'mmls'.
06/18/03: Update: Updated the documents in the 'doc' directory
06/19/03: Update: Updated error message for EXT3FS magic check
06/27/03: Update: Added slot & table number to mmls
07/08/03: Update: Added mac support to mmtools
07/11/03: Bug Fix: 'sorter' was not processing all unallocated meta
  data structures because of a regexp error.  (reported by Jeff Reava)
07/16/03: Update: Added support for FreeBSD5
07/16/03: Update: Added BSD disk labels to mmtools
07/28/03: Update: Relaxed requirements for DOS directory entries, the wtime
  can be zero (reported by Adam Uccello).  
07/30/03: Update: Added SUN VTOC to mmtools
07/31/03: Update: Added NetBSD support (adam@monkeybyte.org)
08/01/03: Update: Added more sanity checks to FAT so that it would not
  try and process NTFS images that have the same MAGIC value

---------------- VERSION 1.62 --------------
04/11/03: Bug Fix: 'fsstat' for an FFS file system could report data 
  fragments in the last group that were larger than the maximum 
  fragment
04/11/03: Bug Fix: 'ffs' allows the image to not be a multiple of the
  block size.  A read error occured when it tried to read the last
  fragments since a whole block could not be read.
04/15/03: Update: Added debug statements to FAT code.
04/26/03: Update: Added verbose statements to FAT code
04/26/03: Update: Added NOABORT flag to dls -s
04/26/03: Update: Added stderr messages for errors that are not aborted
  because of NOABORT
05/27/03: Update: Added 'mask' field to FATFS_INFO structure and changed
  code in fatfs.c to use it.
05/27/03: Update: isdentry now checks the starting cluster to see if
  it is a valid size.  
05/27/03: Bug Fix: Added a sanitizer to 'sorter' to remove invalid chars
  from the 'file' output and reduce the warnings from Perl.
05/28/03: Bug Fix: Improved sanitize expression in 'sorter'
05/28/03: Update: Added '-d' option to 'mactime' to allow output to be
  given in comma delimited format for importing into a spread sheet or
  other graphing tool
06/09/03: Update: Added hourly summary / indexing to mactime
06/09/03: Bug Fix: sorter would not allow linux-ext3 fstype


---------------- VERSION 1.61 --------------
02/05/03: Update: Started addition of image thumbnails to sorter
03/05/03: Update: Updated 'file' to version 3.41
03/16/03: Update: Added comments and NULL check to 'ifind'
03/16/03: Bug Fix: Added a valid magic of 0 for MFT entries.  This was
  found in an XP image.
03/26/03: Bug Fix: fls would crash for an inode of 0 and a clock skew
  was given.  fixed the bug in fls.c (debug help from Josep Homs)
03/26/03: Update: Added more verbose comments to ntfs_dent.c.
03/26/03: Bug Fix: 'ifind' for a path could return a result that was
  shorter than the requested name (strncmp was used)
03/26/03: Update: Short FAT names can be used in 'ifind -n' and 
  error messages were improved
03/26/03: Bug Fix: A final NTFS Index Buffer was not always processed in 
  ntfs_dent.c, which resulted in files not being shown.  This was fixed
  with debugging help from Matthew Shannon.
03/27/03: Update: Added an 'index.html' for image thumbnails in sorter
  and added a 'details' link from the thumbnail to the images.html file
03/27/03: Update: 'sorter' can now take a directory inode to start 
  processing
03/27/03: Update: added '-z' flag when running 'file' in 'sorter' so that
  compressed file contents are reported
03/27/03: Update: added '-i' flag to 'mactime' that creates a daily
  summary of events
03/27/03: Update: Added support for Version 2 of the NSRL in 'hfind'
04/01/03: Update: Added support for Hash Keeper to 'hfind'
04/01/03: Update: Added '-e' flag to 'hfind' for extended info 
  (currently hashkeeper only)


---------------- VERSION 1.60 --------------
10/31/02: Bug Fix: the unmounting status of EXT2FS in the 'fsstat' command
  was not correct (reported by Stephane Denis).  
11/24/02: Bug Fix: The -v argument was not allowed on istat or fls (Michael
  Stone)
11/24/02: Bug Fix: When doing an 'ifind' on a UNIX fs, it could abort if it
  looked at an unallocated inode with invalid indirect block pointers.
  This was fixed by adding a "NOABORT" flag to the walk code and adding
  error checks in the file system code instead of relying on the fs_io
  code.  (suggested by Micael Stone)
11/26/02: Update: ifind has a '-n' argument that allows one to specify a
  file name it and it searches to find the meta data structure for it
  (suggested by William Salusky).
11/26/02: Update: Now that there is a '-n' flag with 'ifind', the '-d'
  flag was added to specify the data unit address.  The old syntax of
  giving the data_unit at the end is no longer supported.  
11/27/02: Update: Added sanity checks on meta data and data unit addresses
  earlier in the code.
12/12/02: Update: Added additional debug statements to NTFS code
12/19/02: Update: Moved 'hash' directory to 'hashtools'
12/19/02: Update: Started development of 'hfind'
12/31/02: Update: Improved verbose debug statements to show full 64-bit 
  offsets
01/02/03: Update: Finished development of 'hfind' with ability to update
  for next version of NSRL (which may have a different format)
01/05/03: Bug Fix: FFS and EXT2FS symbolic link destinations where not
  properly NULL terminated and some extra chars were appended in 'fls'
  (later reported by Thorsten Zachmann)
01/06/03: Bug Fix: getu64() was not properly masking byte sizes and some
  data was being lost.  This caused incorrect times to be displayed in some
  NTFS files.
01/06/03: Bug Fix: ifind reported incorrect ownership for some UNIX
  file systems if the end fragments were allocated to a different file than
  the first ones were.
01/07/03: Update: Renamed the src/mactime directory to src/timeline.
01/07/03: Update: Updated README and man pages for hfind and sorter
01/12/03: Bug Fix: ntfs_mft_lookup was casting a 64-bit value to a 32-bit
  variable.  This caused MFT Magic errors.  Reported and debugged by 
  Keven Murphy
01/12/03: Update: Added verbose argument to 'fls'
01/12/03: Bug Fix: '-V' argument to 'istat' was doing verbose instead of 
  version
01/13/03: Update: Changed static sizes of OFF_T and DADDR_T in Linux 
  version to the actual 'off_t' and 'daddr_t' types
01/23/03: Update: Changed use of strtok_r to strtok in ifind.c so that
  Mac 10.1 could compile (Dave Goldsmith).
01/28/03: Update: Improved code in 'hfind' and 'sorter' to handle
  files with spaces in the path (Dave Goldsmith).

---------------- VERSION 1.52 --------------
09/24/02: Bug Fix: Memory leak in ntfs_dent_idxentry(), ntfs_find_file(),
  and ntfs_dent_walk()
09/24/02: Update: Removal of index sequences for index buffers is now
  done using upd_off, which will allow for NTFS to move the structure in
  the future.
09/26/02: Update: Added create time for NTFS / STANDARD_INFO to 
  istat output.
09/26/02: Update: Changed the method that the NTFS time is converted
  to UNIX time.  Should be more effecient.
10/09/02: Update: dcat error changed.
10/02/02: Update: Includes a Beta version of 'sorter'


---------------- VERSION 1.51 --------------
09/10/02: Bug Fix: Fixed a design bug that would not allow attribute 
  lists in $MFT.  This bug would generate an error that complained about
  an invalid MFT entry in attribute list.  
09/10/02: Update: The size of files and directories is now calculated
  after each time proc_attrseq() is called so that it is more up to date
  when dealing with attribute lists.  The size has the sizes of all
  $Data, $IDX_ROOT, and $IDX_ALLOC streams. 
09/10/02: Update: The maxinum number of MFT entries is now calculated
  each time an MFT entry is processed while loading the MFT.  This 
  allows us to reflect what the maximum possible MFT entry is at that
  given point based on how many attribute lists have been processed.
09/10/02: Update: Added file version 3.39 to distro (bigger magic files) 
  (Salusky)
09/10/02: Bug Fix: fs_data was wasting memory when it was allocated
09/10/02: Update: added a fs_data_alloc() function
09/12/02: Bug Fix: Do not give an error if an attribute list of an
  unallocated file points to an MFT that no longer claims it is a 
  member of the list.
09/12/02: Update: No longer need version to remove update sequence
  values from on-disk buffers
09/19/02: Bug Fix: fixed memory leak in ntfs_load_ver() 
09/19/02: Bug Fix: Update sequence errors were displayed because of a
  bug that occured when an MFT entry crossed a run in $MFT.  Only occured
  with 512-byte clusters and an odd number of clusters in a run.
09/19/02: Update: New argument to ils, istat, and fls that allows user to
  specify a time skew in seconds of the compromised system.  Originated
  from discussion at DFRWS II.  
09/19/02: Update: Added '-h' argument to mactime to display header info 

---------------- VERSION 1.50 --------------

04/21/02: icat now displays idxroot attribute for NTFS directories
04/21/02: fs_dent_print functions now are passed the FS_DATA structure 
  instead of the extra inode and name strings.  (NTFS)
04/21/02: fs_dent_print functions display alternate data stream size instead
 of the default data size (NTFS)
04/24/02: Fixed bug in istat that displayed too many fragments with ffs images 
04/24/02: Fixed bug in istat that did not display sparse files correctly
04/24/02: fsstat of FFS images now identifies the fragments at the 
  beginning of cyl groups as data fragments.
04/26/02: Fixed bug in ext2fs_dent_parse_block that did not advance the
  directory entry pointer far enough each time
04/26/02: Fixed bug in ext2fs_dent_parse_block so that gave an error if
  a file name was exactly 255 chars
04/29/02: Removed the getX functions from get.c as they are now macros
05/11/02: Added support for lowercase flag in FAT
05/11/02: Added support for sequence values (NTFS)
05/13/02: Added FS_FLAG_META for FAT
05/13/02: Changed ifind so that it looks the block up to identify if it is
  a meta data block when an inode can not be found
05/13/02: Added a conditional to ifind so that it handles sparse files better
05/19/02: Changed icat so that the default attribute type is set in the
  file_walk function
05/20/02: ils and dls now use boundary inode & block values if too large
  or small are given
05/21/02: istat now displays all NTFS times
05/21/02: Created functions to just display date and time
05/24/02: moved istat functionality to the specific file system file
05/25/02: added linux-ext3 flag, but no new features
05/25/02: Added sha1 (so Autopsy can use the NIST SW Database)
05/26/02: Fixed bug with FAT that did not return all slack space on file_walk
05/26/02: Added '-s' flag to dls to extract slack space of FAT and NTFS
06/07/02: fixed _timezone variable so correct times are shown in CYGWIN
06/11/02: *_copy_inode now sets the flags for the inode 
06/11/02: fixed bug in mactimes that displayed a duplicate entry with time 
  because of header entries in body file
06/12/02: Added ntfs.README doc
06/16/02: Added a comment to file Makefile to make it easier to compile for
  an IR CD.
06/18/02: Fixed NTFS bug that showed ADS when only deleted files were supposed
  to be shown (when ADS in directory)
06/19/02: added the day of the week to the mactime output (Tan)
07/09/02: Fixed bug that added extra chars to end of symlink destination
07/17/02: 1.50 Released 



---------------- VERSION 1.00 --------------
- Integrated TCT-1.09 and TCTUTILs-1.01
- Fixed bug in bcat if size is not given with type of swap.
- Added platform indep by including the structures of each file system type
- Added flags for large file support under linux
- blockcalc was off by 1 if calculated using the raw block number and
not the one that lazarus spits out (which start at 1)
- Changed the inode_walk and block_walk functions slightly to return a
value so that a walk can be ended in the middle of it.
- FAT support added
- Improved ifind to better handle fragments
- '-z' flag to fls and istat now use the time zone string instead of 
integer value.
- no longer prepend / in _dent
- verify that '-m' directory in fls ends with a '/' 
- identify the destination of sym links
- fsstat tool added
- fixed caching bug with FAT12 when the value overlapped cache entries
- added mactime
- removed the <inode> value in fls when printing mac format (inode is now printed in mactime)
- renamed src/misc directory to src/hash (it only has md5 and will have sha)
- renamed aux directory to misc (Windows doesn't allow aux as a name ??)
- Added support for Cygwin
- Use the flags in super block of EXT2FS to identify v1 or v2
- removed file system types of linux1 and linux2 and linux
- added file system type of linux-ext2 (as ext3 is becoming more popular)
- bug in file command that reported seek error for object files and STDIN