[Forensics-changes] [SCM] Tools for forensics analysis branch, debian, updated. debian/3.0.1-2-22-gb53e831
Daniel Baumann
daniel at debian.org
Wed Jul 29 17:22:04 UTC 2009
The following commit has been merged in the debian branch:
commit b53e83140830c6f162ad9e634917f309bc044423
Author: Daniel Baumann <daniel at debian.org>
Date: Wed Jul 29 19:21:32 2009 +0200
Rediffing patches with -Naurp for consistency.
diff --git a/debian/patches/01-fix-hfind-manpage.patch b/debian/patches/01-fix-hfind-manpage.patch
index c5870ef..550f33f 100644
--- a/debian/patches/01-fix-hfind-manpage.patch
+++ b/debian/patches/01-fix-hfind-manpage.patch
@@ -1,8 +1,10 @@
Author: Martin A. Godisch <godisch at debian.org>
Description: Adjust a verbose description in hfind(1) (see #411026).
---- a/man/hfind.1
-+++ b/man/hfind.1
-@@ -132,8 +132,9 @@
+
+diff -Naurp sleuthkit.orig/man/hfind.1 sleuthkit/man/hfind.1
+--- sleuthkit.orig/man/hfind.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/hfind.1 2009-07-29 17:20:00.000000000 +0000
+@@ -131,8 +131,9 @@ or
<...>
diff --git a/debian/patches/02-fix-hyphens-manpages.patch b/debian/patches/02-fix-hyphens-manpages.patch
index a3c6113..d63cc49 100644
--- a/debian/patches/02-fix-hyphens-manpages.patch
+++ b/debian/patches/02-fix-hyphens-manpages.patch
@@ -1,596 +1,9 @@
Author: Cristian Greco <cristian.debian at gmail.com>
-Description: fixes various lintian warnings about hyphens used as minus sign.
---- a/man/mactime.1
-+++ b/man/mactime.1
-@@ -16,14 +16,14 @@
- .SH DESCRIPTION
- .B mactime
- creates an ASCII time line of file activity based on the body file
--specified by '-b' or from STDIN. The time line is written to STDOUT.
-+specified by '\-b' or from STDIN. The time line is written to STDOUT.
- The body file must be in the time machine format that is created
--by 'ils -m', 'fls -m', or the mac-robber tool.
-+by 'ils \-m', 'fls \-m', or the mac-robber tool.
-
- .SH ARGUMENTS
- .IP "-b body"
- Specify the location of a body file. This file must be generated by
--a tool such as 'fls -m' or 'ils -m'. The 'mac-robber' and 'grave-robber'
-+a tool such as 'fls \-m' or 'ils \-m'. The 'mac-robber' and 'grave-robber'
- tools can also be used to generate the file.
- .IP "-g group file"
- Specify the location of the group file. mactime will display the group
-@@ -34,7 +34,7 @@
- .IP "-i day|hour index file"
- Specify the location of an index file to write to. The first argument
- specifies the granularity, either an hourly summary or daily. If the
--\'-d\' flag is given, then the summary will be seperated by a ',' to
-+\'\-d\' flag is given, then the summary will be seperated by a ',' to
- import into a spread sheet.
- .IP -d
- Display timeline and index files in comma delimited format. This is used
---- a/man/mmcat.1
-+++ b/man/mmcat.1
-@@ -17,7 +17,7 @@
-
- .SH ARGUMENTS
- .IP "-t mmtype"
--Specify the media management type. Use '-t list' to list the supported types. If not given, autodetection methods are used.
-+Specify the media management type. Use '\-t list' to list the supported types. If not given, autodetection methods are used.
- .IP "-o offset"
- Specify the offset into the image where the volume containing the
- partition system starts. The relative offset of the partition system
-@@ -29,7 +29,7 @@
- .IP -V
- Display version
- .IP "image [images]"
--One (or more if split) disk images whose format is given with '-i'.
-+One (or more if split) disk images whose format is given with '\-i'.
- .IP "part_num"
- Address of partition to process. See the mmls output to determine the address of the partitions.
-
---- a/man/mmls.1
-+++ b/man/mmls.1
-@@ -17,7 +17,7 @@
-
- .SH ARGUMENTS
- .IP "-t mmtype"
--Specify the media management type. Use '-t list' to list the supported types. If not given, autodetection methods are used.
-+Specify the media management type. Use '\-t list' to list the supported types. If not given, autodetection methods are used.
- .IP "-o offset"
- Specify the offset into the image where the volume containing the
- partition system starts. The relative offset of the partition system
-@@ -41,10 +41,10 @@
- .IP -M
- Hide metadata volumes
- .IP "image [images]"
--One (or more if split) disk images whose format is given with '-i'.
-+One (or more if split) disk images whose format is given with '\-i'.
-
- .PP
--\'mmls\' is similar to 'fdisk -lu' in Linux with a few differences.
-+\'mmls\' is similar to 'fdisk \-lu' in Linux with a few differences.
- Namely, it will show which sectors are not being used so that those
- can be searched for hidden data. It also gives the length value so
- that it can be plugged into 'dd' more easily for extracting the
-@@ -52,7 +52,7 @@
- NetBSD and will display the output in sectors and not cylinders.
- Lastly, it works on non-Linux systems.
-
--If none of -a, -A, -m, or -M are given then all volume types will
-+If none of \-a, \-A, \-m, or \-M are given then all volume types will
- be listed. If any of them are given, then only the types specified
- on the command line will be listed. Allocated volumes are those
- that are listed in a partition table in the volume system. Unallocated
-@@ -61,7 +61,7 @@
- the allocated and unallocated volumes and describe where the partition
- tables and other metadata structures are located. In some volume
- systems, these structures are in allocated space and in others they
--are in unallocated space. They can be hidden with -M.
-+are in unallocated space. They can be hidden with \-M.
-
- .SH "EXAMPLES"
- To list the partition table of a Windows system using autodetect:
-@@ -70,7 +70,7 @@
-
- To list the contents of a BSD system that starts in sector 12345 of a split image:
-
--# mmls -t bsd -o 12345 -i split disk-1.dd disk-2.dd
-+# mmls \-t bsd \-o 12345 \-i split disk-1.dd disk-2.dd
-
- .SH AUTHOR
- Brian Carrier <carrier at sleuthkit dot org>
---- a/man/mmstat.1
-+++ b/man/mmstat.1
-@@ -17,7 +17,7 @@
-
- .SH ARGUMENTS
- .IP "-t mmtype"
--Specify the media management type. Use '-t list' to list the supported types. If not given, autodetection methods are used.
-+Specify the media management type. Use '\-t list' to list the supported types. If not given, autodetection methods are used.
- .IP "-o offset"
- Specify the offset into the image where the volume containing the
- partition system starts. The relative offset of the partition system
-@@ -29,7 +29,7 @@
- .IP -V
- Display version
- .IP "image [images]"
--One (or more if split) disk images whose format is given with '-i'.
-+One (or more if split) disk images whose format is given with '\-i'.
-
- .SH AUTHOR
- Brian Carrier <carrier at sleuthkit dot org>
---- a/man/sigfind.1
-+++ b/man/sigfind.1
-@@ -33,15 +33,16 @@
- .IP -V
- Display version
- .IP [hex_signature]
--The binary signature that you are searching for. It must be given in hexadecimal format. This argument must exist if -t is not used.
-+The binary signature that you are searching for. It must be given in
-+hexadecimal format. This argument must exist if \-t is not used.
- .IP file
- Any raw data.
-
- .SH "EXAMPLES"
-
--sigfind -o 510 -l AA55 disk.dd
-+sigfind \-o 510 \-l AA55 disk.dd
-
--sigfind -t fat disk.dd
-+sigfind \-t fat disk.dd
-
-
- .SH AUTHOR
---- a/man/sorter.1
-+++ b/man/sorter.1
-@@ -37,17 +37,17 @@
-
- .SH ARGUMENTS
- The required arguments are as follows. This will analyze one or more
--images and either save the results in the '-d' directory or list
--the results to STDOUT (if '-l' is given).
-+images and either save the results in the '\-d' directory or list
-+the results to STDOUT (if '\-l' is given).
-
- .IP "-d dir"
- Specify the location of where all files should be written. This includes
--the index files and subdirectories if the '-s' flag is given.
--This MUST be given, unless the '-l' list flag is given.
-+the index files and subdirectories if the '\-s' flag is given.
-+This MUST be given, unless the '\-l' list flag is given.
- .IP -l
- List information to STDOUT (no files are ever written). This is useful
- for Incident Response, with the use of 'netcat'. This cannot be used
--if '-d' is used.
-+if '\-d' is used.
- .IP images
- The file names of the image(s) to analyze.
-
-@@ -77,7 +77,7 @@
- Specify the location of the ONLY configuration file. The standard config
- files will not be loaded if this option is given. For example, in the
- \'share/sort\' directory there is a file called 'images.sort'. This file
--contains only rules about graphic images. If it is specified with -C, then
-+contains only rules about graphic images. If it is specified with \-C, then
- only images will be saved about the image.
- .IP "-m mnt"
- Specify the mounting point of the image being analyzed. This is only
-@@ -119,8 +119,8 @@
- Calculate the SHA-1 value for each file and save it in the category file.
- .IP -s
- Save the actual file content to sub-directories in the directory
--specified by '-d'. For example, all JPG and GIF files would actually be
--saved in the 'images' directory. If '-h' is also given, thumbnails of
-+specified by '\-d'. For example, all JPG and GIF files would actually be
-+saved in the 'images' directory. If '\-h' is also given, thumbnails of
- graphic images are also created.
- .IP -v
- Display verbose information
-@@ -136,7 +136,7 @@
- is a Perl script that interacts with other The Sleuth Kit tools. It starts
- by reading the configuration files from the installation directory.
- There is a general configuration file and a specific one for each
--operating system. The specific one is determined from the '-f'
-+operating system. The specific one is determined from the '\-f'
- flag. Each configuration file contains rules for processing the
- output of the 'file' command. One type of line identifies which
- category (i.e. 'images') a given 'file' output belongs to (i.e.
-@@ -157,7 +157,7 @@
- header information).
- The configuration file rules are used to identify which category
- it belongs to. An entry is added to the corresponding category
--file (in the '-d dir' directory). If the '-s' flag is given, then
-+file (in the '\-d dir' directory). If the '\-s' flag is given, then
- a copy of the file is saved in a subdirectory of the same name as
- the category. If the HTML format is used, then hyper-links will
- allow one to easily view saved files and view what is in each
-@@ -168,9 +168,9 @@
- structure that 'file' does not know and 'unknown' is for files with
- a structure that 'file' knows about. These are saved for future
- reference, but the unknown category can be ignored by using
--the '-U' flag.
-+the '\-U' flag.
-
--A copy of the files can be saved by using the '-s' flag. If so,
-+A copy of the files can be saved by using the '\-s' flag. If so,
- then the files are saved in a subdirectory that is named with
- the category name. Each file is named using the file system image
- name followed by the meta data address and the original file
-@@ -207,7 +207,7 @@
- entries for common file types. A specific operating system file also
- exists, which is useful for extensions that are specific to a given OS.
- By default, the default file and the OS specific one will be used. Using
--the '-c' flag, an additional file can be used. If the '-C' flag is used,
-+the '\-c' flag, an additional file can be used. If the '\-C' flag is used,
- then only the supplied configuration file is used.
-
- There are two rule types in the configuration files. Each rule starts
-@@ -262,22 +262,22 @@
- .SH EXAMPLES
- To run sorter with no hash databases, the following can be used:
-
-- # sorter -f ntfs -d data/sorter images/hda1.dd
-+ # sorter \-f ntfs \-d data/sorter images/hda1.dd
-
-- # sorter -d data/sorter images/hda1.dd
-+ # sorter \-d data/sorter images/hda1.dd
-
-- # sorter -i raw -f ntfs -o 63 -d data/sorter images/hda.dd
-+ # sorter \-i raw \-f ntfs \-o 63 \-d data/sorter images/hda.dd
-
- To include the NSRL, an exclude, and an alert hash database:
-
-- # sorter -f ntfs -d data/sorter -a /usr/hash/rootkit.db \
-- -x /usr/hash/win2k.db -n /usr/hash/nsrl/NSRLFile.txt \
-+ # sorter \-f ntfs \-d data/sorter \-a /usr/hash/rootkit.db \
-+ \-x /usr/hash/win2k.db \-n /usr/hash/nsrl/NSRLFile.txt \
- images/hda1.dd
-
- To just identify images using the supplied 'images.sort' file:
-
-- # sorter -f ntfs -C /usr/local/sleuthkit/share/sort/images.sort \
-- -d data/sorter -h -s images/hda1.dd
-+ # sorter \-f ntfs \-C /usr/local/sleuthkit/share/sort/images.sort \
-+ \-d data/sorter \-h \-s images/hda1.dd
-
- .SH REQUIREMENTS
- The NIST National Software Reference Library (NSRL) can be found at
---- a/man/img_cat.1
-+++ b/man/img_cat.1
-@@ -13,13 +13,13 @@
-
- .SH ARGUMENTS
- .IP "-i imgtype"
--Identify the type of image file, such as raw, split, or aff. Use '-i list' to list the supported types. If not given, autodetection methods are used.
-+Identify the type of image file, such as raw, split, or aff. Use '\-i list' to list the supported types. If not given, autodetection methods are used.
- .IP -v
- Verbose output of debugging statements to stderr
- .IP -V
- Display version
- .IP "image [images]"
--One (or more if split) disk or partition images whose format is given with '-i'.
-+One (or more if split) disk or partition images whose format is given with '\-i'.
-
- .SH AUTHOR
- Brian Carrier <carrier at sleuthkit dot org>
---- a/man/img_stat.1
-+++ b/man/img_stat.1
-@@ -12,7 +12,7 @@
-
- .SH ARGUMENTS
- .IP "-i imgtype"
--Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection methods are used.
-+Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types. If not given, autodetection methods are used.
- .IP "-t"
- Print the image type only.
- .IP -v
-@@ -20,7 +20,7 @@
- .IP -V
- Display version
- .IP "image [images]"
--One (or more if split) disk or partition images whose format is given with '-i'.
-+One (or more if split) disk or partition images whose format is given with '\-i'.
-
- .SH AUTHOR
- Brian Carrier <carrier at sleuthkit dot org>
---- a/man/istat.1
-+++ b/man/istat.1
-@@ -23,13 +23,13 @@
- unallocated with size 0, but still has block pointers.
- .IP "-f fstype"
- Specify the file system type.
--Use '-f list' to list the supported file system types.
-+Use '\-f list' to list the supported file system types.
- If not given, autodetection methods are used.
- .IP "-s seconds"
- The time skew of the original system in seconds. For example, if the
--original system was 100 seconds slow, this value would be -100.
-+original system was 100 seconds slow, this value would be \-100.
- .IP "-i imgtype"
--Identify the type of image file, such as raw or split. Use '-i list' to list the supported types.
-+Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types.
- If not given, autodetection methods are used.
- .IP "-o imgoffset"
- The sector offset where the file system starts in the image. Non-512 byte
-@@ -43,7 +43,7 @@
- GMT. These strings are defined by the operating system and may
- vary. NOTE: This has changed since TCTUTILs.
- .IP "image [images]"
--One (or more if split) disk or partition images whose format is given with '-i'.
-+One (or more if split) disk or partition images whose format is given with '\-i'.
- .IP inode
- Meta-data number to display stats on
-
---- a/man/jcat.1
-+++ b/man/jcat.1
-@@ -20,9 +20,9 @@
-
- .SH ARGUMENTS
- .IP "-f fstype"
--Specify the file system type. Use '-f list' to list the supported file system types. If not given, autodetection methods are used.
-+Specify the file system type. Use '\-f list' to list the supported file system types. If not given, autodetection methods are used.
- .IP "-i imgtype"
--Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection methods are used.
-+Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types. If not given, autodetection methods are used.
- .IP "-o imgoffset"
- The sector offset where the file system starts in the image. Non-512 byte
- sectors can be specified using '@' (32 at 2048).
-@@ -30,8 +30,8 @@
- Display version
- .IP -v
- verbose output
--.IP image [images]
--One (or more if split) disk or partition images whose format is given with '-i'.
-+.IP "image [images]"
-+One (or more if split) disk or partition images whose format is given with '\-i'.
- .IP [inode]
- The inode where the file system journal can be found.
-
-@@ -40,7 +40,7 @@
-
- .SH "EXAMPLES"
-
--jcat -f linux-ext3 img.dd 34 | xxd
-+jcat \-f linux-ext3 img.dd 34 | xxd
-
- .SH AUTHOR
- Brian Carrier <carrier at sleuthkit dot org>
---- a/man/jls.1
-+++ b/man/jls.1
-@@ -17,9 +17,9 @@
- .SH ARGUMENTS
- .IP "-f fstype"
- Specify the file system type.
--Use '-f list' to list the supported file system types. If not given, autodetection methods are used.
-+Use '\-f list' to list the supported file system types. If not given, autodetection methods are used.
- .IP "-i imgtype"
--Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection methods are used.
-+Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types. If not given, autodetection methods are used.
- .IP "-o imgoffset"
- The sector offset where the file system starts in the image. Non-512 byte
- sectors can be specified using '@' (32 at 2048).
-@@ -28,13 +28,13 @@
- .IP -v
- verbose output
- .IP "image [images]"
--One (or more if split) disk or partition images whose format is given with '-i'.
-+One (or more if split) disk or partition images whose format is given with '\-i'.
- .IP [inode]
- The inode where the file system journal can be found.
-
- .SH "EXAMPLES"
-
--jls -f linux-ext3 img.dd
-+jls \-f linux-ext3 img.dd
-
- .SH AUTHOR
- Brian Carrier <carrier at sleuthkit dot org>
---- a/man/ifind.1
-+++ b/man/ifind.1
-@@ -17,7 +17,7 @@
- .SH ARGUMENTS
- There are several required and optional arguments. The image file names must be specified each time:
- .IP "image [images]"
--One (or more if split) disk or partition images whose format is given with '-i'..PP
-+One (or more if split) disk or partition images whose format is given with '\-i'..PP
-
- You must also specify what you are looking for and include one of the following:
- .IP "-d data_unit"
-@@ -29,7 +29,7 @@
-
- .IP "-p par_inode"
- Finds the unallocated MFT entries in an NTFS image that have the given
--inode as the parent. Can be used with '-l and -z'.
-+inode as the parent. Can be used with '\-l and \-z'.
-
- .PP
- There are also several optional arguments:
-@@ -37,12 +37,12 @@
- Find all meta-data structures (only works when looking with a data_unit).
- .IP "-f fstype"
- Specify the file system type.
--Use '-f list' to list the supported file system types.
-+Use '\-f list' to list the supported file system types.
- If not given, autodetection methods are used.
- .IP "-l"
--List the details of each file found with '-p', like 'fls -l'.
-+List the details of each file found with '\-p', like 'fls \-l'.
- .IP "-i imgtype"
--Identify the type of image file, such as raw or split. Use '-i list' to list the supported types.
-+Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types.
- If not given, autodetection methods are used.
- .IP "-o imgoffset"
- The sector offset where the file system starts in the image. Non-512 byte
-@@ -51,16 +51,16 @@
- Verbose output to stderr.
- .IP -V
- Display version.
--.IP -z ZONE
--If '-p -l' were given, this will set the timezone for the correct times.
-+.IP "-z ZONE"
-+If '\-p \-l' were given, this will set the timezone for the correct times.
-
- .SH "EXAMPLES"
-
--# ifind -f fat -d 456 fat-img.dd
-+# ifind \-f fat \-d 456 fat-img.dd
-
--# ifind -f linux-ext2 -n "/etc/" linux-img.dd
-+# ifind \-f linux-ext2 \-n "/etc/" linux-img.dd
-
--# ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
-+# ifind \-f ntfs \-p 5 \-l \-z EST5EDT ntfs-img.dd
-
- .SH AUTHOR
- Brian Carrier <carrier at sleuthkit dot org>
---- a/man/ils.1
-+++ b/man/ils.1
-@@ -36,18 +36,18 @@
- List every inode in the file system.
- .IP "\fB-f\fI fstype\fR"
- Specifies the file system type.
--Use '-f list' to list the supported file system types.
-+Use '\-f list' to list the supported file system types.
- If not given, autodetection methods are used.
- .IP "\fB-s\fI seconds\fR"
- The time skew of the original system in seconds. For example, if the
--original system was 100 seconds slow, this value would be -100.
-+original system was 100 seconds slow, this value would be \-100.
- .IP \fB-m\fR
- Display the inode details in the format that the mactime program reads
- (replaces the ils2mac script from TCT)
- .IP \fB-O\fR
- List only inodes of removed files that are still open or executing.
- This option is short-hand notation for \fB-aL\fR
--"(see the \fBfine controls\fR section below). (this used to be -o).
-+"(see the \fBfine controls\fR section below). (this used to be \-o).
- .IP \fB-p\fR
- Display orphan inodes (unallocated with no file name)
- .IP \fB-r\fR
-@@ -55,7 +55,7 @@
- for \fB-LZ\fR
- (see the \fBfine controls\fR section below).
- .IP "-i imgtype"
--Identify the type of image file, such as raw or split. Use '-i list' to list the supported types.
-+Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types.
- If not given, autodetection methods are used.
- .IP "-o imgoffset"
- The sector offset where the file system starts in the image. Non-512 byte
-@@ -65,7 +65,7 @@
- .IP \fB-V\fR
- Display Version.
- .IP "image [images]"
--One (or more if split) disk or partition images whose format is given with '-i'.
-+One (or more if split) disk or partition images whose format is given with '\-i'.
- .IP "\fIstart-stop\fR"
- Examine the specified inode number or number range.
- .PP
---- a/man/hfind.1
-+++ b/man/hfind.1
-@@ -16,7 +16,7 @@
- Library (NSRL) and the output of 'md5sum'.
-
- Before the database can be used by 'hfind', an index file must be created
--with the '-i' option.
-+with the '\-i' option.
-
- This tool is needed for efficiency. Most text-based databases do
- not have fixed length entries and are sometimes not sorted. The
-@@ -53,7 +53,7 @@
- uses an index file to perform a binary search for a hash value. This
- is much faster than using 'grep', which will do a linear search. Before
- a hash database is used, a corresponding index file must be created.
--This is done with the '-i' option to hfind.
-+This is done with the '\-i' option to hfind.
-
- The resulting index file will be named based on the database file name.
- The name will have the original name following by the hash type (sha1
-@@ -81,7 +81,7 @@
- .SH EXAMPLES
- To create an MD5 index file for NIST NSRL:
-
-- # hfind -i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt
-+ # hfind \-i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt
-
- To lookup a value in the NSRL:
-
-@@ -91,10 +91,11 @@
-
- You can even do both SHA-1 and MD5 if you want:
-
-- # hfind -i nsrl-sha1 /usr/local/hash/nsrl/NSRLFile.txt
-+ # hfind \-i nsrl-sha1 /usr/local/hash/nsrl/NSRLFile.txt
-
-- # hfind /usr/local/hash/nsrl/NSRLFile.txt
-- 76b1f4de1522c20b67acc132937cf82e 80001A80B3F1B80076B297CEE8805AAA04E1B5BA
-+ # hfind /usr/local/hash/nsrl/NSRLFile.txt
-+ 76b1f4de1522c20b67acc132937cf82e
-+ 80001A80B3F1B80076B297CEE8805AAA04E1B5BA
-
- 76b1f4de1522c20b67acc132937cf82e Hash Not Found
-
-@@ -104,7 +105,7 @@
-
- # md5sum /bin/* /sbin/* /usr/bin/* /usr/bin/* /usr/local/bin/* /usr/local/sbin/* > system.md5
-
-- # hfind -i md5sum system.md5
-+ # hfind \-i md5sum system.md5
-
- To look entries up, the following will work:
-
-@@ -114,7 +115,7 @@
-
- or
-
-- # md5sum -q /bin/* | hfind system.md5
-+ # md5sum \-q /bin/* | hfind system.md5
-
- 928682269cd3edb1acdf9a7f7e606ff2 /bin/bash
-
-@@ -122,9 +123,9 @@
-
- or
-
-- # md5sum -q /bin/* > bin.md5
-+ # md5sum \-q /bin/* > bin.md5
-
-- # hfind -f bin.md5 system.md5
-+ # hfind \-f bin.md5 system.md5
-
- 928682269cd3edb1acdf9a7f7e606ff2 /bin/bash
-
---- a/man/icat.1
-+++ b/man/icat.1
-@@ -21,7 +21,7 @@
- .SH ARGUMENTS
- .IP "-f fstype"
- Specifies the file system type.
--Use '-f list' to list the supported file system types.
-+Use '\-f list' to list the supported file system types.
- If not given, autodetection methods are used.
- .IP -h
- Skip over holes in sparse files, so that absolute address information
-@@ -31,7 +31,7 @@
- .IP -s
- Include the slack space in the output.
- .IP "-i imgtype"
--Identify the type of image file, such as raw or split. Use '-i list' to list the supported types.
-+Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types.
- If not given, autodetection methods are used.
- .IP "-o imgoffset"
- The sector offset where the file system starts in the image. Non-512 byte
-@@ -41,7 +41,7 @@
- .IP -V
- Display version
- .IP "image [images]"
--One (or more if split) disk or partition images whose format is given with '-i'.
-+One (or more if split) disk or partition images whose format is given with '\-i'.
- .IP inode
- Inode number. \fBicat\fR concatenates the contents of all specified
- files.
---- a/man/blkcalc.1
-+++ b/man/blkcalc.1
+Description: Fixes various lintian warnings about hyphens used as minus sign.
+
+diff -Naurp sleuthkit.orig/man/blkcalc.1 sleuthkit/man/blkcalc.1
+--- sleuthkit.orig/man/blkcalc.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/blkcalc.1 2009-07-29 17:20:40.000000000 +0000
@@ -3,8 +3,7 @@
blkcalc \- Converts between unallocated disk unit numbers and regular
disk unit numbers.
@@ -601,7 +14,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.SH DESCRIPTION
.B blkcalc
creates a disk unit number mapping between two images, one normal and
-@@ -34,7 +33,7 @@
+@@ -34,7 +33,7 @@ from
.B -s
option is given, then the
.B unit_addr
@@ -610,7 +23,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
The
.B image
is the full, original image (i.e. from dd).
-@@ -44,11 +43,11 @@
+@@ -44,11 +43,11 @@ was called
in TSK versions prior to 3.0.0.
.IP "-f fstype"
@@ -625,7 +38,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
If not given, autodetection methods are used.
.IP "-o imgoffset"
The sector offset where the file system starts in the image. Non-512 byte
-@@ -66,7 +65,7 @@
+@@ -66,7 +65,7 @@ This allows one to identify the original
better documentation.
.SH EXAMPLE
@@ -634,9 +47,10 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.SH "SEE ALSO"
.BR blkls (1),
---- a/man/blkcat.1
-+++ b/man/blkcat.1
-@@ -21,23 +21,23 @@
+diff -Naurp sleuthkit.orig/man/blkcat.1 sleuthkit/man/blkcat.1
+--- sleuthkit.orig/man/blkcat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/blkcat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -21,23 +21,23 @@ in TSK versions prior to 3.0.0.
.SH ARGUMENTS
.IP -a
Display the contents in ASCII
@@ -665,7 +79,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
If not given, autodetection methods are used.
.IP "-o imgoffset"
The sector offset where the file system starts in the image. Non-512 byte
-@@ -49,10 +49,10 @@
+@@ -49,10 +49,10 @@ Display version.
.IP -w
Display the contents in an HTML table format.
.IP "image [images]"
@@ -678,9 +92,10 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.IP num
Number of data units to display.
---- a/man/blkls.1
-+++ b/man/blkls.1
-@@ -31,16 +31,16 @@
+diff -Naurp sleuthkit.orig/man/blkls.1 sleuthkit/man/blkls.1
+--- sleuthkit.orig/man/blkls.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/blkls.1 2009-07-29 17:20:40.000000000 +0000
+@@ -31,16 +31,16 @@ in TCT.
.IP -e
Copy every block. The output should be similar to dd.
.IP -a
@@ -701,7 +116,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
If not given, autodetection methods are used.
.IP "-o imgoffset"
The sector offset where the file system starts in the image. Non-512 byte
-@@ -54,7 +54,7 @@
+@@ -54,7 +54,7 @@ Turn on verbose mode, output to stderr.
.IP -V
Display version.
.IP "image [images]"
@@ -710,9 +125,10 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.IP "start-stop ..."
Examine the specified block number or number range.
.SH LICENSE
---- a/man/blkstat.1
-+++ b/man/blkstat.1
-@@ -16,10 +16,10 @@
+diff -Naurp sleuthkit.orig/man/blkstat.1 sleuthkit/man/blkstat.1
+--- sleuthkit.orig/man/blkstat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/blkstat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -16,10 +16,10 @@ in TSK versions prior to 3.0.0.
.SH ARGUMENTS
.IP "-f fstype"
@@ -725,7 +141,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
If not given, autodetection methods are used.
.IP "-o imgoffset"
The sector offset where the file system starts in the image. Non-512 byte
-@@ -29,7 +29,7 @@
+@@ -29,7 +29,7 @@ Verbose output of debugging statements t
.IP -V
Display version
.IP "image [images]"
@@ -734,9 +150,10 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.IP addr
Address to display stats on. This is a fragment for UNIX file systems or
a sector for FAT.
---- a/man/ffind.1
-+++ b/man/ffind.1
-@@ -15,7 +15,7 @@
+diff -Naurp sleuthkit.orig/man/ffind.1 sleuthkit/man/ffind.1
+--- sleuthkit.orig/man/ffind.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/ffind.1 2009-07-29 17:20:40.000000000 +0000
+@@ -15,7 +15,7 @@ some file systems, this will find delete
.SH ARGUMENTS
.IP "image [images]"
@@ -745,7 +162,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.IP inode
Integer of inode to find.
-@@ -26,12 +26,12 @@
+@@ -26,12 +26,12 @@ Find all occurrences of inode.
Find deleted entries only.
.IP "-f fstype"
Identify the file system type of the image.
@@ -760,7 +177,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
If not given, autodetection methods are used.
.IP "-o imgoffset"
The sector offset where the file system starts in the image. Non-512 byte
-@@ -48,7 +48,7 @@
+@@ -48,7 +48,7 @@ from a disk unit address using
.BR ifind(1).
.SH EXAMPLE
@@ -769,9 +186,10 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.SH "SEE ALSO"
.BR ifind (1)
.SH AUTHOR
---- a/man/fls.1
-+++ b/man/fls.1
-@@ -37,7 +37,7 @@
+diff -Naurp sleuthkit.orig/man/fls.1 sleuthkit/man/fls.1
+--- sleuthkit.orig/man/fls.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/fls.1 2009-07-29 17:20:40.000000000 +0000
+@@ -37,7 +37,7 @@ Display deleted entries only
Display directory entries only
.IP "-f fstype"
The type of file system.
@@ -780,7 +198,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
If not given, autodetection methods are used.
.IP -F
Display file (all non-directory) entries only.
-@@ -60,10 +60,10 @@
+@@ -60,10 +60,10 @@ Recursively display directories. This w
follow deleted directories, because it can't.
.IP "-s seconds"
The time skew of the original system in seconds. For example, if the
@@ -794,7 +212,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
If not given, autodetection methods are used.
.IP "-o imgoffset"
The sector offset where the file system starts in the image. Non-512 byte
-@@ -79,7 +79,7 @@
+@@ -79,7 +79,7 @@ The ASCII string of the time zone of the
example, EST or GMT. These strings must be defined by your operating
system and may vary.
.IP "image [images]"
@@ -803,7 +221,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.PP
Once the inode has been determined, the file can be recovered using
-@@ -94,27 +94,27 @@
+@@ -94,27 +94,27 @@ find what file name belongs to an inode,
.SH EXAMPLES
To get a list of all files and directories in an image use:
@@ -837,9 +255,10 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.SH "SEE ALSO"
---- a/man/fsstat.1
-+++ b/man/fsstat.1
-@@ -23,10 +23,10 @@
+diff -Naurp sleuthkit.orig/man/fsstat.1 sleuthkit/man/fsstat.1
+--- sleuthkit.orig/man/fsstat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/fsstat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -23,10 +23,10 @@ Note that the data is in sectors and not
Print the file system type only.
.IP "-f fstype"
Specify the file system type.
@@ -852,7 +271,7 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
If not given, autodetection methods are used.
.IP "-o imgoffset"
The sector offset where the file system starts in the image. Non-512 byte
-@@ -36,7 +36,7 @@
+@@ -36,7 +36,7 @@ Verbose output of debugging statements t
.IP -V
Display version
.IP "image [images]"
@@ -861,3 +280,607 @@ Description: fixes various lintian warnings about hyphens used as minus sign.
.SH AUTHOR
Brian Carrier <carrier at sleuthkit dot org>
+diff -Naurp sleuthkit.orig/man/hfind.1 sleuthkit/man/hfind.1
+--- sleuthkit.orig/man/hfind.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/hfind.1 2009-07-29 17:20:40.000000000 +0000
+@@ -16,7 +16,7 @@ is known or not. It works with the NIST
+ Library (NSRL) and the output of 'md5sum'.
+
+ Before the database can be used by 'hfind', an index file must be created
+-with the '-i' option.
++with the '\-i' option.
+
+ This tool is needed for efficiency. Most text-based databases do
+ not have fixed length entries and are sometimes not sorted. The
+@@ -53,7 +53,7 @@ types of hashes can be given at runtime.
+ uses an index file to perform a binary search for a hash value. This
+ is much faster than using 'grep', which will do a linear search. Before
+ a hash database is used, a corresponding index file must be created.
+-This is done with the '-i' option to hfind.
++This is done with the '\-i' option to hfind.
+
+ The resulting index file will be named based on the database file name.
+ The name will have the original name following by the hash type (sha1
+@@ -81,7 +81,7 @@ and
+ .SH EXAMPLES
+ To create an MD5 index file for NIST NSRL:
+
+- # hfind -i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt
++ # hfind \-i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt
+
+ To lookup a value in the NSRL:
+
+@@ -91,10 +91,11 @@ To lookup a value in the NSRL:
+
+ You can even do both SHA-1 and MD5 if you want:
+
+- # hfind -i nsrl-sha1 /usr/local/hash/nsrl/NSRLFile.txt
++ # hfind \-i nsrl-sha1 /usr/local/hash/nsrl/NSRLFile.txt
+
+- # hfind /usr/local/hash/nsrl/NSRLFile.txt
+- 76b1f4de1522c20b67acc132937cf82e 80001A80B3F1B80076B297CEE8805AAA04E1B5BA
++ # hfind /usr/local/hash/nsrl/NSRLFile.txt
++ 76b1f4de1522c20b67acc132937cf82e
++ 80001A80B3F1B80076B297CEE8805AAA04E1B5BA
+
+ 76b1f4de1522c20b67acc132937cf82e Hash Not Found
+
+@@ -104,7 +105,7 @@ To make a database of critical binaries
+
+ # md5sum /bin/* /sbin/* /usr/bin/* /usr/bin/* /usr/local/bin/* /usr/local/sbin/* > system.md5
+
+- # hfind -i md5sum system.md5
++ # hfind \-i md5sum system.md5
+
+ To look entries up, the following will work:
+
+@@ -114,7 +115,7 @@ To look entries up, the following will w
+
+ or
+
+- # md5sum -q /bin/* | hfind system.md5
++ # md5sum \-q /bin/* | hfind system.md5
+
+ 928682269cd3edb1acdf9a7f7e606ff2 /bin/bash
+
+@@ -122,9 +123,9 @@ or
+
+ or
+
+- # md5sum -q /bin/* > bin.md5
++ # md5sum \-q /bin/* > bin.md5
+
+- # hfind -f bin.md5 system.md5
++ # hfind \-f bin.md5 system.md5
+
+ 928682269cd3edb1acdf9a7f7e606ff2 /bin/bash
+
+diff -Naurp sleuthkit.orig/man/icat.1 sleuthkit/man/icat.1
+--- sleuthkit.orig/man/icat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/icat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -21,7 +21,7 @@ number to standard output.
+ .SH ARGUMENTS
+ .IP "-f fstype"
+ Specifies the file system type.
+-Use '-f list' to list the supported file system types.
++Use '\-f list' to list the supported file system types.
+ If not given, autodetection methods are used.
+ .IP -h
+ Skip over holes in sparse files, so that absolute address information
+@@ -31,7 +31,7 @@ Use file recovery techniques if the file
+ .IP -s
+ Include the slack space in the output.
+ .IP "-i imgtype"
+-Identify the type of image file, such as raw or split. Use '-i list' to list the supported types.
++Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types.
+ If not given, autodetection methods are used.
+ .IP "-o imgoffset"
+ The sector offset where the file system starts in the image. Non-512 byte
+@@ -41,7 +41,7 @@ Enable verbose mode, output to stderr.
+ .IP -V
+ Display version
+ .IP "image [images]"
+-One (or more if split) disk or partition images whose format is given with '-i'.
++One (or more if split) disk or partition images whose format is given with '\-i'.
+ .IP inode
+ Inode number. \fBicat\fR concatenates the contents of all specified
+ files.
+diff -Naurp sleuthkit.orig/man/ifind.1 sleuthkit/man/ifind.1
+--- sleuthkit.orig/man/ifind.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/ifind.1 2009-07-29 17:20:40.000000000 +0000
+@@ -17,7 +17,7 @@ the results.
+ .SH ARGUMENTS
+ There are several required and optional arguments. The image file names must be specified each time:
+ .IP "image [images]"
+-One (or more if split) disk or partition images whose format is given with '-i'..PP
++One (or more if split) disk or partition images whose format is given with '\-i'..PP
+
+ You must also specify what you are looking for and include one of the following:
+ .IP "-d data_unit"
+@@ -29,7 +29,7 @@ Finds the meta data structure that is po
+
+ .IP "-p par_inode"
+ Finds the unallocated MFT entries in an NTFS image that have the given
+-inode as the parent. Can be used with '-l and -z'.
++inode as the parent. Can be used with '\-l and \-z'.
+
+ .PP
+ There are also several optional arguments:
+@@ -37,12 +37,12 @@ There are also several optional argument
+ Find all meta-data structures (only works when looking with a data_unit).
+ .IP "-f fstype"
+ Specify the file system type.
+-Use '-f list' to list the supported file system types.
++Use '\-f list' to list the supported file system types.
+ If not given, autodetection methods are used.
+ .IP "-l"
+-List the details of each file found with '-p', like 'fls -l'.
++List the details of each file found with '\-p', like 'fls \-l'.
+ .IP "-i imgtype"
+-Identify the type of image file, such as raw or split. Use '-i list' to list the supported types.
++Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types.
+ If not given, autodetection methods are used.
+ .IP "-o imgoffset"
+ The sector offset where the file system starts in the image. Non-512 byte
+@@ -51,16 +51,16 @@ sectors can be specified using '@' (32 at 2
+ Verbose output to stderr.
+ .IP -V
+ Display version.
+-.IP -z ZONE
+-If '-p -l' were given, this will set the timezone for the correct times.
++.IP "-z ZONE"
++If '\-p \-l' were given, this will set the timezone for the correct times.
+
+ .SH "EXAMPLES"
+
+-# ifind -f fat -d 456 fat-img.dd
++# ifind \-f fat \-d 456 fat-img.dd
+
+-# ifind -f linux-ext2 -n "/etc/" linux-img.dd
++# ifind \-f linux-ext2 \-n "/etc/" linux-img.dd
+
+-# ifind -f ntfs -p 5 -l -z EST5EDT ntfs-img.dd
++# ifind \-f ntfs \-p 5 \-l \-z EST5EDT ntfs-img.dd
+
+ .SH AUTHOR
+ Brian Carrier <carrier at sleuthkit dot org>
+diff -Naurp sleuthkit.orig/man/ils.1 sleuthkit/man/ils.1
+--- sleuthkit.orig/man/ils.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/ils.1 2009-07-29 17:20:40.000000000 +0000
+@@ -36,18 +36,18 @@ Arguments:
+ List every inode in the file system.
+ .IP "\fB-f\fI fstype\fR"
+ Specifies the file system type.
+-Use '-f list' to list the supported file system types.
++Use '\-f list' to list the supported file system types.
+ If not given, autodetection methods are used.
+ .IP "\fB-s\fI seconds\fR"
+ The time skew of the original system in seconds. For example, if the
+-original system was 100 seconds slow, this value would be -100.
++original system was 100 seconds slow, this value would be \-100.
+ .IP \fB-m\fR
+ Display the inode details in the format that the mactime program reads
+ (replaces the ils2mac script from TCT)
+ .IP \fB-O\fR
+ List only inodes of removed files that are still open or executing.
+ This option is short-hand notation for \fB-aL\fR
+-"(see the \fBfine controls\fR section below). (this used to be -o).
++"(see the \fBfine controls\fR section below). (this used to be \-o).
+ .IP \fB-p\fR
+ Display orphan inodes (unallocated with no file name)
+ .IP \fB-r\fR
+@@ -55,7 +55,7 @@ Display orphan inodes (unallocated with
+ for \fB-LZ\fR
+ (see the \fBfine controls\fR section below).
+ .IP "-i imgtype"
+-Identify the type of image file, such as raw or split. Use '-i list' to list the supported types.
++Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types.
+ If not given, autodetection methods are used.
+ .IP "-o imgoffset"
+ The sector offset where the file system starts in the image. Non-512 byte
+@@ -65,7 +65,7 @@ Turn on verbose mode, output to stderr.
+ .IP \fB-V\fR
+ Display Version.
+ .IP "image [images]"
+-One (or more if split) disk or partition images whose format is given with '-i'.
++One (or more if split) disk or partition images whose format is given with '\-i'.
+ .IP "\fIstart-stop\fR"
+ Examine the specified inode number or number range.
+ .PP
+diff -Naurp sleuthkit.orig/man/img_cat.1 sleuthkit/man/img_cat.1
+--- sleuthkit.orig/man/img_cat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/img_cat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -13,13 +13,13 @@ the appropriate tool.
+
+ .SH ARGUMENTS
+ .IP "-i imgtype"
+-Identify the type of image file, such as raw, split, or aff. Use '-i list' to list the supported types. If not given, autodetection methods are used.
++Identify the type of image file, such as raw, split, or aff. Use '\-i list' to list the supported types. If not given, autodetection methods are used.
+ .IP -v
+ Verbose output of debugging statements to stderr
+ .IP -V
+ Display version
+ .IP "image [images]"
+-One (or more if split) disk or partition images whose format is given with '-i'.
++One (or more if split) disk or partition images whose format is given with '\-i'.
+
+ .SH AUTHOR
+ Brian Carrier <carrier at sleuthkit dot org>
+diff -Naurp sleuthkit.orig/man/img_stat.1 sleuthkit/man/img_stat.1
+--- sleuthkit.orig/man/img_stat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/img_stat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -12,7 +12,7 @@ and the byte range of each file will be
+
+ .SH ARGUMENTS
+ .IP "-i imgtype"
+-Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection methods are used.
++Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types. If not given, autodetection methods are used.
+ .IP "-t"
+ Print the image type only.
+ .IP -v
+@@ -20,7 +20,7 @@ Verbose output of debugging statements t
+ .IP -V
+ Display version
+ .IP "image [images]"
+-One (or more if split) disk or partition images whose format is given with '-i'.
++One (or more if split) disk or partition images whose format is given with '\-i'.
+
+ .SH AUTHOR
+ Brian Carrier <carrier at sleuthkit dot org>
+diff -Naurp sleuthkit.orig/man/istat.1 sleuthkit/man/istat.1
+--- sleuthkit.orig/man/istat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/istat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -23,13 +23,13 @@ Display the addresses of num disk units.
+ unallocated with size 0, but still has block pointers.
+ .IP "-f fstype"
+ Specify the file system type.
+-Use '-f list' to list the supported file system types.
++Use '\-f list' to list the supported file system types.
+ If not given, autodetection methods are used.
+ .IP "-s seconds"
+ The time skew of the original system in seconds. For example, if the
+-original system was 100 seconds slow, this value would be -100.
++original system was 100 seconds slow, this value would be \-100.
+ .IP "-i imgtype"
+-Identify the type of image file, such as raw or split. Use '-i list' to list the supported types.
++Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types.
+ If not given, autodetection methods are used.
+ .IP "-o imgoffset"
+ The sector offset where the file system starts in the image. Non-512 byte
+@@ -43,7 +43,7 @@ An ASCII string of the original system's
+ GMT. These strings are defined by the operating system and may
+ vary. NOTE: This has changed since TCTUTILs.
+ .IP "image [images]"
+-One (or more if split) disk or partition images whose format is given with '-i'.
++One (or more if split) disk or partition images whose format is given with '\-i'.
+ .IP inode
+ Meta-data number to display stats on
+
+diff -Naurp sleuthkit.orig/man/jcat.1 sleuthkit/man/jcat.1
+--- sleuthkit.orig/man/jcat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/jcat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -20,9 +20,9 @@ a file system block. The raw output is
+
+ .SH ARGUMENTS
+ .IP "-f fstype"
+-Specify the file system type. Use '-f list' to list the supported file system types. If not given, autodetection methods are used.
++Specify the file system type. Use '\-f list' to list the supported file system types. If not given, autodetection methods are used.
+ .IP "-i imgtype"
+-Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection methods are used.
++Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types. If not given, autodetection methods are used.
+ .IP "-o imgoffset"
+ The sector offset where the file system starts in the image. Non-512 byte
+ sectors can be specified using '@' (32 at 2048).
+@@ -30,8 +30,8 @@ sectors can be specified using '@' (32 at 2
+ Display version
+ .IP -v
+ verbose output
+-.IP image [images]
+-One (or more if split) disk or partition images whose format is given with '-i'.
++.IP "image [images]"
++One (or more if split) disk or partition images whose format is given with '\-i'.
+ .IP [inode]
+ The inode where the file system journal can be found.
+
+@@ -40,7 +40,7 @@ The journal block to display.
+
+ .SH "EXAMPLES"
+
+-jcat -f linux-ext3 img.dd 34 | xxd
++jcat \-f linux-ext3 img.dd 34 | xxd
+
+ .SH AUTHOR
+ Brian Carrier <carrier at sleuthkit dot org>
+diff -Naurp sleuthkit.orig/man/jls.1 sleuthkit/man/jls.1
+--- sleuthkit.orig/man/jls.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/jls.1 2009-07-29 17:20:40.000000000 +0000
+@@ -17,9 +17,9 @@ description.
+ .SH ARGUMENTS
+ .IP "-f fstype"
+ Specify the file system type.
+-Use '-f list' to list the supported file system types. If not given, autodetection methods are used.
++Use '\-f list' to list the supported file system types. If not given, autodetection methods are used.
+ .IP "-i imgtype"
+-Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection methods are used.
++Identify the type of image file, such as raw or split. Use '\-i list' to list the supported types. If not given, autodetection methods are used.
+ .IP "-o imgoffset"
+ The sector offset where the file system starts in the image. Non-512 byte
+ sectors can be specified using '@' (32 at 2048).
+@@ -28,13 +28,13 @@ Display version
+ .IP -v
+ verbose output
+ .IP "image [images]"
+-One (or more if split) disk or partition images whose format is given with '-i'.
++One (or more if split) disk or partition images whose format is given with '\-i'.
+ .IP [inode]
+ The inode where the file system journal can be found.
+
+ .SH "EXAMPLES"
+
+-jls -f linux-ext3 img.dd
++jls \-f linux-ext3 img.dd
+
+ .SH AUTHOR
+ Brian Carrier <carrier at sleuthkit dot org>
+diff -Naurp sleuthkit.orig/man/mactime.1 sleuthkit/man/mactime.1
+--- sleuthkit.orig/man/mactime.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/mactime.1 2009-07-29 17:20:40.000000000 +0000
+@@ -16,14 +16,14 @@ mactime \- Create an ASCII time line of
+ .SH DESCRIPTION
+ .B mactime
+ creates an ASCII time line of file activity based on the body file
+-specified by '-b' or from STDIN. The time line is written to STDOUT.
++specified by '\-b' or from STDIN. The time line is written to STDOUT.
+ The body file must be in the time machine format that is created
+-by 'ils -m', 'fls -m', or the mac-robber tool.
++by 'ils \-m', 'fls \-m', or the mac-robber tool.
+
+ .SH ARGUMENTS
+ .IP "-b body"
+ Specify the location of a body file. This file must be generated by
+-a tool such as 'fls -m' or 'ils -m'. The 'mac-robber' and 'grave-robber'
++a tool such as 'fls \-m' or 'ils \-m'. The 'mac-robber' and 'grave-robber'
+ tools can also be used to generate the file.
+ .IP "-g group file"
+ Specify the location of the group file. mactime will display the group
+@@ -34,7 +34,7 @@ user name instead of the UID of this is
+ .IP "-i day|hour index file"
+ Specify the location of an index file to write to. The first argument
+ specifies the granularity, either an hourly summary or daily. If the
+-\'-d\' flag is given, then the summary will be seperated by a ',' to
++\'\-d\' flag is given, then the summary will be seperated by a ',' to
+ import into a spread sheet.
+ .IP -d
+ Display timeline and index files in comma delimited format. This is used
+diff -Naurp sleuthkit.orig/man/mmcat.1 sleuthkit/man/mmcat.1
+--- sleuthkit.orig/man/mmcat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/mmcat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -17,7 +17,7 @@ extract the contents of a partition to a
+
+ .SH ARGUMENTS
+ .IP "-t mmtype"
+-Specify the media management type. Use '-t list' to list the supported types. If not given, autodetection methods are used.
++Specify the media management type. Use '\-t list' to list the supported types. If not given, autodetection methods are used.
+ .IP "-o offset"
+ Specify the offset into the image where the volume containing the
+ partition system starts. The relative offset of the partition system
+@@ -29,7 +29,7 @@ Verbose output of debugging statements t
+ .IP -V
+ Display version
+ .IP "image [images]"
+-One (or more if split) disk images whose format is given with '-i'.
++One (or more if split) disk images whose format is given with '\-i'.
+ .IP "part_num"
+ Address of partition to process. See the mmls output to determine the address of the partitions.
+
+diff -Naurp sleuthkit.orig/man/mmls.1 sleuthkit/man/mmls.1
+--- sleuthkit.orig/man/mmls.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/mmls.1 2009-07-29 17:20:40.000000000 +0000
+@@ -17,7 +17,7 @@ tables and disk labels.
+
+ .SH ARGUMENTS
+ .IP "-t mmtype"
+-Specify the media management type. Use '-t list' to list the supported types. If not given, autodetection methods are used.
++Specify the media management type. Use '\-t list' to list the supported types. If not given, autodetection methods are used.
+ .IP "-o offset"
+ Specify the offset into the image where the volume containing the
+ partition system starts. The relative offset of the partition system
+@@ -41,10 +41,10 @@ Show metadata volumes
+ .IP -M
+ Hide metadata volumes
+ .IP "image [images]"
+-One (or more if split) disk images whose format is given with '-i'.
++One (or more if split) disk images whose format is given with '\-i'.
+
+ .PP
+-\'mmls\' is similar to 'fdisk -lu' in Linux with a few differences.
++\'mmls\' is similar to 'fdisk \-lu' in Linux with a few differences.
+ Namely, it will show which sectors are not being used so that those
+ can be searched for hidden data. It also gives the length value so
+ that it can be plugged into 'dd' more easily for extracting the
+@@ -52,7 +52,7 @@ partitions. It also will show BSD disk
+ NetBSD and will display the output in sectors and not cylinders.
+ Lastly, it works on non-Linux systems.
+
+-If none of -a, -A, -m, or -M are given then all volume types will
++If none of \-a, \-A, \-m, or \-M are given then all volume types will
+ be listed. If any of them are given, then only the types specified
+ on the command line will be listed. Allocated volumes are those
+ that are listed in a partition table in the volume system. Unallocated
+@@ -61,7 +61,7 @@ have not been allocated to a volume. Th
+ the allocated and unallocated volumes and describe where the partition
+ tables and other metadata structures are located. In some volume
+ systems, these structures are in allocated space and in others they
+-are in unallocated space. They can be hidden with -M.
++are in unallocated space. They can be hidden with \-M.
+
+ .SH "EXAMPLES"
+ To list the partition table of a Windows system using autodetect:
+@@ -70,7 +70,7 @@ To list the partition table of a Windows
+
+ To list the contents of a BSD system that starts in sector 12345 of a split image:
+
+-# mmls -t bsd -o 12345 -i split disk-1.dd disk-2.dd
++# mmls \-t bsd \-o 12345 \-i split disk-1.dd disk-2.dd
+
+ .SH AUTHOR
+ Brian Carrier <carrier at sleuthkit dot org>
+diff -Naurp sleuthkit.orig/man/mmstat.1 sleuthkit/man/mmstat.1
+--- sleuthkit.orig/man/mmstat.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/mmstat.1 2009-07-29 17:20:40.000000000 +0000
+@@ -17,7 +17,7 @@ tables and disk labels. Mainly, the typ
+
+ .SH ARGUMENTS
+ .IP "-t mmtype"
+-Specify the media management type. Use '-t list' to list the supported types. If not given, autodetection methods are used.
++Specify the media management type. Use '\-t list' to list the supported types. If not given, autodetection methods are used.
+ .IP "-o offset"
+ Specify the offset into the image where the volume containing the
+ partition system starts. The relative offset of the partition system
+@@ -29,7 +29,7 @@ Verbose output of debugging statements t
+ .IP -V
+ Display version
+ .IP "image [images]"
+-One (or more if split) disk images whose format is given with '-i'.
++One (or more if split) disk images whose format is given with '\-i'.
+
+ .SH AUTHOR
+ Brian Carrier <carrier at sleuthkit dot org>
+diff -Naurp sleuthkit.orig/man/sigfind.1 sleuthkit/man/sigfind.1
+--- sleuthkit.orig/man/sigfind.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/sigfind.1 2009-07-29 17:20:40.000000000 +0000
+@@ -33,15 +33,16 @@ The signature is stored in little-endian
+ .IP -V
+ Display version
+ .IP [hex_signature]
+-The binary signature that you are searching for. It must be given in hexadecimal format. This argument must exist if -t is not used.
++The binary signature that you are searching for. It must be given in
++hexadecimal format. This argument must exist if \-t is not used.
+ .IP file
+ Any raw data.
+
+ .SH "EXAMPLES"
+
+-sigfind -o 510 -l AA55 disk.dd
++sigfind \-o 510 \-l AA55 disk.dd
+
+-sigfind -t fat disk.dd
++sigfind \-t fat disk.dd
+
+
+ .SH AUTHOR
+diff -Naurp sleuthkit.orig/man/sorter.1 sleuthkit/man/sorter.1
+--- sleuthkit.orig/man/sorter.1 2009-07-29 16:35:37.000000000 +0000
++++ sleuthkit/man/sorter.1 2009-07-29 17:20:40.000000000 +0000
+@@ -37,17 +37,17 @@ system.
+
+ .SH ARGUMENTS
+ The required arguments are as follows. This will analyze one or more
+-images and either save the results in the '-d' directory or list
+-the results to STDOUT (if '-l' is given).
++images and either save the results in the '\-d' directory or list
++the results to STDOUT (if '\-l' is given).
+
+ .IP "-d dir"
+ Specify the location of where all files should be written. This includes
+-the index files and subdirectories if the '-s' flag is given.
+-This MUST be given, unless the '-l' list flag is given.
++the index files and subdirectories if the '\-s' flag is given.
++This MUST be given, unless the '\-l' list flag is given.
+ .IP -l
+ List information to STDOUT (no files are ever written). This is useful
+ for Incident Response, with the use of 'netcat'. This cannot be used
+-if '-d' is used.
++if '\-d' is used.
+ .IP images
+ The file names of the image(s) to analyze.
+
+@@ -77,7 +77,7 @@ have priority over the standard files.
+ Specify the location of the ONLY configuration file. The standard config
+ files will not be loaded if this option is given. For example, in the
+ \'share/sort\' directory there is a file called 'images.sort'. This file
+-contains only rules about graphic images. If it is specified with -C, then
++contains only rules about graphic images. If it is specified with \-C, then
+ only images will be saved about the image.
+ .IP "-m mnt"
+ Specify the mounting point of the image being analyzed. This is only
+@@ -119,8 +119,8 @@ This will be done automatically when any
+ Calculate the SHA-1 value for each file and save it in the category file.
+ .IP -s
+ Save the actual file content to sub-directories in the directory
+-specified by '-d'. For example, all JPG and GIF files would actually be
+-saved in the 'images' directory. If '-h' is also given, thumbnails of
++specified by '\-d'. For example, all JPG and GIF files would actually be
++saved in the 'images' directory. If '\-h' is also given, thumbnails of
+ graphic images are also created.
+ .IP -v
+ Display verbose information
+@@ -136,7 +136,7 @@ can be given.
+ is a Perl script that interacts with other The Sleuth Kit tools. It starts
+ by reading the configuration files from the installation directory.
+ There is a general configuration file and a specific one for each
+-operating system. The specific one is determined from the '-f'
++operating system. The specific one is determined from the '\-f'
+ flag. Each configuration file contains rules for processing the
+ output of the 'file' command. One type of line identifies which
+ category (i.e. 'images') a given 'file' output belongs to (i.e.
+@@ -157,7 +157,7 @@ The 'file' command is then run to identi
+ header information).
+ The configuration file rules are used to identify which category
+ it belongs to. An entry is added to the corresponding category
+-file (in the '-d dir' directory). If the '-s' flag is given, then
++file (in the '\-d dir' directory). If the '\-s' flag is given, then
+ a copy of the file is saved in a subdirectory of the same name as
+ the category. If the HTML format is used, then hyper-links will
+ allow one to easily view saved files and view what is in each
+@@ -168,9 +168,9 @@ category and the 'data' category. 'data
+ structure that 'file' does not know and 'unknown' is for files with
+ a structure that 'file' knows about. These are saved for future
+ reference, but the unknown category can be ignored by using
+-the '-U' flag.
++the '\-U' flag.
+
+-A copy of the files can be saved by using the '-s' flag. If so,
++A copy of the files can be saved by using the '\-s' flag. If so,
+ then the files are saved in a subdirectory that is named with
+ the category name. Each file is named using the file system image
+ name followed by the meta data address and the original file
+@@ -207,7 +207,7 @@ The 'default.sort' file is used by any f
+ entries for common file types. A specific operating system file also
+ exists, which is useful for extensions that are specific to a given OS.
+ By default, the default file and the OS specific one will be used. Using
+-the '-c' flag, an additional file can be used. If the '-C' flag is used,
++the '\-c' flag, an additional file can be used. If the '\-C' flag is used,
+ then only the supplied configuration file is used.
+
+ There are two rule types in the configuration files. Each rule starts
+@@ -262,22 +262,22 @@ and I will incorporate them into future
+ .SH EXAMPLES
+ To run sorter with no hash databases, the following can be used:
+
+- # sorter -f ntfs -d data/sorter images/hda1.dd
++ # sorter \-f ntfs \-d data/sorter images/hda1.dd
+
+- # sorter -d data/sorter images/hda1.dd
++ # sorter \-d data/sorter images/hda1.dd
+
+- # sorter -i raw -f ntfs -o 63 -d data/sorter images/hda.dd
++ # sorter \-i raw \-f ntfs \-o 63 \-d data/sorter images/hda.dd
+
+ To include the NSRL, an exclude, and an alert hash database:
+
+- # sorter -f ntfs -d data/sorter -a /usr/hash/rootkit.db \
+- -x /usr/hash/win2k.db -n /usr/hash/nsrl/NSRLFile.txt \
++ # sorter \-f ntfs \-d data/sorter \-a /usr/hash/rootkit.db \
++ \-x /usr/hash/win2k.db \-n /usr/hash/nsrl/NSRLFile.txt \
+ images/hda1.dd
+
+ To just identify images using the supplied 'images.sort' file:
+
+- # sorter -f ntfs -C /usr/local/sleuthkit/share/sort/images.sort \
+- -d data/sorter -h -s images/hda1.dd
++ # sorter \-f ntfs \-C /usr/local/sleuthkit/share/sort/images.sort \
++ \-d data/sorter \-h \-s images/hda1.dd
+
+ .SH REQUIREMENTS
+ The NIST National Software Reference Library (NSRL) can be found at
--
Tools for forensics analysis
More information about the forensics-changes
mailing list