TCT version 1.05 fixes two problems with the grave-robber program.

- with a machine image consisting of multiple file systems mounted over each other (forensic challenge) the deleted inode scan looked only at the "root" file system.

- "df" output with multi-line records was not parsed correctly.

A complete TCT version 1.05 kit will be made available from the usual places:

http://www.porcupine.org/forensics
http://www.fish.com/forensics

Prereq: 1.04

diff -cr ../tct-1.04/patchlevel ./patchlevel *** ../tct-1.04/patchlevel Mon Jan 22 11:26:59 2001 --- ./patchlevel Tue Jan 23 18:46:14 2001 *************** *** 1 **** ! 1.04 --- 1 ---- ! 1.05 diff -cr ../tct-1.04/CHANGES ./CHANGES *** ../tct-1.04/CHANGES Mon Jan 22 11:26:00 2001 --- ./CHANGES Tue Jan 23 19:39:43 2001 *************** *** 1,3 **** --- 1,11 ---- + Tue Jan 23 18:44:36 EST 2001 + + o The grave-robber did not correctly handle multi-line df + output records (ps_spy.pl, suck_free_inodes.pl). + + o The grave-robber mounted corpse inode scan looked only at + the corpse's "root" file system (suck_free_inodes.pl). + Mon Jan 22 11:23:32 EST 2001 o grave-robber enabled the default -lPO flags when -c was diff -cr ../tct-1.04/lib/ps_spy.pl ./lib/ps_spy.pl *** ../tct-1.04/lib/ps_spy.pl Sun Jul 30 19:39:20 2000 --- ./lib/ps_spy.pl Tue Jan 23 20:22:36 2001 *************** *** 543,548 **** --- 543,549 ---- while () { next if (/Filesystem/); + $_ .= unless (/ /); print $_ if $debug; chop; ($dev,$x) = split(/\s/, $_); diff -cr ../tct-1.04/lib/suck_free_inodes.pl ./lib/suck_free_inodes.pl *** ../tct-1.04/lib/suck_free_inodes.pl Sun Jul 30 19:39:20 2000 --- ./lib/suck_free_inodes.pl Tue Jan 23 18:37:47 2001 *************** *** 47,68 **** # parse out things that look like things we can mess with # if ($CORPSE) { ! &pipe_command(DF, @df, $CORPSE, "-|"); while () { next if (/Filesystem/); chop; ($dev,$a,$b,$c,$d,$mount_point) = split(/\s+/, $_); print "DF: $dev,$a,$b,$c,$d,$mount_point\n" if $debug; - } ! 
print "Corpse love is here to stay! $dev & $mount_point\n" if $debug; ! $dev = &rawdev($dev); ! push(@devs, $dev); } else { &pipe_command(DF, @df, "-|"); while () { next if (/Filesystem/); chop; --- 47,86 ---- # parse out things that look like things we can mess with # if ($CORPSE) { ! # &pipe_command(DF, @df, $CORPSE, "-|"); ! &pipe_command(DF, @df, "-|"); ! my($fixed_corpse) = $CORPSE; ! $fixed_corpse =~ s@/+$@@; ! $fixed_corpse .= "/"; while () { next if (/Filesystem/); + $_ .= unless (/ /); chop; + ($dev,$a,$b,$c,$d,$mount_point) = split(/\s+/, $_); print "DF: $dev,$a,$b,$c,$d,$mount_point\n" if $debug; ! $mount_point =~ s@/+$@@; ! $mount_point .= "/"; ! print "examining $mount_point vs $fixed_corpse\n" if $debug; ! ! # ! # try to get all the dirs including & below the ! # $CORPSE var... this gets, say, /foo, /foo/bar, ! # & /foo/foo, if $CORPSE eq /foo. ! # ! if ("$mount_point" =~ /^$fixed_corpse/) { ! print "Corpse mount - $mount_point\n" if $debug; ! $dev = &rawdev($dev); ! push(@devs, $dev); ! } ! } } else { &pipe_command(DF, @df, "-|"); while () { next if (/Filesystem/); + $_ .= unless (/ /); chop;
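Review bot: the added line `$_ .= unless (/ /);` in the ps_spy.pl hunk has no right-hand operand for `.=`, so as shown it does not compile; the intent is to append the next df line when the current line holds only a device name, which needs a read from the DF handle (most likely `<DF>`, which looks to have been stripped as markup, the same way `while () {` appears without its `<DF>`). Please also consider that the `chop` after the join removes only the continuation line's newline, so the first line's newline stays embedded in `$_`; that is harmless for `split(/\s+/, ...)` but worth a comment for anyone reading the record later.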
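Review bot: in the suck_free_inodes.pl hunk, `$fixed_corpse` is interpolated unquoted into the pattern `/^$fixed_corpse/`, so any regex metacharacter in the corpse path (a `.` or `+` in a directory name, say) is treated as a pattern instead of matched literally; use `/^\Q$fixed_corpse\E/` or `index($mount_point, $fixed_corpse) == 0` for the prefix test. The trailing-slash normalisation on both sides is right and should stay: with `$fixed_corpse` ending in "/", a mount at /foo2 no longer matches a corpse at /foo. Two smaller points: the same operand-less `$_ .= unless (/ /);` line appears here as in ps_spy.pl, and the old `&pipe_command(DF, @df, $CORPSE, "-|");` call is commented out rather than deleted; removing it keeps the hunk clean.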
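As an added illustration of the two problems the announcement describes (this is not TCT's own code), the following Perl script joins wrapped df records and then keeps only the devices mounted at or under a corpse path, using a literal prefix test; the df output and the /mnt/corpse path are constructed inline, not read from a live system.

```perl
use strict; use warnings;
# Added example, not TCT code: reassemble wrapped df records and pick the
# devices mounted at or below a corpse mount point.

# Constructed df output; the second record wraps because its device name is long.
my @df_lines = (
    "Filesystem           1k-blocks      Used Available Use% Mounted on\n",
    "/dev/hda1              2016016    601248   1312356  32% /\n",
    "/dev/loop0-corpse-root-image\n",
    "                        999999    500000    499999  50% /mnt/corpse\n",
    "/dev/loop1              200000    100000    100000  50% /mnt/corpse/usr\n",
    "/dev/loop2              200000    100000    100000  50% /mnt/corpse2\n",
);

# A line with no space holds only the device name; the rest of that
# record is on the following line, so glue the two together.
sub join_df_records {
    my @lines = @_;
    my @records;
    while (defined(my $line = shift @lines)) {
        next if $line =~ /Filesystem/;
        chomp $line;
        if ($line !~ / /) {
            my $rest = shift @lines;
            $line .= $rest if defined $rest;
            chomp $line;
        }
        push @records, $line;
    }
    return @records;
}

# Devices whose mount point equals $corpse or lies below it. Both paths get
# exactly one trailing slash so /mnt/corpse2 is not taken for /mnt/corpse,
# and the corpse path is \Q-quoted so a "." or "+" in it is matched literally.
sub corpse_devs {
    my ($corpse, @records) = @_;
    (my $fixed = $corpse) =~ s@/+$@@;
    $fixed .= "/";
    my @devs;
    for my $rec (@records) {
        my ($dev, $mount) = (split /\s+/, $rec)[0, 5];
        (my $mp = $mount) =~ s@/+$@@;
        $mp .= "/";
        push @devs, $dev if $mp =~ /^\Q$fixed\E/;
    }
    return @devs;
}

print "$_\n" for corpse_devs("/mnt/corpse", join_df_records(@df_lines));
```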