[sleuthkit-users] read $DATA attribute of deleted file
From: John (support) <dow...@gm...> - 2012-04-06 16:45:22
Hi everyone,

I'm a beginner in TSK and need help with my deleted file. Using TSK & Autopsy in Cygwin on Windows 7, NTFS. Here is some istat output on the deleted file:

$ istat -f ntfs /dev/sdc1 8939-128-3

$FILE_NAME Attribute Values:
Name: Private.jbc
Parent MFT Entry: 5     Sequence: 5
Allocated Size: 429496729600    Actual Size: 429496729600
...
Type: $DATA (128-3)   Name: N/A   Non-Resident   size: 0  init_size: 0

As you can see, the file size is 400 GB, but the size is zero for the $DATA attribute. In Autopsy the $DATA attribute doesn't list the clusters allocated by the file. I need to know these cluster runs to extract the file from disk. So is there any way I can find where the $DATA attribute resides on disk, to read those clusters from? Like using WinHex to view the non-resident $DATA attribute contents. I found the start address of the file in WinHex and extracted 400 GB, but unfortunately the file is fragmented.

Also tried:

$ icat -f ntfs -r /dev/sdc1 8939 > /cygdrive/f/icat/Private.jbc

It wrote the file out as 0 bytes.

Any good suggestions much appreciated!

Gorden.
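The cluster runs the question asks about are stored in the non-resident $DATA attribute's run list inside the MFT entry, and istat's "size: 0 init_size: 0" is what that attribute reports when its record carries no runs to decode. The following is an added example, not code from the original post or from The Sleuth Kit: a pure-Python decoder for the NTFS run-list encoding (header byte, little-endian length, signed relative LCN offset, 0x00 terminator) plus a parser for the fixed non-resident attribute header (run-list offset at 0x20, allocated/real/initialized sizes at 0x28/0x30/0x38). The attribute record it parses is constructed in the script itself for the demonstration; the three-run run list is the worked example from the Linux-NTFS documentation, and the byte sizes are invented.

```python
import struct

# Constructed sample inputs (not taken from the poster's disk).
# Three fragmented runs, as in the Linux-NTFS docs: 56, 276 and 66 clusters.
RUNLIST_FRAGMENTED = bytes.fromhex("31 38 73 25 34 32 14 01 E5 11 02 31 42 AA 00 03 00")
# Two runs where the second sits 16 clusters *before* the first (negative offset).
RUNLIST_BACKWARDS = bytes.fromhex("21 18 34 56 11 30 F0 00")
# One sparse run: 16 clusters with no LCN-offset field (offset nibble = 0).
RUNLIST_SPARSE = bytes.fromhex("01 10 00")
# A non-resident attribute of size 0 carries only the terminator.
RUNLIST_EMPTY = b"\x00"


def decode_runlist(data, start=0):
    """Decode an NTFS run list into a list of (lcn, length_in_clusters).

    Each run begins with a header byte: low nibble = byte width of the
    length field, high nibble = byte width of the LCN-offset field
    (0 means a sparse run with no clusters on disk). Offsets are signed
    and relative to the previous run's LCN; a 0x00 header ends the list.
    lcn is None for sparse runs.
    """
    runs = []
    pos, lcn = start, 0
    while pos < len(data) and data[pos] != 0:
        hdr = data[pos]
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        pos += 1
        if len_sz == 0 or pos + len_sz + off_sz > len(data):
            raise ValueError("truncated or malformed run list at offset %d" % pos)
        length = int.from_bytes(data[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            runs.append((None, length))          # sparse run, nothing on disk
        else:
            delta = int.from_bytes(data[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            lcn += delta                         # offsets accumulate run to run
            runs.append((lcn, length))
    return runs


def build_nonresident_data_attr(runlist, real_size, init_size, cluster_size=4096):
    """Construct a non-resident, unnamed $DATA (0x80) attribute record.

    Only used to make the demo self-contained; a real record would be read
    from the MFT entry (e.g. the bytes istat summarises as 128-3).
    """
    clusters = sum(n for _, n in decode_runlist(runlist))
    body = struct.pack("<QQHH4sQQQ",
                       0, max(clusters - 1, 0),   # starting VCN, last VCN
                       0x40, 0, b"\0" * 4,        # run-list offset, comp. unit, pad
                       clusters * cluster_size, real_size, init_size)
    length = 0x40 + len(runlist)
    length += (-length) % 8                       # records are 8-byte aligned
    # type, length, non-resident flag, name length, name offset, flags, id
    hdr = struct.pack("<IIBBHHH", 0x80, length, 1, 0, 0x40, 0, 3)
    return (hdr + body + runlist).ljust(length, b"\0")


def parse_data_attribute(buf, cluster_size=4096):
    """Parse a non-resident attribute record: sizes, runs and byte extents.

    Extents are (byte_offset_on_volume, byte_length) tuples, or None for a
    sparse run; they are what a carving or icat-style recovery would read.
    """
    atype, _alen, nonres = struct.unpack_from("<IIB", buf, 0)
    if not nonres:
        raise ValueError("resident attribute: content lives inside the MFT entry")
    (run_off,) = struct.unpack_from("<H", buf, 0x20)
    alloc, real, init = struct.unpack_from("<QQQ", buf, 0x28)
    runs = decode_runlist(buf, run_off)
    extents = [None if lcn is None else (lcn * cluster_size, n * cluster_size)
               for lcn, n in runs]
    return {"type": atype, "allocated": alloc, "size": real,
            "init_size": init, "runs": runs, "extents": extents}


if __name__ == "__main__":
    for name, rl in (("fragmented", RUNLIST_FRAGMENTED), ("empty", RUNLIST_EMPTY)):
        info = parse_data_attribute(build_nonresident_data_attr(rl, 1630000, 1630000))
        print(name, "size:", info["size"], "init_size:", info["init_size"])
        for lcn, n in info["runs"]:
            print("  LCN %s, %d clusters" % (lcn, n))
```

Running the script prints the decoded runs for the fragmented sample and an empty run list for the zero-size sample, which mirrors what istat shows when the $DATA attribute of a deleted entry has nothing left to point at.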