Re: [sleuthkit-users] fiwalk output
From: Brian C. <ca...@sl...> - 2013-10-11 19:35:50
I'm not sure which e-mail message to reply to at this point, so I'm going back to the original.

Basic concepts for background:
- For most file systems (all except FAT), there is a file name structure and a metadata structure.
- Each of those structures has an allocation status.
- TSK data structures (which fiwalk uses) report if it is allocated or not.
- fls has some additional logic in it to detect when a deleted file name points to a metadata structure that is allocated and adds the "(realloc)" string to highlight the fact that the content that this file name points to is probably not the same content that the file name originally pointed to when it was allocated. This isn't always true (i.e. if a file is moved from one folder to another, its old name will be marked with realloc).

For a given file, does DFXML differentiate the allocation status of its file name structure versus its metadata structure?

On Oct 11, 2013, at 1:36 PM, Jason Wright <jwr...@gm...> wrote:

> All,
>
> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. I know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>
> Thanks,
>
> Jason Wright
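The realloc rule described in the reply above, applied to several names that share one metadata address, as an added Python example that is not part of the original thread and is not TSK or fiwalk code. The record layout (`inode`, `name`, `name_alloc`, `meta_alloc`), the sample entries and the base-name "possible move" heuristic are assumptions made for illustration.

```python
from collections import defaultdict
from posixpath import basename

# Constructed sample records (not real fiwalk or fls output). Each one is a
# file name entry plus the allocation status of the name structure and of the
# metadata structure it points to.
ENTRIES = [
    {"inode": 1234, "name": "/docs/report.docx",  "name_alloc": False, "meta_alloc": True},
    {"inode": 1234, "name": "/archive/notes.txt", "name_alloc": True,  "meta_alloc": True},
    {"inode": 2001, "name": "/old/a.txt",         "name_alloc": False, "meta_alloc": True},
    {"inode": 2001, "name": "/new/a.txt",         "name_alloc": True,  "meta_alloc": True},
    {"inode": 3050, "name": "/tmp/gone.log",      "name_alloc": False, "meta_alloc": False},
]

def classify(entry):
    """Rule from the message: deleted name + allocated metadata => realloc."""
    if entry["name_alloc"]:
        return "allocated"
    return "realloc" if entry["meta_alloc"] else "deleted"

def review(entries):
    """Return {name: (status, note)} after grouping names by metadata address."""
    by_inode = defaultdict(list)
    for e in entries:
        by_inode[e["inode"]].append(e)
    result = {}
    for group in by_inode.values():
        live = [e for e in group if e["name_alloc"]]
        for e in group:
            status, note = classify(e), ""
            if status == "realloc":
                # Hypothetical heuristic: a live name with the same base name
                # on this inode suggests a move rather than metadata reuse.
                if any(basename(x["name"]) == basename(e["name"]) for x in live):
                    note = "possible move; content may still match"
                else:
                    note = "content probably belongs to another file"
            result[e["name"]] = (status, note)
    return result

if __name__ == "__main__":
    for name, (status, note) in review(ENTRIES).items():
        print(f"{status:9} {name}  {note}")
```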