Fls recurses into the filesystem nodes in alphabetic order. On Windows systems, most of the forensically interesting files end up being in the Windows folder, toward the end of a recursive listing. When capturing the file system listing over an extremely slow network link (think international iSCSI or multiple sshfs links), when using the recursive option, we are not able to see interesting inodes until the listing is nearly complete.
Of course, one could manually walk the tree of inodes to get to the desired directory, but over extremely high latency links, even a single directory can take minutes to complete. And if a goal is a complete recursive listing, that's duplication of effort that is best avoided.
Giving us a reverse-order (-R?) option to simply reverse the alphabetic sort and retrieve them in the opposite order would get to the later directories earlier and allow icat to collect some files before a recursive fls is complete. It would also allow one to splice together two overlapping partial captures if they're in different sort order. E.g., the first fls output stops partway through (network/host disruption). Start a second in reverse order, and once it reaches the point where the first one stopped, abort it and manually join the two.
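The manual join described above can be scripted. The following is an added example, not code from the poster or from The Sleuth Kit: it assumes both captures were taken with `fls -r -p` (one entry per line, full paths), that the reverse-order capture comes from the requested option, which does not exist yet, and the function names and sample data are constructed for illustration.

```python
import re

# Assumed `fls -r -p` line layout: "<type> [* ]<meta-addr>[(realloc)]:<TAB><full path>"
LINE = re.compile(r"^(\S/\S) (\* )?(\d+(?:-\d+)*)(\(realloc\))?:\t(.+)$")

def parse_capture(text):
    """Parse one capture; return (entries, cut) where cut is True if the stream ended mid-line."""
    lines = text.split("\n")
    complete, tail = lines[:-1], lines[-1]
    entries = []
    for ln in complete:
        m = LINE.match(ln)
        if m:
            entries.append(((m.group(3), m.group(5)), ln))  # key = (metadata address, path)
    # A tail without a newline may still look valid with a shortened path, so never keep it.
    return entries, bool(tail)

def splice(forward_text, reverse_text):
    """Union two partial listings; overlap == 0 means entries may be missing in between."""
    fwd, fwd_cut = parse_capture(forward_text)
    rev, rev_cut = parse_capture(reverse_text)
    seen = {key for key, _ in fwd}
    overlap = sum(1 for key, _ in rev if key in seen)
    # Forward entries first, then reverse-only entries; original sort order is not restored.
    merged = [ln for _, ln in fwd] + [ln for key, ln in rev if key not in seen]
    return merged, overlap, fwd_cut or rev_cut

# Constructed sample captures (not real case data).
FORWARD = (
    "d/d 35-144-1:\tDocuments and Settings\n"
    "r/r 40-128-1:\tDocuments and Settings/a.txt\n"
    "d/d 60-144-1:\tProgram Files\n"
    "r/r 70-128-1:\tProgram Fi"            # link dropped mid-line
)
REVERSE = (
    "d/d 90-144-1:\tWindows\n"
    "r/r 95-128-3:\tWindows/System32/config/SAM\n"
    "r/r * 96-128-1:\tWindows/old.log\n"
    "r/r 70-128-1:\tProgram Files/app.exe\n"
    "d/d 60-144-1:\tProgram Files\n"
)

if __name__ == "__main__":
    merged, overlap, cut = splice(FORWARD, REVERSE)
    if overlap == 0:
        print("WARNING: captures do not overlap; listing has a gap")
    print("\n".join(merged))
```

An overlap count of zero means the second capture was aborted before it reached the point where the first one stopped, so the joined listing cannot be treated as complete.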