[sleuthkit-developers] extra directory entries found in ext2 by sk
From: David C. <dav...@gm...> - 2008-07-05 04:23:07
Hi Brian,

Sleuthkit (fls) seems to find bogus deleted directory entries in the following (ext2) image:

http://www.pyflag.net/testimages/pyflag_stdimage_0.1.e01

The offending entries are the three containing non-printable characters (output appended below). I've opened the same fs in 'debugfs' and it does not find these deleted entries (it does find all the others that sk finds).

Can you explain this? Is sk being overzealous in its search for deleted ext2 directory entries? Is it normal to get a few false-positives?

Thanks,
Dave

Here is the output of "fls -r":

d/d 11: lost+found
r/- * 0: 0000000001289728.jpg
r/- * 0: NTUSER.DAT
r/r 14: hello.txt
d/d 1281: Documents and Settings
+ d/d 1282: Administrator
++ d/d 1283: Local Settings
+++ r/r 1284: index.dat
+++ -/- * 0: @"^^��������^
+++ -/r * 20(realloc): ��^^��������������������^
++ r/r 1285: outlook.pst
++ r/r 13: NTUSER.DAT
+ -/r * 20(realloc): `,^^�����������������^
r/r 15: rk_044.zip
r/r 16: test.txt.gz
r/r 17: test.zip
r/r 18: dscf1081.jpg
r/r 19: dscf1082.jpg
r/r 20: dscf1080.jpg
r/- * 0: dscf1061.jpg
r/r 22: dscf1052.jpg
r/- * 0: .DonVittos_private_key.txt.swp
r/r 23: DonVittos_private_key.txt
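Added example, not part of the original message and not Sleuth Kit code: a small Python triage pass over "fls -r" output that picks out deleted entries whose names contain non-printable characters, so they can be cross-checked against another tool such as debugfs. The line layout is inferred from the listing above; the function names and the sample lines are constructed for illustration.

```python
import re

# Layout inferred from the listing in the message (an assumption):
#   [+...] <name type>/<meta type> [*] <inode>[(realloc)]: <name>
FLS_LINE = re.compile(
    r"^(?P<depth>\+*)\s*(?P<ntype>[-a-zA-Z])/(?P<mtype>[-a-zA-Z])\s+"
    r"(?P<deleted>\*\s+)?(?P<inode>\d+)(?P<realloc>\(realloc\))?:\s(?P<name>.*)$"
)

def parse_fls_line(line):
    """Return one fls entry as a dict, or None if the line does not match."""
    m = FLS_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    return {
        "depth": len(m["depth"]),          # number of leading '+' markers
        "name_type": m["ntype"],           # type from the directory entry
        "meta_type": m["mtype"],           # type from the inode
        "deleted": m["deleted"] is not None,
        "inode": int(m["inode"]),
        "realloc": m["realloc"] is not None,
        "name": m["name"],
    }

def has_unprintable(name):
    # U+FFFD is what a decoder substitutes for bytes that are not valid text;
    # str.isprintable() treats it as printable, so it is checked explicitly.
    return any(ch == "\ufffd" or not ch.isprintable() for ch in name)

def suspect_entries(lines):
    """Deleted entries with non-printable names: candidates for manual review."""
    entries = (parse_fls_line(line) for line in lines)
    return [e for e in entries
            if e and e["deleted"] and has_unprintable(e["name"])]

# Constructed sample modelled on the listing above (not the real image output).
SAMPLE = [
    "d/d 1281: Documents and Settings",
    "+ d/d 1282: Administrator",
    "++ d/d 1283: Local Settings",
    "+++ r/r 1284: index.dat",
    "+++ -/- * 0: @\"\x01\ufffd\ufffd",
    "+++ -/r * 20(realloc): \ufffd\x02\ufffd",
    "r/r 20: dscf1080.jpg",
    "r/- * 0: dscf1061.jpg",
]

if __name__ == "__main__":
    for e in suspect_entries(SAMPLE):
        print(e["depth"], e["name_type"] + "/" + e["meta_type"],
              e["inode"], "realloc" if e["realloc"] else "-", repr(e["name"]))
```

A hit only marks an entry for comparison with a second tool; it does not decide whether the entry is a false positive.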