[sleuthkit-developers] Need for special RECOVER flag?
From: Brian C. <ca...@sl...> - 2008-07-09 14:58:17
Currently, there is a TSK_FS_FILE_FLAG_RECOVER flag that can be passed to file_walk so that "special" data recovery techniques are used. This really only has an effect on FAT (because other file systems are either all or nothing and the recovery "guessing" associated with FAT does not exist).

If you do not pass the RECOVER flag with a deleted FAT file then you get only the first cluster of the file. If you pass the RECOVER flag, TSK tries to recover the full file and if it can it returns it. If it can't, it returns an error. The caller must then know to try again without the RECOVER flag so that they at least get the first cluster.

My open question is if this flag is needed? Should TSK apply recovery techniques to all unallocated files regardless if the flag is given or not? The benefit of this approach is that it simplifies the calling code because they do not need to retry if the RECOVER attempt fails. The downside of this approach is it hides the fact that there is guessing going on behind the scenes with respect to choosing the data, but then again all unallocated files have uncertainty associated with them.

Thoughts?

brian
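The caller-side retry described in the message, as an added example that is not part of the original post and is not TSK code. `toy_file_walk`, `walk_with_fallback`, `FLAG_RECOVER`, the allocation map and the "take the next unallocated clusters" guess are all hypothetical stand-ins chosen for illustration.

```c
#include <stdio.h>
/* Toy model with hypothetical names; this is not TSK code. */
#define NCLUST 16
#define FLAG_RECOVER 0x01   /* stands in for TSK_FS_FILE_FLAG_RECOVER */

/* Constructed allocation map: 1 = cluster belongs to a live file. */
static const int allocated[NCLUST] = {1,1,0,0,1,0,0,0,1,1,1,1,1,1,1,1};

struct deleted_file { int start; int nclusters; };

/* Writes cluster numbers to out; returns the count, or -1 on error.
 * No flag: first cluster only.
 * FLAG_RECOVER: assumed guess, take the next unallocated clusters in
 * order; error if fewer than nclusters can be found. */
int toy_file_walk(const struct deleted_file *f, int flags, int *out)
{
    int n = 0;
    if (!(flags & FLAG_RECOVER)) {
        out[0] = f->start;
        return 1;
    }
    for (int c = f->start; c < NCLUST && n < f->nclusters; c++)
        if (!allocated[c])
            out[n++] = c;
    return (n == f->nclusters) ? n : -1;
}

/* Caller-side retry from the message: try RECOVER, fall back to the
 * plain walk on error. *guessed records which path produced the data,
 * so the uncertainty is not hidden from the examiner. */
int walk_with_fallback(const struct deleted_file *f, int *out, int *guessed)
{
    int n = toy_file_walk(f, FLAG_RECOVER, out);
    *guessed = (n >= 0);
    if (n < 0)
        n = toy_file_walk(f, 0, out);
    return n;
}

int main(void)
{
    struct deleted_file files[] = { {2, 4}, {5, 6} };
    int out[NCLUST], guessed;
    for (int i = 0; i < 2; i++) {
        int n = walk_with_fallback(&files[i], out, &guessed);
        printf("start %d: %d cluster(s), guessed=%d\n", files[i].start, n, guessed);
    }
    return 0;
}
```

Returning the `guessed` indicator alongside the data is one way to drop the retry from calling code while still exposing that recovery guessing took place.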