[sleuthkit-developers] [ sleuthkit-Feature Requests-2509976 ] Use Ext3 journal for file recovery
From: SourceForge.net <no...@so...> - 2009-01-15 13:57:07
Feature Requests item #2509976, was opened at 2009-01-15 08:57
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2509976&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: Use Ext3 journal for file recovery

Initial Comment:
The Ext3 journal may contain copies of a file's inode before the file was deleted (Ext3 wipes block pointers when a file is deleted). Searching the journal for inodes may allow deleted files to be recovered.

TSK can already parse the journal and cycle through it, but it does not actually use it. It probably should somehow. There are obvious questions about usability though and how to identify that you want version X of file Y (where a version could be the current version of the inode or one of the previous versions).

The design choice should also be applicable to NTFS because it stores data in a journal as well.
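
Added example (not part of the tracker item and not TSK code): a sketch of the comparison the request describes, assuming the classic 128-byte little-endian ext2/ext3 inode layout and that a journal block has already been matched to an inode-table block through its descriptor tag. The function names, inode numbers and block addresses are constructed for illustration.

```python
import struct

INODE_SIZE = 128    # assumption: classic 128-byte ext2/ext3 inodes
I_BLOCK_OFF = 40    # offset of i_block[15] inside the inode
HEAD = struct.Struct("<HHIIIII")  # i_mode i_uid i_size i_atime i_ctime i_mtime i_dtime
PTRS = struct.Struct("<15I")      # 12 direct + 3 indirect block pointers

def parse_inode(raw):
    mode, _uid, size, _atime, _ctime, mtime, dtime = HEAD.unpack_from(raw, 0)
    return {"mode": mode, "size": size, "mtime": mtime, "dtime": dtime,
            "blocks": PTRS.unpack_from(raw, I_BLOCK_OFF)}

def recoverable_inodes(journal_block, current_block, first_inum):
    """Compare a journal copy of an inode-table block with the live block."""
    hits = []
    for slot in range(len(current_block) // INODE_SIZE):
        off = slot * INODE_SIZE
        old = parse_inode(journal_block[off:off + INODE_SIZE])
        cur = parse_inode(current_block[off:off + INODE_SIZE])
        # Live inode: deletion time set and every block pointer wiped.
        wiped_now = cur["dtime"] != 0 and not any(cur["blocks"])
        # Journal copy: an undeleted regular file that still has pointers.
        had_content = ((old["mode"] & 0xF000) == 0x8000
                       and old["dtime"] == 0 and any(old["blocks"]))
        if wiped_now and had_content:
            # Entries 12-14 of i_block are indirect blocks, not file data.
            hits.append((first_inum + slot, old["size"],
                         [b for b in old["blocks"] if b]))
    return hits

def make_inode(mode, size, mtime, dtime, blocks):
    raw = bytearray(INODE_SIZE)
    HEAD.pack_into(raw, 0, mode, 0, size, 0, 0, mtime, dtime)
    ptrs = list(blocks) + [0] * (15 - len(blocks))
    PTRS.pack_into(raw, I_BLOCK_OFF, *ptrs)
    return bytes(raw)

# Constructed sample: one 1 KiB inode-table block holding inodes 17-24.
LIVE = make_inode(0o100644, 300, 1231900000, 0, [900])
OLD = make_inode(0o100644, 5000, 1232000000, 0, range(1201, 1206))
GONE = make_inode(0o100644, 0, 1232020000, 1232020000, [])
EMPTY = bytes(INODE_SIZE)
JOURNAL_COPY = EMPTY * 2 + OLD + EMPTY + GONE + LIVE + EMPTY * 2
CURRENT = EMPTY * 2 + GONE + EMPTY + GONE + LIVE + EMPTY * 2

if __name__ == "__main__":
    for inum, size, blocks in recoverable_inodes(JOURNAL_COPY, CURRENT, 17):
        print(f"inode {inum}: {size} bytes, block pointers {blocks}")
```

A journal can hold several copies of the same inode-table block, so running the comparison per copy and keying results by the copy's `mtime` is one way to present the "version X of file Y" choice the request raises.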