Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Theodore P. <te...@gm...> - 2009-11-22 01:18:10
The drive letter is assigned by the active operating system when you mount the partition. It's not embedded in the partition, so TSK tools don't display it. Given that it's the first NTFS partition, the machine this image came from likely boots from that partition and it's likely assigned letter C:, but to be 100% sure you'd have to examine the Windows Registry in the partition or have booted the machine and observed it. So /Windows/winsxs/Backup likely is C:\Windows\winsxs\Backup.

Another clue is that this inode has a "Links: 2", which I believe means this file is hard linked in two locations within the file system. \Windows\winsxs is special in this regard, as many files underneath are multiply hard linked. See http://blogs.techrepublic.com.com/itdojo/?p=1060

On Sat, Nov 21, 2009 at 6:22 PM, Al Grant <big...@gm...> wrote:
> And ffind:
>
> al@al-ubuntu:~$ sudo ffind -i raw -o 21100544 /dev/sdb 9845-128-4
> /Windows/winsxs/Backup/x86_microsoft-windows-font-truetype-mingliub_31bf3856ad364e35_6.0.6000.16386_none_c6eae5a23b4a0d1e_mingliub.ttc_b8743970
> al@al-ubuntu:~$
>
> A little bit of trouble interpreting this result as it's not a file name and
> path that I am used to seeing. Is it something in
> C:\Windows\winsxs\Backup\????
>
> Cheers
> -Al
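Added example, not part of the thread: a small shell helper that follows Theodore's "Links: 2" hint by reading the hard-link count from istat and then asking ffind for every name that points at the MFT entry, using the same image, offset and inode that Al used. ffind's -a option (print all occurrences) is a real TSK flag; the image path, offset and inode values below are taken from the thread and are assumptions about the analyst's setup.

```shell
# Added example (not from the thread). Same raw image, partition offset and
# NTFS inode as in the ffind call above; adjust for your own case.
IMAGE="/dev/sdb"          # assumption: the raw device/image from the thread
OFFSET="21100544"         # partition offset in sectors, as on the page
INODE="9845-128-4"        # NTFS MFT entry-sequence-attribute id, as on the page

# Read istat output on stdin and print the hard-link count.
# istat prints a "Links: N" line for NTFS entries; print N, or 0 if the
# line is absent (e.g. a non-NTFS file system or truncated output).
link_count_from_istat() {
    awk '/^Links:/ { print $2; found = 1 } END { if (!found) print 0 }'
}

# Print the link count and every path for the inode. ffind without -a stops
# at the first directory entry it finds; -a makes it report all of them,
# which is how both locations of a hard-linked winsxs file become visible.
# The drive letter is still not recoverable from the file system alone.
resolve_inode_names() {
    image="$1"; offset="$2"; inode="$3"
    links=$(istat -i raw -o "$offset" "$image" "$inode" | link_count_from_istat)
    echo "inode $inode has $links link(s); all names found by ffind -a:"
    ffind -a -i raw -o "$offset" "$image" "$inode"
}

# Usage (needs The Sleuth Kit installed and read access to the image):
# resolve_inode_names "$IMAGE" "$OFFSET" "$INODE"
```
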