Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
Brought to you by:
carrier
From: Al G. <big...@gm...> - 2009-11-22 02:02:24
|
Theodore Pham wrote: > > The drive letter is assigned by the active operating system when you > mount the partition. It's not embedded in the partition so TSK tools > don't display it. > > Given that it's the first NTFS partition, the machine this image came > from likely boots from that partition and it's likely assigned letter > C:, but to be 100% sure you'd have to examine the Windows Registry in > the partition or have booted the machine and observed it. > > So /Windows/winsxs/Backup likely is C:\Windows\winsxs\Backup > Ok, I accept at this point that the drive ketter is irrelevant. But what about Name: x86_microsoft-windows-font-truetype-mingliub_31bf3856ad364e35_6.0.6000.16386_none_c6eae5a23b4a0d1e_mingliub.ttc_b8743970 - its quite a long file name, but googling shows that the WinSxS folder does exist. And whats more corruption of it may well result in a failure to boot. Kinda the reason that I am interested in exploring what resides on bad sectors. I am going to continue to experiment in this area :-) Thanks for your detailed instructions Theodore. Cheers -Al -- View this message in context: http://old.nabble.com/icat-and-ifind----Help-with----Please-DO-NOT-hijack-threads-tp26452166p26462205.html Sent from the sleuthkit-users mailing list archive at Nabble.com. |