Re: [sleuthkit-users] BLKLS-like tool to extract NTFS file slack?
From: Gary F. <ga...@in...> - 2010-05-02 02:26:16
On 04/30/10 10:01:29, spencerforhire wrote:
> Hello all,
>
> I'm looking for advice on a tool or method to programmatically extract
> file slack from NTFS volumes... associating the file slack with full
> paths would be great but I'm wondering if it would even be possible to
> simply dump out all the file slack from an entire NTFS volume.

The Sleuthkit 'blkls' command might be worth a try. Something like:

$ blkls -i raw -o 63 -f ntfs -s image.bin > slack.bin

Assuming that you're interested in the first partition on a
conventionally formatted drive (image).
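The `-o 63` in the command above is the starting sector of the partition. As an added example (not part of the original post, and not Sleuth Kit code), the Python below reads that value from the image's MBR partition table and confirms the NTFS boot sector before building the same blkls command. The function names, the 512-byte sector size and the constructed sample image are assumptions made for the illustration.

```python
import shlex
import struct

SECTOR = 512  # assumed sector size for the raw image

def ntfs_offsets(image_path):
    """Return start sectors of MBR partitions that hold an NTFS boot sector."""
    found = []
    with open(image_path, "rb") as img:
        mbr = img.read(SECTOR)
        if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
            raise ValueError("no MBR boot signature (0x55AA) in sector 0")
        for slot in range(4):  # four 16-byte primary entries at offset 446
            entry = mbr[446 + 16 * slot : 446 + 16 * (slot + 1)]
            ptype = entry[4]
            start, count = struct.unpack_from("<II", entry, 8)
            if ptype != 0x07 or count == 0:  # 0x07 is shared by NTFS/exFAT/HPFS
                continue
            # Confirm the NTFS OEM ID at bytes 3..10 of the partition boot sector.
            img.seek(start * SECTOR)
            if img.read(11)[3:11] == b"NTFS    ":
                found.append(start)
    return found

def blkls_slack_command(image_path, start_sector, out_path="slack.bin"):
    """Build the blkls invocation from the post for one partition offset."""
    return (f"blkls -i raw -o {start_sector} -f ntfs -s "
            f"{shlex.quote(image_path)} > {shlex.quote(out_path)}")

def build_sample_image(path, start=63):
    """Write a constructed image: MBR with one 0x07 entry and an NTFS boot sector."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07,
                               b"\0\0\0", start, 4096)
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:11] = b"\xeb\x52\x90NTFS    "  # jump instruction + OEM ID
    with open(path, "wb") as f:
        f.write(mbr)
        f.seek(start * SECTOR)
        f.write(boot)

if __name__ == "__main__":
    import sys
    for sector in ntfs_offsets(sys.argv[1]):
        print(blkls_slack_command(sys.argv[1], sector))
```

Run against a raw disk image, it prints one blkls command per NTFS partition found; a GPT disk, whose protective MBR carries no 0x07 entry, yields no output.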