[sleuthkit-users] Allocated clusters where no corresponding inodes found
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Allocated clusters where no corresponding inodes found
|
From: Lehr, J. <jl...@sl...> - 2010-05-24 22:03:21
|
Hi everyone,
I'm trying to understand an issue I'm finding frequently in the examination of an NTFS file system with MS Vista installed:
I have keyword hits in particular clusters that blkstat reports to be allocated. However, ifind cannot determine what inode has allocated the cluster. Does anyone have an explanation?
$ blkstat -o63 ../images/image_103358.E* 29113862
Cluster: 29113862
Allocated
$ ifind -o63 ../images/image_103358.E* -d 29113862
Inode not found
Thank you,
John
TSK 3.1.2, Ubuntu 10.04
______________________________________
John Lehr
Evidence Technician
San Luis Obispo Police Department
|
