Re: [sleuthkit-users] Allocated clusters where no corresponding inodes found
From: Theodore P. <te...@gm...> - 2010-05-24 22:32:02
I think I've seen this before. If the cluster in question belongs to the $MFT (inode 0), then ifind may not report the inode number. On NTFS, small files are stored resident within the MFT record if they fit. So you may end up with a keyword hit inside $MFT's data blocks. Try running istat against inode 0 and see if your cluster number shows up allocated to it.

On Mon, May 24, 2010 at 6:02 PM, Lehr, John <jl...@sl...> wrote:

> Hi everyone,
>
> I'm trying to understand an issue I'm finding frequently in the examination of an NTFS file system with MS Vista installed:
>
> I have keyword hits in particular clusters that blkstat reports to be allocated. However, ifind cannot determine what inode has allocated the cluster. Does anyone have an explanation?
>
> $ blkstat -o63 ../images/image_103358.E* 29113862
> Cluster: 29113862
> Allocated
>
> $ ifind -o63 ../images/image_103358.E* -d 29113862
> Inode not found
>
> Thank you,
> John
>
> TSK 3.1.2, Ubuntu 10.04
>
> John Lehr
> Evidence Technician
> San Luis Obispo Police Department
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
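The check suggested in the reply above (run istat on inode 0 and look for the cluster in its run list), written up as an added shell example that is not from the thread; the istat output layout it parses and the sample values embedded below are constructed assumptions to verify against your own istat run.

```shell
#!/bin/sh
# Given a TSK "istat ... 0" listing on stdin and a cluster number, print the
# attribute header line ($DATA, $BITMAP, ...) whose non-resident run list
# contains that cluster. Exit 0 if found, 1 if not.
# Assumed layout (TSK 3.x NTFS): a "Type: ..." header followed by lines of
# space-separated cluster numbers belonging to that attribute.
cluster_owner() {
    cluster=$1
    awk -v c="$cluster" '
        /^Type: /  { attr = $0; next }              # remember current attribute
        /^[0-9]+/  { for (i = 1; i <= NF; i++)      # a run-list line
                         if ($i == c) { print attr; found = 1; exit } }
        END        { if (found) exit 0; exit 1 }
    '
}

# Constructed sample of istat output for inode 0 ($MFT), trimmed to the parts
# the parser looks at. Cluster 29113862 (the one from the original question)
# is placed inside the $DATA run so the lookup succeeds.
SAMPLE_ISTAT='MFT Entry Header Values:
Entry: 0        Sequence: 1
Allocated File

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 262144000
786432 786433 786434 786435 786436 786437 786438 786439
29113860 29113861 29113862 29113863
Type: $BITMAP (176-2)   Name: N/A   Non-Resident   size: 8
786431'

# Look a cluster up in the constructed sample. Against a real image you would
# pipe the live listing instead, matching the offset used in the question:
#   istat -o63 ../images/image_103358.E* 0 | cluster_owner 29113862
check_cluster() {
    printf '%s\n' "$SAMPLE_ISTAT" | cluster_owner "$1"
}

check_cluster 29113862
```

A hit on the $DATA attribute of inode 0 means the keyword sits inside the MFT itself, so the next step is locating the MFT record that holds the resident data rather than a separate file.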