Re: [sleuthkit-users] Allocated clusters where no corresponding inodes found
From: Lehr, J. <jl...@sl...> - 2010-05-25 04:23:57
OK, maybe I have an idea on this one, but I'll need someone to confirm (I don't read C too well). blkstat may rely on $Bitmap for the allocation status of an NTFS cluster. But ifind is searching $MFT for the inode that allocates the data. If the bitmap is allocated, but the MFT no longer has a reference, then I get the results I've noted. Could this be correct?

If so, what conditions allow a file to be deleted but the bitmap to continue to show the cluster allocated? This partition shows 34 MB worth of bad clusters in the $BadClus file. Could drive errors explain this?

Thanks,
John

______________________________________
John Lehr
Evidence Technician
San Luis Obispo Police Department

-----Original Message-----
From: Lehr, John [mailto:jl...@sl...]
Sent: Mon 5/24/2010 3:02 PM
To: sle...@li...
Subject: [sleuthkit-users] Allocated clusters where no corresponding inodes found

Hi everyone,

I'm trying to understand an issue I'm finding frequently in the examination of an NTFS file system with MS Vista installed: I have keyword hits in particular clusters that blkstat reports to be allocated. However, ifind cannot determine what inode has allocated the cluster. Does anyone have an explanation?

$ blkstat -o63 ../images/image_103358.E* 29113862
Cluster: 29113862
Allocated

$ ifind -o63 ../images/image_103358.E* -d 29113862
Inode not found

Thank you,
John

TSK 3.1.2, Ubuntu 10.04

______________________________________
John Lehr
Evidence Technician
San Luis Obispo Police Department
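The two lookups described in this thread come from different on-disk structures: blkstat's "Allocated" comes from the $Bitmap file (one bit per cluster), while ifind -d walks the data runs of every MFT entry looking for one that covers the cluster. The toy model below, added here as an illustration and not code from the original post or from The Sleuth Kit, decodes NTFS run lists, builds a cluster-to-inode map, checks a $Bitmap image, and lists "orphan" clusters that the bitmap marks allocated but no MFT entry references, which is exactly the blkstat-allocated / ifind-not-found combination. The MFT entries, run lists and bitmap are constructed sample data; a real investigation would read $Bitmap and the MFT from the image.

```python
"""Toy model of the blkstat-vs-ifind discrepancy on NTFS.

Added example (not TSK code).  All MFT entries and the $Bitmap contents
below are constructed sample data for a 64-cluster volume.
"""


def decode_runlist(data: bytes):
    """Decode an NTFS non-resident run list into a list of (lcn, length).

    Each run starts with a header byte: low nibble = size in bytes of the
    length field, high nibble = size in bytes of the offset field.  The
    offset is a signed delta from the previous run's starting LCN; an
    offset size of 0 marks a sparse run with no clusters on disk (lcn is
    None).  A 0x00 header byte terminates the list.
    """
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos] != 0:
        header = data[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError(f"truncated or malformed run at byte {pos - 1}")
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))  # sparse run
            continue
        lcn += int.from_bytes(data[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs


def build_cluster_map(mft_runlists):
    """Map each on-disk cluster to the MFT entry whose data runs cover it."""
    owner = {}
    for inode, runlist in mft_runlists.items():
        for lcn, length in decode_runlist(runlist):
            if lcn is None:
                continue  # sparse: nothing on disk to own
            for c in range(lcn, lcn + length):
                owner[c] = inode
    return owner


def bitmap_allocated(bitmap: bytes, cluster: int) -> bool:
    """$Bitmap check (what blkstat reports): bit n = cluster n, LSB first."""
    return bool((bitmap[cluster >> 3] >> (cluster & 7)) & 1)


def find_owner(owner, cluster):
    """MFT-side lookup (what ifind -d reports): None means 'Inode not found'."""
    return owner.get(cluster)


def orphan_clusters(bitmap, owner, total_clusters):
    """Clusters marked allocated in $Bitmap that no MFT entry references."""
    return [c for c in range(total_clusters)
            if bitmap_allocated(bitmap, c) and c not in owner]


def build_bitmap(total_clusters, allocated):
    """Construct a $Bitmap image with the given clusters marked allocated."""
    bm = bytearray((total_clusters + 7) // 8)
    for c in allocated:
        bm[c >> 3] |= 1 << (c & 7)
    return bytes(bm)


# Constructed sample MFT: entry number -> raw run list bytes.
SAMPLE_MFT = {
    5: bytes.fromhex("11041000"),        # LCN 16, 4 clusters (16..19)
    6: bytes.fromhex("11022000"),        # LCN 32, 2 clusters (32..33)
    7: bytes.fromhex("1101301101f800"),  # LCN 48 len 1, then delta -8 -> LCN 40 len 1
}

# Constructed $Bitmap: the clusters those entries own, plus 42 and 43 whose
# owning entry no longer exists in the MFT (the orphan case from the thread).
SAMPLE_BITMAP = build_bitmap(64, [16, 17, 18, 19, 32, 33, 40, 42, 43, 48])


def check_cluster(cluster, bitmap=SAMPLE_BITMAP, mft=SAMPLE_MFT):
    """Return (allocated_per_bitmap, owning_inode_or_None) for one cluster."""
    return bitmap_allocated(bitmap, cluster), find_owner(build_cluster_map(mft), cluster)


if __name__ == "__main__":
    owner = build_cluster_map(SAMPLE_MFT)
    for c in (18, 42):
        state = "Allocated" if bitmap_allocated(SAMPLE_BITMAP, c) else "Unallocated"
        print(f"cluster {c}: bitmap={state}, inode={owner.get(c, 'not found')}")
    print("orphans:", orphan_clusters(SAMPLE_BITMAP, owner, 64))
```

Cluster 18 resolves to entry 5 on both sides, while cluster 42 is allocated per the bitmap but has no owner, the same pattern as the blkstat/ifind output quoted above. On a real image the orphan list is the set of clusters worth carving or cross-checking against $BadClus and the journal, since neither tool alone can say why the bitmap bit and the MFT disagree.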