Re: [sleuthkit-developers] unique identifier for TSK_FS_NAME
From: Brian C. <ca...@sl...> - 2010-07-27 17:24:11
On Jul 21, 2010, at 11:12 PM, Jon Stewart wrote:

> The primary use case is to have an identifier that uniquely identifies
> a TSK_FS_NAME record, which ideally would be compact and stable-ish
> (if the fs interpretation changed slightly, most records would be
> unaffected). The secondary use case is to give folks a pointer to
> where the relevant record may be on disk (e.g., MFT record), while
> obviously making allowances for filesystem variations.
>
> My understanding is that a path may not be unique as a
> deleted&recoverable file may have the same path as an allocated file.
> There would be separate TSK_FS_NAME records but they'd have the same
> paths. (Please correct me if I'm mistaken in how tsk handles this
> situation.)

TSK will de-duplicate files if they have the same name and metadata address. So, yes an allocated file and a deleted file could have the same name if they refer to different metadata structures.

> What I'd propose is an unsigned int in the TSK_FS_NAME struct, which
> would hold the byte offset of the record on disk, thereby
> distinguishing it. Not sure what to put for orphan files, but those
> are easy enough to determine, and we know they can be identified
> uniquely via the metadata address (right?). When in doubt, MAX_INT.

I suppose we could also just use the address of the metadata structure as long as it is clear to the user that this is to be treated only as a unique identifier and not as the offset to the name.

Can you add this to the feature request tracker?

http://sourceforge.net/tracker/?atid=477892&group_id=55685

thanks,
brian