[sleuthkit-developers] [ sleuthkit-Bugs-3031168 ] Problem with Ext3 recovered files and directories
From: SourceForge.net <no...@so...> - 2010-08-13 16:21:43
Bugs item #3031168, was opened at 2010-07-18 04:27
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3031168&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System Tools
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Private: No
Submitted By: Negin Ahmadian (negin99)
Assigned to: Nobody/Anonymous (nobody)
Summary: Problem with Ext3 recovered files and directories

Initial Comment:
Hi!
I tried TSK with a test image of 4.9MB Ext3 file system. This image has five deleted files and two directories (see attached Excel file for files' description). The files range from single block files to multiple blocks. No data structures were also modified. They were created in Fedora 8.0, deleted in Fedora 8.0 and imaged in Fedora 8.0. After deletion, size of all the deleted files becomes 0 and they will not be accessible. (CR01-1 picture shows what happens, there is no link available for dir1!)
I tried FAT images and it seems that they work fine. All of the deleted files could be recovered after deletion.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2010-08-13 11:21

Message:
Different file systems have different ways of deleting files. With Ext3, the pointers to the file content and the file size are wiped. With FAT, many of the pointers are wiped, but the first pointer isn't and the size isn't. So, recovery is sometimes possible with FAT, but it isn't with Ext3 if you want to rely only on file system data. Ext3 requires either using the journal or file carving techniques. TSK doesn't use these recovery techniques.
----------------------------------------------------------------------
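To illustrate the difference described in the comment above (an added example, not part of the original tracker thread and not TSK code): the sketch below parses a constructed deleted Ext3 inode and a constructed deleted FAT directory entry and reports what recovery metadata survives in each. The function names, the byte samples, the 2048-byte cluster size and the contiguous-cluster guess are assumptions of this example.

```python
import struct

def ext3_inode_info(inode: bytes) -> dict:
    """What a 128-byte ext2/ext3 on-disk inode still says about file content."""
    size, = struct.unpack_from("<I", inode, 4)        # i_size (low 32 bits)
    dtime, = struct.unpack_from("<I", inode, 20)      # i_dtime, set when deleted
    links, = struct.unpack_from("<H", inode, 26)      # i_links_count
    pointers = [b for b in struct.unpack_from("<15I", inode, 40) if b]  # i_block[]
    return {"deleted": dtime != 0 and links == 0, "size": size,
            "pointers": pointers,
            "recoverable": size > 0 and bool(pointers)}

def fat_dirent_info(entry: bytes, cluster_size: int) -> dict:
    """What a 32-byte FAT directory entry still says about file content."""
    hi, = struct.unpack_from("<H", entry, 20)         # first cluster, high word
    lo, = struct.unpack_from("<H", entry, 26)         # first cluster, low word
    size, = struct.unpack_from("<I", entry, 28)       # file size in bytes
    first = (hi << 16) | lo
    count = -(-size // cluster_size)                  # ceiling division
    # Assumption: the rest of the chain is gone, so guess a contiguous run.
    guess = list(range(first, first + count)) if first >= 2 else []
    return {"deleted": entry[0] == 0xE5, "size": size,
            "first_cluster": first, "guessed_clusters": guess,
            "recoverable": size > 0 and bool(guess)}

def constructed_ext3_inode() -> bytes:
    """Constructed sample: regular-file inode in the state the reply describes."""
    inode = bytearray(128)                            # size, links, i_block all zero
    struct.pack_into("<H", inode, 0, 0o100644)        # i_mode: regular file
    struct.pack_into("<I", inode, 20, 1279427220)     # i_dtime (constructed value)
    return bytes(inode)

def constructed_fat_entry() -> bytes:
    """Constructed sample: deleted 8.3 entry, first cluster 5, size 5000 bytes."""
    entry = bytearray(32)
    entry[0:11] = b"\xe5ILE1   TXT"                   # 0xE5 marks a deleted entry
    struct.pack_into("<H", entry, 26, 5)
    struct.pack_into("<I", entry, 28, 5000)
    return bytes(entry)

if __name__ == "__main__":
    print("ext3:", ext3_inode_info(constructed_ext3_inode()))
    print("FAT: ", fat_dirent_info(constructed_fat_entry(), cluster_size=2048))
```

The contiguous guess fails for fragmented files, which matches the reply's "sometimes possible" for FAT.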