[sleuthkit-developers] [ sleuthkit-Feature Requests-3178368 ] handle multiple $FILE_NAME attr
From: SourceForge.net <no...@so...> - 2011-02-11 15:13:04
Feature Requests item #3178368, was opened at 2011-02-11 15:13
Message generated for change (Tracker Item Submitted) made by prosaic
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3178368&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: prosaic (prosaic)
Assigned to: Nobody/Anonymous (nobody)
Summary: handle multiple $FILE_NAME attr

Initial Comment:
In NTFS, an inode can have multiple $FILE_NAME attributes. This usually occurs with just long and short file names if the system needs/wants to keep an 8.3 compatible file name, but can also happen if the system creates a hard link giving that inode a new name in a new directory.

Also, as times in $FILE_NAME attributes are only updated if that attribute was updated, it is possible for the times in each $FILE_NAME to be different, giving further clues as to actions taken on that file.

It would be very handy if istat parsed and displayed all of the $FILE_NAME attributes instead of just the first one, so that we could see the name, parent inode, and times associated with the others as well.
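The behaviour requested above, as an added example that is not part of the tracker message or of The Sleuth Kit's istat code: a Python sketch that walks one MFT record and reports every $FILE_NAME attribute with its name, parent entry and timestamps. It assumes a record whose fixups have already been applied and resident attributes only; `parse_file_names`, `build_sample_record` and the sample names, parents and times are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILE_NAME, END = 0x30, 0xFFFFFFFF                        # attribute type, end-of-attributes marker
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32+DOS"}

def filetime(ticks):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_file_names(record):
    """Return every resident $FILE_NAME attribute found in one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT record")
    off = struct.unpack_from("<H", record, 20)[0]        # offset of first attribute
    names = []
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen < 24 or off + alen > len(record):
            break                                        # end marker or corrupt length
        if atype == FILE_NAME and record[off + 8] == 0:  # resident form only
            c = off + struct.unpack_from("<H", record, off + 20)[0]
            parent, cr, mod, mft, acc = struct.unpack_from("<5Q", record, c)
            nlen, ns = struct.unpack_from("<BB", record, c + 64)
            names.append({
                "name": record[c + 66:c + 66 + 2 * nlen].decode("utf-16-le"),
                "namespace": NAMESPACES.get(ns, ns),
                "parent": parent & 0xFFFFFFFFFFFF,       # low 48 bits = parent MFT entry
                "created": filetime(cr), "modified": filetime(mod),
                "mft_modified": filetime(mft), "accessed": filetime(acc)})
        off += alen
    return names

def build_sample_record():
    """Constructed record: long name, 8.3 name, and a later hard link."""
    t0 = 129_000_000_000_000_000                         # constructed FILETIME value
    rec = bytearray(b"FILE" + bytes(16) + struct.pack("<H", 56) + bytes(34))
    for parent, name, ns, t in [(64, "quarterly report.docx", 1, t0),
                                (64, "QUARTE~1.DOC", 2, t0),
                                (99, "linked.docx", 1, t0 + 36_000_000_000)]:
        body = struct.pack("<5Q2Q2IBB", (3 << 48) | parent, t, t, t, t,
                           0, 0, 0, 0, len(name), ns) + name.encode("utf-16-le")
        size = (24 + len(body) + 7) & ~7                 # attributes are 8-byte aligned
        head = struct.pack("<IIBBHHHIHBB", FILE_NAME, size, 0, 0, 0, 0, 0, len(body), 24, 1, 0)
        rec += (head + body).ljust(size, b"\0")
    rec += struct.pack("<II", END, 0)
    return bytes(rec)

if __name__ == "__main__":
    for fn in parse_file_names(build_sample_record()):
        print(fn["namespace"], fn["parent"], fn["created"].isoformat(), fn["name"])
```

In the sample, the third name carries a different parent entry and a creation time one hour later than the first two, which is the hard-link case the request describes.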