[sleuthkit-developers] Question about resident files & tsk_loaddb
From: Andrew C. <at...@gm...> - 2011-11-11 06:25:12
Hello,

I was writing as I am attempting to write a script that can take an offset in a partition, such as the location of a file found by Scalpel, and then automatically determine which file in the filesystem it belongs to (if any). My algorithm is to get the partition offset, divide by the block size (to get the block number), and use this as the starting block in tsk_fs_blocks, and then use that information to query in tsk_fs_files.

This works very well except for the case of small (resident) files that are stored in the MFT. For these files, the resulting report, which lists the file names, says that the hit was found in the MFT instead of the actual file. I looked into the issue and it seems that no tsk_fs_blocks row is created for resident files.

So I am kind of stuck at this point.... I don't see a way using only the information in tsk_loaddb to handle this situation, and would greatly appreciate any pointers...

Thanks,
Andrew