[sleuthkit-developers] [ sleuthkit-Feature Requests-3436562 ] New DB to support resident files
From: SourceForge.net <no...@so...> - 2011-11-11 15:46:26
Feature Requests item #3436562, was opened at 2011-11-11 07:46
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3436562&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Auto
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: New DB to support resident files

Initial Comment:
It would be nice if the new DB schema would allow queries to map resident files to their file. fs_file_layout is byte-oriented, so this could work if TSK provided the specific byte-offset of resident files (a request that has come up a few times before).

The challenge is that the same byte sequence would be in fs_file_layout twice. Once for $MFT and another for the resident file... This could be confusing. But, it is also possible for there to be multiple overlapping carved files, so perhaps there isn't a requirement that fs_file_layout have only one entry for a given byte sequence.