Re: [sleuthkit-users] (no subject)
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] (no subject)
|
From: Stefan K. <sk...@bf...> - 2012-03-20 11:24:00
|
Judson, > The reason for this (the long answer) is that HFS+ does not use a > mark-as-deleted system for deleting files. In HFS+, both file metadata and > the disk's entire directory structure are stored in a b-tree file, the > Catalog B-Tree. (Technically, in the leaf nodes of the b-tree.) When files > [...] Thanks a lot for sharing that information. Do you have a source for that info, or to put it differently, are there any (current) forensics books on HFS+? Cheers, Stefan. -- Stefan Kelm <sk...@bf...> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstrasse 100 Tel: +49-721-96201-1 D-76133 Karlsruhe Fax: +49-721-96201-99 |
