Re: [sleuthkit-users] (no subject)
From: Greg F. <gre...@gm...> - 2012-03-20 11:37:41
http://www.dfrws.org/2008/proceedings/p76-burghardt.pdf

On Mar 20, 2012 7:25 AM, "Stefan Kelm" <sk...@bf...> wrote:
> Judson,
>
> > The reason for this (the long answer) is that HFS+ does not use a
> > mark-as-deleted system for deleting files. In HFS+, both file metadata and
> > the disk's entire directory structure are stored in a b-tree file, the
> > Catalog B-Tree. (Technically, in the leaf nodes of the b-tree.) When files
> > [...]
>
> Thanks a lot for sharing that information. Do you have a source for that
> info, or to put it differently, are there any (current) forensics books
> on HFS+?
>
> Cheers,
>
> Stefan.
>
> --
> Stefan Kelm <sk...@bf...>
> BFK edv-consulting GmbH http://www.bfk.de/
> Kriegsstrasse 100 Tel: +49-721-96201-1
> D-76133 Karlsruhe Fax: +49-721-96201-99
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org