[sleuthkit-users] icat -s and resident files
From: Andrew C. <at...@gm...> - 2012-07-29 19:14:00
Hello,

I am confused about how 'icat -s' treats resident files. I was testing the -s flag with NTFS, and for resident files, it did not pull any "slack space" out. From my testing it seems like once the file data starts ($DATA) that it will always have until the end of the MFT entry to occupy.

Is there a reason that with '-s' that icat cannot simply just recover from the beginning of $DATA until the end of the MFT entry? Is there a way to do this that I missed? I had to resort to manually pulling out an MFT entry with 'dd' in order to get the slack space out (this required calculations with fsstat and istat).

Thanks,
Andrew
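An added example, not part of the original message and not Sleuth Kit code: given one MFT entry already carved out of the image (the 'dd' step described above), this Python applies the NTFS fixups, finds the unnamed resident $DATA attribute, and returns its content plus every byte from the end of that content to the end of the entry. The function names, the 512-byte fixup stride and the sample entry are assumptions constructed for illustration.

```python
import struct

SECTOR = 512                    # assumed fixup stride (bytes per sector)
DATA, END = 0x80, 0xFFFFFFFF    # $DATA attribute type, end-of-attributes marker

def apply_fixups(entry: bytes) -> bytearray:
    """Restore the last two bytes of each sector from the update sequence array."""
    buf = bytearray(entry)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        tail = i * SECTOR - 2
        if buf[tail:tail + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[tail:tail + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf

def resident_data_and_tail(entry: bytes):
    """Return (content, tail): resident $DATA bytes and everything after them in the entry."""
    if entry[:4] != b"FILE":
        raise ValueError("not an MFT entry")
    buf = apply_fixups(entry)
    # first attribute offset, (flags skipped), used size, allocated size
    off, _used, alloc = struct.unpack_from("<HxxII", buf, 0x14)
    while off + 8 <= min(alloc, len(buf)):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == END or alen == 0:
            break
        if atype == DATA and buf[off + 9] == 0:        # name length 0 = unnamed stream
            if buf[off + 8]:                           # non-resident flag
                raise ValueError("$DATA is non-resident; content is not in the entry")
            clen, coff = struct.unpack_from("<IH", buf, off + 0x10)
            start = off + coff
            # tail = attribute padding, any later attributes, end marker, unused bytes
            return bytes(buf[start:start + clen]), bytes(buf[start + clen:alloc])
        off += alen
    raise ValueError("no unnamed $DATA attribute")

def build_sample_entry() -> bytes:
    """Constructed 1024-byte entry: resident $DATA 'hello' with stale bytes after it."""
    e = bytearray(1024)
    struct.pack_into("<4sHH", e, 0, b"FILE", 0x30, 3)      # signature, USA offset/count
    struct.pack_into("<HHII", e, 0x14, 0x38, 1, 0x60, 1024)  # attr offset, flags, used, alloc
    struct.pack_into("<IIBBHHH", e, 0x38, DATA, 0x20, 0, 0, 0x18, 0, 0)
    struct.pack_into("<IH", e, 0x48, 5, 0x18)              # content length, content offset
    e[0x50:0x55] = b"hello"
    struct.pack_into("<I", e, 0x58, END)
    e[0x60:0x6C] = b"OLD-CONTENTS"                         # stale data past the used size
    e[0x32:0x34] = b"ZZ"                                   # real sector-0 tail, saved in USA
    for pos in (0x30, 510, 1022): e[pos:pos + 2] = b"\x01\x00"  # USN as stored on disk
    return bytes(e)
```

The input is the raw entry only; locating it in the image still needs the MFT start and entry size from fsstat, as the message describes.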