Re: [sleuthkit-users] icat -s and resident files
From: Brian C. <ca...@sl...> - 2012-07-30 18:14:27
Hey Andrew,

MFT slack is a hard question about how to represent. Consider these scenarios:

- You have two $DATA attributes. The final one in sorted order would have the slack and the first one wouldn't. Not entirely bad, but also not deterministic from the user in terms of when to expect slack or not.
- You have an Attribute List attribute with extended MFT entries. In that case, each extended MFT entry could have its own slack space. Where do you assign those?

I agree that there should be a better way to get MFT slack space, but I'm not sure if adding it onto a $DATA attribute is the best... We could also make a fake attribute that occupies the unused space (like we do for volumes).

brian

On Jul 29, 2012, at 3:13 PM, Andrew Case wrote:

> Hello,
>
> I am confused about how 'icat -s' treats resident files. I was testing the -s flag with NTFS, and for resident files, it did not pull any "slack space" out. From my testing it seems like once the file data starts ($DATA) that it will always have until the end of the MFT entry to occupy.
>
> Is there a reason that with '-s' that icat cannot simply just recover from the beginning of $DATA until the end of the MFT entry? Is there a way to do this that I missed? I had to resort to manually pulling out an MFT entry with 'dd' in order to get the slack space out (this required calculations with fsstat and istat).
>
> Thanks,
> Andrew
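The two ways of carving MFT slack discussed in the thread, as an added example that is not part of the original messages or of The Sleuth Kit: it builds a constructed 1024-byte FILE record with two resident $DATA attributes (the unnamed stream and a named one), walks the attribute headers to the 0xFFFFFFFF terminator, and contrasts "everything after the last attribute" (Brian's fake-attribute view) with "from a $DATA attribute's content to the end of the entry" (Andrew's dd approach). The record header is simplified and update-sequence fixups are not modelled.

```python
import struct

DATA_ATTR, END_MARKER = 0x80, 0xFFFFFFFF

def build_attr(atype: int, content: bytes, name: str = "") -> bytes:
    """Constructed resident attribute: 24-byte header, optional UTF-16LE name, 8-byte aligned."""
    name_b = name.encode("utf-16-le")
    content_off = 0x18 + len(name_b)
    content_off += (-content_off) % 8
    total = content_off + len(content)
    total += (-total) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0,
                      len(content), content_off, 0, 0)
    body = hdr + name_b
    body += b"\x00" * (content_off - len(body)) + content
    return body + b"\x00" * (total - len(body))

def build_record(attrs: list, slack: bytes, size: int = 1024) -> bytes:
    """Constructed FILE record: 0x38-byte header (fixups not modelled), attributes, terminator, slack."""
    body = b"".join(attrs) + struct.pack("<I", END_MARKER)
    used = 0x38 + len(body)   # 'used size' field, as istat reports it
    hdr = b"FILE" + struct.pack("<HHQHHHHII", 0x30, 3, 0, 1, 1, 0x38, 1, used, size)
    rec = hdr + b"\x00" * (0x38 - len(hdr)) + body + slack
    return rec + b"\x00" * (size - len(rec))

def parse_attributes(record: bytes):
    """Walk attribute headers from the first-attribute offset; return (attributes, terminator offset)."""
    off = struct.unpack_from("<H", record, 0x14)[0]
    attrs = []
    while struct.unpack_from("<I", record, off)[0] != END_MARKER:
        atype, length, nonres, name_len, name_off = struct.unpack_from("<IIBBH", record, off)
        name = record[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")
        entry = {"type": atype, "name": name, "resident": nonres == 0}
        if not nonres:
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            entry["content_offset"] = off + coff
            entry["content"] = record[off + coff: off + coff + clen]
        attrs.append(entry)
        off += length
    return attrs, off

def mft_slack(record: bytes) -> bytes:
    """Brian's 'fake attribute' view: the unused tail after the terminator, whichever $DATA it follows."""
    _, marker = parse_attributes(record)
    return record[marker + 4:]

def data_to_end(record: bytes, which: int = 0) -> bytes:
    """Andrew's approach: from one $DATA attribute's content to the end of the entry.
    With two $DATA attributes, the first one's 'slack' swallows the second stream entirely."""
    attrs, _ = parse_attributes(record)
    data = [a for a in attrs if a["type"] == DATA_ATTR]
    return record[data[which]["content_offset"]:]

SLACK = b"OLD-RESIDENT-CONTENT-LEFT-BEHIND"                      # constructed leftover bytes
RECORD = build_record([build_attr(DATA_ATTR, b"hello"),
                       build_attr(DATA_ATTR, b"alt stream", name="ads")], SLACK)
```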