Re: [sleuthkit-users] icat -s and resident files
From: Andrew C. <at...@gm...> - 2012-07-30 22:39:11

Hello again,

Thanks for the response, and I assumed my testing would miss more complicated cases like those that you listed, which is why I wanted to ask about it. I think the fake attribute sounds like a great idea, assuming it wouldn't break other processing. I would be happy to perform any beta testing of that feature in the future if needed.

Thanks,
Andrew

On Mon, Jul 30, 2012 at 1:14 PM, Brian Carrier <ca...@sl...> wrote:
> Hey Andrew,
>
> MFT slack is a hard question about how to represent. Consider these
> scenarios:
> - You have two $DATA attributes. The final one in sorted order would have
> the slack and the first one wouldn't. Not entirely bad, but also not
> deterministic from the user in terms of when to expect slack or not.
> - You have an Attribute List attribute with extended MFT entries. In that
> case, each extended MFT entry could have its own slack space. Where do you
> assign those?
>
> I agree that there should be a better way to get MFT slack space, but I'm
> not sure if adding it onto a $DATA attribute is the best... We could also
> make a fake attribute that occupies the unused space (like we do for
> volumes).
>
> brian
>
>
> On Jul 29, 2012, at 3:13 PM, Andrew Case wrote:
>
> > Hello,
> >
> > I am confused about how 'icat -s' treats resident files. I was testing
> > the -s flag with NTFS, and for resident files, it did not pull any
> > "slack space" out. From my testing it seems like once the file data
> > starts ($DATA) that it will always have until the end of the MFT entry
> > to occupy.
> >
> > Is there a reason that with '-s' icat cannot simply just recover
> > from the beginning of $DATA until the end of the MFT entry? Is there a
> > way to do this that I missed? I had to resort to manually pulling out
> > an MFT entry with 'dd' in order to get the slack space out (this
> > required calculations with fsstat and istat).
> >
> > Thanks,
> > Andrew
> >
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
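An added example (not code from the thread or from The Sleuth Kit) of the manual extraction Andrew describes: given a raw 1024-byte MFT entry carved with dd, undo the update-sequence fixups, walk the attributes to the resident $DATA stream, and return everything from the end of its content to the end of the allocated entry. Offsets follow the on-disk NTFS FILE record and attribute header layout; the sample record is constructed inline and the `name` argument (which picks one of several $DATA streams) is this example's own convention.

```python
import struct
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF   # $DATA type, end-of-attributes marker

def apply_fixups(rec: bytes) -> bytearray:
    # Undo the update sequence: each sector-end word holds the USN; originals sit in the USA.
    buf = bytearray(rec)
    usa_off, usa_len = struct.unpack_from("<HH", buf, 4)
    for i in range(1, usa_len):
        pos = i * 512 - 2
        if buf[pos:pos + 2] != buf[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        buf[pos:pos + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf

def resident_data_slack(rec: bytes, name: str = ""):
    # Bytes from the end of the resident $DATA content (stream `name`) up to the
    # end of the allocated MFT entry; None if there is no such resident stream.
    buf = apply_fixups(rec)
    if buf[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    (off,) = struct.unpack_from("<H", buf, 0x14)          # first attribute offset
    used, alloc = struct.unpack_from("<II", buf, 0x18)
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == ATTR_END or alen == 0:
            break
        nonres, nlen, noff = struct.unpack_from("<BBH", buf, off + 8)
        aname = buf[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        if atype == ATTR_DATA and nonres == 0 and aname == name:
            clen, coff = struct.unpack_from("<IH", buf, off + 0x10)
            return bytes(buf[off + coff + clen:alloc])
        off += alen
    return None

def build_sample_record() -> bytes:
    # Constructed 1024-byte entry: resident unnamed $DATA b"hello", stale bytes, USN fixups.
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)                # USA at 0x30: USN + 2 sectors
    struct.pack_into("<HHII", rec, 0x14, 0x38, 1, 0x60, 0x400)  # 1st attr, flags, used, alloc
    struct.pack_into("<IIBBHHH", rec, 0x38, ATTR_DATA, 0x20, 0, 0, 0x18, 0, 1)
    struct.pack_into("<IH", rec, 0x48, 5, 0x18)             # content length, content offset
    rec[0x50:0x55] = b"hello"
    struct.pack_into("<I", rec, 0x58, ATTR_END)
    rec[0x60:0x400] = (b"STALE" * 200)[:0x400 - 0x60]      # leftover data = MFT slack
    struct.pack_into("<H", rec, 0x30, 7)                    # USN = 7
    for i in (1, 2):                                        # save sector-end words, stamp USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        struct.pack_into("<H", rec, i * 512 - 2, 7)
    return bytes(rec)
```

The returned region also contains the end marker and any attributes that follow $DATA, which is the representation problem Brian raises: with two $DATA streams, only the one you measure from gets the slack.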