Re: [sleuthkit-users] Question about TASK
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Question about TASK
|
From: Brian C. <bca...@at...> - 2002-09-17 20:00:29
|
Skip Duckwall - TXDC Sysadmin (Tue, Sep 17, 2002 at 02:34:35PM -0500): > During some security reading that I am fond of doing avery now and > again, I found in phrack# 59 this article > http://www.phrack.com/show.php?p=59&a=6 > which talks about using the bad block inode to hide data that > conventional tools such as TCT and TASK cannot locate. I was wondering > if this had been fixed or even read by the maintainers of TASK... It was actually never a problem with TASK. The design from TCT was changed when NTFS was introduced because NTFS starts with MFT entry 0 and the root directory is #5. So, the other file systems were changed in the process. > I was > also wondering if there was planned support for some of the new > filesystems that are available on linux, such as ext3, xfs, jfs, etc (or > veritas support for that matter).. ext3 is sort of supported. It it is the same on-disk structure as ext2, just the addition of the journal. There is currently no support to dump the journal contents in an intelligent mannor though. Additional file systems depend on available time... brian |
