[sleuthkit-users] A few NTFS questions
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] A few NTFS questions
|
From: Chris B. <ch...@cc...> - 2003-02-10 15:14:03
|
I'm a little confused about fls' output regarding ntfs partitions, I get lots of records with duplicate inode numbers with (realloc) appended to the inode number. Where is the (ralloc'ed) meta data comming from? I'd have thought the allocated file's metadata would have replaced the realloc'ed one. Is it safe to ignore the realloc entries? On ntfs drives fls generates records that look like: /+ r/- * 0: deletedregularfile/ Inode 0 is the MFT on a ntfs drive so I assume inode 0 in this case indicates the file has no inode surely this means the inode doesn't have a file either! Can these entries be ignored also? Thanks for a great set of tools! Chris B |
