Re: [sleuthkit-users] using sorter to recover files from unallocated inodes, not just removed ones
From: Brian C. <ca...@sl...> - 2003-07-11 03:36:52
> Using ils and icat (ver 1.62) on an NTFS partition image I was able to
> identify and recover an additional 20 files that sorter did not
> automatically bring back.
>
> It seems that since sorter's call to "fls -rp" doesn't see these "lost"
> files, sorter won't try to retrieve them from the output of ils. It would be
> great to be able to recover these unallocated inodes en masse with sorter in
> the same way that removed inodes are handled.

How are you defining unallocated inodes versus removed inodes? Did you mean removed files?

> Before I go further, is this possible within the current structure of
> sorter, or will a different approach be needed?

I'm not quite sure what you are looking for. What inodes did you identify using 'ils' that 'sorter' did not find? 'sorter' runs 'ils -m' on the image to identify the unallocated used inodes. The same code processes the 'ils' file as the 'fls' files (except extension checks aren't done ...).

The last issue of The Sleuth Kit Informer gives a detailed design overview of 'sorter' if you are interested:

http://www.sleuthkit.org/informer/sleuthkit-informer-5.html#internals

brian