Re: [sleuthkit-users] Extract data stream from ext2 directory
From: Brian C. <ca...@sl...> - 2003-10-19 15:11:04
On Saturday, October 18, 2003, at 05:56 PM, SecMan wrote:

> I am analyzing a dd of an ext2 (linux) file system that has a "hidden" data
> stream in a subordinate directory (/adir)
> after the file names contained in the directory there is a bunch of data -
> how can I extract it for further analysis?

Do you mean that after the directory entries in the directory fragments that there is data that you are interested in? I've never heard of that before. How do you know it is there?

Well, if it is the case that it follows the directory entries, then find out the inode number of the directory (it should be the same inode as the '.' entry) within '/adir'. Then use 'icat' or the Meta Data mode of autopsy and plug in that address. You'll have to parse out the directory entries from the data block, but your data should be there.

brian
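
The parsing step described in the reply, as an added example that is not part of the original message or of The Sleuth Kit: it walks the ext2 directory entries in one block of the directory content saved from `icat` and returns any non-zero bytes left between entries. The function names, the 1024-byte block size and the sample block are assumptions made for illustration; a multi-block directory is split into blocks by the caller.

```python
import struct

PAYLOAD = b"constructed hidden payload"  # constructed sample data

def parse_dir_block(block):
    """Walk the ext2 directory entries in one directory block.

    Returns (entries, slack): entries is a list of (inode, name); slack is a
    list of (offset, data) for non-zero bytes found between the end of an
    entry's padded name and the start of the next entry.
    """
    entries, slack = [], []
    off = 0
    while off + 8 <= len(block):
        # inode (4), rec_len (2), name_len (1), file_type (1), little-endian.
        # Old ext2 revisions use a 2-byte name_len; its high byte is zero.
        inode, rec_len, name_len, _ftype = struct.unpack_from("<IHBB", block, off)
        # Space the entry really needs: header + name, rounded up to 4 bytes.
        used = 8 if inode == 0 else (8 + name_len + 3) & ~3
        if rec_len % 4 or rec_len < used or off + rec_len > len(block):
            slack.append((off, block[off:]))  # corrupt entry: keep raw remainder
            break
        if inode:
            name = block[off + 8:off + 8 + name_len]
            entries.append((inode, name.decode("latin-1")))
        # Trailing zero padding is trimmed; the offset still marks the start.
        tail = block[off + used:off + rec_len].rstrip(b"\x00")
        if tail:
            slack.append((off + used, tail))
        off += rec_len
    return entries, slack

def _entry(inode, rec_len, name, ftype):
    """Build one directory entry, zero-padded to rec_len (sample data only)."""
    raw = struct.pack("<IHBB", inode, rec_len, len(name), ftype) + name
    return raw.ljust(rec_len, b"\x00")

def sample_block():
    """Constructed 1024-byte directory block with data after the last name."""
    blk = bytearray(_entry(12, 12, b".", 2) + _entry(2, 12, b"..", 2)
                    + _entry(13, 1000, b"notes.txt", 1))
    blk[44:44 + len(PAYLOAD)] = PAYLOAD
    return bytes(blk)

if __name__ == "__main__":
    names, hidden = parse_dir_block(sample_block())
    print(names)
    print(hidden)
```

Bytes reported as slack are not necessarily planted data: ext2 deletes an entry by extending the previous entry's `rec_len` over it, so remnants of deleted file names commonly show up in the same place.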