Re: [sleuthkit-users] File attributes on a Linux second extended file system
From: Brian C. <ca...@sl...> - 2004-01-09 22:25:22
On Friday, January 9, 2004, at 04:44 PM, McMillon, Matt wrote:

> I have a file that I believe was deleted after setting chattr +s on it.
> Is there any way to confirm this?

You can look for a fragment that has all zeros in it .. :)

> Some scripts were found that show
> that the user knew how to do this, but can't confirm that it was done
> on
> a particular file.

If you have an older version of Linux where the block pointers are not wiped, then you can see if the file points to blocks that have zeros. If you can figure out the inode that the file used, then you can try 'istat' or the Meta Data mode of Autopsy and see if it says "Secure Delete". I'm not sure if the attribute flags are cleared when the file is deleted.

brian
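The two checks described in the reply (the secure-delete attribute in the inode and zero-filled blocks behind its pointers), as an added example that is not part of the original message or of The Sleuth Kit. It assumes a raw 128-byte little-endian ext2 inode has already been extracted, a 1024-byte block size, and direct block pointers only; the function names and the sample image are constructed for illustration.

```python
import struct

EXT2_SECRM_FL = 0x00000001  # 's' attribute (chattr +s) bit in the inode's i_flags

def parse_inode(raw):
    """Decode the fields of a 128-byte ext2 on-disk inode that matter here."""
    dtime, = struct.unpack_from("<I", raw, 20)    # i_dtime: deletion time
    flags, = struct.unpack_from("<I", raw, 32)    # i_flags: chattr attributes
    blocks = struct.unpack_from("<12I", raw, 40)  # direct pointers in i_block
    return {"dtime": dtime,
            "secure_delete": bool(flags & EXT2_SECRM_FL),
            "direct_blocks": [b for b in blocks if b]}

def zeroed_blocks(image, block_size, block_numbers):
    """Return the block numbers whose contents are entirely zero bytes."""
    zero = bytes(block_size)
    return [b for b in block_numbers
            if image[b * block_size:(b + 1) * block_size] == zero]

def assess(raw_inode, image, block_size=1024):
    """Combine both checks: attribute flag set, and every pointed-to block zero."""
    info = parse_inode(raw_inode)
    info["zeroed"] = zeroed_blocks(image, block_size, info["direct_blocks"])
    info["all_zeroed"] = (bool(info["direct_blocks"])
                          and info["zeroed"] == info["direct_blocks"])
    return info

def build_sample():
    """Constructed test data: an 8-block image and one deleted inode."""
    bs = 1024
    image = bytearray(bs * 8)
    image[3 * bs:4 * bs] = b"A" * bs  # block 3 holds data; blocks 5 and 6 stay zero
    inode = bytearray(128)
    struct.pack_into("<I", inode, 20, 1073687122)     # constructed i_dtime value
    struct.pack_into("<I", inode, 32, EXT2_SECRM_FL)  # secure-delete attribute set
    struct.pack_into("<2I", inode, 40, 5, 6)          # file occupied blocks 5 and 6
    return bytes(inode), bytes(image), bs

if __name__ == "__main__":
    print(assess(*build_sample()))
```

A zeroed block is only consistent with a wipe, since the file's own content may have been zero bytes.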