Re: [sleuthkit-users] Using dls
From: Brian C. <ca...@ce...> - 2004-02-03 23:57:08
On Feb 3, 2004, at 1:22 PM, Thanh Tran wrote:

> Hi Brian,
> According to dls man page:
> "By default, dls copies unallocated data blocks only"
>
> Does this mean that dls copy all unallocated data
> blocks whether or not the block was once allocated
> (i.e deleted)?

Yes. dls only knows the current allocation status of the block. it doesn't know if it was allocated before or not.

> Is there a way for dls to copy only
> unallocated blocks that associate with deleted stuff
> (I don't mean for a particular deleted file but any
> deleted file)?

no, dls can't do that. But, the bigger question is how can you tell that a block has deleted stuff in it? Maybe a block of all zeros is really part of a file and then the carving tool would not find it and the resulting file would be corrupt.

> The reason I ask because for large
> drive with not much data, most of the unallocated
> blocks really are empty.

What would you do with the data even w/out the empty blocks? Some of the carving and searching tools would run faster (if they weren't indexed), but then you are faced with the problem of tying the data back to the original sector location on the disk.

brian
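The two concerns raised in the reply above, as an added Python example that is not part of the original message and is not Sleuth Kit code: dropping empty blocks loses a zero block that belongs to a deleted file, and any hit in the reduced data needs a map back to the original block. The block size, allocation map, image contents and function names are constructed for illustration.

```python
# Added illustration, not Sleuth Kit code. The block size, allocation map and
# image contents are constructed sample data.
BLOCK = 512

def extract_unallocated(image, allocated, skip_empty=False):
    """Copy unallocated blocks the way the thread describes dls doing it:
    by current allocation status only. Returns (data, origin), where
    origin[i] is the original block address of the i-th extracted block."""
    out, origin = bytearray(), []
    for addr, in_use in enumerate(allocated):
        block = image[addr * BLOCK:(addr + 1) * BLOCK]
        if in_use or (skip_empty and block == bytes(BLOCK)):
            continue
        out += block
        origin.append(addr)
    return bytes(out), origin

def to_image_offset(origin, extracted_offset):
    """Map a byte offset in the extracted data back to a byte offset in the image."""
    return origin[extracted_offset // BLOCK] * BLOCK + extracted_offset % BLOCK

def make_sample():
    """8-block image: a deleted 3-block file sits in blocks 2-4 and its middle
    block is legitimately all zeros; blocks 5 and 7 were never used."""
    blocks = [bytes(BLOCK)] * 8
    blocks[0] = b"SUPERBLK".ljust(BLOCK, b"\x01")
    blocks[1] = b"live file".ljust(BLOCK, b"\x02")
    blocks[2] = b"DELETED-HEAD".ljust(BLOCK, b"\x03")
    blocks[4] = b"DELETED-TAIL".ljust(BLOCK, b"\x04")
    blocks[6] = b"live file 2".ljust(BLOCK, b"\x05")
    allocated = [True, True, False, False, False, False, True, False]
    return b"".join(blocks), allocated

if __name__ == "__main__":
    image, allocated = make_sample()
    full, full_map = extract_unallocated(image, allocated)
    slim, slim_map = extract_unallocated(image, allocated, skip_empty=True)
    print("all unallocated blocks:", full_map)
    print("non-empty only        :", slim_map)
    hit = slim.find(b"DELETED-TAIL")
    print("hit at extracted offset", hit, "-> image offset", to_image_offset(slim_map, hit))
```

With empty blocks skipped, block 3 disappears from the output, so the deleted file's head and tail become adjacent and a carver would rebuild it without its zero-filled middle.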