Re: [sleuthkit-users] two directory entries for same deleted file in FAT16
From: Alan <ts...@as...> - 2005-03-01 12:28:22
Hello Brian,

Thanks for the reply. I just want to say you have done something invaluable for the infosec community by writing the tsk and autopsy tools, and contributing them open-source.

One little suggestion. When tsk/autopsy is creating the timeline from a FAT image, it sets the a-time to 00:00. When looking at this for the first time, I was mystified. Was the system left on overnight, and somehow Windows touches all the files at midnight? It wasn't until I read the FAT spec that it turned out there is no field for the a-time, just the a-date. There is really no a-time information at all. One could argue that putting the 00:00 time could compromise something if opposing counsel says, "Hey, this timeline says the file was accessed at midnight and my client isn't at the office at midnight." Of course you could explain that as I did above. But if I were to create my own timeline, I would denote the a-date with a-time unknown.

Alan

At 01:09 3/1/2005, you wrote:
>On Feb 27, 2005, at 6:03 PM, Alan wrote:
>
>>Some deleted files have two directory entries. I'm not talking about LFN
>>entries, I see those too. But the entries I'm talking about have
>>attribute value 0x20 (archive). These entries are very similar, both have
>>the deleted 0x2E flag at byte 0. The dates are different, but the kicker
>>is one of the entries has the six least significant bits (cluster address
>>and file size) set to all zeros. The other entry has real values that
>>were the cluster address and file size of the file.
>>
>>Why does this happen? Does it have to do with LFN or something about file
>>deletion? Why are there two attribute 0x20 entries for the same file?
>
>I noticed this same behavior when I was looking at the various FAT
>allocation strategies for the FSFA book. I found that Windows XP
>applications would create the basic entry with zero size and starting
>address and then create a second entry with the size and starting
>address. Creating a file from the command line or drag and dropping
>wouldn't do it, but creating the file from a 'save' in an application would.
>
>brian
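As an added example (not code from TSK, Autopsy or anyone in this thread), the following Python decodes 32-byte FAT short-name directory entries from the layout in the FAT specification: it treats a first name byte of 0xE5 as the free/deleted marker (the "_" placeholder for the overwritten first character is this example's own choice), unpacks the packed date and time words, and emits timeline rows in which the access stamp carries only a date, since the on-disk entry has no access-time field to fill in. The sample directory is constructed to mirror the pattern described above: one live file, plus a deleted file represented by two archive-attribute entries, the first with zero cluster and size and the second with the real values. Entry names, timestamps and cluster numbers are all made up.

```python
import struct
from datetime import date, datetime, time
from typing import Optional

ENTRY_SIZE = 32
# name, attr, NTRes, CrtTimeTenth, CrtTime, CrtDate, LstAccDate,
# FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize (all little-endian)
ENTRY_FMT = "<11sBBBHHHHHHHI"
DELETED_MARKER = 0xE5   # first name byte of a free/deleted entry (FAT spec)
ATTR_ARCHIVE = 0x20
ATTR_LFN = 0x0F         # long-file-name entry: carries no timestamps, skipped here


def fat_date(raw: int) -> Optional[date]:
    """Decode a FAT date word: bits 0-4 day, 5-8 month, 9-15 years since 1980.
    A zero word means the field was never set."""
    if raw == 0:
        return None
    try:
        return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)
    except ValueError:
        return None


def fat_time(raw: int) -> Optional[time]:
    """Decode a FAT time word: bits 0-4 seconds/2, 5-10 minutes, 11-15 hours."""
    try:
        return time(raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)
    except ValueError:
        return None


def encode_date(d: date) -> int:
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def encode_time(t: time) -> int:
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)


def parse_entry(raw: bytes) -> Optional[dict]:
    """Decode one short-name entry; None for the 0x00 end marker or an LFN entry."""
    if len(raw) != ENTRY_SIZE or raw[0] == 0x00:
        return None
    (name, attr, _ntres, _tenth, ctime, cdate, adate, clus_hi,
     wtime, wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    if attr == ATTR_LFN:
        return None
    deleted = name[0] == DELETED_MARKER
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    short = base + ("." + ext if ext else "")
    if deleted:
        short = "_" + short[1:]   # 0xE5 overwrote the first character; placeholder chosen here

    def stamp(d, t):
        return datetime.combine(d, t) if d is not None and t is not None else None

    return {
        "name": short,
        "deleted": deleted,
        "attr": attr,
        "start_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
        "ctime": stamp(fat_date(cdate), fat_time(ctime)),
        "mtime": stamp(fat_date(wdate), fat_time(wtime)),
        "adate": fat_date(adate),   # date only: there is no access-time field to decode
    }


def parse_directory(blob: bytes) -> list:
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        if blob[off] == 0x00:
            break                   # 0x00 name byte: no entries follow
        e = parse_entry(blob[off:off + ENTRY_SIZE])
        if e is not None:
            entries.append(e)
    return entries


def timeline(blob: bytes) -> list:
    """One row per known stamp; the access row gets a date and an explicit 'unknown' time."""
    rows = []
    for e in parse_directory(blob):
        label = f"{e['name']}{' (deleted)' if e['deleted'] else ''} " \
                f"cluster={e['start_cluster']} size={e['size']}"
        if e["mtime"] is not None:
            rows.append(f"{e['mtime']:%Y-%m-%d %H:%M:%S} m.. {label}")
        if e["adate"] is not None:
            rows.append(f"{e['adate']:%Y-%m-%d} (a-time unknown) .a. {label}")
    return rows


def make_entry(name, attr, cluster, size, written: datetime, accessed: date, deleted=False) -> bytes:
    """Build a constructed 32-byte entry; creation stamps reuse the write stamps."""
    base, _, ext = name.partition(".")
    raw_name = bytearray(f"{base:<8}{ext:<3}".encode("ascii"))
    if deleted:
        raw_name[0] = DELETED_MARKER
    return struct.pack(ENTRY_FMT, bytes(raw_name), attr, 0, 0,
                       encode_time(written.time()), encode_date(written.date()),
                       encode_date(accessed), cluster >> 16,
                       encode_time(written.time()), encode_date(written.date()),
                       cluster & 0xFFFF, size)


# Constructed sample: a live file, then the two archive-attribute entries for one
# deleted file (zero cluster/size first, real values second), then the end marker.
SAMPLE_DIR = (
    make_entry("NOTES.TXT", ATTR_ARCHIVE, 5, 1234,
               datetime(2005, 2, 27, 18, 3, 10), date(2005, 2, 28))
    + make_entry("REPORT.DOC", ATTR_ARCHIVE, 0, 0,
                 datetime(2005, 2, 27, 17, 59, 0), date(2005, 2, 27), deleted=True)
    + make_entry("REPORT.DOC", ATTR_ARCHIVE, 9, 2048,
                 datetime(2005, 2, 27, 18, 1, 30), date(2005, 2, 27), deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for row in timeline(SAMPLE_DIR):
        print(row)
```

Run stand-alone it prints six rows; the two deleted entries come out with the same name and attribute but different cluster/size values, and every access row is dated without a clock time rather than padded to 00:00. To apply it to a real image, feed it the raw bytes of a directory cluster instead of SAMPLE_DIR; LFN entries are skipped rather than joined to their short-name entries.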