Re: [sleuthkit-users] ISTAT output question
From: Brian C. <ca...@sl...> - 2005-04-25 21:53:57
On Apr 25, 2005, at 3:30 PM, Jaime Chang wrote:
> Hello everybody,
>
> In the following istat output, [...]
> Sectors:
> 1545 1546 1547 1548
>
> Recovery:
> 1545 1546 1547 1548 1549 1550 1551 1552
> 1553 1554 1555 1556 1557 1558 1559 1560
> 1561 1562 1563 1564 1565 1566 1567 1568
>
> Does anyone know what might be the difference, if any, between the
> sectors in the "Sectors:" section and the sectors in the "Recovery:"
> section. In most of the deleted files I have been trying, the sectors
> from the "Sectors:" section is always included in the "Recovery:"
> section. Is there a case where this might not be true?

The sectors in the "Sectors:" section are the ones in the starting cluster of the file. Because the file is unallocated and we know only the starting cluster (sectors), TSK tries to determine the remaining sectors. Those are listed in the recovery section.

So, yes the "Recovery" section will always contain the sectors from the "Sectors" section. They are separated to show which addresses we have more confidence in. We know the 1545-1548 addresses are correct for the file because they are referenced by the directory entry, but the other addresses could be incorrect if the original file was fragmented and TSK couldn't determine the original layout.

brian
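An added example, not part of the original message and not TSK code: a Python parser for the two istat sections discussed above that tags each sector as referenced by the directory entry or only inferred by recovery, so a report can keep the two confidence levels apart. The sample text is constructed from the sector numbers quoted in the message, and the function names are hypothetical.

```python
import re

# Constructed sample: only the two sections quoted in the thread.
SAMPLE_ISTAT = """\
Sectors:
1545 1546 1547 1548

Recovery:
1545 1546 1547 1548 1549 1550 1551 1552
1553 1554 1555 1556 1557 1558 1559 1560
1561 1562 1563 1564 1565 1566 1567 1568
"""

def parse_sections(text):
    """Collect the sector numbers listed under 'Sectors:' and 'Recovery:'."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        header = re.fullmatch(r"(Sectors|Recovery):", stripped)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and re.fullmatch(r"\d+(\s+\d+)*", stripped):
            sections[current].extend(int(n) for n in stripped.split())
        elif stripped:
            current = None  # any other non-blank line ends the section
    return sections

def classify(text):
    """Split sectors by confidence: directory-entry referenced vs. inferred."""
    sec = parse_sections(text)
    known = sec.get("Sectors", [])
    recovered = sec.get("Recovery", [])
    return {
        "known": known,  # starting cluster, referenced by the directory entry
        "inferred": [s for s in recovered if s not in set(known)],
        # Expected to be empty: Recovery should contain every Sectors entry.
        "missing_from_recovery": [s for s in known if s not in set(recovered)],
    }

def to_ranges(nums):
    """Compress sector numbers into 'start-end' strings for a report."""
    runs = []
    for n in sorted(nums):
        if runs and n == runs[-1][1] + 1:
            runs[-1][1] = n
        else:
            runs.append([n, n])
    return [f"{a}-{b}" if a != b else str(a) for a, b in runs]
```
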