Re: [sleuthkit-users] NTFS, files with no permissions
From: Barry J. G. <bg...@im...> - 2005-06-24 13:42:09
On Fri, 2005-06-24 at 15:12 +0200, fu...@gm... wrote:
> Once more, I'm looking at a NTFS-Disk. When I mount ro the disk, I can see
> in a directory the File archive2005.pst with the following permission:
>
> -r-------- 1 0 2005-06-06 08:30 archive2004.pst
>
> So file size is 0, the rest seems okay. But when I go to the directory in
> Autopsy, the file does not appear. What did happen here? Any information I
> can provide you? I use Autopsy 2.05 and sleuthkit 2.01 on a Debian Sarge.

I have not seen this sort of thing before, so maybe someone with more experience can give you specific details, but until a better answer comes along, I'm curious:

What does the output of "stat" give you on the mounted disk for each of those files? Compare that to the output of istat (maybe with -b ?). I'm wondering if the inode returned by stat will have any info that istat can see from the MFT. Do the $STANDARD_INFORMATION attributes match, and do the $FILE_NAME attributes match? Or does istat return the entry as unallocated?

It's possible that none of this will answer your question, and maybe someone else has a direct answer, but until then...

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190 Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/