[sleuthkit-users] file analysis in autopsy
From: youcef b. <ybi...@ya...> - 2005-07-29 22:36:38
Hi, I have a couple of questions regarding file analysis in Autopsy.

When conducting a file type analysis using the undelete image test #6, I came up with a summary where:

Files (27)
Files Skipped (9)

1- Can I assume that the skipped files in a FAT system would be used to list the directory & volume entries, in other words any directory entry structure that's not a file?

2- Also, under the mismatch section I've seen a zero hit even though there is an image on the image system with a dll extension, like in the volume label test image #9. How does Autopsy detect mismatch? Does it need a hash database or can it use the file command instead?

3- Looking at the saved files in the data category, I've seen a lot of files with a dead suffix like:

data/6-fat-undel.dd-4-dead
data/6-fat-undel.dd-5-dead
data/6-fat-undel.dd-6-dead

Interestingly enough, the same inodes are also used for recovered files like:

C:/_rag1.dat data/6-fat-undel.dd-4.dat
C:/_rag2.dat data/6-fat-undel.dd-5.dat
C:/_ing.dat data/6-fat-undel.dd-6.dat

What are these files, and why are they considered dead when they already appear as undeleted?

Regards
Youcef