[sleuthkit-developers] [ sleuthkit-Feature Requests-3608637 ] add reverse-order option for fls
From: SourceForge.net <no...@so...> - 2013-03-20 18:37:58
Feature Requests item #3608637, was opened at 2013-03-20 11:37
Message generated for change (Tracker Item Submitted) made by petiepooo
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3608637&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Pete (petiepooo)
Assigned to: Nobody/Anonymous (nobody)
Summary: add reverse-order option for fls

Initial Comment:
Fls recurses into the filesystem nodes in alphabetic order. On Windows systems, most of the forensically interesting files end up being in the Windows folder, toward the end of a recursive listing. When capturing the file system listing over an extremely slow network link (think international iSCSI or multiple sshfs links), when using the recursive option, we are not able to see interesting inodes until the listing is nearly complete.

Of course, one could manually walk the tree of inodes to get to the desired directory, but over extremely high latency links, even a single directory can take minutes to complete. And if a goal is a complete recursive listing, that's duplication of effort that is best avoided.

Giving us a reverse-order (-R?) option to simply reverse the alphabetic sort and retrieve them in the opposite order would get to the later directories earlier and allow icat to collect some files before a recursive fls is complete.

It would also allow one to splice together two overlapping partial captures if they're in different sort order. Eg. first FLS output stops partway through (network/host disruption). Start a second in reverse order, and once it reaches the point where the first one stopped, abort it and manually join the two.