Re: [sleuthkit-users] body file records walking ntfs images
From: Alex N. <ajn...@cs...> - 2013-09-25 20:40:40
On the multiple names: There is potentially a name in both of those spots, yes. I'm not sure offhand what happens with a multiple-hard-link file, though, and TSK's name resolution. It appears istat outputs the $FILE_NAME attribute from only the MFT, and not from the parent directory's btree.

I think this is worth a little more exploration; maybe a DFXML extension?
https://github.com/dfxml-working-group/dfxml_schema/issues/12

Or did I conceptually blow it? Stuart seems correct by my mental recollection of the NTFS chapters.

--Alex

On Wed, Sep 25, 2013 at 2:37 PM, <st...@ap...> wrote:
> When e.g. fls in its body-file producing mode walks an NTFS filesystem,
> from which attributes of each 'file' (MFT entry) are each of the body file
> record fields produced?
>
> On a related note, even after numerous readings of the 3 NTFS chapters of
> Brian's book, I am still in the dark about the relationship between
> directories and files. Are files named BOTH by a 'name attribute' within
> the MFT entry AND named by a 'slot' from the parent directory (in an index
> tree???) ?
>
> Any clarification appreciated.
>
> Stuart
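As an illustration of the MFT side of the naming question in this thread, the following added example (not part of the original messages and not TSK code) walks the attributes of an MFT record and lists every $FILE_NAME attribute with the parent directory entry it points to; NTFS keeps one such attribute per hard link. The record bytes, the function names and parent entry 64 are constructed for the example, and the parser assumes fixup values have already been applied to the record.

```python
import struct

FILE_NAME = 0x30        # attribute type code of $FILE_NAME
END_MARK = 0xFFFFFFFF   # marks the end of the attribute list

def file_names(record: bytes):
    """Return (parent_mft_entry, namespace, name) for every $FILE_NAME attribute."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT record")
    off = struct.unpack_from("<H", record, 20)[0]      # offset of first attribute
    names = []
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARK or alen == 0:
            break
        if atype == FILE_NAME and record[off + 8] == 0:  # resident flag byte
            clen, coff = struct.unpack_from("<IH", record, off + 16)
            body = record[off + coff:off + coff + clen]
            parent = int.from_bytes(body[:6], "little")  # low 48 bits: parent entry
            nlen, nspace = body[64], body[65]            # length in UTF-16 units
            name = body[66:66 + 2 * nlen].decode("utf-16-le")
            names.append((parent, nspace, name))
        off += alen
    return names

def _fn_attr(parent: int, nspace: int, name: str) -> bytes:
    """Constructed resident $FILE_NAME attribute; timestamps and sizes zeroed."""
    body = parent.to_bytes(6, "little") + b"\x01\x00" + bytes(56)
    body += bytes([len(name), nspace]) + name.encode("utf-16-le")
    pad = bytes(-len(body) % 8)                          # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", FILE_NAME, 24 + len(body) + len(pad),
                      0, 0, 0, 0, 0, len(body), 24, 1, 0)
    return hdr + body + pad

def sample_record() -> bytes:
    """Constructed MFT record: one file with two hard links in different directories."""
    hdr = bytearray(56)
    hdr[:4] = b"FILE"
    struct.pack_into("<H", hdr, 18, 2)    # hard link count
    struct.pack_into("<H", hdr, 20, 56)   # offset of first attribute
    attrs = _fn_attr(5, 1, "report.txt") + _fn_attr(64, 1, "link.txt")
    return bytes(hdr) + attrs + struct.pack("<II", END_MARK, 0)

if __name__ == "__main__":
    for parent, nspace, name in file_names(sample_record()):
        print(f"parent MFT entry {parent}, namespace {nspace}: {name}")
```

Each tuple pairs a name with the directory entry that should also hold it in its index, so comparing this list against the parent directories' index entries is one way to spot a name present in only one of the two places.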