Re: [sleuthkit-users] fiwalk output
From: Alex N. <ajn...@cs...> - 2013-10-11 18:20:50
Jason, if you actually meant the multiple hard-link situation, then TSK should be able to expose this as finding multiple directory entries (I forgot the struct name, but it's an abstract-sounding "Name" struct). In the TSK API, you would encounter this during a directory hierarchy walk, and I think you'd have to retain this in your own structure.

Currently, Fiwalk indirectly records multiple paths referencing the same MFT entry by using the <inode> and <parent_object> elements. It's theoretically possible to record a file's name along with where the name came from:

https://github.com/dfxml-working-group/dfxml_schema/issues/12

That's engineering that is awaiting (1) free time and (2) a little discussion for whether it's something worth doing, and whether what's in that Issue is the right way to go about it.

Of course, if I'm guessing wrong and you mean only one of the entries was actually allocated (which seems so, now that I've re-read your original message), that's a different matter.

--Alex

On Oct 11, 2013, at 14:08 , Simson Garfinkel <si...@ac...> wrote:

> The real question is this — how does SleuthKit handle it, and how do you want to indicate it?
>
> On Oct 11, 2013, at 1:46 PM, Alex Nelson <ajn...@cs...> wrote:
>
>> That's interesting. It might, but I don't understand the whole situation you're describing. What are indicators of reallocation for a disk image at a single point in time? Do you mean multiple hard-links to the same file exist and are legitimate files? Or do you mean a file was unlinked somewhere and reallocated, but the file system was imaged in an inconsistent state?
>>
>> --Alex
>>
>> On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote:
>>
>>> All,
>>>
>>> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. I know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>>>
>>> Thanks,
>>>
>>> Jason Wright
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
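As an added illustration of the situation discussed in this thread (not code from fiwalk, TSK or any participant): a small Python check that groups fiwalk DFXML fileobjects by <inode> and separates allocated from unallocated names, so a reader can spot an MFT entry referenced by more than one name. The <filename> and <alloc> element names follow DFXML conventions but are assumptions here, as is the constructed sample fragment.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DFXML fragment shaped like fiwalk output (not real fiwalk output).
# <inode> and <parent_object> are the elements named in the thread; <filename>
# and <alloc> are assumed from DFXML schema conventions.
SAMPLE_DFXML = """<dfxml version="1.0"><volume offset="32256">
<fileobject><filename>Users/jw/report.docx</filename><inode>42</inode>
  <alloc>1</alloc><parent_object><inode>5</inode></parent_object></fileobject>
<fileobject><filename>Users/jw/old/report.docx</filename><inode>42</inode>
  <alloc>0</alloc><parent_object><inode>9</inode></parent_object></fileobject>
<fileobject><filename>Users/jw/notes.txt</filename><inode>43</inode>
  <alloc>1</alloc><parent_object><inode>5</inode></parent_object></fileobject>
</volume></dfxml>"""

def _local(tag):
    """Strip any XML namespace so namespaced DFXML is handled too."""
    return tag.rsplit('}', 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child.text
    return None

def group_by_inode(dfxml_text):
    """Map inode -> [(filename, allocated, parent_inode)] over all fileobjects."""
    groups = defaultdict(list)
    for fo in ET.fromstring(dfxml_text).iter():
        if _local(fo.tag) != 'fileobject':
            continue
        # Parent directory's inode lives one level down, inside <parent_object>.
        parent_obj = next((c for c in fo if _local(c.tag) == 'parent_object'), None)
        parent = _child_text(parent_obj, 'inode') if parent_obj is not None else None
        groups[_child_text(fo, 'inode')].append(
            (_child_text(fo, 'filename'), _child_text(fo, 'alloc') == '1', parent))
    return dict(groups)

def shared_inodes(groups):
    """Inodes referenced by more than one name, split by allocation status."""
    return {inode: {'allocated': [n for n, a, _ in e if a],
                    'unallocated': [n for n, a, _ in e if not a]}
            for inode, e in groups.items() if len(e) > 1}

if __name__ == '__main__':
    for inode, r in shared_inodes(group_by_inode(SAMPLE_DFXML)).items():
        print(inode, r)
```

Running it against a real fiwalk DFXML file instead of SAMPLE_DFXML lists each inode that has both an allocated and an unallocated name, which is the case Jason describes.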