Re: [sleuthkit-users] fiwalk output
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] fiwalk output
|
From: Alex N. <ajn...@cs...> - 2013-10-11 18:36:07
|
Whoops, looks like you beat me to a response. But yes, that clarifies your question. I think your question boils down to recording allocation status. Do you have DFXML output from Fiwalk? Are there <alloc> or <unalloc> elements for the fileobjects that you're looking at? --Alex On Oct 11, 2013, at 14:16 , Jason Wright <jwr...@gm...> wrote: > Thanks, Alex. What I've come across is two references for the same inode in the fiwalk output for a particular drive. Both are on the same partition. One is for the allocated file the other is for the unallocated state for the filename of the file that previously used the inode. > > If running fls and looking for inode 79456, for example, you may get these two outputs > +++ r/r 79456-128-3: filename1.ext > ++++++++ r/r 79456-128-3(realloc): filename2.ext > > So, in this case filename2.ext is a reference for a file that once used inode 79456 and the file that currently uses the inode is filename1.ext. > > What I'm interested in is a possible reference in the dfxml fiwalk output that would differentiate the two references? > > Hopefully, that helps explain it a little better. > > R/ > > Jason > > > > > On Fri, Oct 11, 2013 at 1:46 PM, Alex Nelson <ajn...@cs...> wrote: > That's interesting. It might, but I don't understand the whole situation you're describing. What are indicators of reallocation for a disk image at a single point in time? Do you mean multiple hard-links to the same file exist and are legitimate files? Or do you mean a file was unlinked somewhere and reallocated, but the file system was imaged in an inconsistent state? > > --Alex > > > On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote: > >> All, >> >> >> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. In know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions? >> >> Thanks, >> >> Jason Wright >> ------------------------------------------------------------------------------ >> October Webinars: Code for Performance >> Free Intel webinars can help you accelerate application performance. >> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from >> the latest Intel processors and coprocessors. See abstracts and register > >> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org > > |
