Re: [sleuthkit-users] fiwalk output
From: Simson G. <si...@ac...> - 2013-10-11 18:37:21
The real question is this — how does SleuthKit handle it, and how do you want to indicate it?

On Oct 11, 2013, at 1:46 PM, Alex Nelson <ajn...@cs...> wrote:

> That's interesting. It might, but I don't understand the whole situation you're describing. What are indicators of reallocation for a disk image at a single point in time? Do you mean multiple hard-links to the same file exist and are legitimate files? Or do you mean a file was unlinked somewhere and reallocated, but the file system was imaged in an inconsistent state?
>
> --Alex
>
>
> On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote:
>
>> All,
>>
>> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. I know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>>
>> Thanks,
>>
>> Jason Wright
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
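
The situation raised in this thread (two fileobject entries in fiwalk's DFXML sharing one inode) can be surfaced with a short script. This is an added example, not part of the original messages and not SleuthKit code; it assumes fiwalk-style `<volume offset=...>`, `<fileobject>`, `<filename>`, `<inode>` and `<alloc>` elements, and the embedded sample is constructed. It only lists the candidates to cross-check against fls; it does not decide which entry is the reallocated one.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (not real fiwalk output): two entries share inode 1234.
SAMPLE_DFXML = """<dfxml>
  <volume offset="32256">
    <fileobject><filename>docs/report.doc</filename>
      <inode>1234</inode><alloc>1</alloc></fileobject>
    <fileobject><filename>docs/old-notes.txt</filename>
      <inode>1234</inode><unalloc>1</unalloc></fileobject>
    <fileobject><filename>docs/unique.txt</filename>
      <inode>1300</inode><alloc>1</alloc></fileobject>
  </volume>
</dfxml>"""


def local(tag):
    """Strip an XML namespace prefix so the code works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Return the text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None


def duplicate_inodes(dfxml_text):
    """Map (volume offset, inode) -> [(filename, is_allocated), ...] for every
    inode that appears in more than one fileobject of the same volume."""
    groups = defaultdict(list)

    def walk(elem, volume):
        for child in elem:
            name = local(child.tag)
            if name == "volume":
                walk(child, child.get("offset"))
            elif name == "fileobject":
                inode = child_text(child, "inode")
                if inode is not None:
                    is_alloc = child_text(child, "alloc") == "1"
                    groups[(volume, inode)].append(
                        (child_text(child, "filename"), is_alloc))
            else:
                walk(child, volume)

    walk(ET.fromstring(dfxml_text), None)
    return {key: refs for key, refs in groups.items() if len(refs) > 1}


if __name__ == "__main__":
    for (volume, inode), refs in duplicate_inodes(SAMPLE_DFXML).items():
        print(f"volume {volume} inode {inode}: {refs}")
```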