Re: [sleuthkit-users] fiwalk output
From: Alex N. <ajn...@cs...> - 2013-10-11 18:41:07
It's a shame that causes confusion... maybe it'd be worth including an XML comment next to <unalloc>? <!--This file was marked as deleted-->? The (un)alloc elements are sufficient information to display allocation status for scripts, but I suppose are easy to overlook with eyes.

--Alex

On Oct 11, 2013, at 14:21 , Simson Garfinkel <si...@ac...> wrote:

> From Jason's description it sounds like he has an allocated file and a deleted file that use the same filenode. This has caused confusion for others. The deleted "file" is probably just an old deleted directory entry.
>
> On Oct 11, 2013, at 2:17 PM, Alex Nelson <ajn...@cs...> wrote:
>
>> Jason, if you actually meant the multiple hard-link situation, then TSK should be able to expose this as finding multiple directory entries (I forgot the struct name, but it's an abstract-sounding "Name" struct). In the TSK API, you would encounter this during a directory hierarchy walk, and I think you'd have to retain this in your own structure.
>>
>> Currently, Fiwalk indirectly records multiple paths referencing the same MFT entry by using the <inode> and <parent_object> elements.
>>
>> It's theoretically possible to record a file's name along with where the name came from:
>> https://github.com/dfxml-working-group/dfxml_schema/issues/12
>> That's engineering that is awaiting (1) free time and (2) a little discussion for whether it's something worth doing, and whether what's in that Issue is the right way to go about it.
>>
>> Of course, if I'm guessing wrong and you mean only one of the entries was actually allocated (which seems so, now that I've re-read your original message), that's a different matter.
>>
>> --Alex
>>
>> On Oct 11, 2013, at 14:08 , Simson Garfinkel <si...@ac...> wrote:
>>
>>> The real question is this — how does SleuthKit handle it, and how do you want to indicate it?
>>>
>>> On Oct 11, 2013, at 1:46 PM, Alex Nelson <ajn...@cs...> wrote:
>>>
>>>> That's interesting. It might, but I don't understand the whole situation you're describing. What are indicators of reallocation for a disk image at a single point in time? Do you mean multiple hard-links to the same file exist and are legitimate files? Or do you mean a file was unlinked somewhere and reallocated, but the file system was imaged in an inconsistent state?
>>>>
>>>> --Alex
>>>>
>>>> On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote:
>>>>
>>>>> All,
>>>>>
>>>>> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. I know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jason Wright
>>>>> _______________________________________________
>>>>> sleuthkit-users mailing list
>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>> http://www.sleuthkit.org
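A small script, added here as an example and not code from the thread or from fiwalk itself, that does what Alex describes for Jason's case: it groups fiwalk <fileobject> elements by <inode> and reads <alloc>/<unalloc> to tell the live name from the stale deleted directory entry sharing the same MFT entry. The DFXML sample is constructed, and the namespace declaration on it is an assumption that the code tolerates either way.

```python
"""Group fiwalk DFXML <fileobject>s by inode and report allocation status."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (not real fiwalk output): two names for MFT entry 64,
# one allocated and one a stale deleted directory entry.
SAMPLE_DFXML = """<?xml version="1.0"?>
<dfxml xmlns="http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML">
  <volume>
    <fileobject>
      <filename>Users/jdoe/report.docx</filename>
      <inode>64</inode>
      <alloc>1</alloc>
    </fileobject>
    <fileobject>
      <filename>Users/jdoe/report.tmp</filename>
      <inode>64</inode>
      <unalloc>1</unalloc>
    </fileobject>
  </volume>
</dfxml>
"""

def _child_text(elem, name):
    """Text of the first child whose local name (namespace stripped) is `name`."""
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return None

def allocation_status(fobj):
    """'allocated' for <alloc>1</alloc>, 'deleted' for <unalloc>1</unalloc>."""
    if _child_text(fobj, "alloc") == "1":
        return "allocated"
    if _child_text(fobj, "unalloc") == "1":
        return "deleted"
    return "unknown"

def names_by_inode(dfxml_text):
    """Map inode -> [(filename, status), ...] over every <fileobject>."""
    table = defaultdict(list)
    for elem in ET.fromstring(dfxml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == "fileobject":
            table[_child_text(elem, "inode")].append(
                (_child_text(elem, "filename"), allocation_status(elem)))
    return dict(table)

def shared_inodes(dfxml_text):
    """Only the inodes that more than one directory entry refers to."""
    return {i: e for i, e in names_by_inode(dfxml_text).items() if len(e) > 1}
```

Running `shared_inodes(SAMPLE_DFXML)` lists inode 64 with both names and their status, which is the distinction fls shows as realloc and fiwalk only exposes through the (un)alloc elements.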