Re: [sleuthkit-users] fiwalk output
From: Jason W. <jwr...@gm...> - 2013-10-11 18:43:32
Unfortunately, in this case both entries only contain the <alloc> field and both are marked 1. The confusion started because I have it scripted to look out for the unalloc field, but there wasn't one.

On Fri, Oct 11, 2013 at 2:38 PM, Alex Nelson <ajn...@cs...> wrote:
> It's a shame that causes confusion...maybe it'd be worth including an XML comment next to <unalloc>? <!--This file was marked as deleted-->? The (un)alloc elements are sufficient information to display allocation status for scripts, but I suppose are easy to overlook with eyes.
>
> --Alex
>
> On Oct 11, 2013, at 14:21 , Simson Garfinkel <si...@ac...> wrote:
>
> From Jason's description it sounds like he has an allocated file and a deleted file that use the same filenode. This has caused confusion for others. The deleted "file" is probably just an old deleted directory entry.
>
> On Oct 11, 2013, at 2:17 PM, Alex Nelson <ajn...@cs...> wrote:
>
> Jason, if you actually meant the multiple hard-link situation, then TSK should be able to expose this as finding multiple directory entries (I forgot the struct name, but it's an abstract-sounding "Name" struct). In the TSK API, you would encounter this during a directory hierarchy walk, and I think you'd have to retain this in your own structure.
>
> Currently, Fiwalk indirectly records multiple paths referencing the same MFT entry by using the <inode> and <parent_object> elements.
>
> It's theoretically possible to record a file's name with where the name came from:
> https://github.com/dfxml-working-group/dfxml_schema/issues/12
> That's engineering that is awaiting (1) free time and (2) a little discussion for whether it's something worth doing, and whether what's in that Issue is the right way to go about it.
>
> Of course, if I'm guessing wrong and you mean only one of the entries was actually allocated (which seems so, now that I've re-read your original message), that's a different matter.
>
> --Alex
>
> On Oct 11, 2013, at 14:08 , Simson Garfinkel <si...@ac...> wrote:
>
> The real question is this — how does SleuthKit handle it, and how do you want to indicate it?
>
> On Oct 11, 2013, at 1:46 PM, Alex Nelson <ajn...@cs...> wrote:
>
> That's interesting. It might, but I don't understand the whole situation you're describing. What are indicators of reallocation for a disk image at a single point in time? Do you mean multiple hard-links to the same file exist and are legitimate files? Or do you mean a file was unlinked somewhere and reallocated, but the file system was imaged in an inconsistent state?
>
> --Alex
>
> On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote:
>
> All,
>
> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. I know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>
> Thanks,
>
> Jason Wright
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
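Jason's script looked only for <unalloc> and so missed entries where fiwalk emits only <alloc>; Alex's point is that the (un)alloc elements together with <inode> and <parent_object> already carry what a script needs. As an added example (not code from this thread, from fiwalk, or from the DFXML project), the Python below reads whichever allocation element is present and groups fileobjects by inode so that several names on one MFT entry stand out; the DFXML sample is constructed, and its element layout, names and inode numbers are assumptions rather than real fiwalk output.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of fiwalk DFXML (not real fiwalk output): two
# fileobjects share MFT entry 77 and carry only <alloc>; the third has only <unalloc>.
SAMPLE_DFXML = """<?xml version="1.0"?>
<dfxml version="1.0">
  <volume offset="1048576">
    <fileobject>
      <filename>Users/alice/report.docx</filename>
      <inode>77</inode>
      <alloc>1</alloc>
      <parent_object><inode>50</inode></parent_object>
    </fileobject>
    <fileobject>
      <filename>Users/alice/~WRL0001.tmp</filename>
      <inode>77</inode>
      <alloc>1</alloc>
      <parent_object><inode>50</inode></parent_object>
    </fileobject>
    <fileobject>
      <filename>Users/alice/old.txt</filename>
      <inode>91</inode>
      <unalloc>1</unalloc>
    </fileobject>
  </volume>
</dfxml>
"""

def _fields(fobj):
    """Direct children as {name: text}, namespace dropped so real fiwalk output parses too."""
    return {c.tag.rsplit('}', 1)[-1]: (c.text or '').strip() for c in fobj}

def allocation_status(fields):
    """Use whichever of <alloc>/<unalloc> is present; neither present means unknown."""
    if fields.get('alloc') == '1' or fields.get('unalloc') == '0':
        return 'allocated'
    if fields.get('unalloc') == '1' or fields.get('alloc') == '0':
        return 'deleted'
    return 'unknown'

def fileobjects_by_inode(dfxml_text):
    """Map inode -> [(filename, status)]; >1 entry means several names on one MFT entry."""
    groups = defaultdict(list)
    for elem in ET.fromstring(dfxml_text).iter():
        if elem.tag.rsplit('}', 1)[-1] == 'fileobject':
            f = _fields(elem)
            groups[f.get('inode')].append((f.get('filename'), allocation_status(f)))
    return dict(groups)
```

Inodes with more than one entry are the ones to compare against fls, which is where the allocated entry is identified in the thread.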