[sleuthkit-users] TSK_FS_NAME par_addr question
From: Jon S. <jo...@li...> - 2014-02-13 15:31:50
TSK_FS_NAME now has the par_addr field, which contains the meta address (inode number/file ID) of the parent. This is a welcome addition, so, first, thanks for adding it.

I know that if you do a full walk of the filesystem you may get some TSK_FS_FILE structs which only have a TSK_FS_NAME struct/do not have a TSK_FS_META struct, remembrances of files past. In such cases TSK was not able to associate the directory entry with an inode and meta_addr is more of a historical curiosity than anything (mmmmaybe you can find a trace of the old file in that inode's slack). So far, so good.

The question is: if I get a TSK_FS_FILE struct that only has a TSK_FS_NAME struct, is there a guarantee that par_addr will point to a valid, correct inode... or is that suspect, too?

Put another way (I think this is isomorphic), can you have one of these no-meta TSK_FS_FILE structs whose parent directory is also a no-meta TSK_FS_FILE?

TIA,

Jon

--
Jon Stewart, Principal
(646) 719-0317 | jo...@li... | Arlington, VA