Re: [sleuthkit-users] body file + checksum - any tools?
From: Alex N. <ajn...@cs...> - 2014-03-15 22:38:38
If you would like to show multiple time attributes using DFXML and Fiwalk, we would need to first design what the XML would look like. A Python API for reading the multiple timestamps wouldn't be hard to write after the design's done. I just took a stab at designing some extension attributes, and would appreciate feedback:

https://github.com/dfxml-working-group/dfxml_schema/issues/16

By the way, to my knowledge, there are this many timestamp sets (four timestamps per set) available per file:

* 1 from $STANDARD_INFORMATION.
* 1 from each $FILE_NAME.
* 1 from each directory entry that references the file.

So, that's a median of 12-16 timestamps for files (noting that NTFS does make use of multiple hard links). Unfortunately, I think the multiplicities make extending the bodyfile format impractical. I welcome corrections to this reasoning if you have them; I did that design from memory of the File System Forensic Analysis book, and some NTFS docs I googled.

--Alex

On Mar 14, 2014, at 10:10 , RB <ao...@gm...> wrote:

> On Fri, Mar 14, 2014 at 7:27 AM, Brian Carrier <ca...@sl...> wrote:
>> tsk_gettimes will display two lines for each file. One with times from STD_INFO and one from $FILE_NAME. It has the limitation that if there are multiple $FILE_NAME attributes, it shows only one.
>
> I see that, and that's pretty cool - regardless of the limitation that's extremely useful. Looks like "fls -arpm/" may be permanently replaced for me now.
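The thread turns on two points: a bodyfile carries one four-timestamp set per line, and an NTFS file can own several such sets ($STANDARD_INFORMATION plus one per $FILE_NAME), which tsk_gettimes emits as separate lines. The script below is an added example, not code from the thread, from The Sleuth Kit or from the DFXML project. It assumes the TSK 3.x bodyfile layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), assumes the $FILE_NAME line is marked by a " ($FILE_NAME)" suffix in the name field, groups lines by MFT entry number to count the timestamp sets per file, and reports any $STANDARD_INFORMATION value that predates the matching $FILE_NAME value, which is the usual review trigger because $FILE_NAME times are not reachable through the ordinary user-mode timestamp APIs. The sample bodyfile lines are constructed.

```python
"""Group the multiple timestamp sets a TSK bodyfile carries per NTFS file.

Assumptions (not from the original thread): input is in the TSK 3.x
bodyfile layout  MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime,
the $FILE_NAME line carries " ($FILE_NAME)" in its name field, and the
NTFS inode string starts with the MFT entry number ("40-128-2" -> "40").
"""
from collections import defaultdict
from dataclasses import dataclass

FN_SUFFIX = " ($FILE_NAME)"
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
TIMES = ("atime", "mtime", "ctime", "crtime")

# Constructed sample: one ordinary file (two sets) and one file with two
# $FILE_NAME records (a hard link, three sets) whose $STANDARD_INFORMATION
# times sit years before its $FILE_NAME times.
SAMPLE_BODYFILE = """\
0|/Users/demo/report.docx|40-128-2|r/rrwxrwxrwx|0|0|20480|1394700000|1394700000|1394700000|1394700000
0|/Users/demo/report.docx ($FILE_NAME)|40-48-2|r/rrwxrwxrwx|0|0|20480|1394700000|1394700000|1394700000|1394700000
0|/Windows/Temp/tool.exe|41-128-3|r/rrwxrwxrwx|0|0|73728|1262304000|1262304000|1262304000|1262304000
0|/Windows/Temp/tool.exe ($FILE_NAME)|41-48-3|r/rrwxrwxrwx|0|0|73728|1394790000|1394790000|1394790000|1394790000
0|/Windows/Temp/link.exe ($FILE_NAME)|41-48-4|r/rrwxrwxrwx|0|0|73728|1394790000|1394790000|1394790000|1394790000
"""


@dataclass
class Record:
    name: str
    mft: str        # MFT entry number taken from the inode field
    source: str     # "SI" for $STANDARD_INFORMATION, "FN" for $FILE_NAME
    times: dict     # timestamp name -> epoch seconds


def parse_bodyfile(text):
    """Parse bodyfile lines into Records; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line}")
        row = dict(zip(FIELDS, parts))
        name, source = row["name"], "SI"
        if name.endswith(FN_SUFFIX):
            name, source = name[: -len(FN_SUFFIX)], "FN"
        mft = row["inode"].split("-")[0]
        times = {t: int(row[t]) for t in TIMES}
        records.append(Record(name, mft, source, times))
    return records


def group_by_mft(records):
    groups = defaultdict(list)
    for r in records:
        groups[r.mft].append(r)
    return dict(groups)


def timestamp_set_counts(records):
    """Number of four-timestamp sets per MFT entry: one $STANDARD_INFORMATION
    set plus one per $FILE_NAME line present in the bodyfile."""
    return {mft: len(rs) for mft, rs in group_by_mft(records).items()}


def si_fn_discrepancies(records):
    """Return (mft, name, field, si_value, fn_value) for every timestamp where
    the $STANDARD_INFORMATION value is earlier than the $FILE_NAME value.
    This is a review trigger, not a verdict; confirm against the $MFT record."""
    out = []
    for mft, rs in group_by_mft(records).items():
        si = [r for r in rs if r.source == "SI"]
        fns = [r for r in rs if r.source == "FN"]
        if not si or not fns:
            continue   # nothing to compare without both attribute kinds
        for fn in fns:
            for t in TIMES:
                if si[0].times[t] < fn.times[t]:
                    out.append((mft, fn.name, t, si[0].times[t], fn.times[t]))
    return out


if __name__ == "__main__":
    recs = parse_bodyfile(SAMPLE_BODYFILE)
    print("timestamp sets per MFT entry:", timestamp_set_counts(recs))
    for d in si_fn_discrepancies(recs):
        print("SI earlier than FN:", d)
```

Feed it real output by reading the file produced by `tsk_gettimes` or `fls -m` in place of SAMPLE_BODYFILE; the per-entry counts make the multiplicity Alex describes visible at a glance, while the discrepancy list shows why having both sets on separate lines, rather than one flattened line, is what makes the comparison possible.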