Re: [sleuthkit-users] JNI for getting specific file allocated clusters/sectors
From: Luís F. N. <lfc...@gm...> - 2014-08-25 02:38:35
Ok, I have found another solution without the asked feature. I have just found the offset parameter of the AbstractFile.read(...) method, which allows reading the file from the passed offset. So we can save the parent file id and the carved file start offset to later read the carved content without exporting it to anywhere before.

Regards,
Luis Nassif

2014-08-22 15:55 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> We wonder if it was possible to expose such feature to java developers,
> but I do not know enough about sleuthkit C code to evaluate if it is too
> difficult or not. Can some sleuthkit expert give some direction? We are
> developing a java carving tool and this feature would be very useful,
> because we can only mark the carved file range in the image, instead of
> exporting the carved file contents to somewhere (much slower), as we have
> already successfully done with unallocated clusters accessed through
> sleuthkit java bindings after populating sqlite db. But we want to do this
> lightweight carving on pagefile, hiberfil, shadow copies and other
> allocated files, whose file ranges are not currently accessible through
> java bindings TSK api. We think this great feature could be very useful for
> scalpel and other forensic applications too.
>
> Regards,
> Luis Nassif
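The approach described in the message above (store the parent file id and the carved start offset, then read on demand), as an added example that is not part of the original thread or of the Sleuth Kit code base. The class name `CarvedRange`, its fields and the command-line arguments are hypothetical; it assumes the Sleuth Kit Java bindings are on the classpath and that the case database has already been populated.

```java
import java.io.ByteArrayOutputStream;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;

/** A carved item recorded as a byte range inside an existing file (hypothetical class). */
public final class CarvedRange {
    final long parentId; // object id of the parent file (e.g. a pagefile) in the case db
    final long offset;   // start of the carved content within the parent file
    final long length;   // carved length in bytes

    CarvedRange(long parentId, long offset, long length) {
        if (offset < 0 || length < 0) throw new IllegalArgumentException("negative range");
        this.parentId = parentId; this.offset = offset; this.length = length;
    }

    /** Reads the carved bytes straight from the parent file; nothing is exported first. */
    byte[] read(SleuthkitCase db) throws TskCoreException {
        AbstractFile parent = db.getAbstractFileById(parentId);
        if (parent == null) throw new TskCoreException("no file with id " + parentId);
        long size = parent.getSize();
        if (offset >= size) return new byte[0];
        // Clamp to the parent's size so a bad record cannot read past the end.
        long end = offset + Math.min(length, size - offset);
        ByteArrayOutputStream out = new ByteArrayOutputStream(); // stream to a sink for large items
        byte[] buf = new byte[64 * 1024];
        long pos = offset;
        while (pos < end) {
            int want = (int) Math.min(buf.length, end - pos);
            int got = parent.read(buf, pos, want); // the offset parameter from the message
            if (got <= 0) break;                   // short read or end of data: stop
            out.write(buf, 0, got);
            pos += got;
        }
        return out.toByteArray();
    }

    // Usage (assumed arguments): <case.db> <parentId> <offset> <length>
    public static void main(String[] args) throws Exception {
        SleuthkitCase db = SleuthkitCase.openCase(args[0]);
        try {
            CarvedRange r = new CarvedRange(Long.parseLong(args[1]),
                    Long.parseLong(args[2]), Long.parseLong(args[3]));
            System.out.println(r.read(db).length + " bytes read");
        } finally {
            db.close();
        }
    }
}
```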