Re: [sleuthkit-users] hashing a file system
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] hashing a file system
|
From: Luís F. N. <lfc...@gm...> - 2014-09-05 23:37:29
|
Hi Stuart, Yes, I think so. I can read file contents from some starting offset within the file, but did not know how to query the file data runs. The API enables to convert a virtual file (eg. unallocated) offset to an image offset, but not a regular file offset. I think the idea to sort by file starting offset before doing any king of processing with the files will result in great speedups when ingesting images stored into spinning magnetic drives, as said by Simson. Luis 2014-09-05 20:53 GMT-03:00 Stuart Maclean <st...@ap...>: > On 09/05/2014 04:02 PM, Luís Filipe Nassif wrote: > >> Hi Simson, >> >> I have had thoughts about implementing this "sort by sector number of >> first run" approach in a forensic tool based on TskJavaBindings, but I did >> not see how to get the file first sector number through the API. Do you >> know if it is possible with tsk java bindings? >> >> Hi Luis, I have slowly been developing my own set of Java bindings to > tsk. The ones that exist seem to only be for extraction of data from some > db?? I wanted to use Java in the actual data acquisition phase. I have > yet to upload it to github but will do so shortly. > > Stuart > > |
