Re: [sleuthkit-users] hashing a file system
From: Brian C. <ca...@sl...> - 2014-09-10 02:13:10
The FILLER entries are there for basic record keeping because NTFS makes no guarantees that the runs will be stored in consecutive order. TSK adds the FILLER entries when it gets runs out of order and pops them out as it finds them.

Is the data you are describing below from the same Ext4 image you mentioned before?

brian

On Sep 5, 2014, at 1:46 PM, Stuart Maclean <st...@ap...> wrote:

> Hi all, I'm glad to have provoked some conversation on the merits (or otherwise!) of md5 sums as useful representations of the state of a file system.
>
> Can anyone enlighten me as to the meaning of the 'flags' member in a TSK_FS_ATTR_RUN? Specifically, what does this comment mean?
>
> TSK_FS_ATTR_RUN_FLAG_FILLER = 0x01, ///< Entry is a filler for a run that has not been seen yet in the processing (or has been lost)
>
> In a fs I am walking and inspecting the runs for, I am seeing run structs with addr 0 and flags 1. I was under the impression that any run address of 0 represented a 'missing run' i.e. that this part of the file content is N zeros, where N = run.length * fs.blocksize. I presume that would be the case were the run flags value 2:
>
> TSK_FS_ATTR_RUN_FLAG_SPARSE = 0x02 ///< Entry is a sparse run where all data in the run is zeros
>
> If I use istat, I can see inodes which have certain 'Direct Blocks' of value 0, and when I see M consecutive 0 blocks that matches up to a 'missing run' when inspecting the runs using the tsk lib (actually my tsk4j Java binding, which is now finally showing its worth since I can do all data structure manipulation in Java, nicer than in C, for me at least).
>
> I am worried that, being 'filler' and not 'sparse', the partial file content represented by the run(s) with addr 0 is not necessarily a sequence of zeros.
>
> Anyone shed light on this? Brian?
>
> Thanks
>
> Stuart
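An added example, not part of the original thread and not libtsk code: a sketch of how a hashing tool could account for runs by flag rather than by address, so that sparse runs count as zeros while filler runs are reported as content that is not known. `struct run`, `summarize_runs` and `content_fully_known` are hypothetical stand-ins, and treating a remaining filler run as unhashable is an assumption of this sketch; only the two flag values come from the message above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as quoted in the thread. */
#define RUN_FLAG_FILLER 0x01
#define RUN_FLAG_SPARSE 0x02

/* Hypothetical stand-in for a run record; not the libtsk struct. */
struct run { uint64_t addr; uint64_t len; int flags; };

struct run_summary {
    uint64_t data_bytes;   /* bytes to be read from allocated blocks */
    uint64_t sparse_bytes; /* bytes defined to be zeros */
    uint64_t filler_bytes; /* bytes whose content is not known */
};

/* Classify every run by its flags, never by addr == 0 alone. */
struct run_summary summarize_runs(const struct run *runs, size_t n,
                                  uint32_t block_size)
{
    struct run_summary s = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        uint64_t bytes = runs[i].len * block_size;
        if (runs[i].flags & RUN_FLAG_FILLER)
            s.filler_bytes += bytes;   /* placeholder, not zeros */
        else if (runs[i].flags & RUN_FLAG_SPARSE)
            s.sparse_bytes += bytes;   /* safe to hash as zeros */
        else
            s.data_bytes += bytes;
    }
    return s;
}

/* Assumption: a content hash is only trusted if no filler run remains. */
int content_fully_known(const struct run_summary *s)
{
    return s->filler_bytes == 0;
}

int main(void)
{
    /* Constructed sample: a data run, a sparse run, a filler run at addr 0. */
    const struct run runs[] = {
        {1200, 8, 0}, {0, 4, RUN_FLAG_SPARSE}, {0, 2, RUN_FLAG_FILLER},
    };
    struct run_summary s = summarize_runs(runs, 3, 4096);
    printf("data=%llu sparse=%llu filler=%llu fully_known=%d\n",
           (unsigned long long)s.data_bytes, (unsigned long long)s.sparse_bytes,
           (unsigned long long)s.filler_bytes, content_fully_known(&s));
    return 0;
}
```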