[sleuthkit-users] Basic fls questions
From: olcay y. <olc...@gm...> - 2015-11-13 23:02:34
Hi, I am a PhD student in forensic science and I have started to work on TSK/fls for a project. I have some basic questions about fls and I would appreciate it if you could answer them.

1) We have a very active ext3 filesystem which has 4 directories inside it. Around 100 thousand files are created and deleted inside this filesystem daily. Is it possible to recover filenames (or actual files) which were deleted more than one year ago?

2) How long does it take for a command like "fls /dev/sdb1 -p -r -d" to give an output on the above active filesystem? Since new files are created/deleted while the fls command runs, how is the fls command affected by this situation? Does it handle files which are deleted after the start of its execution?

3) Does it have any side effects to run fls on a live filesystem (if we can not unmount the filesystem)?

4) Is evidence collected with fls on live filesystems (without unmounting the filesystem) admissible in courtrooms?

5) If we use the "-l (long format)" parameter, we can list the mod_time, acc_time, chg_time and cre_time of the files. Can we trust these time values? I mean, do these time values really belong to the filename which is listed in the output, or are they overridden by other files' time values?

6) Can fls detect any anomalies in the filesystem? I mean, if someone (with ill will) changes the system time and adds a file to the filesystem as if the file was created and deleted at some time in the past, is it possible to detect this manipulation with fls or with any other forensic tool?

Thanks in advance.
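Questions 5 and 6 above concern the timestamps in `fls -l` output and whether they expose manipulation. The following added example (not part of this thread and not code from The Sleuth Kit) parses `fls -l` lines into records and applies one consistency check that a defender can run over the listing. The column layout it assumes is `type [*] inode:<TAB>path<TAB>mtime<TAB>atime<TAB>ctime<TAB>crtime<TAB>size<TAB>uid<TAB>gid`, with `*` marking deleted entries and an all-zero crtime on filesystems such as ext3 that have no creation time; verify this against the fls version in use before relying on it. The sample listing is constructed for the example.

```python
"""Parse fls -l output and flag timestamp combinations that normal use cannot produce.

Added example; the column layout below is an assumption about `fls -l`, not taken
from this thread or from The Sleuth Kit's documentation:
  type [*] inode:<TAB>path<TAB>mtime<TAB>atime<TAB>ctime<TAB>crtime<TAB>size<TAB>uid<TAB>gid
Timestamps are assumed to look like 'YYYY-MM-DD HH:MM:SS (ZONE)'.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \((\w+)\)$")


@dataclass
class FlsEntry:
    dentry_type: str          # e.g. 'r/r' (directory entry type / inode type)
    inode: str
    deleted: bool             # '*' present after the type field
    path: str
    mtime: Optional[datetime]
    atime: Optional[datetime]
    ctime: Optional[datetime]
    crtime: Optional[datetime]
    size: int


def parse_ts(field: str) -> Optional[datetime]:
    """Return a naive datetime, or None for an absent (all-zero) timestamp."""
    m = TS_RE.match(field.strip())
    if not m or m.group(1).startswith("0000-00-00"):
        return None  # assumed: ext3 has no crtime, so fls prints a zero stamp
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")


def parse_fls_long(text: str) -> List[FlsEntry]:
    """Parse the tab-separated long listing produced by `fls -l` (layout assumed above)."""
    entries: List[FlsEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 9:
            raise ValueError(f"unexpected fls -l line: {line!r}")
        head = fields[0].split()          # ['r/r', '*', '15:'] or ['d/d', '2:']
        entries.append(FlsEntry(
            dentry_type=head[0],
            inode=head[-1].rstrip(":"),
            deleted="*" in head,
            path=fields[1],
            mtime=parse_ts(fields[2]),
            atime=parse_ts(fields[3]),
            ctime=parse_ts(fields[4]),
            crtime=parse_ts(fields[5]),
            size=int(fields[6]),
        ))
    return entries


def find_timestamp_anomalies(entries: List[FlsEntry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for stamps that ordinary file activity cannot produce.

    The kernel updates ctime on every inode change, including a utimes() call that
    sets mtime, and user space cannot set ctime directly. So mtime later than ctime,
    or crtime later than mtime, points at a clock change or direct inode editing.
    A file created while the clock was simply set back yields self-consistent stamps
    and is NOT caught here; that needs an outside reference (journal, logs, backups).
    """
    findings = []
    for e in entries:
        if e.mtime and e.ctime and e.mtime > e.ctime:
            findings.append((e.path, "mtime later than ctime"))
        if e.crtime and e.mtime and e.crtime > e.mtime:
            findings.append((e.path, "crtime later than mtime"))
    return findings


# Constructed sample listing in the assumed format (not real fls output).
SAMPLE = "\n".join([
    "d/d 2:\tlogs\t2015-11-13 09:00:00 (UTC)\t2015-11-13 09:00:00 (UTC)\t2015-11-13 09:00:00 (UTC)\t0000-00-00 00:00:00 (UTC)\t4096\t0\t0",
    "r/r 14:\tlogs/app.log\t2015-11-13 09:05:00 (UTC)\t2015-11-13 09:06:00 (UTC)\t2015-11-13 09:05:00 (UTC)\t0000-00-00 00:00:00 (UTC)\t2048\t0\t0",
    "r/r * 15:\tlogs/old.log\t2014-06-01 12:00:00 (UTC)\t2014-06-01 12:00:00 (UTC)\t2014-06-01 12:00:00 (UTC)\t0000-00-00 00:00:00 (UTC)\t512\t0\t0",
    "r/r 16:\tlogs/tampered.txt\t2016-01-01 00:00:00 (UTC)\t2016-01-01 00:00:00 (UTC)\t2015-11-13 10:00:00 (UTC)\t0000-00-00 00:00:00 (UTC)\t100\t0\t0",
])

if __name__ == "__main__":
    parsed = parse_fls_long(SAMPLE)
    print(f"{len(parsed)} entries, {sum(e.deleted for e in parsed)} deleted")
    for path, reason in find_timestamp_anomalies(parsed):
        print(f"anomaly: {path}: {reason}")
```

Run it against a saved listing with `fls -r -p -l image.dd > listing.txt` and feed the file contents to `parse_fls_long`. Working from an image rather than the live `/dev/sdb1` also sidesteps the moving-target problem in question 2: the listing then describes one fixed state of the filesystem.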