[sleuthkit-users] Detect overwritten files
From: Lloyd <llo...@gm...> - 2015-12-08 06:12:31
Hi,

Using the function 'tsk_fs_file_open_meta()' the contents of existing and deleted files could be read. Considering the following cases:

1. We have created a text file (1 KB) and added some content to it. Later deleted it and created a new text file (1 KB) with the same file name and a different content (less number of bytes). Now when we try to read the files, the deleted file displays the content of the new file followed by zeros. The size of the deleted file is shown correctly.

2. We created a text file (3 KB) and added some content to it. Later deleted it and created a new text file (1 KB) with the same file name and a different content. Now when we try to read the files, the deleted file displays the content of the new file followed by zeros in the first 1 KB portion and the actual content in the remaining 2 KB portion.

So the deleted file is being overwritten somehow. Using the 'TSK_FS_META_FLAG_ALLOC' and 'TSK_FS_META_FLAG_UNALLOC' flags, it can be understood whether the file is existing or deleted respectively. But I could not find any information regarding whether the file is overwritten or not. Is there any mechanism available for detecting the overwritten files?

Thanks,
Lloyd
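The check Lloyd is asking about, as an added example that is not code from the post or from The Sleuth Kit: the block list a deleted inode still carries is compared against the file system's current allocation state, and every byte that falls in a block now allocated to another file is counted as overwritten. The block numbers, bitmap and file layout are constructed to mirror case 2 (a 3 KB file whose first block was handed to a new 1 KB file).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not TSK code): a deleted inode still lists its old data
 * blocks, but the file system's allocation bitmap says who owns them now. */
#define BLOCK_SIZE 1024u
#define NBLOCKS 16u

typedef struct {
    size_t size;            /* logical size recorded in the deleted inode */
    uint64_t blocks[8];     /* data blocks the deleted inode still points to */
    size_t nblocks;
} deleted_file_t;

typedef struct {
    size_t overwritten;     /* bytes living in blocks now allocated elsewhere */
    size_t intact;          /* bytes living in still-unallocated blocks */
} overwrite_report_t;

/* alloc_bitmap[b] is 1 when block b is currently allocated. A deleted file's
 * content is only trustworthy for the bytes that fall in unallocated blocks;
 * anything read from an allocated block is the new owner's data. */
overwrite_report_t check_overwritten(const uint8_t *alloc_bitmap,
                                     const deleted_file_t *f)
{
    overwrite_report_t r = {0, 0};
    size_t remaining = f->size;
    for (size_t i = 0; i < f->nblocks && remaining > 0; i++) {
        size_t n = remaining < BLOCK_SIZE ? remaining : BLOCK_SIZE;
        if (alloc_bitmap[f->blocks[i]]) r.overwritten += n;
        else                            r.intact += n;
        remaining -= n;
    }
    return r;
}

/* Case 2 from the post: a 3 KB file deleted, then a 1 KB file created that
 * was given the deleted file's first block. Block numbers are constructed. */
overwrite_report_t case2(void)
{
    uint8_t bitmap[NBLOCKS] = {0};
    deleted_file_t old = { 3 * BLOCK_SIZE, {5, 6, 7}, 3 };
    bitmap[5] = 1;                       /* reallocated to the new 1 KB file */
    return check_overwritten(bitmap, &old);
}

int main(void)
{
    overwrite_report_t r = case2();
    printf("overwritten: %zu bytes, intact: %zu bytes -> %s\n",
           r.overwritten, r.intact, r.overwritten ? "OVERWRITTEN" : "clean");
    return 0;
}
```

In TSK itself the same per-block decision can be made inside a tsk_fs_file_walk() callback, whose flags argument carries TSK_FS_BLOCK_FLAG_ALLOC or TSK_FS_BLOCK_FLAG_UNALLOC for the block being delivered; the meta flags only say whether the inode is in use, not whether its blocks are.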