Re: [sleuthkit-users] Different results between tsk_loaddb and java AddImageProcess
From: Luís F. N. <lfc...@gm...> - 2016-03-31 22:39:23
Hi,

Any updates here? I can submit a patch to add a command line option to group non adjacent unallocated blocks without changing default behaviour.

Regards,
Luis

2015-12-09 19:30 GMT-02:00 Luís Filipe Nassif <lfc...@gm...>:

> I am exactly doing that in a forensic app I developed: breaking big virtual unallocated files into smaller ones to do multithreaded carving and to do fast indexed searches and highlighting.
>
> Regards,
> Luís Nassif
>
> On 09/12/2015 13:40, "Brian Carrier" <ca...@sl...> wrote:
>
>> We could change the default behavior and add a command line argument to change it.
>>
>> Any objections to grouping unallocated space?
>>
>> As a side note (and we recently ran into this with some images in Autopsy), the current algorithm will break the groups of unallocated space at a sector boundary with an allocated sector. If there is 100GB of contiguous unallocated space, the resulting file will be 100GB. We will probably change the algorithm to do something like try to break it at 500MB at a natural boundary, but definitely stop 10% later if there isn’t one.
>>
>> > On Dec 8, 2015, at 6:58 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>> >
>> > Hi,
>> >
>> > Those 2 commands are populating the sqlite database with a different number of unallocated entries. Reading the code, the java command was configured to group non adjacent unallocated clusters up to 500 MB, while tsk_loaddb groups only adjacent blocks. Tsk_loaddb produced a sqlite with 26 million unallocated entries in a specific case. I think those 2 commands should return the same output, and I prefer the java one, because it makes carving fragmented files easier.
>> >
>> > Regards,
>> > Luis Nassif
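The two grouping strategies discussed in this thread, as an added example that is not part of the original messages and is not Sleuth Kit code. The function names are hypothetical, sizes are counted in blocks rather than bytes, and the "500MB at a natural boundary, stop 10% later" rule is implemented under one assumed reading, stated in the docstring.

```python
# Added illustration (not Sleuth Kit code): two ways to turn unallocated
# block runs into virtual "unallocated" files. Runs are (start_block, length).

def merge_adjacent(runs):
    """Coalesce runs that touch; each result is one contiguous extent."""
    merged = []
    for start, length in sorted(runs):
        if merged and merged[-1][0] + merged[-1][1] == start:
            merged[-1] = (merged[-1][0], merged[-1][1] + length)
        else:
            merged.append((start, length))
    return merged

def group_adjacent(runs):
    """One file per contiguous extent: the adjacent-only grouping."""
    return [[extent] for extent in merge_adjacent(runs)]

def group_capped(runs, target_blocks, slack_percent=10):
    """Pack extents, adjacent or not, into files of about target_blocks.

    Assumed reading of the proposal in the thread: close a file at an extent
    boundary once it holds target_blocks, and split inside an extent only
    when the file reaches target_blocks plus slack_percent.
    """
    hard_limit = target_blocks + target_blocks * slack_percent // 100
    files, current, used = [], [], 0
    for start, length in merge_adjacent(runs):
        while length > 0:
            take = min(length, hard_limit - used)
            current.append((start, take))
            used, start, length = used + take, start + take, length - take
            at_boundary = length == 0
            if used >= hard_limit or (at_boundary and used >= target_blocks):
                files.append(current)
                current, used = [], 0
    if current:
        files.append(current)
    return files

if __name__ == "__main__":
    # Constructed sample: 1000 single-block fragments, then one long extent.
    fragmented = [(2 * i, 1) for i in range(1000)]
    contiguous = [(10_000, 5000)]
    for name, runs in (("fragmented", fragmented), ("contiguous", contiguous)):
        print(name, len(group_adjacent(runs)), len(group_capped(runs, 500)))
```

On the constructed fragmented input the adjacent-only grouping yields one database entry per fragment, while the capped grouping yields two; on the single long extent the relationship reverses, which is the 100GB case raised in the thread.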