Re: [sleuthkit-users] TSK-4.4 and SlackFiles

[Luís F. N. <lfc...@gm...>]

Hi Brian,

Thank you very much for your attention. The output of
FsContent.getMetaDataText() (equals to istat right?) is below. The
system.LOG-slack size is 2.026.496 bytes and system.LOG size is 1024 bytes.

details of /img_PC-HP.dd/vol_vol2/WINDOWS/system32/config/system.LOG-slack

MFT Entry Header Values:
Entry: 4106        Sequence: 1
$LogFile Sequence Number: 79246281526
Allocated File
Links: 1

$STANDARD_INFORMATION Attribute Values:
Flags: Hidden, Archive
Owner ID: 0
Security ID: 281  (S-1-5-32-544)
Last User Journal Update Sequence Number: 105272096
Created: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)
File Modified: 2011-09-16 14:33:38.375000000 (Hora oficial do Brasil)
MFT Modified: 2011-09-16 14:33:38.375000000 (Hora oficial do Brasil)
Accessed: 2011-09-16 14:33:38.187500000 (Hora oficial do Brasil)

$FILE_NAME Attribute Values:
Flags: Hidden, Archive
Name: system.LOG
Parent MFT Entry: 3982 Sequence: 2
Allocated Size: 4096   Actual Size: 1024
Created: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)
File Modified: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)
MFT Modified: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)
Accessed: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)

$ATTRIBUTE_LIST Attribute Values:
Type: 16-0 MFT Entry: 4106 VCN: 0
Type: 48-4 MFT Entry: 4106 VCN: 0
Type: 128-0 MFT Entry: 40678 VCN: 0

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $ATTRIBUTE_LIST (32-5)   Name: N/A   Resident   size: 96
Type: $FILE_NAME (48-4)   Name: N/A   Resident   size: 86
Type: $DATA (128-6)   Name: N/A   Non-Resident   size: 1024  init_size: 1024
847844 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0

2017-01-31 12:56 GMT-02:00 Brian Carrier <ca...@sl...>:

> Hi Luis,
>
> My guess is that it's a file that has preallocated a large amount of
> space, but that has not fully used it yet. NTFS allows this.  If you read
> the file, TSK will only show you the space that is used.  Reading the
> slack, gives you the rest.
>
> If you run 'istat' on one of these files and send it along, we can confirm.
>
> thanks,
> brian
>
>
> On Tue, Jan 31, 2017 at 7:04 AM, Luís Filipe Nassif <lfc...@gm...>
> wrote:
>
>> Hi folks,
>>
>> I am upgrading to tsk-4.4 to benefit from the new support to slackfiles
>> from java bindings. But I noticed some slackfiles larger than the cluster
>> size (4k) are created in database. Some of them have megabytes of size and
>> its contents are accessible. Is it expected to have slackfiles larger than
>> cluster size? Could someone explain?
>>
>> Thanks,
>> Luis Nassif
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>>
>>
>