Re: [sleuthkit-users] too many false positives
From: Brian C. <ca...@sl...> - 2006-03-03 17:15:22
They are deleted files and the clusters that they previously used
have been reallocated. fls has no way of knowing if they have been
reallocated or not (and actually you don't either because there could
be MPEGs and HTML files with a .doc extension).

brian

On Mar 2, 2006, at 2:31 PM, "" <gim...@we...> <gim...@we...> wrote:

> Hi,
>
> does anyone know why calling
>
>   fls -f fat -p -r image.img
>
> and
>
>   icat -f fat -r zippad.img (both used in script)
>
> brings up so many false positives?
>
> Look here:
>
> $file
> ...
> _FCHEN~1.DOC: data
> _U=E1BAK~1.DOC: MPEG ADTS, AAC, v4 Main, 96 kHz
> _UFA1E~1.DOC: COM executable for MS-DOS
> _DNKTE~1.DOC: ASCII HTML document text
> ...
>
> What can I do to get better results?
>
> Does anyone know the trick?
>
> regards
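A header check for content that icat recovers under a .DOC name, as an added example (not code from this thread or from The Sleuth Kit). It validates the OLE2 compound-file header that Word .doc files start with; the names _INTAC~1.DOC and _DAMAG~1.DOC and all sample bytes are constructed.

```python
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file signature


def build_sample_ole2_header():
    """Constructed 512-byte OLE2 header (major version 3, 512-byte sectors)."""
    hdr = OLE2_MAGIC + b"\x00" * 16  # signature + empty CLSID
    # minor version, major version, byte order, sector shift, mini sector shift
    hdr += struct.pack("<HHHHH", 0x003E, 3, 0xFFFE, 9, 6)
    return hdr.ljust(512, b"\x00")


def check_doc_content(data):
    """Classify the recovered bytes of a file whose name ends in .DOC."""
    if not data.startswith(OLE2_MAGIC):
        return "not-ole2"          # content is something else entirely
    if len(data) < 512:
        return "truncated-header"  # signature present, header incomplete
    major, byte_order, sector_shift = struct.unpack_from("<HHH", data, 26)
    if byte_order != 0xFFFE or (major, sector_shift) not in {(3, 9), (4, 12)}:
        return "damaged-header"    # signature survived, header fields did not
    return "header-ok"


def triage(recovered):
    """Map each recovered name to the verdict for its content."""
    return {name: check_doc_content(data) for name, data in recovered.items()}


# Constructed sample contents standing in for icat output.
SAMPLES = {
    "_DNKTE~1.DOC": b"<html><body>constructed sample</body></html>",
    "_INTAC~1.DOC": build_sample_ole2_header(),
    "_DAMAG~1.DOC": OLE2_MAGIC + b"\x00" * 504,
    "_SHORT~1.DOC": OLE2_MAGIC + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

A "not-ole2" verdict cannot tell reallocated clusters apart from a file that never was a Word document, and "header-ok" covers only the first sector, so later clusters may still hold other data.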