Re: [sleuthkit-users] too many false positives
From: <gim...@we...> - 2006-03-06 12:26:40
On Fri, 3 Mar 2006 12:15:03 -0500 Brian Carrier <ca...@sl...> wrote:
> They are deleted files and the clusters that they previously used
> have been reallocated. fls has no way of knowing if they have been
> reallocated or not (and actually you don't either because there
> could be MPEGs and HTML files with a .doc extension).

So I used the file utility to check this. Is there any tool or magic file database which does this check better with forensic analysis in mind? file will check by magic key, but perhaps files do have more characteristics file doesn't check because it doesn't need to.

regards
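Added example, not part of the original thread and not Sleuth Kit code: a sketch of checking a recovered .doc beyond its leading magic bytes by validating further OLE2 header fields, and reporting when the content instead looks like MPEG or HTML. The function names and sample byte strings are constructed for illustration.

```python
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # signature of legacy .doc containers

def ole2_header_ok(data: bytes) -> bool:
    """Validate OLE2 header fields that follow the 8-byte signature."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return False
    # Offsets 26..33: major version, byte-order mark, sector shift, mini-sector shift
    major, order, shift, mini = struct.unpack_from("<HHHH", data, 26)
    # v3 uses 512-byte sectors (shift 9), v4 uses 4096-byte sectors (shift 12)
    return order == 0xFFFE and mini == 6 and (major, shift) in {(3, 9), (4, 12)}

def sniff(data: bytes) -> str:
    """Classify content by signature plus a structural check where one is known."""
    if data[:8] == OLE2_MAGIC:
        return "ole2" if ole2_header_ok(data) else "ole2-damaged"
    if data[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):  # MPEG pack / sequence start
        return "mpeg"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"

def check_doc(name: str, data: bytes) -> str:
    """Report whether content recovered under a .doc name is plausibly a .doc."""
    kind = sniff(data)
    verdict = "consistent" if kind == "ole2" else "mismatch"
    return f"{verdict}: {name} content looks like {kind}"

# Constructed samples (not real evidence): first sector of each recovered file
GOOD_DOC = (OLE2_MAGIC + bytes(16)
            + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6)).ljust(512, b"\0")
OVERWRITTEN = OLE2_MAGIC.ljust(512, b"\0")   # magic survives, header fields do not
MPEG = b"\x00\x00\x01\xba".ljust(512, b"\x44")
HTML_PAGE = b"\r\n<HTML><head><title>x</title></head></HTML>"

if __name__ == "__main__":
    for label, blob in [("good", GOOD_DOC), ("overwritten", OVERWRITTEN),
                        ("mpeg", MPEG), ("html", HTML_PAGE)]:
        print(label, "->", check_doc("report.doc", blob))
```

A header that passes these checks only shows the first sector is intact; later clusters of a deleted file may still have been reallocated.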