Re: SPAM: 99.9: Re: [sleuthkit-users] too many false positives
From: Brian C. <ca...@sl...> - 2006-03-07 01:26:40
On Mar 6, 2006, at 7:24 AM, "" <gim...@we...> wrote:

> On Fri, 3 Mar 2006 12:15:03 -0500
> Brian Carrier <ca...@sl...> wrote:
>
>> They are deleted files and the clusters that they previously used
>> have been reallocated. fls has no way of knowing if they have been
>> reallocated or not (and actually you don't either because there
>> could be MPEGs and HTML files with a .doc extension).
>
> So I used file utility to check this.
> Is there any tool or magicfile database which does this check
> better in mind of forensic analysis?
> file will check by magic key, but perhaps files do have more
> characteristics file doesn't check because it doesn't need to.

The sorter tool will compare the output of 'file' with a database of
extensions.

brian
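The comparison described in the reply above (content type from signatures, checked against the extensions expected for that type), as an added example that is not part of the original message and is not sorter's own code. The signature table, extension map, file names and sample bytes are constructed for illustration.

```python
# Added illustration; not sorter's code or its real extension database.
# The signature table and extension map are small constructed samples.
SIGNATURES = [  # (category, magic bytes expected at offset 0)
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy Office container
    ("jpeg", b"\xff\xd8\xff"),
    ("mpeg", b"\x00\x00\x01\xba"),  # MPEG program stream pack header
    ("mpeg", b"\x00\x00\x01\xb3"),  # MPEG video sequence header
    ("pdf", b"%PDF-"),
]
EXTENSIONS = {  # extensions considered normal for each category
    "ole2": {"doc", "xls", "ppt"},
    "jpeg": {"jpg", "jpeg"},
    "mpeg": {"mpg", "mpeg"},
    "pdf": {"pdf"},
    "html": {"htm", "html"},
}

def identify(data):
    """Return a content category from the leading bytes, or None."""
    for category, magic in SIGNATURES:
        if data.startswith(magic):
            return category
    # Text formats have no fixed magic; look for a leading HTML tag instead.
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return None

def check(name, data):
    """Return (status, category); status is match, mismatch or unknown."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    category = identify(data)
    if category is None:
        # No signature hit: the content is unidentified, not confirmed.
        return ("unknown", None)
    status = "match" if ext in EXTENSIONS[category] else "mismatch"
    return (status, category)

# Constructed samples: four recovered names ending in .doc, different content.
SAMPLES = {
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "letter.doc": b"\x00\x00\x01\xba" + b"\x44" * 8,
    "notes.doc": b"\n<HTML><head></head></HTML>",
    "blob.doc": b"\x00" * 16,
}

def report():
    return {name: check(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

A mismatch on a deleted entry fits the reallocation case discussed in the thread: the name survives, but the clusters it points to now hold another file's data.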