Re: [sleuthkit-users] Error in sorter - what am I missing?
From: DePriest, J. R. <jrd...@gm...> - 2006-04-19 22:57:00
Reading the NTFS entry in Wikipedia states that NTFS compression uses the same compression algorithm as regular Zip files (LZ77):
http://en.wikipedia.org/wiki/Ntfs

That article had a link to the Microsoft website here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/file_compression_and_decompression.asp

The site is pretty high level and doesn't really give much more detail than what apps or functions to call to perform an operation.

It looks like someone would need to recreate the functionality of LzExpand.dll in an open source manner and I have no idea if any development is being done on this. I also don't know what the existing NTFS drivers and bolt-ons for Linux can already do natively.

You could always note the files that cannot be decompressed, manually pull them out of the image and then use a Windows system to decompress them. Of course, that would compromise your evidence, but it is an idea.

-Jason

On 4/19/06, Jennifer Smith <> wrote:
> Ok, I got the offset from mmls (thanks Barry, that was exactly what I needed to do!) and now sorter is running beautifully, with just one hangup.
>
> It appears that there are some file system compressed files in this image and when sorter gets to them it throws out an error that it can not access NTFS compressed files and then it aborts trying to access that particular file. These appear to be file system compressed files, not standard archive files, since it was able to sort and catalog .cab, .dat, and .zip files with no problem.
>
> According to some research on this end, it seems that NTFS uses something similar to DriveSpace3 for its compression (please correct me if I'm wrong) - has anyone found/created any method to work through this error with sorter so that instead of aborting the file, it uncompresses it and sorts it as intended?
>
> farmer dude, thanks for the response - any suggestions on sites to look for practice images (especially if they include a "results" list, so I know if I actually find everything); also, is there a how-to anywhere on creating images for practicing?
>
> Thanks again for all the help,
> gg