Re: [sleuthkit-users] dls
From: Brian C. <ca...@sl...> - 2006-05-10 21:26:00
Geert VAN ACKER wrote:
> Dear brian and list members,
>
> two little questions about dls.
>
> 1. dls extracts all unallocated data blocks (addressable disk units)
> Assumption: dls also copies the slack space of an image, as long as
> these are addressable disk units.
> Question: What about the bytes between the last byte of a regular file
> and the beginning of the next data block? Is there a way to copy them out?

They are only copied out if you use the '-s' flag, in which case only the slack space blocks are copied out (and the file data is zeroed out).

> 2. What is the file structure of a dls output file. dls keeps the byte
> offset of the fragment, so is it something like:
> 254: data_of_the_block 289: data_of_another_block ... ?

The default output of dls is a raw data file that is block aligned. I.e. if the first unallocated block is block 50 then it would be the first block in the output. You can use dcalc to link between dls addresses and normal addresses. 'dls -l' will also give you that information.

brian
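Added example, not part of the original message and not Sleuth Kit code: a sketch of the address translation described in the reply, where the raw output holds only the unallocated blocks back to back, so block 50 of the image becomes block 0 of the output. The allocation bitmap, the 4096-byte block size, the ascending-order layout and all function names are assumptions made for illustration.

```python
from bisect import bisect_left

BLOCK_SIZE = 4096  # assumed block size for the constructed example

# Constructed allocation bitmap (True = allocated): blocks 50, 53 and 54 are free.
BITMAP = [addr not in (50, 53, 54) for addr in range(60)]


def unallocated_blocks(bitmap):
    """Original block addresses of unallocated blocks, in ascending order."""
    return [addr for addr, allocated in enumerate(bitmap) if not allocated]


def output_to_original(unalloc, index):
    """Block number inside the raw output -> block address in the image."""
    if not 0 <= index < len(unalloc):
        raise IndexError("output block %d is past the end of the output" % index)
    return unalloc[index]


def original_to_output(unalloc, addr):
    """Block address in the image -> block number in the output, None if allocated."""
    i = bisect_left(unalloc, addr)
    return i if i < len(unalloc) and unalloc[i] == addr else None


def output_byte_offset(unalloc, addr, block_size=BLOCK_SIZE):
    """Byte offset in the raw output where the given image block starts."""
    index = original_to_output(unalloc, addr)
    return None if index is None else index * block_size


def slack_bytes(file_size, block_size=BLOCK_SIZE):
    """Bytes between the last byte of a file and the end of its last block."""
    return (-file_size) % block_size


if __name__ == "__main__":
    unalloc = unallocated_blocks(BITMAP)
    for index, addr in enumerate(unalloc):
        print("output block %d (byte %d) = image block %d"
              % (index, index * BLOCK_SIZE, addr))
    print("slack after a 5000-byte file:", slack_bytes(5000))
```
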