[sleuthkit-users] fls reporting existing files in NTFS as deleted
From: Svein Y. W. <sv...@wi...> - 2006-08-14 17:48:42
Hello everyone,

I'm experiencing an issue with running fls on an NTFS file system. It reports many of the existing files as reallocated, even though they are not deleted, and can be viewed in Windows. See example below.

This is on a dual-boot machine where I run fls from TSK 2.05 on a Fedora Core 5 installation against the Win XP installation on another disk on the same machine.

I want to investigate this further, but I just wanted to check if this is a known issue, or perhaps I'm missing something out completely?

--
Svein Willassen
Researcher, Norwegian Institute of Science and Technology

Excerpt from fls output:

r/r 4-128-4: $AttrDef
r/r 8-128-2: $BadClus
r/r 8-128-1: $BadClus:$Bad
r/r 6-128-1: $Bitmap
r/r 7-128-1: $Boot
d/d 11-144-4: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-1: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-144-17: $Secure:$SDH
r/r 9-144-16: $Secure:$SII
r/r 9-128-0: $Secure:$SDS
r/r 10-128-1: $UpCase
d/d 67623-144-1: $VAULT$.AVG
r/r 3-128-3: $Volume
r/r 120570-128-4: %backup%~
d/d 120527-144-1: .emacs.d
r/r 44644-128-4: ADMINPAK-README.TXT
d/d 130722-144-1: artikkeltest
r/r 6950-128-1: AUTOEXEC.BAT
r/r 44646-128-0: B3-web-version-adminpak.msi
r/r * 87596-128-1(realloc): ErrorLog.txt
d/d * 44474-144-6(realloc): etc
r/r * 88890-128-3(realloc): faq.htm
r/r * 71520-128-3(realloc): faq.zip
r/r * 65787-128-3(realloc): gustav.pdf
r/r * 87463-128-3(realloc): index2.php
r/r * 87515-128-3(realloc): index3.php
r/r * 54974-128-4(realloc): insideout.zip
r/r * 6951-128-1(realloc): IO.SYS
d/d * 118408-144-1(realloc): localtexmf
r/r 69116-128-3: makeinst.c
r/r 61369-128-3: makeinst.c~
r/r 69140-128-3: makekey.c
r/r 58203-128-3: makekey.c~
r/r 14294-128-3: MPMSetup.log

The same file system as seen from XP:

C:\>dir
Volumet i stasjon C er uten navn.
Volumserienummeret er 9095-66B8

Innhold i C:\

11.10.2005 16:08 7 809 %backup%~
04.04.2005 20:16 <DIR> .emacs.d
20.06.2005 11:12 <DIR> artikkeltest
09.09.2004 21:56 0 AUTOEXEC.BAT
16.03.2006 10:16 18 581 buy.zip
16.03.2006 10:34 1 677 callback.php
03.08.2005 22:05 1 073 152 CCS.exe
09.09.2004 21:56 0 CONFIG.SYS
23.03.2006 14:47 13 439 Country.xls
17.06.2005 14:26 <DIR> dest
30.10.2005 20:40 <DIR> Documents and Settings
20.06.2005 12:56 <DIR> empty
17.04.2005 20:47 <DIR> emulator_configurations
29.03.2005 15:53 364 ErrorLog.txt <---
28.12.2004 22:15 <DIR> etc <---
02.04.2005 19:26 4 406 faq.htm <---
25.02.2005 23:12 167 864 faq.zip <---
20.06.2005 13:16 <DIR> filer
20.06.2005 12:42 992 filer.tgz
17.08.2005 21:27 <DIR> fotoknudsen
10.04.2005 20:26 231 921 gustav.pdf <---
06.11.2002 14:51 1 505 792 heltsikkert.ppt
24.08.2005 19:06 14 293 063 HomeGallery.zip
08.05.2005 22:16 <DIR> img
01.08.2005 13:18 2 981 index.htm.htm
29.03.2005 15:29 2 305 index2.php <---
29.03.2005 15:29 2 632 index3.php <---
15.08.2005 15:14 <DIR> insideout
10.11.2004 22:00 22 503 insideout.zip <---
16.08.2005 11:59 4 125 iobott.gif
26.07.2005 12:50 2 039 kannel.conf
26.07.2005 12:43 1 935 kannel.conf~
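
The manual comparison in the message above (fls entries flagged `* ...(realloc)` against names visible in the live `dir` listing) can be scripted for larger directories. This is an added example, not part of the original post or of The Sleuth Kit; the function names are hypothetical, and the sample input is a handful of lines copied from the excerpts above.

```python
import re

# fls entry layout as seen in the excerpt:
#   <name type>/<meta type> [* ]<MFT entry>-<attr type>-<attr id>[(realloc)]: <name>
FLS_LINE = re.compile(
    r"^(?P<ntype>\S)/(?P<mtype>\S)\s+(?P<deleted>\*\s+)?"
    r"(?P<entry>\d+)-(?P<atype>\d+)-(?P<aid>\d+)"
    r"(?P<realloc>\(realloc\))?:\s+(?P<name>.+)$"
)

def parse_fls(text):
    """Return one dict per recognised fls line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FLS_LINE.match(line.strip())
        if m:
            rows.append({
                "name": m["name"],            # may contain ':' for named streams
                "mft_entry": int(m["entry"]),
                "deleted": m["deleted"] is not None,
                "realloc": m["realloc"] is not None,
            })
    return rows

def suspicious_realloc(fls_text, live_names):
    """Entries fls flags as deleted+realloc whose name is in the live listing."""
    live = {n.casefold() for n in live_names}  # compare names case-insensitively
    return [r for r in parse_fls(fls_text)
            if r["deleted"] and r["realloc"] and r["name"].casefold() in live]

# Sample input: lines taken from the fls excerpt and dir listing in the post.
SAMPLE_FLS = """\
r/r 6950-128-1: AUTOEXEC.BAT
r/r * 87596-128-1(realloc): ErrorLog.txt
d/d * 44474-144-6(realloc): etc
r/r * 88890-128-3(realloc): faq.htm
r/r * 6951-128-1(realloc): IO.SYS
r/r 8-128-1: $BadClus:$Bad
"""
SAMPLE_LIVE = ["AUTOEXEC.BAT", "ErrorLog.txt", "etc", "faq.htm", "filer"]

if __name__ == "__main__":
    for r in suspicious_realloc(SAMPLE_FLS, SAMPLE_LIVE):
        print(f"MFT entry {r['mft_entry']}: {r['name']} flagged realloc but present live")
```

IO.SYS is not reported here only because it does not appear in the sample live listing; the script compares names and says nothing about why fls set the flag.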