Re: [sleuthkit-users] fls reporting existing files in NTFS as deleted
From: Brian C. <ca...@sl...> - 2006-08-15 03:27:36
This is because of the way that NTFS file names are stored. They are stored in a sorted fashion in a B-tree and when files are deleted and created, the tree moves around. So, files move to different nodes so that they stay in a sorted order and the file names can be found in the unallocated space of directories. Autopsy uses the fls flags so that only allocated NTFS files are shown and then it uses 'ifind -p' to find the unallocated names that are part of that directory.

brian

On Aug 14, 2006, at 1:48 PM, Svein Yngvar Willassen wrote:

> Hello everyone,
>
> I'm experiencing an issue with running fls on an NTFS file system. It
> reports many of the existing files as reallocated, even though they are not
> deleted, and can be viewed in Windows. See example below. This is on a
> dual-boot machine where I run fls from TSK 2.05 on a Fedora Core 5
> installation against the Win XP installation on another disk on the same
> machine.
>
> I want to investigate this further, but I just wanted to check if this is a
> known issue, or perhaps I'm missing something out completely?
>
> --
> Svein Willassen
> Researcher, Norwegian Institute of Science and Technology
>
>
> Excerpt from fls output:
>
> r/r 4-128-4: $AttrDef
> r/r 8-128-2: $BadClus
> r/r 8-128-1: $BadClus:$Bad
> r/r 6-128-1: $Bitmap
> r/r 7-128-1: $Boot
> d/d 11-144-4: $Extend
> r/r 2-128-1: $LogFile
> r/r 0-128-1: $MFT
> r/r 1-128-1: $MFTMirr
> r/r 9-144-17: $Secure:$SDH
> r/r 9-144-16: $Secure:$SII
> r/r 9-128-0: $Secure:$SDS
> r/r 10-128-1: $UpCase
> d/d 67623-144-1: $VAULT$.AVG
> r/r 3-128-3: $Volume
> r/r 120570-128-4: %backup%~
> d/d 120527-144-1: .emacs.d
> r/r 44644-128-4: ADMINPAK-README.TXT
> d/d 130722-144-1: artikkeltest
> r/r 6950-128-1: AUTOEXEC.BAT
> r/r 44646-128-0: B3-web-version-adminpak.msi
> r/r * 87596-128-1(realloc): ErrorLog.txt
> d/d * 44474-144-6(realloc): etc
> r/r * 88890-128-3(realloc): faq.htm
> r/r * 71520-128-3(realloc): faq.zip
> r/r * 65787-128-3(realloc): gustav.pdf
> r/r * 87463-128-3(realloc): index2.php
> r/r * 87515-128-3(realloc): index3.php
> r/r * 54974-128-4(realloc): insideout.zip
> r/r * 6951-128-1(realloc): IO.SYS
> d/d * 118408-144-1(realloc): localtexmf
> r/r 69116-128-3: makeinst.c
> r/r 61369-128-3: makeinst.c~
> r/r 69140-128-3: makekey.c
> r/r 58203-128-3: makekey.c~
> r/r 14294-128-3: MPMSetup.log
>
>
> The same file system as seen from XP:
>
> C:\>dir
> Volume in drive C has no label.
> Volume Serial Number is 9095-66B8
>
> Directory of C:\
>
> 11.10.2005  16:08             7 809  %backup%~
> 04.04.2005  20:16    <DIR>           .emacs.d
> 20.06.2005  11:12    <DIR>           artikkeltest
> 09.09.2004  21:56                 0  AUTOEXEC.BAT
> 16.03.2006  10:16            18 581  buy.zip
> 16.03.2006  10:34             1 677  callback.php
> 03.08.2005  22:05         1 073 152  CCS.exe
> 09.09.2004  21:56                 0  CONFIG.SYS
> 23.03.2006  14:47            13 439  Country.xls
> 17.06.2005  14:26    <DIR>           dest
> 30.10.2005  20:40    <DIR>           Documents and Settings
> 20.06.2005  12:56    <DIR>           empty
> 17.04.2005  20:47    <DIR>           emulator_configurations
> 29.03.2005  15:53               364  ErrorLog.txt          <---
> 28.12.2004  22:15    <DIR>           etc                   <---
> 02.04.2005  19:26             4 406  faq.htm               <---
> 25.02.2005  23:12           167 864  faq.zip               <---
> 20.06.2005  13:16    <DIR>           filer
> 20.06.2005  12:42               992  filer.tgz
> 17.08.2005  21:27    <DIR>           fotoknudsen
> 10.04.2005  20:26           231 921  gustav.pdf            <---
> 06.11.2002  14:51         1 505 792  heltsikkert.ppt
> 24.08.2005  19:06        14 293 063  HomeGallery.zip
> 08.05.2005  22:16    <DIR>           img
> 01.08.2005  13:18             2 981  index.htm.htm
> 29.03.2005  15:29             2 305  index2.php            <---
> 29.03.2005  15:29             2 632  index3.php            <---
> 15.08.2005  15:14    <DIR>           insideout
> 10.11.2004  22:00            22 503  insideout.zip         <---
> 16.08.2005  11:59             4 125  iobott.gif
> 26.07.2005  12:50             2 039  kannel.conf
> 26.07.2005  12:43             1 935  kannel.conf~
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
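The triage the reply describes (show only allocated names, then treat the '*'/'(realloc)' names as index residue to be checked separately) can be approximated offline on saved fls output. The script below is an added example for this thread; it is not code from the original posts or from The Sleuth Kit. It assumes the one-line TSK 2.x fls format shown in the excerpt (type/type, optional '*', entry-attrtype-attrid, optional '(realloc)', name) and that '(realloc)' means the MFT entry the name points to is currently allocated. The sample input copies lines from the excerpt and adds two constructed lines, an allocated ErrorLog.txt entry and a plain deleted oldnotes.txt, because the excerpt itself does not show an allocated twin of any reallocated name.

```python
"""Triage TSK fls output for an NTFS volume: separate stale index-tree residue
from genuine deletions.

Added example; not code from the original thread or from The Sleuth Kit. It
assumes the one-line TSK 2.x fls format shown in the excerpt above:

    type/type [*] entry-attrtype-attrid[(realloc)]: name

where '*' marks a name recovered from unallocated index space and '(realloc)'
marks that the MFT entry the name points to is currently allocated.
"""
import re
from typing import Dict, List, Optional, Tuple

FLS_LINE = re.compile(
    r"^(?P<ftype>[^/\s]+)/(?P<mtype>\S+)\s+"  # name type / metadata type (r/r, d/d, -/r ...)
    r"(?P<deleted>\*\s+)?"                     # '*': name came from unallocated index space
    r"(?P<addr>\d+(?:-\d+-\d+)?)"              # MFT entry[-attribute type-attribute id]
    r"(?P<realloc>\(realloc\))?"               # the MFT entry is (still or again) allocated
    r":\s*(?P<name>.*)$"                       # name; may contain ':' for an alternate data stream
)

ALLOCATED = "allocated"
STALE_COPY = "stale index copy: same name and MFT entry are still allocated"
REUSED_ENTRY = "name in unallocated index space, MFT entry allocated: confirm with istat / ifind -p"
DELETED = "deleted name, MFT entry unallocated"

# Sample input: lines taken from the excerpt above, plus two constructed lines
# (the allocated ErrorLog.txt entry and oldnotes.txt) to exercise every branch.
SAMPLE_FLS_OUTPUT = """\
r/r 4-128-4: $AttrDef
r/r 8-128-1: $BadClus:$Bad
d/d 11-144-4: $Extend
r/r 120570-128-4: %backup%~
r/r 87596-128-1: ErrorLog.txt
r/r * 87596-128-1(realloc): ErrorLog.txt
d/d * 44474-144-6(realloc): etc
r/r * 88890-128-3(realloc): faq.htm
r/r * 6951-128-1(realloc): IO.SYS
r/r * 99999-128-1: oldnotes.txt
""".splitlines()


def parse_fls_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one fls line; return None for lines that are not entries."""
    m = FLS_LINE.match(line.strip())
    if not m:
        return None
    return {
        "name": m["name"],
        "addr": m["addr"],
        "entry": int(m["addr"].split("-")[0]),  # MFT entry number only
        "deleted": m["deleted"] is not None,
        "realloc": m["realloc"] is not None,
    }


def classify_fls(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (name, addr, status) for every entry in the listing.

    A '*' + '(realloc)' name whose exact (entry, name) pair is also listed as
    allocated is residue of the B-tree reshuffle the reply describes, not a
    deleted file. A '(realloc)' name with no allocated twin still needs a
    look at the entry (istat) or at the directory's unallocated names
    (ifind -p) before calling it deleted or reused.
    """
    parsed = [p for p in (parse_fls_line(l) for l in lines) if p]
    allocated = {(p["entry"], p["name"]) for p in parsed if not p["deleted"]}
    result = []
    for p in parsed:
        if not p["deleted"]:
            status = ALLOCATED
        elif p["realloc"] and (p["entry"], p["name"]) in allocated:
            status = STALE_COPY
        elif p["realloc"]:
            status = REUSED_ENTRY
        else:
            status = DELETED
        result.append((p["name"], p["addr"], status))
    return result


if __name__ == "__main__":
    for name, addr, status in classify_fls(SAMPLE_FLS_OUTPUT):
        print(f"{addr:>16}  {name:<16} {status}")
```

Feed it the saved output of a full listing (for example `fls -r -p -o <offset> image.dd`); the name field may then carry a path, which the pattern accepts. `fls -u` gives the allocated-only view the reply says Autopsy uses, and for any name the script leaves as REUSED_ENTRY, `istat image.dd <entry>` shows whether that MFT entry is allocated and which $FILE_NAME it currently carries, while `ifind -p <directory entry>` lists the unallocated names that belong to that directory.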