Re: [sleuthkit-users] fls reporting existing files in NTFS as deleted
From: Svein Y. W. <sv...@wi...> - 2006-08-15 14:18:04
Thanks Brian! I've done some homework now... ;)

What I'm actually interested in is the time stamps of each file entry. I've made some slight changes to ntfs.c so I get the 64-bit FILETIME value as output from 'istat' and not the time_t value through ctime(). This way I get the time stamps from the $STANDARD_INFORMATION and $FILE_NAME attributes in the MFT entry. But how do I get the time stamps from the $FILE_NAME attribute in the directory?

'fls -l' (or 'fls -m') gives time stamps (although for NTFS, the creation time is missing), but in ntfs_dent_copy() (in ntfs_dent.c) it seems these are taken from the MFT entry as well. Should I modify ntfs_dent_copy() to copy the time stamps from the ntfs_attr_fname? It seems this could have unwanted side effects, since other parts of the program may depend on the current implementation of this function.

Regards,
Svein

> -----Original Message-----
> From: Brian Carrier [mailto:ca...@sl...]
> Sent: 15. august 2006 05:28
> To: Svein Yngvar Willassen
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] fls reporting existing files in NTFS as deleted
>
> This is because of the way that NTFS file names are stored. They are stored in a sorted fashion in a B-tree and when files are deleted and created, the tree moves around. So, files move to different nodes so that they stay in a sorted order and the file names can be found in the unallocated space of directories. Autopsy uses the fls flags so that only allocated NTFS files are shown and then it uses 'ifind -p' to find the unallocated names that are part of that directory.
>
> brian
>
> On Aug 14, 2006, at 1:48 PM, Svein Yngvar Willassen wrote:
>
> > Hello everyone,
> >
> > I'm experiencing an issue with running fls on an NTFS file system. It reports many of the existing files as reallocated, even though they are not deleted, and can be viewed in Windows. See example below. This is on a dual-boot machine where I run fls from TSK 2.05 on a Fedora Core 5 installation against the Win XP installation on another disk on the same machine.
> >
> > I want to investigate this further, but I just wanted to check if this is a known issue, or perhaps I'm missing something out completely?
> >
> > --
> > Svein Willassen
> > Researcher, Norwegian Institute of Science and Technology
> >
> > Excerpt from fls output:
> >
> > r/r 4-128-4: $AttrDef
> > r/r 8-128-2: $BadClus
> > r/r 8-128-1: $BadClus:$Bad
> > r/r 6-128-1: $Bitmap
> > r/r 7-128-1: $Boot
> > d/d 11-144-4: $Extend
> > r/r 2-128-1: $LogFile
> > r/r 0-128-1: $MFT
> > r/r 1-128-1: $MFTMirr
> > r/r 9-144-17: $Secure:$SDH
> > r/r 9-144-16: $Secure:$SII
> > r/r 9-128-0: $Secure:$SDS
> > r/r 10-128-1: $UpCase
> > d/d 67623-144-1: $VAULT$.AVG
> > r/r 3-128-3: $Volume
> > r/r 120570-128-4: %backup%~
> > d/d 120527-144-1: .emacs.d
> > r/r 44644-128-4: ADMINPAK-README.TXT
> > d/d 130722-144-1: artikkeltest
> > r/r 6950-128-1: AUTOEXEC.BAT
> > r/r 44646-128-0: B3-web-version-adminpak.msi
> > r/r * 87596-128-1(realloc): ErrorLog.txt
> > d/d * 44474-144-6(realloc): etc
> > r/r * 88890-128-3(realloc): faq.htm
> > r/r * 71520-128-3(realloc): faq.zip
> > r/r * 65787-128-3(realloc): gustav.pdf
> > r/r * 87463-128-3(realloc): index2.php
> > r/r * 87515-128-3(realloc): index3.php
> > r/r * 54974-128-4(realloc): insideout.zip
> > r/r * 6951-128-1(realloc): IO.SYS
> > d/d * 118408-144-1(realloc): localtexmf
> > r/r 69116-128-3: makeinst.c
> > r/r 61369-128-3: makeinst.c~
> > r/r 69140-128-3: makekey.c
> > r/r 58203-128-3: makekey.c~
> > r/r 14294-128-3: MPMSetup.log
> >
> > The same file system as seen from XP:
> >
> > C:\>dir
> > Volumet i stasjon C er uten navn.
> > Volumserienummeret er 9095-66B8
> >
> > Innhold i C:\
> >
> > 11.10.2005 16:08 7 809 %backup%~
> > 04.04.2005 20:16 <DIR> .emacs.d
> > 20.06.2005 11:12 <DIR> artikkeltest
> > 09.09.2004 21:56 0 AUTOEXEC.BAT
> > 16.03.2006 10:16 18 581 buy.zip
> > 16.03.2006 10:34 1 677 callback.php
> > 03.08.2005 22:05 1 073 152 CCS.exe
> > 09.09.2004 21:56 0 CONFIG.SYS
> > 23.03.2006 14:47 13 439 Country.xls
> > 17.06.2005 14:26 <DIR> dest
> > 30.10.2005 20:40 <DIR> Documents and Settings
> > 20.06.2005 12:56 <DIR> empty
> > 17.04.2005 20:47 <DIR> emulator_configurations
> > 29.03.2005 15:53 364 ErrorLog.txt <---
> > 28.12.2004 22:15 <DIR> etc <---
> > 02.04.2005 19:26 4 406 faq.htm <---
> > 25.02.2005 23:12 167 864 faq.zip <---
> > 20.06.2005 13:16 <DIR> filer
> > 20.06.2005 12:42 992 filer.tgz
> > 17.08.2005 21:27 <DIR> fotoknudsen
> > 10.04.2005 20:26 231 921 gustav.pdf <---
> > 06.11.2002 14:51 1 505 792 heltsikkert.ppt
> > 24.08.2005 19:06 14 293 063 HomeGallery.zip
> > 08.05.2005 22:16 <DIR> img
> > 01.08.2005 13:18 2 981 index.htm.htm
> > 29.03.2005 15:29 2 305 index2.php <---
> > 29.03.2005 15:29 2 632 index3.php <---
> > 15.08.2005 15:14 <DIR> insideout
> > 10.11.2004 22:00 22 503 insideout.zip <---
> > 16.08.2005 11:59 4 125 iobott.gif
> > 26.07.2005 12:50 2 039 kannel.conf
> > 26.07.2005 12:43 1 935 kannel.conf~
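Decoding the raw 64-bit FILETIME values that an istat modified as described above would print, and comparing the $STANDARD_INFORMATION set with the $FILE_NAME set, as an added example that is not part of this thread and not code from The Sleuth Kit's ntfs.c or ntfs_dent.c. It assumes the standard on-disk layout of the two attribute bodies (four little-endian FILETIMEs at offsets 0, 8, 16, 24 of $STANDARD_INFORMATION, and at 8, 16, 24, 32 of $FILE_NAME after the 8-byte parent reference); the sample buffers in main() are constructed and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* FILETIME counts 100-ns intervals since 1601-01-01 00:00:00 UTC; this is
 * the number of such intervals between that origin and the Unix epoch. */
#define FILETIME_UNIX_DIFF 116444736000000000ULL
#define TICKS_PER_SEC      10000000ULL

/* A decoded timestamp: the time_t that ctime() sees plus the sub-second
 * part (100-ns units) that converting to time_t throws away. */
typedef struct {
    time_t   secs;
    uint32_t rem_100ns;   /* 0..9999999 */
} ntfs_ts;

/* Convert a raw FILETIME to seconds + 100-ns remainder. Values before 1970
 * (including 0, which NTFS uses for "unset") are reported as epoch 0. */
ntfs_ts filetime_to_unix(uint64_t ft)
{
    ntfs_ts out = { 0, 0 };
    if (ft < FILETIME_UNIX_DIFF)
        return out;
    uint64_t since_epoch = ft - FILETIME_UNIX_DIFF;
    out.secs      = (time_t)(since_epoch / TICKS_PER_SEC);
    out.rem_100ns = (uint32_t)(since_epoch % TICKS_PER_SEC);
    return out;
}

/* Render a decoded timestamp as UTC "YYYY-MM-DD HH:MM:SS.nnnnnnn". */
void format_ts(ntfs_ts ts, char *out, size_t n)
{
    struct tm *tmv = gmtime(&ts.secs);
    char date[32];
    strftime(date, sizeof date, "%Y-%m-%d %H:%M:%S", tmv);
    snprintf(out, n, "%s.%07u", date, (unsigned)ts.rem_100ns);
}

/* Little-endian helpers for reading and building attribute bodies. */
uint64_t le64_at(const uint8_t *buf, size_t off)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | buf[off + (size_t)i];
    return v;
}

void put_le64(uint8_t *buf, size_t off, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        buf[off + (size_t)i] = (uint8_t)(v >> (8 * i));
}

/* The four timestamps both attributes carry, in the order NTFS stores them. */
typedef struct {
    uint64_t crtime;  /* file created */
    uint64_t mtime;   /* data last modified */
    uint64_t ctime;   /* MFT entry last modified */
    uint64_t atime;   /* last accessed */
} ntfs_times;

/* $STANDARD_INFORMATION: the four FILETIMEs open the attribute body. */
ntfs_times parse_si_times(const uint8_t *body)
{
    ntfs_times t = { le64_at(body, 0), le64_at(body, 8),
                     le64_at(body, 16), le64_at(body, 24) };
    return t;
}

/* $FILE_NAME: an 8-byte parent-directory reference comes first, then the
 * same four FILETIMEs. */
ntfs_times parse_fn_times(const uint8_t *body)
{
    ntfs_times t = { le64_at(body, 8), le64_at(body, 16),
                     le64_at(body, 24), le64_at(body, 32) };
    return t;
}

/* Count fields whose $SI and $FN values disagree. The $FN set is written
 * when the name is created and seldom updated afterwards, so a $SI value
 * earlier than its $FN counterpart, or one with an all-zero sub-second
 * part, is worth a closer look during review. */
int count_ts_mismatches(ntfs_times si, ntfs_times fn)
{
    int n = 0;
    n += si.crtime != fn.crtime;
    n += si.mtime  != fn.mtime;
    n += si.ctime  != fn.ctime;
    n += si.atime  != fn.atime;
    return n;
}

int main(void)
{
    /* Constructed sample: both sets agree, except that the $SI creation
     * time was moved back one year and its sub-second part zeroed. */
    uint8_t si[48] = { 0 }, fn[64] = { 0 };
    uint64_t base = FILETIME_UNIX_DIFF + 1155651484ULL * TICKS_PER_SEC + 1234567;
    put_le64(fn, 0, 0x0005000000000005ULL);   /* parent ref: root directory */
    for (int i = 0; i < 4; i++) {
        put_le64(si, 8 * (size_t)i, base);
        put_le64(fn, 8 + 8 * (size_t)i, base);
    }
    put_le64(si, 0, FILETIME_UNIX_DIFF + (1155651484ULL - 365ULL * 86400) * TICKS_PER_SEC);

    ntfs_times s = parse_si_times(si), f = parse_fn_times(fn);
    char a[64], b[64];
    format_ts(filetime_to_unix(s.crtime), a, sizeof a);
    format_ts(filetime_to_unix(f.crtime), b, sizeof b);
    printf("$SI crtime %s\n$FN crtime %s\nmismatching fields: %d\n",
           a, b, count_ts_mismatches(s, f));
    return 0;
}
```

Keeping the 100-ns remainder is the point of working with the raw FILETIME rather than the time_t that ctime() receives: the sub-second part is exactly what a plain time_t conversion discards, and it is often the only thing that distinguishes two timestamps that print identically at one-second resolution.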