Re: [sleuthkit-users] fls reporting existing files in NTFS as deleted
From: Svein Y. W. <sv...@wi...> - 2006-08-16 07:22:53
> Should I modify ntfs_dent_copy() to copy the time stamps from the
> ntfs_attr_fname? It seems this could have unwanted side effects, since
> other parts of the program may depend on the current implementation of
> this function.

Just a followup on this: I just did what I suggested here and the observed results are:

- For existing files, time stamps in the $FILE_NAME attribute of the index match those in the $STANDARD_INFORMATION attribute in the MFT entry.
- For deleted file pointers in the index, time stamps in the $FILE_NAME attribute _do not necessarily_ match the time stamps in the MFT entry.

Obviously, when the file pointers are not a part of the file system anymore, its time stamps will not be updated.

These are the results I expected, and what I was looking for.

Svein Willassen
--
Researcher, Dept. of Telematics, Norwegian University of Science and Technology
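
The comparison described in this message, as an added example that is not part of the original post and is not Sleuth Kit code: it decodes the time stamps of a $FILE_NAME attribute as stored in a directory index entry and reports which of them differ from $STANDARD_INFORMATION in the MFT entry. All function names, file names and time values below are constructed for illustration; the field offsets are the standard NTFS on-disk layout.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "mft_changed", "accessed")

def filetime_to_dt(ft):
    """NTFS time stamps count 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_file_name(buf):
    """Decode the $FILE_NAME attribute content carried in a directory index entry."""
    if len(buf) < 0x42:
        raise ValueError("$FILE_NAME content is at least 0x42 bytes")
    parent_ref, = struct.unpack_from("<Q", buf, 0x00)
    times = struct.unpack_from("<4Q", buf, 0x08)
    name_len = buf[0x40]                      # length in UTF-16 code units
    name = buf[0x42:0x42 + 2 * name_len].decode("utf-16-le")
    return {"parent_entry": parent_ref & 0xFFFFFFFFFFFF,  # low 48 bits
            "name": name, "times": dict(zip(FIELDS, times))}

def parse_standard_information(buf):
    """Decode the four time stamps that open $STANDARD_INFORMATION."""
    return dict(zip(FIELDS, struct.unpack_from("<4Q", buf, 0x00)))

def mismatched_fields(fn, si):
    """Names of time stamps that differ between the index copy and the MFT entry."""
    return [f for f in FIELDS if fn["times"][f] != si[f]]

# --- constructed sample data (hypothetical names and times) ---
def build_file_name(name, times, parent=5):
    head = struct.pack("<Q4QQQIIBB", parent, *times, 0, 0, 0x20, 0, len(name), 1)
    return head + name.encode("utf-16-le")

T_OLD = dt_to_filetime(datetime(2006, 8, 1, 12, 0, tzinfo=timezone.utc))
T_NEW = dt_to_filetime(datetime(2006, 8, 15, 9, 30, tzinfo=timezone.utc))
LIVE_FN = build_file_name("report.doc", (T_OLD,) * 4)
LIVE_SI = struct.pack("<4Q", T_OLD, T_OLD, T_OLD, T_OLD) + bytes(16)
STALE_FN = build_file_name("old.tmp", (T_OLD,) * 4)      # left-over index entry
STALE_SI = struct.pack("<4Q", T_OLD, T_NEW, T_NEW, T_NEW) + bytes(16)

if __name__ == "__main__":
    for fn_raw, si_raw in ((LIVE_FN, LIVE_SI), (STALE_FN, STALE_SI)):
        fn = parse_file_name(fn_raw)
        print(fn["name"], mismatched_fields(fn, parse_standard_information(si_raw)))
```

An empty list means the index copy agrees with the MFT entry; a non-empty list names the fields where the two sources diverge.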