Re: [sleuthkit-users] how to find deleted files in ntfs by sleuthkit?
From: Brian C. <ca...@sl...> - 2007-10-24 02:00:39
On Oct 20, 2007, at 3:23 AM, Zhou Ronan wrote:

> How to find deleted files in ntfs by Sleuthkit?
>
> The function "ntfs_dent_walk" in sleuthkit seems to be able to find
> those deleted files under a directory.
>
> "ntfs_dent_walk" walks a directory according to its Index Root and
> Index Allocation properties, when a file is deleted, its index
> entry could be deleted too. So I think I can't get deleted files
> through "ntfs_dent_walk".
>
> Anybody willing to tell me?

Hi Zhou,

Can you be more specific? Are you trying to use the library or the command line tools? The basic approach that I use with the library and NTFS is to use ntfs_dent_walk to get the allocated file and directory names. For each directory, I then use ntfs_inode_walk to find deleted files whose parent directory is that directory.

brian
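
The second step of the approach in the reply above, as an added example that is not part of the original message and is not Sleuth Kit code: instead of calling ntfs_inode_walk, it scans raw MFT records directly and reports unallocated entries whose $FILE_NAME parent reference points at a given directory. It assumes 1024-byte records with update-sequence fixups not applied and reads only the first resident $FILE_NAME; the function names and the sample records are constructed for illustration.

```python
import struct

IN_USE = 0x0001                      # record header flag: entry is allocated
FILE_NAME, END = 0x30, 0xFFFFFFFF    # $FILE_NAME type, attribute terminator

def parse_record(rec):
    """Return (in_use, parent_entry, name) for one MFT record, else None."""
    if len(rec) < 0x18 or rec[:4] != b"FILE":
        return None
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if atype == FILE_NAME and rec[off + 8] == 0:   # resident attribute
            coff = struct.unpack_from("<H", rec, off + 0x14)[0]
            body = rec[off + coff:off + alen]
            if len(body) < 0x42:
                break
            # Low 48 bits of the parent reference are the MFT entry number.
            parent = struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
            return bool(flags & IN_USE), parent, name
        off += alen
    return None

def deleted_children(mft, dir_entry, rec_size=1024):
    """(entry number, name) of unallocated entries whose parent is dir_entry."""
    out = []
    for i in range(0, len(mft), rec_size):
        info = parse_record(mft[i:i + rec_size])
        if info and not info[0] and info[1] == dir_entry:
            out.append((i // rec_size, info[2]))
    return out

def make_record(flags, parent, name, rec_size=1024):
    """Build a constructed (synthetic) MFT record with one $FILE_NAME."""
    body = (struct.pack("<Q", parent | (1 << 48)) + bytes(0x38)
            + bytes([len(name), 1]) + name.encode("utf-16-le"))
    alen = (0x18 + len(body) + 7) & ~7           # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", FILE_NAME, alen, 0, 0, 0, 0, 0,
                       len(body), 0x18, 0, 0)
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, flags)
    rec = bytes(hdr) + attr + body + bytes(alen - 0x18 - len(body))
    return (rec + struct.pack("<I", END)).ljust(rec_size, b"\0")

# Constructed sample: entry 0 is allocated, entries 1 and 2 are deleted.
SAMPLE_MFT = b"".join(make_record(f, p, n) for f, p, n in [
    (IN_USE, 5, "kept.txt"), (0, 5, "secret.doc"), (0, 9, "other.tmp")])
```

A deleted entry is only recoverable this way until its MFT record is reused for a new file, and the parent reference should be checked against the directory's sequence number before trusting the match.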