Re: [sleuthkit-developers] dls questions
From: Brian C. <ca...@sl...> - 2004-08-06 02:19:29
On Aug 5, 2004, at 2:23 PM, Epsilon wrote:
> Greetings,
>
> When running dls, what is the difference between running dls alone (to
> extract unallocated sectors) and running dls with the "-s" option ("to
> copy only the slack space of the image")?
>
> What exactly is the "-s" option doing? Does it capture file slack or
> filesystem slack (unallocated sectors)? Or are filesystem slack and
> unallocated sectors different things?

The -s behavior changed with 1.71, so I'll describe that one. Normal
dls extracts out the contents of each unallocated block / cluster etc.
'dls -s' extracts the data at the end of the last block / cluster of a
file. It does this by reading the last data unit of each file,
clearing the actual content of the file and then writing the full data
unit. So, the output will be a multiple of a data unit (cluster /
block), but only the slack space will be non-zero. You can convert
between the address in the slack space image and the original image
with dcalc.
brian
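
A small model of the slack extraction described in the message above, added here as an illustration; it is not part of the original post and not taken from The Sleuth Kit source. The 8-byte data unit, the sample image, the file table and the function names are constructed for the example, and slack_to_original only sketches the kind of address conversion the message attributes to dcalc.

```python
UNIT = 8  # constructed data unit (cluster / block) size, tiny for readability

# Constructed 4-unit image: file 1 occupies units 0-1 (11 bytes),
# unit 2 is unallocated, file 2 occupies unit 3 (5 bytes).
IMAGE = b"AAAAAAAA" + b"AAAoldXY" + b"........" + b"BBBBBpwd"
FILES = [(11, [0, 1]), (5, [3])]  # (file size in bytes, data unit addresses)


def slack_image(image, files, unit=UNIT):
    """Return (slack_bytes, unit_map) for the given files.

    For each file: read its last data unit, zero the bytes that hold real
    file content, and append the whole unit. unit_map[i] records which
    original data unit produced output unit i.
    """
    out = bytearray()
    unit_map = []
    for size, units in files:
        if size == 0 or not units:
            continue  # empty file: there is no last data unit to read
        last = units[-1]
        used = size - (len(units) - 1) * unit  # content bytes in last unit
        if not 0 < used <= unit:
            raise ValueError("file size does not match its data unit count")
        block = bytearray(image[last * unit:(last + 1) * unit])
        block[:used] = bytes(used)  # clear the actual file content
        out += block                # write the full data unit
        unit_map.append(last)
    return bytes(out), unit_map


def slack_to_original(offset, unit_map, unit=UNIT):
    """Map a byte offset in the slack output back to the original image."""
    return unit_map[offset // unit] * unit + offset % unit


if __name__ == "__main__":
    slack, umap = slack_image(IMAGE, FILES)
    print(len(slack), "bytes,", len(slack) // UNIT, "data units")
    print(slack)
    hit = slack.index(b"pwd")
    print("slack offset", hit, "-> image offset", slack_to_original(hit, umap))
```

The output length is a whole number of data units, and only the bytes past each file's end are non-zero, so an offset found in the slack output can be traced back to the original image.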