Re: [sleuthkit-developers] File sizes reported by sleuthkit
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-developers] File sizes reported by sleuthkit
|
From: Brian C. <ca...@sl...> - 2007-07-24 01:38:48
|
On Jul 20, 2007, at 4:20 PM, David Kennedy wrote: > Hi all, > > A couple questions on file sizes calculated by TSK: > > 1) In NTFS, is the file metadata from MFT record(s) included in a > file's reported size? If so, unused space in a record is ignored, > correct? Generically, does file metadata from other file systems work > into a file's reported size? With NTFS, each attribute has a size. The reported size should be of only the file content -- not any metadata. > 2) What goes into calculating the reported size of directories? Typically, it is the number of bytes allocated to the directory. > 3) I'm running some comparisons between file sizes reported between > sleuthkit 2.07, encase 5, and windows. Uncommonly, some non-directory > file sizes are off. For example, a test NTFS hard drive of around 30k > files shows several hundred files with mismatched size, and 90% of > those are off by 26 bytes. Any ideas what might account for those 26 > bytes? Who is reporting what? What type of files are they? brian |
