sleuthkit-users

[sleuthkit-users] BLKLS-like tool to extract NTFS file slack?

[spencerforhire <spe...@gm...>]

Hello all,

I'm looking for advice on a tool or method to programmatically extract
file slack from NTFS volumes... associating the file slack with full
paths would be great but I'm wondering if it would even be possible to
simply dump out all the file slack from an entire NTFS volume.

Thanks!

Re: [sleuthkit-users] BLKLS-like tool to extract NTFS file slack?

[Gary F. <ga...@in...>]

On 04/30/10 10:01:29, spencerforhire wrote:
> Hello all,
> 
> I'm looking for advice on a tool or method to programmatically extract
> file slack from NTFS volumes... associating the file slack with full
> paths would be great but I'm wondering if it would even be possible to
> simply dump out all the file slack from an entire NTFS volume.

The Sleuthkit 'blkls' command might be worth a try.

Something like:

  $ blkls -i raw -o 63 -f ntfs -s image.bin  > slack.bin

Assuming that you're interested in the first partition
on a conventionally formatted drive (image).