sleuthkit-users

[sleuthkit-users] Problem with delete file and TASK

[Mario de F. D. <ma...@ca...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everyone!

I'm new in this list and a n00b using forensics tools and making
forensics analysis. I hope that i learn a lot in this list!

My question is: I have a deleted file that it inode had been realocated
but with the istat command i only obtain the following information:

Inode Times:
Accessed:       Tue Mar 21 00:00:15 2006
File Modified:  Mon Mar 20 12:08:04 2006
Inode Modified: Mon Mar 20 12:08:04 2006

In other unllocated inodes i have the following information:

Inode Times:
Accessed:       Wed Feb  8 00:00:15 2006
File Modified:  Thu Feb 16 18:41:37 2006
Inode Modified: Thu Feb 16 18:41:37 2006
Deleted:        Thu Feb 16 18:41:37 2006

How can i obtain the "deleted" info in the first inode?

Thank you and sorry for my "bad english"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFENNN9bPPtxT8v/3wRAh0vAJ9QQYUBS2t1BZSdOaIRJ6dAiLaOLwCfcny1
xwAtNE9KpYz6wfEv2KThsmY=
=OrR/
-----END PGP SIGNATURE-----

Re: [sleuthkit-users] Problem with delete file and TASK

[Brian C. <ca...@sl...>]

Are they both the same file system?  Only Ext2 and Ext3 have the deleted 
time, so if the first file is on a different type then it will not have 
that time.

brian



Mario de Frutos Dieguez wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi everyone!
> 
> I'm new in this list and a n00b using forensics tools and making
> forensics analysis. I hope that i learn a lot in this list!
> 
> My question is: I have a deleted file that it inode had been realocated
> but with the istat command i only obtain the following information:
> 
> Inode Times:
> Accessed:       Tue Mar 21 00:00:15 2006
> File Modified:  Mon Mar 20 12:08:04 2006
> Inode Modified: Mon Mar 20 12:08:04 2006
> 
> In other unllocated inodes i have the following information:
> 
> Inode Times:
> Accessed:       Wed Feb  8 00:00:15 2006
> File Modified:  Thu Feb 16 18:41:37 2006
> Inode Modified: Thu Feb 16 18:41:37 2006
> Deleted:        Thu Feb 16 18:41:37 2006
> 
> How can i obtain the "deleted" info in the first inode?
> 
> Thank you and sorry for my "bad english"
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFENNN9bPPtxT8v/3wRAh0vAJ9QQYUBS2t1BZSdOaIRJ6dAiLaOLwCfcny1
> xwAtNE9KpYz6wfEv2KThsmY=
> =OrR/
> -----END PGP SIGNATURE-----
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org