Thread: Re: [sleuthkit-users] $I30 file
From: Wes A. (N5WA) <wes...@be...> - 2010-09-09 22:10:47

I have a situation where a particular file named $I30 is of interest. It appears to be some sort of index file but I can't find much info about it. Even Brian's book, File System Forensic Analysis, doesn't list it in the index.

Can anyone offer some information about this file (or type of file)?

------------------ Wes Attaway (N5WA) ------------------
1138 Waters Edge Circle - Shreveport, LA 71106
318-797-4972 (office) - 318-393-3289 (cell)
Computer Consulting and Forensics
-------------- EnCase Certified Examiner ---------------
From: Karl B. <kar...@gm...> - 2010-09-09 22:18:46
What file system is it in? Probably a meta-data file, like an inode or MFT file. You won't necessarily find the file name in the index, but will more likely see the class/type of file.

Karl Bernard
From: Wes A. (N5WA) <wes...@be...> - 2010-09-09 22:28:26

Sorry for the omission. It is in NTFS (WinXP machine). I know the $I30 designation pops up when CHKDSK runs into an indexing problem for a file, but I think the file might actually be associated with some kind of indexing of words.

Wes Attaway (N5WA)
From: Paul D. B. <pau...@po...> - 2010-09-09 23:32:06
On 9/9/2010 6:10 PM, Wes Attaway (N5WA) wrote:
> Can anyone offer some information about this file (or type of file)?

Wes Attaway,

This file type ($I30) was recently discussed on another forensics mailing list, to wit:

http://tech.groups.yahoo.com/group/win4n6/

Here are some of the best posts in the relevant thread of discussion (ToD) thereon:

A) http://tech.groups.yahoo.com/group/win4n6/message/2447
B) http://tech.groups.yahoo.com/group/win4n6/message/2471

You can find other messages that were posted in this ToD by searching Yahoo, thus:

C) http://tech.groups.yahoo.com/group/win4n6/msearch?date=after&DM=5&DD=1&DY=2010&DM2=------------&DD2=----&DY2=----&AM=contains&AT=&SM=contains&ST=%24I30&MM=contains&MT=&charset=UTF-8

This last URL may not work for you unless you are logged into your user account on groups.Yahoo.com. There were about 17 or 18 messages posted in this ToD, most of them in mid-June 2010.

Oh. One more link that I nearly forgot:

D) http://www.amazon.com/exec/obidos/ISBN=0879304375

HTH.

Sincerely,
Paul Bain
From: Brian C. <ca...@sl...> - 2010-09-10 13:22:48
Hi Wes,

As many have indicated, $I30 is typically the name of one of the attributes that are used to make up an NTFS directory. That begs the question about why it is of interest. Did it have a keyword hit in it for a file name? I'm just curious about the use case of wanting access to this attribute.

thanks,
brian
From: Wes A. (N5WA) <wes...@be...> - 2010-09-10 13:53:16

Thanks to everyone for all the info!

Brian.... the examiner on the other side of my case got some keyword search hits that he says came from within this particular file. He described the file as "some type of index file". At this point all I have is a printed page of text data that he says came from within the $I30 file. He was using FTK. I'll eventually get a chance to examine the drive but for now am just trying to get some idea of what the $I30 file actually does and what, if anything, has been indexed. I'm basically trying to do some homework. Finding keywords is one thing and correctly explaining them in the context of where they were found is something else. It looks like I have plenty of reading to do in your book and elsewhere.

Wes Attaway (N5WA)
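Brian's reply above says what $I30 is, and that also answers Wes's question about what a keyword hit inside it means: $I30 is the name shared by the NTFS directory index attributes ($INDEX_ROOT, $INDEX_ALLOCATION and $BITMAP), and every entry in that index carries a copy of the file's $FILE_NAME attribute, so a name search hits the UTF-16 file names stored there, including names of deleted files that survive in the unused tail of an INDX record after the live entries were shifted down. The parser below is an added example written for this thread, not code from the thread, from The Sleuth Kit or from FTK. It builds its own INDX record from made-up names (notes.txt, report.docx and a deleted secret.pdf), MFT numbers and timestamps, assumes a 1024-byte record for brevity, then undoes the fixups, lists the live entries and carves the slack.

```python
"""Walk one NTFS $I30 INDEX_ALLOCATION ("INDX") record and carve its slack. Added example
for this thread, not code from The Sleuth Kit, FTK or any poster; the record is constructed
from made-up names, MFT numbers and timestamps, with an assumed 1024-byte record size."""
import struct
from datetime import datetime, timezone

SECTOR, INDX_SIZE = 512, 1024      # record size is an assumption; real volumes mostly use 4096
NODE = 0x18                        # INDEX_NODE_HEADER offset inside the record
FN_FIXED = 0x42                    # $FILE_NAME bytes before the UTF-16LE name
EPOCH_DIFF = 116444736000000000    # 100 ns ticks from 1601-01-01 to 1970-01-01
MFT_MASK = (1 << 48) - 1           # low 48 bits of a file reference = MFT entry number

def filetime(ft):                  # FILETIME -> ISO 8601 UTC
    return datetime.fromtimestamp((ft - EPOCH_DIFF) / 10_000_000, timezone.utc).isoformat()

def build_entry(mft_ref=0, name=None, parent_ref=0, ft=0, size=0):
    """Index entry: MFT ref, entry length, key length, flags (2 = last entry), then the $FILE_NAME key
    (parent ref, 4 timestamps, alloc/real size, flags, reparse, name length, namespace, name); 8-aligned."""
    key = b"" if name is None else struct.pack("<QQQQQQQIIBB", parent_ref, ft, ft, ft, ft, size, size,
                                               0x20, 0, len(name), 1) + name.encode("utf-16-le")
    length = (16 + len(key) + 7) & ~7
    return (struct.pack("<QHHI", mft_ref, length, len(key), 0 if name else 2) + key).ljust(length, b"\0")

def build_indx(vcn, entries, slack=b"", usn=0x0007):
    """Assemble an INDX record and apply fixups the way the driver does before writing it out."""
    usa_off, usa_count = 0x28, 1 + INDX_SIZE // SECTOR    # USN plus one saved word per sector
    first = (usa_off + 2 * usa_count + 7) & ~7             # first entry: 0x30 here, 0x40 for 4 KiB records
    body = b"".join(entries)
    rec = bytearray(INDX_SIZE)
    rec[0:4] = b"INDX"
    struct.pack_into("<HHQQ", rec, 4, usa_off, usa_count, 0x1234, vcn)   # USA offset/size, LSN, VCN
    struct.pack_into("<IIIB", rec, NODE, first - NODE, first - NODE + len(body), INDX_SIZE - NODE, 0)
    rec[first:first + len(body)] = body
    rec[first + len(body):first + len(body) + len(slack)] = slack       # residue past the live entries
    struct.pack_into("<H", rec, usa_off, usn)
    for i in range(INDX_SIZE // SECTOR):   # last word of each sector -> USA; on disk it becomes the USN
        end = (i + 1) * SECTOR - 2
        rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)
    return bytes(rec)

def apply_fixups(rec):
    """Verify the USN at the end of every sector and restore the saved words; mismatch = torn or not INDX."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = struct.unpack_from("<H", rec, usa_off)[0]
    out = bytearray(rec)
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        if struct.unpack_from("<H", rec, end)[0] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn write or not an INDX block")
        out[end:end + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(out)

def parse_entry(rec, off):
    """Decode an entry header plus its $FILE_NAME key (the part a keyword search actually hits)."""
    mft_ref, length, key_len, flags = struct.unpack_from("<QHHI", rec, off)
    fn = struct.unpack_from("<QQQQQQQIIBB", rec, off + 16)
    name = rec[off + 16 + FN_FIXED:off + 16 + FN_FIXED + 2 * fn[9]].decode("utf-16-le", "replace")
    return {"name": name, "namespace": fn[10], "mft": mft_ref & MFT_MASK, "seq": mft_ref >> 48,
            "parent_mft": fn[0] & MFT_MASK, "size": fn[6], "created": filetime(fn[1]), "length": length}

def plausible_entry(rec, off, stop):
    """Carving test for slack: header lengths must agree with the name length and namespace."""
    if off + 16 + FN_FIXED > stop:
        return False
    _, length, key_len, flags = struct.unpack_from("<QHHI", rec, off)
    nlen, ns = rec[off + 16 + 0x40], rec[off + 16 + 0x41]
    return (nlen > 0 and ns <= 3 and (flags & ~3) == 0 and key_len == FN_FIXED + 2 * nlen
            and length == ((16 + key_len + 7) & ~7) and off + length <= stop)

def parse_indx(rec):
    """Return (live entries, entries carved from slack) for one INDX record."""
    if rec[:4] != b"INDX":
        raise ValueError("not an INDX record")
    rec = apply_fixups(rec)
    first, used, allocated, _flags = struct.unpack_from("<IIIB", rec, NODE)
    off, end, stop = NODE + first, NODE + used, NODE + allocated
    live = []
    while off + 16 <= end:
        _, length, _, flags = struct.unpack_from("<QHHI", rec, off)
        if flags & 2 or length < 16:       # last entry (no key) ends the node; a bad length stops the walk
            break
        live.append(parse_entry(rec, off))
        off += length
    carved, off = [], end                  # slack: bytes past `used` that the driver never zeroes
    while off < stop:
        if plausible_entry(rec, off, stop):
            carved.append(parse_entry(rec, off))
            off += carved[-1]["length"]
        else:
            off += 8
    return live, carved

T, ROOT = 129284640000000000, (1 << 48) | 5   # made-up FILETIME (2010-09-09 00:00 UTC); parent = MFT 5 (root)
SAMPLE_RECORD = build_indx(0, [
    build_entry((1 << 48) | 41, "notes.txt", ROOT, T, 512),
    build_entry((3 << 48) | 40, "report.docx", ROOT, T, 20480),
    build_entry()],                        # terminator: flags = 2, no key; slack below is a deleted entry's residue
    slack=build_entry((2 << 48) | 42, "secret.pdf", ROOT, T, 8192) + build_entry())
```

For a real volume the record size comes from the $INDEX_ROOT header (usually 4096), so set INDX_SIZE to that and slice the icat output of the directory's $INDEX_ALLOCATION into records of that size before calling parse_indx on each. A fixup mismatch raises instead of quietly returning names assembled from the wrong two bytes of a sector, and the timestamps returned are the copies held in the index entry, not the file's $STANDARD_INFORMATION, which is worth saying when the hit is reported.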
From: Stefan K. <sk...@bf...> - 2013-01-09 15:50:44
All,

I don't suppose anyone out there has any recommendations as to how to automagically extract all $I30 attributes out of an image? I've been using icat but this doesn't scale, I'm afraid.

Thankful for any hints.

Cheers,

Stefan.

--
Stefan Kelm <sk...@bf...>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstrasse 100             Tel: +49-721-96201-1
D-76133 Karlsruhe             Fax: +49-721-96201-99
From: Willi B. <wil...@gm...> - 2013-01-09 16:59:54
Stefan,

Sorry, here's an updated version which fixes a few bugs. Also, it's linked to my account so I can update it in response to suggestions.

https://gist.github.com/4494779

Willi
From: Stefan K. <sk...@bf...> - 2013-01-10 11:10:34
> Sorry, here's an updated version which fixes a few bugs. Also, it's
> linked to my account so I can update it in response to suggestions.

Awesome, Willi, much appreciated! Will definitely give it a try.

Cheers,

Stefan.
From: Michael C. <scu...@gm...> - 2013-01-09 16:38:29
Script it in python using pytsk?

http://code.google.com/p/pytsk/
From: Willi B. <wil...@gm...> - 2013-01-09 16:46:09
Stefan

Here's a first go at a Bash script which simply uses TSK utilities (`icat` included) to extract all the INDX_ROOT and INDX_ALLOCATION attributes from an NTFS image.

https://gist.github.com/4494657

Willi
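Stefan's question above, pulling every $I30 attribute out of an image at once, is what Willi's gist scripts with TSK's command-line tools. The script below is an added example written for this thread; it is not the gist and not part of The Sleuth Kit. It drives the same tools (fls to enumerate directories, istat to find the $I30 attribute ids, icat to dump them) through subprocess rather than pytsk, and keeps the tool-output parsing in pure functions that are exercised on constructed fls/istat excerpts embedded in the block. The image path, the partition's sector offset (as printed by mmls) and the output directory are command-line arguments; that the TSK binaries are on PATH and the exact istat line format are assumptions, so adjust the two regexes if your TSK version prints differently.

```python
"""Pull every $I30 attribute ($INDEX_ROOT and $INDEX_ALLOCATION) out of an NTFS image with TSK.
Added example for this thread; it is not Willi's gist and not part of The Sleuth Kit. It shells out
to fls/istat/icat (assumed on PATH) instead of using pytsk, and keeps the tool-output parsing in pure
functions that run against the constructed excerpts at the bottom without any image."""
import re
import subprocess
import sys
from pathlib import Path

# `fls -r -p -D` line: "d/d [* ]inode[-type-id]:<TAB>path"; "*" marks a deleted directory entry
FLS_DIR = re.compile(r"^d/d\s+(?P<deleted>\*\s+)?(?P<inode>\d+)(?:-\d+-\d+)?:\s+(?P<path>.*)$")
# `istat` attribute line: "Type: $INDEX_ALLOCATION (160-3)   Name: $I30   Non-Resident   size: 4096"
ISTAT_I30 = re.compile(r"^Type:\s+\$INDEX_(?P<kind>ROOT|ALLOCATION)\s+\((?P<type>\d+)-(?P<id>\d+)\)\s+Name:\s+\$I30\b")


def parse_fls_dirs(text):
    """(inode, path, deleted) for every directory line in fls output."""
    return [(int(m["inode"]), m["path"], m["deleted"] is not None)
            for m in map(FLS_DIR.match, text.splitlines()) if m]


def parse_istat_i30(text):
    """(kind, "type-id") for each $I30 attribute in istat output; icat addresses it as "inode-type-id"."""
    return [(m["kind"], f"{m['type']}-{m['id']}") for m in map(ISTAT_I30.match, text.splitlines()) if m]


def safe_name(path):
    """Directory path -> file name that cannot escape the output directory or break on the host FS."""
    return re.sub(r"[^A-Za-z0-9._-]+", "_", path).strip("_") or "root"


def tsk(cmd, image, offset, opts=(), args=()):
    """Run `<cmd> -o <offset> [opts] <image> [args]` and return raw stdout."""
    return subprocess.run([cmd, "-o", str(offset), *opts, image, *args],
                          check=True, capture_output=True).stdout


def extract_all_i30(image, offset, out_dir):
    """Write <inode>_<dir>[_deleted].<ROOT|ALLOCATION> for every directory fls lists; return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    listing = tsk("fls", image, offset, opts=("-r", "-p", "-D")).decode("utf-8", "replace")
    for inode, path, deleted in parse_fls_dirs(listing):
        try:
            attrs = tsk("istat", image, offset, args=(str(inode),)).decode("utf-8", "replace")
            for kind, addr in parse_istat_i30(attrs):
                data = tsk("icat", image, offset, args=(f"{inode}-{addr}",))
                target = out / f"{inode}_{safe_name(path)}{'_deleted' if deleted else ''}.{kind}"
                target.write_bytes(data)
                written.append(target)
        except subprocess.CalledProcessError as err:      # e.g. a reused MFT entry that is no longer a directory
            print(f"skipping {inode} ({path}): {err.stderr.decode('utf-8', 'replace').strip()}", file=sys.stderr)
    return written


# Constructed excerpts in the format TSK prints for NTFS (not taken from a real image).
SAMPLE_FLS = "d/d 11-144-4:\t$Extend\nd/d 27-144-1:\tDocuments and Settings\nd/d * 1452-144-2:\tDocuments and Settings/old_user\n"
SAMPLE_ISTAT = """Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 84
Type: $INDEX_ROOT (144-1)   Name: $I30   Resident   size: 56
Type: $INDEX_ALLOCATION (160-3)   Name: $I30   Non-Resident   size: 4096  init_size: 4096
1012
Type: $BITMAP (176-4)   Name: $I30   Resident   size: 8
"""

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: extract_i30.py <image> <partition-sector-offset> <out-dir>")
    for written in extract_all_i30(sys.argv[1], int(sys.argv[2]), sys.argv[3]):
        print(written)
```

Each output file is the raw attribute as icat returns it: the ROOT file is the resident $INDEX_ROOT (its header plus the root node) and the ALLOCATION file is the run of INDX records with their fixups still in place, which is what any record parser has to undo first. Deleted directories that fls still lists are included and tagged _deleted, since their index slack is often where the interesting names are.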