On Saturday, October 18, 2003, at 05:56 PM, SecMan wrote:
> I am analyzing a dd of an ext2 (linux) file system that has a "hidden"
> data stream in a subordinate directory (/adir)
> after the file names contained in the directory there is a bunch of
> data -
> how can I extract it for further analysis?
Do you mean that after the directory entries in the directory fragments
there is data that you are interested in? I've never heard of
that before. How do you know it is there?
Well, if it is the case that it follows the directory entries, then
find out the inode number of the directory (it should be the same inode
as the '.' entry) within '/adir'. Then use 'icat' or the Meta Data
mode of autopsy and plug in that address. You'll have to parse out the
directory entries from the data block, but your data should be there.
brian