They are deleted files and the clusters that they previously used have been reallocated. fls has no way of knowing if they have been reallocated or not (and actually you don't either because there could be MPEGs and HTML files with a .doc extension).
brian
On Mar 2, 2006, at 2:31 PM, <gim...@we...> wrote:
> Hi,
>
> Does anyone know why calling
>
> fls -f fat -p -r image.img
>
> and
>
> icat -f fat -r zippad.img (both used in script)
>
> brings up so many false positives?
>
> Look here:
>
> $file
> ...
> _FCHEN~1.DOC: data
> _U=E1BAK~1.DOC: MPEG ADTS, AAC, v4 Main, 96 kHz
> _UFA1E~1.DOC: COM executable for MS-DOS
> _DNKTE~1.DOC: ASCII HTML document text
> ...
>
> What can I do to get better results?
>
> Does anyone know the trick?
>
> regards
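A triage sketch for the situation described in the reply above, added here as an example and not part of the original thread or of The Sleuth Kit: it compares the first bytes of each file recovered with icat against the signature its extension implies, so recoveries whose content no longer matches the name can be set aside. The function names, the recovery-directory layout and the sample contents are assumptions constructed for the illustration; as the reply notes, a mismatch is a hint and not proof of reallocation.

```python
import os
import tempfile
# Leading "magic" bytes expected for a few common extensions (well-known signatures).
MAGIC = {
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
    ".jpg": [b"\xff\xd8\xff"],
}

def verdict(name, head):
    """Compare a recovered file's first bytes with what its extension implies."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "unknown-extension"
    if not head:
        return "empty"
    if any(head.startswith(sig) for sig in MAGIC[ext]):
        return "consistent"
    # Content may belong to whatever now owns the clusters, or the name was misleading.
    return "mismatch"

def triage(directory):
    """Return {filename: verdict} for every regular file in a recovery directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                results[name] = verdict(name, fh.read(16))
    return results

def demo():
    """Build a constructed recovery directory and triage it."""
    samples = {  # constructed sample contents, not taken from the thread
        "_REPORT1.DOC": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
        "_NOTES~1.DOC": b"<html><body>reused cluster</body></html>",
        "_EMPTY~1.DOC": b"",
        "_SCAN~1.PDF": b"%PDF-1.4\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return triage(tmp)

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{result:12} {name}")
```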