List:       sleuthkit-users
Subject:    Re: [sleuthkit-users] TSK-4.4 and SlackFiles
From:       Luís Filipe Nassif <lfcnassif () gmail ! com>
Date:       2017-02-01 17:47:07
Message-ID: CACknrh1daEUScS7QxwGVup7ShrxiuCJwtAPt3de3d5cwHb5MqQ () mail ! gmail ! com

I've just confirmed VSC content is now accessible through slack files with
the patch!

2017-02-01 15:30 GMT-02:00 Luís Filipe Nassif <lfcnassif@gmail.com>:

> Thank you, Brian, for the change! I think VSC file content will be
> accessible now!
>
> And to clarify, I was a bit confused about the slack size of 2.026.496
> bytes, because the allocated size of the system.LOG file was not shown in
> istat output. But I confirmed with another tool that the allocated size of
> system.LOG is 2.027.520 bytes and with only 1024 bytes of logical size
> that gives us 2.026.496 bytes for the slack size. So everything was ok!
>
> Thanks again!
> Luis
>
> 2017-02-01 15:06 GMT-02:00 Brian Carrier <carrier@sleuthkit.org>:
>
>> This fix is now in the develop-4.4 branch. We'll merge it into develop
>> after we do a few other minor things on this branch.
>>
>>
>> On Wed, Feb 1, 2017 at 11:38 AM, Brian Carrier <carrier@sleuthkit.org>
>> wrote:
>>
>>> Ughh.  I need to better start documenting these scenarios because I
>>> always get confused by them too.
>>>
>>> I think you've found an issue and I created #756 (
>>> https://github.com/sleuthkit/sleuthkit/issues/756) to address this.
>>>
>>> The summary of your specific questions are:
>>> - VSC is strange because Windows seems to treat it differently and lies
>>> about initsize.  It has initsize of 0, but a file size that is equal to the
>>> allocsize.
>>> - In the log file case, 4096 has been initialized, but the allocated
>>> size of the file is 2MB.
>>>
>>>
>>> On Tue, Jan 31, 2017 at 7:26 PM, Luís Filipe Nassif <lfcnassif@gmail.com>
>>> wrote:
>>>
>>>> Thank you, Brian, for your explanation! No problem for our application,
>>>> just curious to know if it was a bug or, if not, why it is there.
>>>>
>>>> But, currently, no slack files are created for VSC files and other
>>>> files with initsize smaller than allocated size. I thought slack is created
>>>> only when allocated > logical size (based on line 1001 of db_sqlite.cpp)
>>>>
>>>> And is the allocated size 4096 from istat output? I do not know where
>>>> the slack size of 2.026.496 bytes came from...
>>>>
>>>> 2017-01-31 18:05 GMT-02:00 Brian Carrier <carrier@sleuthkit.org>:
>>>>
>>>>> Actually, making this decision could incur some significant overhead
>>>>> for a step that (at least in Autopsy) we try to keep as fast as possible.
>>>>> Is your application impacted by the fact that there is a large and empty
>>>>> slack file or were you just curious if it was a bug?
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jan 31, 2017 at 2:54 PM, Brian Carrier <carrier@sleuthkit.org>
>>>>> wrote:
>>>>>
>>>>>> Yea, this looks like "VDL Slack".  Same general idea as in Issue 466 (
>>>>>> https://github.com/sleuthkit/sleuthkit/issues/466), but in this case
>>>>>> the file has 1K of initialized size.
>>>>>>
>>>>>> I suppose this "slack" file is a bit wasted though because no blocks
>>>>>> were allocated to it. So, there will be no real content for it.
>>>>>>
>>>>>> I'll make an internal story to keep track of this and maybe Ann will
>>>>>> be able to take a look at not making these if they are going to be all for
>>>>>> address 0.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jan 31, 2017 at 10:55 AM, Luís Filipe Nassif <
>>>>>> lfcnassif@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Brian,
>>>>>>>
>>>>>>> Thank you very much for your attention. The output of
>>>>>>> FsContent.getMetaDataText() (equals to istat right?) is below. The
>>>>>>> system.LOG-slack size is 2.026.496 bytes and system.LOG size is 1024 bytes.
>>>>>>>
>>>>>>> details of /img_PC-HP.dd/vol_vol2/WINDOWS/system32/config/system.LOG-slack
>>>>>>>
>>>>>>> MFT Entry Header Values:
>>>>>>> Entry: 4106        Sequence: 1
>>>>>>> $LogFile Sequence Number: 79246281526
>>>>>>> Allocated File
>>>>>>> Links: 1
>>>>>>>
>>>>>>> $STANDARD_INFORMATION Attribute Values:
>>>>>>> Flags: Hidden, Archive
>>>>>>> Owner ID: 0
>>>>>>> Security ID: 281  (S-1-5-32-544)
>>>>>>> Last User Journal Update Sequence Number: 105272096
>>>>>>> Created: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)
>>>>>>> File Modified: 2011-09-16 14:33:38.375000000 (Hora oficial do Brasil)
>>>>>>> MFT Modified: 2011-09-16 14:33:38.375000000 (Hora oficial do Brasil)
>>>>>>> Accessed: 2011-09-16 14:33:38.187500000 (Hora oficial do Brasil)
>>>>>>>
>>>>>>> $FILE_NAME Attribute Values:
>>>>>>> Flags: Hidden, Archive
>>>>>>> Name: system.LOG
>>>>>>> Parent MFT Entry: 3982 Sequence: 2
>>>>>>> Allocated Size: 4096   Actual Size: 1024
>>>>>>> Created: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)
>>>>>>> File Modified: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)
>>>>>>> MFT Modified: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)
>>>>>>> Accessed: 2004-09-02 08:00:12.000000000 (Hora oficial do Brasil)
>>>>>>>
>>>>>>> $ATTRIBUTE_LIST Attribute Values:
>>>>>>> Type: 16-0 MFT Entry: 4106 VCN: 0
>>>>>>> Type: 48-4 MFT Entry: 4106 VCN: 0
>>>>>>> Type: 128-0 MFT Entry: 40678 VCN: 0
>>>>>>>
>>>>>>> Attributes:
>>>>>>> Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
>>>>>>> Type: $ATTRIBUTE_LIST (32-5)   Name: N/A   Resident   size: 96
>>>>>>> Type: $FILE_NAME (48-4)   Name: N/A   Resident   size: 86
>>>>>>> Type: $DATA (128-6)   Name: N/A   Non-Resident   size: 1024   init_size: 1024
>>>>>>> 847844 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0 0
>>>>>>> 0 0 0 0 0 0 0
>>>>>>>
>>>>>>> 2017-01-31 12:56 GMT-02:00 Brian Carrier <carrier@sleuthkit.org>:
>>>>>>>
>>>>>>>> Hi Luis,
>>>>>>>>
>>>>>>>> My guess is that it's a file that has preallocated a large amount
>>>>>>>> of space, but that has not fully used it yet. NTFS allows this.  If you
>>>>>>>> read the file, TSK will only show you the space that is used.  Reading the
>>>>>>>> slack, gives you the rest.
>>>>>>>>
>>>>>>>> If you run 'istat' on one of these files and send it along, we can
>>>>>>>> confirm.
>>>>>>>>
>>>>>>>> thanks,
>>>>>>>> brian
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jan 31, 2017 at 7:04 AM, Luís Filipe Nassif <
>>>>>>>> lfcnassif@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi folks,
>>>>>>>>>
>>>>>>>>> I am upgrading to tsk-4.4 to benefit from the new support to
>>>>>>>>> slackfiles from java bindings. But I noticed some slackfiles larger than
>>>>>>>>> the cluster size (4k) are created in database. Some of them have megabytes
>>>>>>>>> of size and its contents are accessible. Is it expected to have slackfiles
>>>>>>>>> larger than cluster size? Could someone explain?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Luis Nassif
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------
>>>>>>>>> ------------------
>>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>>>>>>> _______________________________________________
>>>>>>>>> sleuthkit-users mailing list
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>>>>>> http://www.sleuthkit.org
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
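
The size relationships discussed in this thread, as an added example (not part of the original messages and not Sleuth Kit code): it parses the non-resident $DATA line and address list of istat-style output and derives the allocated size, the slack size, and the gap between file size and init_size. It assumes the 4k cluster size mentioned in the thread and one printed address per cluster; the names `slack_size`, `vdl_gap`, `backed`, `unbacked` and the VSC-style sample are this example's own constructions.

```python
import re
from dataclasses import dataclass

CLUSTER_SIZE = 4096  # assumption: the 4k cluster size mentioned in the thread

# Non-resident $DATA line as in the quoted output: "... size: N   init_size: M"
DATA_RE = re.compile(
    r"Type:\s+\$DATA\b[^\n]*?Non-Resident\s+size:\s+(\d+)\s+init_size:\s+(\d+)")


@dataclass
class SlackReport:
    size: int        # logical file size
    init_size: int   # initialized size
    alloc_size: int  # clusters listed * cluster size
    slack_size: int  # allocated - logical
    vdl_gap: int     # logical - initialized
    backed: int      # listed addresses that are non-zero
    unbacked: int    # listed addresses equal to 0


def analyze_istat(text, cluster_size=CLUSTER_SIZE):
    m = DATA_RE.search(text)
    if m is None:
        raise ValueError("no non-resident $DATA attribute found")
    size, init_size = int(m.group(1)), int(m.group(2))

    # The address list is the run of all-integer lines after the $DATA line.
    addrs = []
    for line in text[m.end():].splitlines():
        tokens = line.split()
        if not tokens:
            if addrs:
                break      # blank line after the list ends it
            continue       # blank line before the list starts
        if not all(t.isdigit() for t in tokens):
            break          # next section of the output
        addrs.extend(int(t) for t in tokens)

    alloc_size = len(addrs) * cluster_size
    backed = sum(1 for a in addrs if a != 0)
    return SlackReport(
        size=size,
        init_size=init_size,
        alloc_size=alloc_size,
        slack_size=max(alloc_size - size, 0),
        vdl_gap=max(size - init_size, 0),
        backed=backed,
        unbacked=len(addrs) - backed,
    )


def _rows(addrs, per_row=8):
    return "\n".join(" ".join(addrs[i:i + per_row])
                     for i in range(0, len(addrs), per_row))


# Sample rebuilt from the system.LOG output quoted in the thread:
# one address (847844) followed by 494 zeros, eight per row.
LOG_ISTAT = (
    "Type: $DATA (128-6)   Name: N/A   Non-Resident   size: 1024   init_size: 1024\n"
    + _rows(["847844"] + ["0"] * 494) + "\n"
)

# Constructed sample for the VSC case described in the thread: init_size 0,
# file size equal to the allocated size. Attribute id and addresses are made up.
VSC_ISTAT = (
    "Type: $DATA (128-1)   Name: N/A   Non-Resident   size: 32768   init_size: 0\n"
    + _rows([str(5000 + i) for i in range(8)]) + "\n"
)

if __name__ == "__main__":
    for name, sample in (("system.LOG", LOG_ISTAT), ("VSC-style", VSC_ISTAT)):
        print(name, analyze_istat(sample))
```

For the system.LOG sample the allocated and slack sizes match the figures reported in the thread, and all but one listed address is 0; for the VSC-style sample the allocated-minus-logical difference is zero while the whole file lies beyond init_size.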
