I am definitely new to TSK and I am using it for finding, in an NTFS partition, the sectors where files are allocated.
I am currently using the command
fls -pro xxxxx datadump.dd
(where xxxxx is the starting offset of the NTFS partition inside datadump.dd) and I get a list of rows, one for each file, containing a metadata address and the filename.
Then using the command
istat -o xxxxx datadump.dd metadata_address
I can get the details of each file and the list of clusters where it is allocated. This is perfectly ok for non-resident files, but for resident ones I would like to be able to locate their MFT entry. Is there a way for doing that?
Thank you so much
Lucio
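
The fls/istat procedure described in the post, as an added Python example that is not part of the original post: it parses `fls -pr` lines and the attribute list of NTFS `istat` output, then reports whether a file's `$DATA` is non-resident (cluster list) or resident (content held in the MFT entry, whose number is the first field of the metadata address). The sample text is constructed, the line layouts are assumed from TSK's usual output, and the function names are hypothetical.

```python
import re

# Constructed sample of `fls -pr` output: type, "*" if deleted, address, path.
FLS_SAMPLE = """\
r/r 64-128-2:\tdocs/report.docx
r/r 65-128-1:\tdocs/note.txt
r/r * 67-128-1:\tdocs/old/tmp.log
"""

# Constructed sample of the attribute list that ends NTFS `istat` output.
ISTAT_SAMPLE = """\
Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 48
Type: $DATA (128-2)   Name: N/A   Non-Resident   size: 10000  init_size: 10000
8211 8212 8213
"""

FLS_RE = re.compile(r"^(\S+) (\* )?(\d+)-(\d+)-(\d+)(?:\(realloc\))?:\t(.*)$")
ATTR_RE = re.compile(r"^Type: (\S+) \((\d+)-(\d+)\)\s+Name: \S+\s+(Non-Resident|Resident)\b")

def parse_fls(text):
    """Return one record per fls line; 'entry' is the MFT entry number on NTFS."""
    out = []
    for line in text.splitlines():
        m = FLS_RE.match(line)
        if m:
            out.append({"type": m.group(1), "deleted": bool(m.group(2)),
                        "entry": int(m.group(3)), "path": m.group(6),
                        "addr": "-".join(m.group(3, 4, 5))})  # argument for istat
    return out

def parse_istat_attrs(text):
    """Return the attributes istat lists, with cluster runs for non-resident ones."""
    attrs = []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.append({"name": m.group(1), "id": f"{m.group(2)}-{m.group(3)}",
                          "resident": m.group(4) == "Resident", "clusters": []})
        elif attrs and not attrs[-1]["resident"] and re.fullmatch(r"[\d ]+", line):
            attrs[-1]["clusters"] += [int(c) for c in line.split()]
    return attrs

def data_location(entry, attrs):
    """Locate $DATA: a cluster list, or the MFT entry itself when resident."""
    for a in attrs:
        if a["name"] == "$DATA":
            return ("mft_entry", entry) if a["resident"] else ("clusters", a["clusters"])
    return ("none", None)
```
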