How to map a metadata address into a sector number

Post by lucio.bonetto » Tue Oct 17, 2017 3:20 pm

Dear all,
I am definitely new to TSK and I am using it for finding, in an NTFS partition, the sectors where files are allocated.
I am currently using the command
fls -pro xxxxx datadump.dd

(where xxxxx is the starting offset of the NTFS partition inside datadump.dd) and I get a list of rows, one for each file, containing a metadata address and the filename.

Then using the command
istat -o xxxxx datadump.dd metadata_address

I can get the details of each file and the list of clusters where it is allocated. This is perfectly ok for non-resident files, but for resident ones I would like to be able to locate their MFT entry. Is there a way for doing that?

Thank you so much
Lucio
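
An added example, not part of the original post: one way to turn an NTFS metadata address into the image sectors that hold its MFT entry. It assumes the ordered cluster list of $MFT itself (as printed by istat for metadata address 0), the partition offset in sectors as passed to -o, and the cluster, sector and MFT entry sizes of the file system (fsstat reports them); the function name and all sample values are constructed for illustration.

```python
def mft_entry_sectors(meta_addr, mft_clusters, part_offset,
                      cluster_size=4096, entry_size=1024, sector_size=512):
    """Return the image-relative sectors holding one MFT entry.

    meta_addr    -- address as shown by fls, e.g. "64-128-2" or 64;
                    only the first field (the MFT entry number) is used
    mft_clusters -- ordered clusters of $MFT's data (istat on address 0)
    part_offset  -- start of the NTFS partition in the image, in sectors
    """
    entry = int(str(meta_addr).split("-")[0])
    if entry < 0:
        raise ValueError("negative MFT entry number")
    sectors_per_cluster = cluster_size // sector_size
    first_byte = entry * entry_size          # offset inside the $MFT file
    sectors = []
    # Walk the entry one sector at a time so that a fragmented $MFT, or an
    # entry larger than one cluster, is still mapped correctly.
    for byte in range(first_byte, first_byte + entry_size, sector_size):
        vcn, within = divmod(byte, cluster_size)   # index into $MFT's clusters
        if vcn >= len(mft_clusters):
            raise ValueError("entry lies beyond the supplied $MFT cluster list")
        lcn = mft_clusters[vcn]                    # cluster on the volume
        sectors.append(part_offset
                       + lcn * sectors_per_cluster
                       + within // sector_size)
    return sectors


if __name__ == "__main__":
    # Constructed sample: a fragmented $MFT and a partition starting at
    # sector 2048 of the image.
    sample_mft_clusters = [786432, 786433, 786434, 786435, 100, 101]
    for addr in ("5-144-1", "17-128-1"):
        secs = mft_entry_sectors(addr, sample_mft_clusters, part_offset=2048)
        print(addr, "-> sectors", secs, "-> byte offset", secs[0] * 512)
```

For a resident file the content sits inside that MFT entry, so these sectors are also where its data is stored.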