Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add resident $DATA of NTFS to tsk_file_layout #2871

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from
Open

Add resident $DATA of NTFS to tsk_file_layout #2871

wants to merge 5 commits into from

Conversation

paul1278
Copy link

@paul1278 paul1278 commented Sep 22, 2023
edited

When using loaddb, all files of an NTFS file-system will be available on the tsk_file_layout table. Except for resident-files, they are missing there. I noticed this while I was working with this table and needed to extract the location for all files.

This PR adds those files to the tsk_file-layout-table, the byte_start & byte_len will point directly to the resident $DATA-buffer, the sequence is always 0. This allows complete transparent processing of those file-layouts, including extractions of files from the image.

It does this by calculating the offset in bytes relative to the start of the file-system (TSK_FS_ATTR.rd.offset) on NTFS file-systems. When I introduced new parameters to heavily used functions, I made an override for them to maintain compatibility.

This implementation works for my cases, I don't know if it works on all edge cases though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@paul1278