
How to list the contents of the live file on a NTFS system?

11 Posts
7 Users
0 Likes
481 Views
(@chopperbrury)
Posts: 4
New Member
Topic starter
 

Hi
I have a raw image with two partitions, fat16 and NTFS…
Need to list the contents of the live file system on the NTFS partition..
any suggestions on how using sleuthkit?
or where it would be found using ftk/autopsy?

sorry very new to this game - plz be patient )

 
Posted : 05/05/2015 3:09 am
(@rampage)
Posts: 354
Reputable Member
 

what do you mean by "live filesystem" ?

 
Posted : 05/05/2015 5:23 am
(@chopperbrury)
Posts: 4
New Member
Topic starter
 

Not being smart, but I do not know. It's a task I was asked to accomplish, but I am at a loss as to what the live file system on a partition is or how you retrieve its contents.
It is an image of a disk drive and there are two partitions, Linux (0x83) and NTFS (07). The live content is in the NTFS??

 
Posted : 05/05/2015 5:39 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

A live file system normally refers to a machine that is booted up and running, with the operating system using the file system in question.

If you are working on a disk image, then it isn't a live file system. Maybe you mean it was a formerly live file system.

If you just want a file listing then it is pretty trivial & there are lots of options.

For example, mount the partition with a drive letter then do a dir . /s command from the command line.

If you want more than just a simple file listing (e.g. SHA1 hashes of the file content, dates, sizes, ignoring NTFS file permissions, full paths, listing of Emails, zip file contents, etc..) then you need a forensics tool. Like this,
http://www.osforensics.com/faqs-and-tutorials/how-to-list-all-files-emails-on-disk.html

 
Posted : 05/05/2015 6:33 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Hi
I have a raw image with two partitions, fat16 and NTFS…
Need to list the contents of the live file system on the NTFS partition..
any suggestions on how using sleuthkit?
or where it would be found using ftk/autopsy?

sorry very new to this game - plz be patient )

As the other posters have pointed out, you have a contradiction in terms. If it's a disk image, then the file system isn't "live." Ignoring that word, if I wanted to list the contents of an NTFS volume, I would probably brute force it by dumping the MFT with a tool such as https://pypi.python.org/pypi/analyzeMFT

 
Posted : 05/05/2015 8:31 pm
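The original question asked how to do this with The Sleuth Kit. The following is an added example, not code from the thread or from TSK itself. It ties together Passmark's point (a plain listing versus a forensic listing that also reports deleted entries and full paths) and TuckerHST's suggestion of walking the MFT: TSK's `mmls` locates the NTFS partition in the raw image, and `fls -r -p` walks every MFT entry under it, printing allocated, deleted and orphaned names. The script parses both outputs into records and counts them. The image path is a placeholder, the `mmls` and `fls` output used for the offline demonstration is constructed (in the shape the real tools print, with the same Linux/NTFS layout the poster described), and the `Entry` record and helper function names are this example's own.

```python
"""Added example: list the NTFS partition of a raw image with The Sleuth Kit
(mmls + fls) and classify the entries as allocated, deleted or orphaned.
Requires TSK on PATH for the live run; the parsing is exercised on
constructed sample output so it also runs without an image."""
import re
import shutil
import subprocess
from dataclasses import dataclass

# One mmls data row, e.g.
# 003:  000:001   0000206848   0002097151   0001890304   NTFS / exFAT (0x07)
# groups: start sector, end sector, length, description
MMLS_ROW = re.compile(r"^\s*\d+:\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

# One fls -r -p line, e.g.
# r/r 64-128-2:<tab>Users/bob/notes.txt      allocated file
# r/r * 65-128-1:<tab>Users/bob/old.txt      deleted file (the '*' marks it)
# d/d 36-144-1:<tab>Users/bob                directory
# groups: name type, metadata type, optional '*', MFT address, path
FLS_LINE = re.compile(r"^([-A-Za-z])/([-A-Za-z])\s+(\*\s+)?([0-9-]+):\s+(.*)$")


@dataclass
class Entry:
    path: str        # full path relative to the volume root (fls -p)
    meta_addr: str   # NTFS MFT entry-attribute type-attribute id
    is_dir: bool
    allocated: bool  # False when fls printed the '*' marker
    orphaned: bool   # recovered entry with no parent, under $OrphanFiles


def parse_mmls(text):
    """Return (start, end, length, description) for every mmls row."""
    rows = []
    for line in text.splitlines():
        m = MMLS_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)),
                         int(m.group(3)), m.group(4)))
    return rows


def ntfs_start_sector(mmls_text):
    """Sector offset of the first NTFS partition (what fls -o expects)."""
    for start, _end, _length, desc in parse_mmls(mmls_text):
        if "NTFS" in desc:
            return start
    raise ValueError("no NTFS partition found in mmls output")


def parse_fls(text):
    """Turn fls -r -p output into Entry records; skips non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if not m:
            continue
        _name_type, meta_type, deleted, addr, path = m.groups()
        entries.append(Entry(
            path=path,
            meta_addr=addr,
            is_dir=meta_type.lower() == "d",
            allocated=deleted is None,
            orphaned=path.startswith("$OrphanFiles/"),
        ))
    return entries


def summarize(entries):
    """Counts a reviewer would want next to the listing."""
    return {
        "total": len(entries),
        "allocated": sum(e.allocated for e in entries),
        "deleted": sum(not e.allocated for e in entries),
        "orphaned": sum(e.orphaned for e in entries),
        "directories": sum(e.is_dir for e in entries),
    }


def fls_partition(image_path, sector_offset):
    """Run fls on one partition of a raw image (needs TSK installed)."""
    if shutil.which("fls") is None or shutil.which("mmls") is None:
        raise RuntimeError("The Sleuth Kit (mmls/fls) is not on PATH")
    out = subprocess.run(
        ["fls", "-r", "-p", "-o", str(sector_offset), image_path],
        check=True, capture_output=True, text=True).stdout
    return parse_fls(out)


# Constructed sample output, shaped like the real tools print it.
SAMPLE_MMLS = """DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0002097151   0001890304   NTFS / exFAT (0x07)
"""

SAMPLE_FLS = (
    "d/d 5-144-5:\tUsers\n"
    "d/d 36-144-1:\tUsers/bob\n"
    "r/r 64-128-2:\tUsers/bob/notes.txt\n"
    "r/r * 65-128-1:\tUsers/bob/old_draft.txt\n"
    "r/r 8-128-2:\t$BadClus\n"
    "r/r * 70-128-1:\t$OrphanFiles/report.docx\n"
)

if __name__ == "__main__":
    offset = ntfs_start_sector(SAMPLE_MMLS)
    print("NTFS partition starts at sector", offset)
    for e in parse_fls(SAMPLE_FLS):
        flag = "ORPHAN" if e.orphaned else ("deleted" if not e.allocated else "")
        print(f"{e.meta_addr:>12} {'d' if e.is_dir else 'f'} {e.path} {flag}")
    print(summarize(parse_fls(SAMPLE_FLS)))
    # Against a real image: fls_partition("/path/to/image.dd", offset)
```

For the poster's "orphan files" follow-up: TSK recovers MFT entries whose parent directory no longer exists and presents them under the virtual `$OrphanFiles` directory, so they appear in the same `fls -r -p` walk and are flagged here by path prefix; `icat -o OFFSET image MFTADDR` then extracts the content of any listed entry by its address.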
(@chopperbrury)
Posts: 4
New Member
Topic starter
 

hey guys
Thanks for your replies. Yes, I'm confused by the question, and would be of the same opinion.
It is for an assignment, and basically we are given an image of a hard disk drive, and that is one of the questions: List the contents of the live file system on Partition 2?? I will muddle on through it.

Any tips on retrieving data that may be in orphan files?

thanks for all the replies and patience..

 
Posted : 06/05/2015 1:31 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

Maybe it is a trick question & the correct answer to the assignment is that there is no spoon (I mean, live file system)

 
Posted : 06/05/2015 3:47 am
(@chopperbrury)
Posts: 4
New Member
Topic starter
 

Passmark, you may be onto something 😉
much appreciated….
thanks again for replies..

 
Posted : 06/05/2015 4:30 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

My experience with University lecturers would make me lean more towards a mistake in the wording of the question rather than a trick question.

I'm not sure how it is in other parts of the world (and the cynic in me assumes it's the same all over) but in Perth we have many 'forensic experts' lecturing and teaching in Universities who are purely self taught and don't know the first thing about the field.

 
Posted : 06/05/2015 5:47 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

My experience with University lecturers would make me lean more towards a mistake in the wording of the question rather than a trick question.

I'm not sure how it is in other parts of the world (and the cynic in me assumes it's the same all over) but in Perth we have many 'forensic experts' lecturing and teaching in Universities who are purely self taught and don't know the first thing about the field.

Please consider how "self taught" does not in any way equate to "don't know the first thing about the field" maybe you made a mistake in the wording…. wink

jaclaz

 
Posted : 06/05/2015 4:16 pm
Page 1 / 2