--- "Forensics @ TracingEmails" <> wrote:
> Windows & inodes??
Well, ls and inodes ;-)
> Are these the 'hidden' (system) files that windows has? Do you get
> the same output if you were to boot an image of the drive and opt
> (using windows explorer) - to alter [tools, view, 'show the hidden
> files & folders']?
Not quite. They're part of the ntfs filesystem as Brian described.
If you mount an ntfs drive under linux using something like

  mount -t ntfs -o show_sys_files=true /dev/hda1 /mnt/windows

You'll see the $files like $MFT via the ls command: ls -l \$MFT or
ls -l \$*

Or you can use ntfsinfo to see the MFT:

  ntfsinfo -f -d /dev/hda1 -i 0

Jeff.
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
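
Added example (not part of the message above, and not code from ntfsinfo or ntfs-3g): a sketch of how inode 0, the $MFT record that "ntfsinfo -i 0" reports on, can be located in a raw image from the NTFS boot sector. The function names and the small sample image are constructed for illustration.

```python
import struct

def locate_mft(boot: bytes) -> dict:
    """Read the NTFS boot sector fields needed to find MFT record 0."""
    if boot[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    (mft_lcn,) = struct.unpack_from("<Q", boot, 0x30)
    (raw,) = struct.unpack_from("<b", boot, 0x40)
    cluster = bytes_per_sector * sectors_per_cluster
    # Positive: size in clusters. Negative: record is 2**abs(raw) bytes.
    record_size = raw * cluster if raw > 0 else 1 << -raw
    return {"cluster_size": cluster, "mft_offset": mft_lcn * cluster,
            "record_size": record_size}

def read_record_header(image: bytes, geom: dict, inode: int = 0) -> dict:
    """Decode the fixed header of one MFT record (inode 0 is $MFT itself).

    inode * record_size is only valid while the $MFT data run is contiguous;
    that always holds for inode 0, the first record.
    """
    off = geom["mft_offset"] + inode * geom["record_size"]
    rec = image[off:off + geom["record_size"]]
    if rec[:4] != b"FILE":
        raise ValueError(f"no FILE signature at offset {off}")
    seq, links, attr_off, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    return {"offset": off, "sequence": seq, "hard_links": links,
            "first_attr_offset": attr_off, "in_use": bool(flags & 0x01),
            "is_directory": bool(flags & 0x02), "used": used, "allocated": alloc}

def build_sample_image() -> bytes:
    """Constructed 16 KiB test image, not taken from a real volume."""
    img = bytearray(16384)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 8)   # 4096-byte clusters
    struct.pack_into("<Q", img, 0x30, 2)         # $MFT starts at cluster 2
    struct.pack_into("<b", img, 0x40, -10)       # 2**10 = 1024-byte records
    rec = 2 * 4096
    img[rec:rec + 4] = b"FILE"
    struct.pack_into("<HHHHII", img, rec + 0x10, 1, 1, 0x38, 0x01, 0x1A0, 1024)
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    geometry = locate_mft(image[:512])
    print(geometry)
    print(read_record_header(image, geometry, 0))
```
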