
Re: $I30 files

  • keydet89
    Message 1 of 18, Jun 23, 2010
      Thanks for all the responses I got in this thread. Using Brian's book, I wrote a parser for the $I30 files...mostly by starting on pg 371, and jumping back to pg 362 for specifics on the $FILE_NAME attr structure.

      As a side note, I was asked to assist in parsing an $I30 file for which the index record header indicated that there were no records in the file, but we could see filenames, etc. I modified the parser to address the issue and pulled out filenames, sizes, and MACB times...which were very valuable to the analyst.

      Thanks!
    • Jean-Francois Gingras
      Message 2 of 18, Jun 23, 2010
        Nice to hear you worked it out.
        Unallocated entries in the $I30 are quite useful. I use the following technique to retrieve those entries:

        1- look for what could be a filename in the unallocated space of the idx record
        2- work backward to rebuild:
             a- the $FILE_NAME (what's left of it)
             b- the idx entry (not that useful in general, for me anyway)

        Sent from my iPhone

        On 2010-06-23 at 11:05, keydet89 <keydet89@...> wrote:


        Thanks for all the responses I got in this thread. Using Brian's book, I wrote a parser for the $I30 files...mostly by starting on pg 371, and jumping back to pg 362 for specifics on the $FILE_NAME attr structure.

        As a side note, I was asked to assist in parsing an $I30 file for which the index record header indicated that there were no records in the file, but we could see filenames, etc. I modified the parser to address the issue and pulled out filenames, sizes, and MACB times...which were very valuable to the analyst.

        Thanks!
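The two-step recovery described in message 2, as an added example for this thread (not code from either poster, and not a parser from Brian's book): walk the allocated index entries of one INDX record using the index entry and $FILE_NAME layouts, then scan the unallocated tail of the record for anything that still decodes as a plausible $FILE_NAME, and finally look 0x10 bytes back for the index entry header to see whether its MFT reference can be trusted. The 4 KiB record it parses is constructed in `build_sample_record`, the timestamp plausibility window and the 8-byte scan step are assumptions, and the update sequence (fixup) handling is included because a name or timestamp that straddles a sector boundary is garbled if the fixups are not undone first.

```python
"""Walk the allocated entries of an NTFS $I30 INDX record, then carve $FILE_NAME structures
from its unallocated space. Added example, not either poster's code; the record is constructed."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch (100 ns ticks)
FN_FIXED = 0x42                                      # $FILE_NAME bytes before the name
def to_filetime(dt): return int((dt - EPOCH).total_seconds()) * 10_000_000
def from_filetime(ft): return EPOCH + timedelta(microseconds=ft // 10)

# Carving plausibility window (an assumption, tune per case): all four timestamps must fit.
FT_MIN = to_filetime(datetime(1995, 1, 1, tzinfo=timezone.utc))
FT_MAX = to_filetime(datetime(2040, 1, 1, tzinfo=timezone.utc))

def parse_file_name(buf):
    """Decode a $FILE_NAME body: parent ref, 4 FILETIMEs, sizes, flags, name; None if implausible."""
    if len(buf) < FN_FIXED:
        return None
    (parent, cr, mo, mf, ac, alloc, real, _flags, _reparse,
     nlen, ns) = struct.unpack_from('<QQQQQQQIIBB', buf, 0)
    if not (1 <= nlen <= 255 and ns <= 3 and len(buf) >= FN_FIXED + 2 * nlen
            and all(FT_MIN <= t <= FT_MAX for t in (cr, mo, mf, ac))):
        return None
    name = buf[FN_FIXED:FN_FIXED + 2 * nlen].decode('utf-16-le', 'replace')
    if any(c < ' ' for c in name):                   # control chars: not a real name
        return None
    return {'name': name, 'parent_ref': parent & 0xFFFFFFFFFFFF, 'alloc_size': alloc,
            'real_size': real, 'macb': dict(zip(('modified', 'accessed', 'mft_changed', 'created'),
                                                map(from_filetime, (mo, ac, mf, cr))))}

def apply_fixups(rec):
    """Undo the update sequence array so every 512-byte sector tail holds its real bytes."""
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from('<HH', rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        tail = i * 512 - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError('fixup mismatch in sector %d (torn write?)' % (i - 1))
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def parse_indx(record):
    """Return (allocated_entries, carved_entries) for one INDX record."""
    if record[:4] != b'INDX':
        raise ValueError('not an INDX record')
    rec = apply_fixups(record)
    first_off, used, alloc = struct.unpack_from('<III', rec, 0x18)   # index node header
    pos, end_used, end_alloc = 0x18 + first_off, 0x18 + used, 0x18 + alloc
    allocated = []
    while pos + 0x10 <= end_used:
        mft_ref, esize, ssize, eflags = struct.unpack_from('<QHHI', rec, pos)
        if eflags & 0x02 or esize < 0x10:            # last-entry marker (or corruption)
            break
        fn = parse_file_name(rec[pos + 0x10:pos + 0x10 + ssize])
        if fn:
            allocated.append(dict(fn, mft_ref=mft_ref & 0xFFFFFFFFFFFF))
        pos += esize
    # Step 1 of the post: unallocated space starts at the marker; entries are 8-byte aligned.
    carved = []
    for off in range(pos, end_alloc - FN_FIXED, 8):
        fn = parse_file_name(rec[off:off + FN_FIXED + 510])
        if fn:
            # Step 2: work back to the entry header 0x10 bytes earlier and trust its MFT
            # reference only if the stream size there still matches the carved name.
            mft_ref, _esize, ssize = struct.unpack_from('<QHH', rec, off - 0x10)
            intact = ssize == FN_FIXED + 2 * len(fn['name'])
            carved.append(dict(fn, offset=off, mft_ref=mft_ref & 0xFFFFFFFFFFFF if intact else None))
    return allocated, carved

def build_entry(mft_ref, parent_ref, name, size, when):
    """Constructed index entry: 16-byte header + $FILE_NAME, padded to 8 bytes."""
    ft = to_filetime(when)
    fn = struct.pack('<QQQQQQQIIBB', parent_ref, ft, ft, ft, ft,
                     -(-size // 4096) * 4096, size, 0x20, 0, len(name), 3)
    fn += name.encode('utf-16-le')
    esize = (0x10 + len(fn) + 7) & ~7
    return struct.pack('<QHHI', mft_ref, esize, len(fn), 0) + fn.ljust(esize - 0x10, b'\0')

END_ENTRY = struct.pack('<QHHI', 0, 0x18, 0, 0x02) + b'\0' * 8   # last-entry marker

def build_sample_record():
    """Constructed 4 KiB record: budget-2010.xlsx allocated; readme.txt deleted, so the
    marker slid over its entry header (and $FILE_NAME parent ref) but the rest is in slack."""
    base = datetime(2010, 6, 1, 9, 30, tzinfo=timezone.utc)
    a = build_entry(0x41, 0x05, 'budget-2010.xlsx', 18_432, base)
    b = build_entry(0x42, 0x05, 'readme.txt', 1_240, base + timedelta(days=3))
    body = a + END_ENTRY + (a + b + END_ENTRY)[len(a) + len(END_ENTRY):]   # after deletion
    rec = bytearray(4096)
    struct.pack_into('<4sHHQQ', rec, 0, b'INDX', 0x28, 9, 0, 0)   # USA at 0x28, 9 words, LSN, VCN
    struct.pack_into('<III', rec, 0x18, 0x28, 0x28 + len(a) + 0x18, 4096 - 0x18)
    rec[0x40:0x40 + len(body)] = body
    struct.pack_into('<H', rec, 0x28, 1)            # USN = 1; stamp every sector tail with it
    for i in range(8):
        tail = i * 512 + 510
        rec[0x2A + 2 * i:0x2C + 2 * i] = rec[tail:tail + 2]
        rec[tail:tail + 2] = b'\x01\x00'
    return bytes(rec)
```

Calling `parse_indx(build_sample_record())` returns `budget-2010.xlsx` as the one allocated entry with its MFT reference, and `readme.txt` as a carved entry whose filename, sizes and MACB times survived while the entry header and parent reference did not (so `mft_ref` is reported as `None`), which is exactly the "what's left of it" situation the post describes. On a real image the record size, sector size and timestamp window are the values to adjust, and a carved name should be treated as a lead to corroborate against $MFT and $LogFile rather than as proof on its own.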
