AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Timeline image tool4/7/2023 ![]() A HPA could be used to hide data so that it would not be copied during an acquisition. These tools can be used to detect and remove a Host Protected Area (HPA) in an ATA disk. img_cat: This tool will show the raw contents of an image file.img_stat: tool will show the details of the image format.For example, if the image format is a split image or a compressed image. This layer contains tools for the image file format. mmcat: Extracts the contents of a specific volume to STDOUT.mmstat: Display details about a volume system (typically only the type).mmls: Displays the layout of a disk, including the unallocated spaces.The media management tools support DOS partitions, BSD disk labels, Sun VTOC, and Mac TheseĬan be used find hidden data between partitions and to identify the file system offset for The Sleuth Kit tools. Examples include DOS partitions, BSD disk labels, and the Sun Volume Table of Contents (VTOC). ![]() These tools take a disk (or other media) image as input and analyze its partition structures. jls: List the entries in the file system journal.jcat: Display the contents of a specific journal block.Examples of file systems with journals include Ext3 and NTFS. This could help recover recently deleted data. The journal records the metadata (and sometimes content) updates that are made. These file system tools process the journal that some file systems have. This is used when evidence is found in unallocated space. blkcalc: Calculates where data in the unallocated space image (from blkls) exists in the original image.blkstat: Displays the statistics about a given data unit in an easy to read format. ![]() ![]()
0 Comments
Read More
Leave a Reply. |