chad131 wrote:
Have you considered using the FTK Imager file listing to actually recreate the file system? I've done this in the past.
Just loop through the csv file and create 0 byte files retaining the directory structure and file names/extensions. If you want, you can even set the MAC times of the files so they match the csv.
It's not as clean as a separate app that will read the csv, but it does allow someone to browse around a file/directory structure and it takes virtually no space.

This would be an interesting approach, but how will the user be able to view (besides the directory structure) the actual data in the "source" .csv?
IF (?) the data in the .csv is within the limits of the available space, see:
http://www.forensicfocus.com/Forums/viewtopic/t=10403/
one could use an NTFS filesystem and store the data in the same $MFT entry, i.e. using 1024 bytes per record, and if it would be possible to make an NTFS filesystem with the $MFT starting on cluster 2 (16 sectors before for the $boot), as I have seen a few examples recently (but without a definite answer on what OS/tool can make them), we could have a volume which is made of just the NTFS filesystem "standard" $-prefixed files.
As a matter of fact a filesystem is a database and vice versa; in theory one could make a "filesystem driver" to mount directly the .csv as if it was a volume, as Francesco mentioned before.
jaclaz
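
The zero-byte skeleton approach from the quoted post, sketched as an added example that is not part of the original thread. The column names, the timestamp format and the sample rows are assumptions (adjust them to the actual export), every row is assumed to describe a file, and listed paths that would land outside the output directory are skipped.

```python
import csv, io, os, tempfile
from datetime import datetime, timezone
from pathlib import Path, PureWindowsPath

# Assumptions: column names and timestamp format of the exported listing.
COL_PATH, COL_MOD, COL_ACC = "Full Path", "Modified", "Accessed"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample listing (not real case data); the second row tries to escape.
SAMPLE_CSV = r"""Filename,Full Path,Size (bytes),Created,Modified,Accessed
report.doc,C:\Users\alice\Documents\report.doc,48128,2011-03-01 09:00:00,2011-03-02 10:15:30,2011-03-05 08:00:00
evil.txt,C:\..\..\outside\evil.txt,10,2011-03-01 09:00:00,2011-03-02 10:15:30,2011-03-05 08:00:00
"""

def to_epoch(text):
    """Parse a listing timestamp as UTC and return seconds since the epoch."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc).timestamp()

def safe_target(root, listed_path):
    """Map a listed Windows-style path below root; None if it could escape root."""
    p = PureWindowsPath(listed_path)
    parts = [x for x in p.parts if x != p.anchor]  # drop drive/root anchor
    if not parts or ".." in parts:
        return None
    return Path(root).joinpath(*parts)

def build_skeleton(listing, root):
    """Create 0-byte placeholders under root; return (created, skipped)."""
    created, skipped = [], []
    for row in csv.DictReader(listing):
        target = safe_target(root, row[COL_PATH])
        if target is None:
            skipped.append(row[COL_PATH])
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
        # os.utime sets accessed and modified times only; the creation time
        # from the listing cannot be applied portably this way.
        os.utime(target, (to_epoch(row[COL_ACC]), to_epoch(row[COL_MOD])))
        created.append(target)
    return created, skipped

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as out:
        made, bad = build_skeleton(io.StringIO(SAMPLE_CSV), out)
        print("created:", [str(p.relative_to(out)) for p in made])
        print("skipped:", bad)
```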