jaclaz wrote:
Can you upload *somewhere* or add into the tool download a "sample" .csv file?
I would like to have a look a such a .csv to explore in a non-FTK creation of the .csv and/or following the idea chad131 hinted.
jaclaz
You can create filelists from FTK imager without having to create a forensic image: when you right-click a mounted physical/logical drive in the evidence tree you can generate a filelist from it. I uploaded a small example filelist here. It's easy to generate a real filesystem tree from the filelist but eventually you'll run in issues with the windows path limit (260 characters). You could store all the tree in a ZIP archive to work around the path length limit but then you'd run in other problems with deleted and duplicated entries: there can be several different versions of files and folders, however it seems to be impossible to associate the correct file to every folder revision since they're not printed in order (that and files with streams being printed just like directories seem to be two major issues in the FTK filelist format).
↧