Metadata Address

From SleuthKitWiki
Revision as of 08:49, 4 February 2009 by Carrier (Talk | contribs)


Overview

Metadata Address is a term that is used in TSK as a generic term for the addresses of file system-specific data structures that store file metadata. Each file system has a different name for the structure(s) that store the metadata, including:

The metadata address can be used in TSK to specify the files to analyze.

Format

In general, each metadata structure is given a single numerical address. Some file systems, such as FAT, do not assign the structures an address, but TSK makes them up (see FAT Implementation Notes).

Some file systems, such as NTFS and HFS, allow a file to have multiple notions of content. NTFS files can have multiple $Data attributes and each is basically an independent file. To allow the user to access each attribute, special metadata addresses are used. These addresses take the form of ADDR-TYPE or ADDR-TYPE-ID. ADDR is the metadata address, TYPE is the attribute type, and ID is the attribute id.

The TYPE number specifies the type of data being stored in the attribute (such as file content, directory contents, or file metadata). These numbers are file system-specific. The ID number allows you to differentiate between different instances of the same attribute type. Each attribute in a file will have a unique ID value. Refer to the NTFS Implementation Notes for examples.

In general, if you want TSK to choose the default data attribute (or if the file system does not support the notion of attributes), give TSK only the metadata address. If you want to specify an attribute and you know there is only one of them, use ADDR-TYPE. If there are multiple attributes of the same type, then also specify an ID. Typically, the istat output will show which attributes are defined for a file.
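The three address forms above, and the selection rules for choosing among a file's attributes, as an added Python example (not TSK's own code). The `default_type` parameter and the `(type, id)` attribute list are assumptions standing in for what TSK and istat would supply; the sample list uses NTFS type numbers as constructed input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accepts exactly the forms described on the page: ADDR, ADDR-TYPE, ADDR-TYPE-ID (decimal).
_META_ADDR_RE = re.compile(r"^(\d+)(?:-(\d+)(?:-(\d+))?)?$")


@dataclass(frozen=True)
class MetaAddr:
    addr: int                         # metadata address (e.g. an MFT entry number on NTFS)
    attr_type: Optional[int] = None   # attribute type; the numbers are file-system specific
    attr_id: Optional[int] = None     # attribute id; distinguishes instances of one type


def parse_meta_addr(text: str) -> MetaAddr:
    """Parse 'ADDR', 'ADDR-TYPE' or 'ADDR-TYPE-ID' into its parts; reject anything else."""
    m = _META_ADDR_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a TSK metadata address: {text!r}")
    addr, atype, aid = m.groups()
    return MetaAddr(int(addr), int(atype) if atype else None, int(aid) if aid else None)


def select_attribute(spec: MetaAddr, attrs: List[Tuple[int, int]],
                     default_type: int) -> Tuple[int, int]:
    """Apply the page's selection rules to a file's attribute list.

    attrs is a list of (type, id) pairs in the order istat would list them (constructed
    here, not read from an image). default_type is a hypothetical parameter standing in
    for the default data attribute TSK picks when the address carries no TYPE.
    """
    if spec.attr_type is None:
        # ADDR only: fall back to the first attribute of the default type.
        candidates = [a for a in attrs if a[0] == default_type]
        if not candidates:
            raise LookupError(f"file {spec.addr} has no attribute of type {default_type}")
        return candidates[0]
    candidates = [a for a in attrs if a[0] == spec.attr_type]
    if spec.attr_id is None:
        # ADDR-TYPE: only valid when exactly one attribute of that type exists.
        if len(candidates) != 1:
            raise LookupError(f"{spec.addr}-{spec.attr_type} is ambiguous: "
                              f"{len(candidates)} attributes of that type; add an ID")
        return candidates[0]
    # ADDR-TYPE-ID: exact match on both type and id.
    for a in candidates:
        if a[1] == spec.attr_id:
            return a
    raise LookupError(f"no attribute {spec.attr_type}-{spec.attr_id} in file {spec.addr}")
```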