Difference between revisions of "Metadata Address"

From SleuthKitWiki
(Created first version.)
 
(Added more details about the NTFS formats.)
Revision as of 09:49, 4 February 2009

Overview

Metadata Address is the generic term TSK uses for the address of the file system-specific data structure that stores a file's metadata. Each file system has its own name for that structure, including:

* FAT: Directory entry

TSK tools take a metadata address to specify which file to analyze (for example, as the argument to istat or icat).

Format

In general, each metadata structure is given a single numerical address. Some file systems, such as FAT, do not assign an address to these structures, so TSK synthesizes one (see FAT Implementation Notes).

Some file systems, such as NTFS and HFS, allow a file to have more than one content stream. An NTFS file can have multiple $Data attributes, and each is essentially an independent file. To let the user address each attribute, TSK accepts extended metadata addresses of the form ADDR-TYPE or ADDR-TYPE-ID, where ADDR is the metadata address, TYPE is the attribute type, and ID is the attribute id.

The TYPE number identifies what kind of data the attribute holds (such as file content, directory contents, or file metadata). These numbers are file system-specific. The ID number distinguishes between instances of the same attribute type; each attribute in a file has a unique ID. Refer to the NTFS Implementation Notes for examples.

In general, if you want TSK to choose the default data attribute (or if the file system has no notion of attributes), give only the metadata address. To select a specific attribute when you know there is only one of that type, use ADDR-TYPE. If there are multiple attributes of the same type, also specify the ID. The istat output for a file typically lists which attributes it has, along with their types and ids.
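To make the address forms above concrete, here is an added example (not TSK code, and not a description of TSK's internals) that parses ADDR, ADDR-TYPE and ADDR-TYPE-ID strings and resolves them against a constructed istat-style attribute list for a hypothetical NTFS file. The NTFS type codes 16, 48 and 128 are the on-disk attribute type values for $STANDARD_INFORMATION, $FILE_NAME and $DATA; the attribute ids, the MFT entry number 1234 and the choice to treat a bare ADDR-TYPE as an error when several attributes share that type are this example's own assumptions, not a statement of how TSK resolves such cases.

```python
"""Parse and resolve TSK-style metadata addresses: ADDR, ADDR-TYPE, ADDR-TYPE-ID.

Added example, not part of TSK. The attribute table below is constructed to
imitate what istat would list for a hypothetical NTFS file with one
alternate data stream.
"""
from dataclasses import dataclass
from typing import List, Optional

# NTFS attribute type codes from the on-disk format (plain constants, not a TSK API).
NTFS_STANDARD_INFORMATION = 16
NTFS_FILE_NAME = 48
NTFS_DATA = 128


@dataclass(frozen=True)
class MetaAddr:
    addr: int                        # metadata address (e.g. MFT entry number)
    attr_type: Optional[int] = None  # attribute TYPE, if given
    attr_id: Optional[int] = None    # attribute ID, if given


@dataclass(frozen=True)
class Attribute:
    type: int
    id: int
    name: str = ""  # "" for an unnamed attribute (the default NTFS $Data stream)


def parse_meta_addr(text: str) -> MetaAddr:
    """Split 'ADDR[-TYPE[-ID]]' into its numeric parts.

    Each part must be a non-negative decimal integer. An empty part
    ('12-', '-5'), a non-digit, or more than three parts is rejected.
    """
    parts = text.strip().split("-")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"malformed metadata address: {text!r}")
    nums: List[int] = []
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"malformed metadata address: {text!r}")
        nums.append(int(part, 10))
    return MetaAddr(nums[0],
                    nums[1] if len(nums) > 1 else None,
                    nums[2] if len(nums) > 2 else None)


def format_meta_addr(ma: MetaAddr) -> str:
    """Inverse of parse_meta_addr; an ID without a TYPE is not representable and is dropped."""
    out = str(ma.addr)
    if ma.attr_type is not None:
        out += f"-{ma.attr_type}"
        if ma.attr_id is not None:
            out += f"-{ma.attr_id}"
    return out


def resolve_attribute(ma: MetaAddr, attrs: List[Attribute],
                      default_type: int = NTFS_DATA) -> Attribute:
    """Pick the attribute an address refers to.

    ADDR only      -> the default content attribute (assumed here: the unnamed
                      attribute of default_type, i.e. the unnamed $Data stream).
    ADDR-TYPE      -> the sole attribute of that type; ambiguous if several exist.
    ADDR-TYPE-ID   -> exactly that attribute.
    Raises LookupError when nothing matches or the choice is ambiguous.
    """
    if ma.attr_type is None:
        for a in attrs:
            if a.type == default_type and a.name == "":
                return a
        raise LookupError(f"{ma.addr}: no default attribute of type {default_type}")
    matches = [a for a in attrs if a.type == ma.attr_type]
    if ma.attr_id is not None:
        matches = [a for a in matches if a.id == ma.attr_id]
    if not matches:
        raise LookupError(f"{format_meta_addr(ma)}: no such attribute")
    if len(matches) > 1:
        choices = ", ".join(f"{ma.addr}-{a.type}-{a.id}" for a in matches)
        raise LookupError(f"{format_meta_addr(ma)} is ambiguous; use one of: {choices}")
    return matches[0]


def addresses_for(addr: int, attrs: List[Attribute]) -> List[str]:
    """Fully qualified ADDR-TYPE-ID address of every attribute of a file."""
    return [f"{addr}-{a.type}-{a.id}" for a in attrs]


# Constructed istat-like attribute list for a hypothetical file at MFT entry 1234.
SAMPLE_ATTRS = [
    Attribute(NTFS_STANDARD_INFORMATION, 0),
    Attribute(NTFS_FILE_NAME, 3),
    Attribute(NTFS_DATA, 2),                     # unnamed $Data: the file content
    Attribute(NTFS_DATA, 5, "Zone.Identifier"),  # alternate data stream
]


if __name__ == "__main__":
    for text in ("1234", "1234-48", "1234-128-5", "1234-128"):
        try:
            a = resolve_attribute(parse_meta_addr(text), SAMPLE_ATTRS)
            print(f"{text:12} -> type {a.type} id {a.id} name {a.name!r}")
        except LookupError as exc:
            print(f"{text:12} -> error: {exc}")
```

Running the block shows the three cases the text describes: a bare address selects the unnamed $Data attribute, ADDR-TYPE works when the type occurs once (48), and ADDR-TYPE-ID is required to reach the alternate data stream because two attributes of type 128 exist.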