Hello Reader,
I'm working on changing up Hal's mlocator and mlocate-time scripts to work to recover and parse unallocated mlocate entries. I'm having a bit of success as you can see with the following scrren shot that I am successfully recovering dates associated with file entries from hits found by mlocator.
Right now I'm running two scripts to do this, Hal's mlocator modified to convert the hex back to ascii and then writing it out to a file and then Hal's mlcoate-time modified to not look for the beginning of a mlocate database. I'm having some success but it's hanging 1/9 of the way through the 9mbs of mlocate data recovered just from group 33. This is good because my current mlocate database is only 3mb!
I'll keep on working on this and provide another update tomorrow with the ultimate goal of combining the two scripts into one that can be used to carve all mlocate database entries from a disk and print the parsed output.
I'm working on changing up Hal's mlocator and mlocate-time scripts to work to recover and parse unallocated mlocate entries. I'm having a bit of success as you can see with the following scrren shot that I am successfully recovering dates associated with file entries from hits found by mlocator.
Right now I'm running two scripts to do this, Hal's mlocator modified to convert the hex back to ascii and then writing it out to a file and then Hal's mlcoate-time modified to not look for the beginning of a mlocate database. I'm having some success but it's hanging 1/9 of the way through the 9mbs of mlocate data recovered just from group 33. This is good because my current mlocate database is only 3mb!
I'll keep on working on this and provide another update tomorrow with the ultimate goal of combining the two scripts into one that can be used to carve all mlocate database entries from a disk and print the parsed output.
Also Read:
Post a Comment