File Types

This page describes the various types of files which may be encountered in PyFlag displays.

Background

It is important to have a basic understanding of how filesystems work to understand this page. In particular, the concepts of inodes and directory entries and how they are linked. This is not covered here, I recommend the book "File System Forensic Analysis" by Brian Carrier.

Allocated Files

Allocated files are normal files which currently exist in the filesystem: a live directory entry pointing at an allocated inode. These have the 'tick' icon in the Del column of the file viewer.

Deleted Files

Deleted files are those which have been removed and no longer exist within the filesystem. Depending on the filesystem being analysed, there are several kinds of deleted files, which can be recovered to varying degrees.

  • Deleted Inodes are inodes which are marked as unused by the filesystem but still contain metadata such as file size, timestamps and block allocations. Depending on the filesystem, a deleted inode may or may not still have a filename linked to it.

    • Where no filename is available, the deleted inode will appear in pyflag in the _deleted_ sub-directory under the pyflag mountpoint of the filesystem.

    • Where a filename is available, the deleted inode will be accessible from its original filename path (see below).
  • Deleted Directory Entries. These are directory entries which have been recovered from unused directory space. A deleted directory entry may or may not contain an intact inode link, and that link may point to an allocated or an unallocated inode.

    • Inode unknown. The inode link in the recovered directory entry has been lost, so it is no longer possible to link the filename to an inode on the filesystem. In this case the filename will be displayed in pyflag as '0'. In filesystems where directory entries are unlinked on deletion, this filename may have originally belonged to one of the deleted inodes in the _deleted_ directory (see above), but this cannot be proven.
    • Inode allocated. The inode is said to be 'reallocated', meaning it now belongs to a different (allocated) file. It no longer contains metadata relating to the deleted directory entry; rather, it contains metadata relating to the new file. These realloc inodes are displayed in pyflag with a '*' at the end (e.g. 1223-128-4*). It is possible to view such files in pyflag, but it MUST be realized that the data displayed no longer relates to the deleted filename, only to the current file. In such cases the file slack-space *may* have belonged to the previous filename, but this is highly dependent on filesystem behaviour and would be impossible to prove. These entries are shown in pyflag with the 'round arrow' icon.

    • Inode unallocated. The inode link points to a currently unused inode, so the metadata and data associated with that inode *may* have once belonged to this deleted filename. It is possible, however, that the unused inode was more recently used to hold another (now deleted) file. These entries are shown in pyflag with the 'cross' icon.
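The classification above is driven entirely by two structures: the inode table (allocation flag plus metadata) and the directory entries (name plus inode link, live or recovered). The following added example, which is not PyFlag code, models both with a small constructed sample and reproduces the display rules described on this page: 'tick' for allocated files, a lost link shown as '0', a '*' suffix and 'round arrow' for a reallocated inode, 'cross' for an unallocated one, and a _deleted_ directory for deleted inodes no surviving name points at. The inode addresses (Sleuth Kit style, e.g. 1223-128-4), the filenames, the 'unknown' icon name for the lost-link case, and the choice of 'cross' for entries under _deleted_ are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical, simplified model of the two structures PyFlag reconciles.
# Inode addresses are strings in Sleuth Kit style, e.g. "1223-128-4".


@dataclass(frozen=True)
class Inode:
    addr: str
    allocated: bool   # False: marked unused, metadata may survive
    size: int         # metadata that survives on a deleted inode


@dataclass(frozen=True)
class DirEntry:
    name: str
    inode: Optional[str]  # None: the inode link was lost in unused directory space
    allocated: bool       # False: entry recovered from unused directory space


Row = Tuple[str, str, str]  # (display path, displayed inode, Del column icon)


def classify(entries: List[DirEntry], inodes: Dict[str, Inode], mount: str = "/") -> List[Row]:
    """Turn directory entries + inode table into file-viewer rows, as described on this page."""
    rows: List[Row] = []
    named = set()  # inode addresses that some directory entry still points at
    for e in entries:
        path = mount + e.name
        if e.allocated:
            # Allocated file: live name pointing at a live inode -> 'tick'.
            named.add(e.inode)
            rows.append((path, e.inode, "tick"))
        elif e.inode is None or e.inode not in inodes:
            # Inode unknown: link lost; the lost link is shown as '0'.
            # (Icon name 'unknown' is an assumption; the page gives none.)
            rows.append((path, "0", "unknown"))
        elif inodes[e.inode].allocated:
            # Realloc: the inode now belongs to a different, live file. The '*'
            # suffix warns that metadata and data relate to that new file.
            rows.append((path, e.inode + "*", "round arrow"))
        else:
            # Inode unallocated: its metadata *may* once have belonged to this
            # name, but a later (also deleted) file may have reused it -> 'cross'.
            named.add(e.inode)
            rows.append((path, e.inode, "cross"))
    # Deleted inodes with no surviving filename appear under _deleted_.
    for addr, ino in inodes.items():
        if not ino.allocated and addr not in named:
            rows.append((mount + "_deleted_/" + addr, addr, "cross"))  # icon assumed
    return sorted(rows)


# Constructed sample: two live files, one reused MFT entry, one orphaned inode.
SAMPLE_INODES: Dict[str, Inode] = {
    "64-128-1": Inode("64-128-1", True, 1200),
    "1223-128-4": Inode("1223-128-4", True, 40960),
    "77-128-1": Inode("77-128-1", False, 8192),
    "90-128-1": Inode("90-128-1", False, 512),
}
SAMPLE_ENTRIES: List[DirEntry] = [
    DirEntry("readme.txt", "64-128-1", True),
    DirEntry("new.docx", "1223-128-4", True),
    DirEntry("old.docx", "1223-128-4", False),  # old name, inode reused by new.docx
    DirEntry("old.log", "77-128-1", False),     # old name, inode still unused
    DirEntry("lost.tmp", None, False),          # recovered name, link lost
]


def sample_rows() -> List[Row]:
    return classify(SAMPLE_ENTRIES, SAMPLE_INODES)


if __name__ == "__main__":
    for path, ino, icon in sample_rows():
        print(f"{icon:12} {ino:14} {path}")
```

Note that old.docx and new.docx share the same inode address; only the '*' suffix tells the analyst that the size and timestamps shown beside old.docx belong to new.docx, while 90-128-1 surfaces only under _deleted_ because no recovered name links to it.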