Re: [sleuthkit-users] Windows file owner/groups
From: Brian C. <ca...@sl...> - 2008-02-29 14:13:09
On Feb 29, 2008, at 1:12 AM, Tim wrote:

>> I don't think that we need new code. All of the code that we need is
>> there.
>
> Just so I'm sure I understand, which code are you referring to? The
> code I'm talking about will take raw ACLs and ACEs and parse them up
> reasonably well, sans the mapping of SIDs to user names. Is there
> already some code in the TSK that can do this?

There is some code in TSK that was contributed, but has been commented out. It was causing crashes and I didn't have the cycles to clean it up. The code was "removed" from the default build by surrounding it with #defines for TSK_USE_SID. The relevant code is in tsk/fs/ntfs.c and tsk/fs/tsk_ntfs.h.

brian