Re: [sleuthkit-users] Windows file owner/groups
From: Simson G. <si...@ac...> - 2008-02-29 05:38:03
I don't think that we need new code. All of the code that we need is there. What I need is a clear description of how to read the various security files to turn them into usable ACLs. I might be able to get a student to do it, if I can get a clear specification...

On Feb 28, 2008, at 6:25 PM, Tim wrote:

> Hi Simson,
>
>> I am interested in modifying Sleuthkit to retrieve the Windows
>> permissions. I've looked at this before and it should be possible, but I
>> have never gotten to really get into it. Anybody interested in helping?
>
> I too have noticed this lacking feature in the SleuthKit. I believe the
> format of the ACL/ACEs would be the same as exists in the Windows
> registry. Since I've got code in RegLookup to do that, I was going to
> write a tool to parse the structures that TSK can dump.
>
> The only sticky issue is that much of the nitty gritty parsing code in
> RegLookup comes from the Samba project and is GPLed. TSK is already
> weighted down with enough licenses as it is and this code wouldn't be
> compatible. My plan was just to write a command line tool that could
> take the raw binary data and kick out a human-readable ACL.
>
> Perhaps there's some BSD licensed code out there that could be used
> instead though.
>
> cheers,
> tim
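Added example, not part of the original thread and not Sleuth Kit, RegLookup or Samba code: a minimal parser for the self-relative Windows security descriptor layout (header, SIDs, DACL of basic ACEs), the kind of "raw binary in, readable ACL out" tool discussed above. The function names and the `SAMPLE` bytes are constructed for illustration; SACLs and object/callback ACE types are not decoded.

```python
import struct
ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}  # types laid out as header, mask, SID

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:]; return (text form, byte length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")       # 48-bit authority, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # sub-authorities, little-endian
    return "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs]), 8 + 4 * count

def parse_acl(buf, off):
    """Return a list of (type, flags, access mask, SID) for the ACL at buf[off:]."""
    _, _, size, count, _ = struct.unpack_from("<BBHHH", buf, off)
    end = off + size
    if end > len(buf):
        raise ValueError("ACL overruns buffer")
    aces, pos = [], off + 8
    for _ in range(count):
        atype, flags, asize = struct.unpack_from("<BBH", buf, pos)
        if asize < 4 or pos + asize > end:
            raise ValueError("ACE overruns ACL")
        if atype in ACE_TYPES:
            mask, = struct.unpack_from("<I", buf, pos + 4)
            sid, slen = parse_sid(buf, pos + 8)
            if 8 + slen > asize:
                raise ValueError("SID overruns ACE")
            aces.append((ACE_TYPES[atype], flags, mask, sid))
        else:  # object/callback ACE types: reported, not decoded
            aces.append(("TYPE_%d" % atype, flags, None, None))
        pos += asize                                          # AceSize is the only safe stride
    return aces

def parse_security_descriptor(buf):
    """Parse a self-relative security descriptor into owner, group and DACL."""
    _, _, control, o_owner, o_group, _, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & 0x8000:                                  # SE_SELF_RELATIVE
        raise ValueError("descriptor is not self-relative")
    return {"owner": parse_sid(buf, o_owner)[0] if o_owner else None,
            "group": parse_sid(buf, o_group)[0] if o_group else None,
            "dacl": parse_acl(buf, o_dacl) if control & 0x0004 and o_dacl else None}

# Constructed sample descriptor (not taken from a real volume or registry hive).
SAMPLE = bytes.fromhex(
    "01 00 0480 48000000 58000000 00000000 14000000  02 00 3400 0200 0000"  # SD + ACL headers
    "00 00 1800 ff011f00 0102 000000000005 20000000 20020000"  # allow S-1-5-32-544
    "00 00 1400 a9001200 0101 000000000001 00000000"           # allow S-1-1-0
    "0102 000000000005 20000000 20020000  0101 000000000005 12000000")  # owner, group
if __name__ == "__main__":
    print(parse_security_descriptor(SAMPLE))
```
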