Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
From: Christie P. <cpe...@jh...> - 2014-08-20 19:12:22
Hi Alex,

Thanks for the response & the explanation of how Fiwalk runs plugins. From the Fiwalk XML output, it looks like $MBR, $FAT1, $FAT2 and $OrphanFiles are being exposed as virtual files, but the plugin is not running over them. I don’t have anything called $Boot.

Christie

From: Alex Nelson [mailto:ajn...@cs...]
Sent: Tuesday, August 19, 2014 11:21 AM
To: Christie Peterson
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

Fiwalk runs plugins against individual files, not against the entire disk image. For your floppy, is the boot sector being exposed as a virtual file, like a FAT file system's allocation table is exposed as $FAT1 or $FAT2? (Offhand I recall Fiwalk doesn't do this for floppies, but I don't have a floppy handy to test. Fiwalk usually creates all its virtual and non-virtual files starting at the scope of the file system, after the partition table is processed.) If the boot sector isn't exposed as a virtual file, Fiwalk won't clamscan it. Could you post the names of files with a $ at the beginning? The boot sector would be $Boot or something similar if it existed.

--Alex

On Mon, Aug 18, 2014 at 3:35 PM, Christie Peterson <cpe...@jh...> wrote:

I have some floppy disks known to be infected with the boot sector virus AntiCMOS.B, but when I run ficlam.sh/clamconfig.txt (https://github.com/sleuthkit/sleuthkit/tree/master/tools/fiwalk/plugins) against images of these disks, it returns nothing found. I’m wondering if this is because of how fiwalk “walks” disk images – would a malware scan using fiwalk to access the contents of a disk image ever find something in the boot sector? I’d appreciate any explanation that you could provide.

Thanks in advance,
Christie Peterson

------------------------------------------------------------------------------
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
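The thread's point is a coverage gap: a fiwalk plugin only sees what fiwalk exposes as a file, so a boot sector that is not surfaced as a virtual file is never handed to clamscan. The script below is an added example, not code from the thread, from fiwalk or from The Sleuth Kit. It reads a fiwalk-style DFXML listing to show which `$`-prefixed virtual files a plugin would be given and whether any of them is the boot sector (it assumes the `fileobject`/`filename` element names fiwalk emits and the `$MBR`/`$Boot` names mentioned in the thread), then carves logical sector 0 from the image so that sector can be scanned on its own when it is not covered. The DFXML fragment and the floppy image are constructed sample data.

```python
"""Coverage check for a fiwalk + clamscan workflow on a floppy image.

Added example (not part of the sleuthkit-users thread, fiwalk or TSK).
  1. list the '$'-prefixed virtual files in a DFXML listing, i.e. what
     fiwalk hands to a per-file plugin, and say whether the boot sector
     is among them;
  2. carve sector 0 of the image so it can be scanned separately when
     fiwalk does not expose it.
The DFXML snippet and the disk image below are constructed sample data.
"""
import hashlib
import io
import xml.etree.ElementTree as ET

SECTOR_SIZE = 512
# Assumed names: the thread mentions $MBR (exposed) and $Boot (asked about).
BOOT_SECTOR_NAMES = {"$Boot", "$MBR"}

# Constructed DFXML fragment in the shape fiwalk emits; the xmlns is omitted
# here on purpose, and local_name() copes with it either way.
SAMPLE_DFXML = """<?xml version="1.0"?>
<dfxml>
  <volume offset="0">
    <fileobject><filename>$MBR</filename><filesize>512</filesize></fileobject>
    <fileobject><filename>$FAT1</filename><filesize>4608</filesize></fileobject>
    <fileobject><filename>$FAT2</filename><filesize>4608</filesize></fileobject>
    <fileobject><filename>$OrphanFiles</filename><filesize>0</filesize></fileobject>
    <fileobject><filename>README.TXT</filename><filesize>120</filesize></fileobject>
  </volume>
</dfxml>
"""


def local_name(tag):
    """Strip an XML namespace prefix so '{ns}fileobject' compares as 'fileobject'."""
    return tag.rsplit("}", 1)[-1]


def virtual_files(dfxml_text):
    """Return the '$'-prefixed fileobject names, in document order."""
    root = ET.fromstring(dfxml_text)
    names = []
    for elem in root.iter():
        if local_name(elem.tag) != "fileobject":
            continue
        for child in elem:
            if local_name(child.tag) == "filename" and child.text and child.text.startswith("$"):
                names.append(child.text)
    return names


def boot_sector_covered(dfxml_text):
    """True only if a boot-sector virtual file appears in the listing."""
    return any(name in BOOT_SECTOR_NAMES for name in virtual_files(dfxml_text))


def carve_boot_sector(image):
    """Read the first 512 bytes of a file-like image: the floppy boot sector."""
    image.seek(0)
    sector = image.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError("image shorter than one sector")
    return sector


def boot_sector_report(sector):
    """Summarize a carved sector: 0x55AA signature, jump opcode, sha256 for triage."""
    return {
        "has_55aa_signature": sector[510:512] == b"\x55\xaa",
        "starts_with_jump": sector[0] in (0xEB, 0xE9),
        "sha256": hashlib.sha256(sector).hexdigest(),
    }


def make_sample_image():
    """Construct a 1.44 MB-sized image whose sector 0 looks like a FAT boot sector."""
    sector0 = bytearray(SECTOR_SIZE)
    sector0[0:3] = b"\xEB\x3C\x90"      # JMP short + NOP, as a FAT BPB begins
    sector0[3:11] = b"MSDOS5.0"         # OEM name field
    sector0[510:512] = b"\x55\xAA"      # boot signature
    return io.BytesIO(bytes(sector0) + b"\x00" * (SECTOR_SIZE * 2879))


if __name__ == "__main__":
    print("virtual files handed to the plugin:", virtual_files(SAMPLE_DFXML))
    print("boot sector exposed by fiwalk:", boot_sector_covered(SAMPLE_DFXML))
    sector = carve_boot_sector(make_sample_image())
    print("sector 0:", boot_sector_report(sector))
    # If the listing lacks a boot-sector entry, write `sector` to a file and
    # pass that file to clamscan directly, outside the fiwalk plugin run.
```

Run it against a real image by replacing `make_sample_image()` with `open("floppy.img", "rb")` and `SAMPLE_DFXML` with the fiwalk output file; the carve step is the part that closes the gap, since it does not depend on how fiwalk chooses to expose the volume.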