Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
From: Christie P. <cpe...@jh...> - 2014-08-20 20:29:40
Actually, I take that back – the adjustment part, not the thanks part. I realized after clicking send that you were pointing to an adjustment to be made in Fiwalk, not in the plugin. I'm afraid C++ is beyond both my skills and my ambition at this point.

Best,
Christie

From: Christie Peterson
Sent: Wednesday, August 20, 2014 4:13 PM
To: 'Alex Nelson'
Cc: sle...@li...
Subject: RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running. I will definitely submit the adjustment, though it could be a while before I manage to do it.

Best,
Christie

From: Alex Nelson [mailto:ajn...@cs...]
Sent: Wednesday, August 20, 2014 4:10 PM
To: Christie Peterson
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset). I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:

https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345

The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name. Would you like to submit that adjustment?
--Alex

On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:

Here is the full <fileobject> for $MBR:

    <fileobject>
      <parent_object>
        <inode>2</inode>
      </parent_object>
      <filename>$MBR</filename>
      <partition>1</partition>
      <id>36</id>
      <name_type>v</name_type>
      <filesize>512</filesize>
      <alloc>1</alloc>
      <used>1</used>
      <inode>11443</inode>
      <meta_type>10</meta_type>
      <mode>0</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <byte_runs>
        <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
      </byte_runs>
      <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
      <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
    </fileobject>

If the plugin had run, there would be an entry after the <hashdigest> entries.

Christie
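The thread above boils down to one dispatch decision: fiwalk hands a file to its plugins only when TSK classifies it as a regular file, and the $MBR entry is a virtual file (name_type v, meta_type 10, i.e. TSK_FS_META_TYPE_VIRT), so the ClamAV plugin never saw the boot sector. The script below is an added example, not fiwalk's own code and not from anyone in the thread: it parses the DFXML <fileobject> Christie posted, re-expresses the "regular files only" rule over the serialised DFXML fields, adds the third, name-keyed boolean Alex proposes, and shows what a boot-sector plugin would actually receive for $MBR by reading its byte run out of a constructed disk image. fiwalk's real check is C++ working on TSK structures, so the field choices, function names and the VIRTUAL_SCAN_NAMES allow-list here are illustrative assumptions.

```python
"""Added example, not fiwalk's own code: why the $MBR <fileobject> in this
thread never reached a plugin, and what a name-based exception would do.

fiwalk's actual check lives in tools/fiwalk/src/fiwalk_tsk.cpp and works on
TSK structures; here the rule is re-expressed over DFXML fields, so function
names, the allow-list and the sample image are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

# TSK type codes as serialised in DFXML. <meta_type>10</meta_type> in the
# posted object is TSK_FS_META_TYPE_VIRT; <name_type>v</name_type> is the
# virtual name type Alex points at.
NAME_TYPE_REG, NAME_TYPE_VIRT = "r", "v"
META_TYPE_REG, META_TYPE_VIRT = 1, 10

# Hypothetical allow-list of virtual entries that should still reach plugins.
VIRTUAL_SCAN_NAMES = frozenset({"$MBR"})

# The <fileobject> from Christie's message, embedded verbatim as input.
MBR_FILEOBJECT = """<fileobject>
<parent_object><inode>2</inode></parent_object>
<filename>$MBR</filename><partition>1</partition><id>36</id>
<name_type>v</name_type><filesize>512</filesize><alloc>1</alloc><used>1</used>
<inode>11443</inode><meta_type>10</meta_type><mode>0</mode><nlink>1</nlink>
<uid>0</uid><gid>0</gid>
<byte_runs><byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/></byte_runs>
<hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
<hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
</fileobject>"""

# A constructed regular-file object for contrast (not from the thread).
REGULAR_FILEOBJECT = """<fileobject><filename>readme.txt</filename>
<name_type>r</name_type><filesize>4</filesize><meta_type>1</meta_type>
<byte_runs><byte_run file_offset="0" fs_offset="4096" img_offset="4096" len="4"/></byte_runs>
</fileobject>"""


def parse_fileobject(xml_text):
    """Pull the fields the dispatch decision and a scanner need from one <fileobject>."""
    root = ET.fromstring(xml_text)

    def text(tag, default=""):
        el = root.find(tag)
        return el.text if el is not None and el.text is not None else default

    return {
        "filename": text("filename"),
        "name_type": text("name_type"),
        "meta_type": int(text("meta_type", "0")),
        "filesize": int(text("filesize", "0")),
        "byte_runs": [{k: int(v) for k, v in run.attrib.items()} for run in root.iter("byte_run")],
        "hashes": {h.get("type"): h.text for h in root.iter("hashdigest")},
    }


def is_regular(fo):
    """The rule the thread attributes to fiwalk: only regular files reach plugins."""
    return fo["name_type"] == NAME_TYPE_REG and fo["meta_type"] == META_TYPE_REG


def should_run_plugins(fo, virtual_names=frozenset()):
    """Proposed revision: a third boolean keyed on the file's type *and* name."""
    named_virtual = fo["name_type"] == NAME_TYPE_VIRT and fo["filename"] in virtual_names
    return is_regular(fo) or named_virtual


def extract_runs(image, fo):
    """Concatenate the object's byte runs from a raw image: the bytes a plugin would scan."""
    return b"".join(image[r["img_offset"]:r["img_offset"] + r["len"]] for r in fo["byte_runs"])


def has_boot_signature(sector):
    """First sanity check of any boot-sector scanner: 0x55AA at offset 510."""
    return len(sector) >= 512 and sector[510:512] == b"\x55\xaa"


def constructed_image():
    """Constructed 8 KiB image: zeros except for the MBR signature (not a real disk)."""
    img = bytearray(8192)
    img[510:512] = b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    mbr = parse_fileobject(MBR_FILEOBJECT)
    print(mbr["filename"], "name_type", mbr["name_type"], "regular:", is_regular(mbr))
    print("plugins run under current rule:", should_run_plugins(mbr))
    print("plugins run with $MBR exception:", should_run_plugins(mbr, VIRTUAL_SCAN_NAMES))
    sector = extract_runs(constructed_image(), mbr)
    print("bytes handed to scanner:", len(sector), "boot signature:", has_boot_signature(sector))
```

Run against the posted object, the current rule returns False (virtual entry, so no plugin output after the <hashdigest> elements, exactly what Christie observed) and the amended rule returns True only because "$MBR" is on the allow-list; an unnamed virtual entry would still be skipped, which is why Alex asks for the boolean to be keyed on the name rather than simply dropping the regular-file test.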