Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
From: Alex N. <ajn...@cs...> - 2014-08-20 20:36:56
That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset). I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:

https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345

The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.

Would you like to submit that adjustment?

--Alex

On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:
> Here is the full <fileobject> for $MBR:
>
> <fileobject>
>   <parent_object>
>     <inode>2</inode>
>   </parent_object>
>   <filename>$MBR</filename>
>   <partition>1</partition>
>   <id>36</id>
>   <name_type>v</name_type>
>   <filesize>512</filesize>
>   <alloc>1</alloc>
>   <used>1</used>
>   <inode>11443</inode>
>   <meta_type>10</meta_type>
>   <mode>0</mode>
>   <nlink>1</nlink>
>   <uid>0</uid>
>   <gid>0</gid>
>   <byte_runs>
>     <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
>   </byte_runs>
>   <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
>   <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
> </fileobject>
>
> If the plugin had run, there would be an entry after the <hashdigest> entries.
>
> Christie
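The selection rule the thread discusses, worked through on DFXML output as an added example (this is not fiwalk's own code, which is C++; it mirrors the proposed change in Python against the fileobject quoted above). The two non-$MBR fileobjects and the allow-list of virtual names are constructed for the example; only $MBR comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed DFXML sample: the $MBR fileobject quoted in the thread (trimmed),
# plus two fileobjects invented for contrast (a regular file and another virtual one).
SAMPLE_DFXML = """<dfxml>
<fileobject>
  <filename>$MBR</filename><name_type>v</name_type><meta_type>10</meta_type>
  <filesize>512</filesize>
  <byte_runs><byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/></byte_runs>
</fileobject>
<fileobject>
  <filename>Documents/notes.txt</filename><name_type>r</name_type><meta_type>1</meta_type>
  <filesize>40</filesize>
  <byte_runs><byte_run file_offset="0" fs_offset="8192" img_offset="40960" len="40"/></byte_runs>
</fileobject>
<fileobject>
  <filename>$OrphanFiles</filename><name_type>v</name_type><meta_type>10</meta_type>
  <filesize>0</filesize>
</fileobject>
</dfxml>"""

# Virtual files that still deserve a scan. Only $MBR comes from the thread; the
# allow-list itself is an assumption so callers can extend it.
SCAN_VIRTUAL = frozenset({"$MBR"})

def regular_only(fo):
    """The check the thread describes: plugins run on regular ("r") files only."""
    return fo.findtext("name_type") == "r"

def regular_or_named_virtual(fo, scan_virtual=SCAN_VIRTUAL):
    """Proposed rule: a third condition keyed on type *and* name, so a virtual
    ("v") file is scanned only when its name is on the allow-list."""
    name_type = fo.findtext("name_type")
    is_virtual_of_interest = name_type == "v" and fo.findtext("filename") in scan_virtual
    return regular_only(fo) or is_virtual_of_interest

def select_for_scanning(dfxml_text, rule):
    """Return (filename, [(img_offset, len), ...]) for each fileobject the rule
    accepts, i.e. the image regions a scanner plugin would be handed."""
    selected = []
    for fo in ET.fromstring(dfxml_text).iter("fileobject"):
        if not rule(fo):
            continue
        runs = [(int(r.get("img_offset")), int(r.get("len")))
                for r in fo.iterfind("byte_runs/byte_run")]
        selected.append((fo.findtext("filename"), runs))
    return selected
```

Under the current rule $MBR never reaches the plugin, which is why no scanner entry follows the hash digests; under the proposed rule it is handed over as the 512-byte run at image offset 0 while other virtual files such as $OrphanFiles are still skipped.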