Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
From: Alex N. <ajn...@cs...> - 2014-08-20 20:41:39
Ah, ok. I can make that adjustment, but I have a few things on my queue to get to first.

--Alex

On Wed, Aug 20, 2014 at 4:29 PM, Christie Peterson <cpe...@jh...> wrote:
> Actually, I take that back – the adjustment part, not the thanks part.
>
> I realized after clicking send that you were pointing to an adjustment to be made in Fiwalk, not in the plugin. I'm afraid C++ is beyond both my skills and my ambition at this point.
>
> Best,
>
> Christie
>
> *From:* Christie Peterson
> *Sent:* Wednesday, August 20, 2014 4:13 PM
> *To:* 'Alex Nelson'
> *Cc:* sle...@li...
> *Subject:* RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running.
>
> I will definitely submit the adjustment, though it could be a while before I manage to do it.
>
> Best,
>
> Christie
>
> *From:* Alex Nelson [mailto:ajn...@cs... <ajn...@cs...>]
> *Sent:* Wednesday, August 20, 2014 4:10 PM
> *To:* Christie Peterson
> *Cc:* sle...@li...
> *Subject:* Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset).
>
> I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:
>
> https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345
>
> The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.
>
> Would you like to submit that adjustment?
>
> --Alex
>
> On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:
> > Here is the full <fileobject> for $MBR:
> >
> > <fileobject>
> > <parent_object>
> > <inode>2</inode>
> > </parent_object>
> > <filename>$MBR</filename>
> > <partition>1</partition>
> > <id>36</id>
> > <name_type>v</name_type>
> > <filesize>512</filesize>
> > <alloc>1</alloc>
> > <used>1</used>
> > <inode>11443</inode>
> > <meta_type>10</meta_type>
> > <mode>0</mode>
> > <nlink>1</nlink>
> > <uid>0</uid>
> > <gid>0</gid>
> > <byte_runs>
> > <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
> > </byte_runs>
> > <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
> > <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
> > </fileobject>
> >
> > If the plugin had run, there would be an entry after the <hashdigest> entries.
> >
> > Christie
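As an added example (not fiwalk's own code, and not from anyone in the thread), this parses the $MBR <fileobject> quoted above and applies both the regular-file-only plugin check Alex points at and an adjusted check that also admits a virtual file by name; the set of admitted virtual names is my assumption, and the byte runs show where a scanner would read the 512 boot-sector bytes from the image.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <fileobject> for $MBR quoted in the thread.
MBR_FILEOBJECT = """<fileobject>
  <parent_object><inode>2</inode></parent_object>
  <filename>$MBR</filename>
  <partition>1</partition>
  <id>36</id>
  <name_type>v</name_type>
  <filesize>512</filesize>
  <alloc>1</alloc>
  <used>1</used>
  <inode>11443</inode>
  <meta_type>10</meta_type>
  <byte_runs>
    <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
  </byte_runs>
  <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
  <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
</fileobject>"""

# Assumption (mine, not fiwalk's): the only virtual name the adjusted
# check should admit is the MBR; fiwalk would own the real list.
SCAN_VIRTUAL_NAMES = {"$MBR"}

def parse_fileobject(xml_text):
    """Return (filename, name_type, [(img_offset, len), ...]) from one DFXML fileobject."""
    root = ET.fromstring(xml_text)
    runs = [(int(r.get("img_offset")), int(r.get("len")))
            for r in root.iter("byte_run")]
    return root.findtext("filename"), root.findtext("name_type"), runs

def plugins_run_original(name_type, filename):
    """The check the thread points at: plugins only on regular ('r') files."""
    return name_type == "r"

def plugins_run_adjusted(name_type, filename):
    """Proposed tweak: also admit a virtual ('v') file whose name matches."""
    return name_type == "r" or (name_type == "v" and filename in SCAN_VIRTUAL_NAMES)

def mbr_scan_decision(xml_text):
    """(original_verdict, adjusted_verdict, byte_runs) for one fileobject;
    the byte runs are where a scanner would read the boot-sector bytes."""
    filename, name_type, runs = parse_fileobject(xml_text)
    return (plugins_run_original(name_type, filename),
            plugins_run_adjusted(name_type, filename), runs)
```

For the quoted $MBR object the original check returns False (so the clam plugin never ran) and the adjusted one returns True, with a single 512-byte run at image offset 0.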