Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
From: Simson G. <si...@ac...> - 2014-08-20 21:01:43
Christie, It seems like you're going through a huge amount of work to get this to work. Why don't you just use 'dd' and copy out the MBR into a file, and then run clamav on the resulting file? Is there some reason you need to do this within fiwalk?

On Aug 20, 2014, at 4:41 PM, Alex Nelson <ajn...@cs...> wrote:

> Ah, ok. I can make that adjustment, but I have a few things on my queue to get to first.
>
> --Alex
>
>
> On Wed, Aug 20, 2014 at 4:29 PM, Christie Peterson <cpe...@jh...> wrote:
> Actually, I take that back – the adjustment part, not the thanks part.
>
> I realized after clicking send that you were pointing to an adjustment to be made in Fiwalk, not in the plugin. I’m afraid C++ is beyond both my skills and my ambition at this point.
>
> Best,
>
> Christie
>
> From: Christie Peterson
> Sent: Wednesday, August 20, 2014 4:13 PM
> To: 'Alex Nelson'
> Cc: sle...@li...
> Subject: RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running.
>
> I will definitely submit the adjustment, though it could be a while before I manage to do it.
>
> Best,
>
> Christie
>
>
> From: Alex Nelson [mailto:ajn...@cs...]
> Sent: Wednesday, August 20, 2014 4:10 PM
> To: Christie Peterson
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset).
>
> I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:
>
> https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345
>
> The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.
>
> Would you like to submit that adjustment?
>
> --Alex
>
> On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:
>
> Here is the full <fileobject> for $MBR:
>
> <fileobject>
> <parent_object>
> <inode>2</inode>
> </parent_object>
> <filename>$MBR</filename>
> <partition>1</partition>
> <id>36</id>
> <name_type>v</name_type>
> <filesize>512</filesize>
> <alloc>1</alloc>
> <used>1</used>
> <inode>11443</inode>
> <meta_type>10</meta_type>
> <mode>0</mode>
> <nlink>1</nlink>
> <uid>0</uid>
> <gid>0</gid>
> <byte_runs>
> <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
> </byte_runs>
> <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
> <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
> </fileobject>
>
> If the plugin had run, there would be an entry after the <hashdigest> entries.
>
> Christie
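The "carve it out and scan it outside fiwalk" route suggested at the top of the thread, as an added Python example that is not fiwalk's or the clam plugin's own code: it reads the $MBR <fileobject>'s <byte_runs> from DFXML, carves those bytes from the image, checks them against the recorded md5 <hashdigest>, and writes them to a file that clamscan can be pointed at. The sample image and DFXML are constructed, and the function names (_kids, carve_fileobject, write_for_scan) are this example's own.

```python
"""Carve $MBR out of a disk image using its DFXML <byte_runs>, check the bytes
against the recorded md5 <hashdigest>, and save them to a file for clamscan."""
import hashlib
import io
import xml.etree.ElementTree as ET

# Constructed sample image: two 512-byte sectors, the first standing in for the MBR.
SAMPLE_IMAGE = bytes(range(256)) * 2 + b"\x00" * 512
# Constructed DFXML in the shape of fiwalk's output; md5 computed from the sample image.
SAMPLE_DFXML = """<dfxml><fileobject>
  <filename>$MBR</filename><name_type>v</name_type><filesize>512</filesize>
  <byte_runs><byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/></byte_runs>
  <hashdigest type="md5">%s</hashdigest>
</fileobject></dfxml>""" % hashlib.md5(SAMPLE_IMAGE[:512]).hexdigest()


def _kids(elem, name):
    """Descendants with the given local tag; real fiwalk DFXML uses a default namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def carve_fileobject(dfxml_text, image, filename="$MBR"):
    """Return (data, md5_ok) for the named fileobject, or None if it is absent."""
    if isinstance(image, (bytes, bytearray)):  # accept raw bytes or a seekable file object
        image = io.BytesIO(image)
    for fo in _kids(ET.fromstring(dfxml_text), "fileobject"):
        if [e.text for e in _kids(fo, "filename")] != [filename]:
            continue
        data = b""
        for run in _kids(fo, "byte_run"):  # an object may be split over several runs
            offset, length = int(run.get("img_offset")), int(run.get("len"))
            image.seek(offset)
            chunk = image.read(length)
            if len(chunk) != length:
                raise ValueError("byte_run at %d runs past the end of the image" % offset)
            data += chunk
        recorded = [e.text for e in _kids(fo, "hashdigest") if e.get("type") == "md5"]
        md5_ok = bool(recorded) and hashlib.md5(data).hexdigest() == recorded[0].lower()
        return data, md5_ok
    return None


def write_for_scan(dfxml_text, image, out_path, filename="$MBR"):
    """Write the carved bytes to out_path only if the md5 matches; returns the byte count."""
    result = carve_fileobject(dfxml_text, image, filename)
    if result is None or not result[1]:
        raise ValueError("%s missing from DFXML or its md5 does not match" % filename)
    with open(out_path, "wb") as fh:
        fh.write(result[0])
    return len(result[0])  # next step outside fiwalk: clamscan out_path
```

With a real image, pass an open file object so only the listed runs are read; the hash check confirms the carve matches what fiwalk recorded before the file goes to clamscan.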