Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
From: Alex N. <ajn...@cs...> - 2014-08-21 20:07:00
Hi Christie,

I've developed a patch that compiles, and I think will do what you want, but I haven't tested it yet. Could you test it and see if running this modified Fiwalk, clamscan on your disk, and clamscan on your disk's dd'd boot sector report what you're looking for?

https://github.com/ajnelson/sleuthkit/tree/testing/fiwalk_plugins_on_virtuals

(Feel free to email me off-list for any testing logistics.)

--Alex

On Wed, Aug 20, 2014 at 4:59 PM, Christie Peterson <cpe...@jh...> wrote:

> My goal is to use fiwalk to automate a number of functions (including
> virus scan) over a collection of disk images, building off of the python
> scripts that can be found at https://github.com/anarchivist/fiwalk-dgi
>
> As I was testing pyclam, though, I realized it was not catching a known
> BSV, which led to this thread.
>
> Thanks,
>
> Christie
>
> *From:* Simson Garfinkel [mailto:si...@ac...]
> *Sent:* Wednesday, August 20, 2014 4:44 PM
> *To:* Alex Nelson
> *Cc:* Christie Peterson; sle...@li...
> *Subject:* Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Christie,
>
> It seems like you're going through a huge amount of work to get this to
> work. Why don't you just use 'dd' and copy out the MBR into a file, and
> then run clamav on the resulting file? Is there some reason you need to do
> this within fiwalk?
>
> On Aug 20, 2014, at 4:41 PM, Alex Nelson <ajn...@cs...> wrote:
>
> Ah, ok. I can make that adjustment, but I have a few things on my queue
> to get to first.
>
> --Alex
>
> On Wed, Aug 20, 2014 at 4:29 PM, Christie Peterson <cpe...@jh...> wrote:
>
> Actually, I take that back – the adjustment part, not the thanks part.
>
> I realized after clicking send that you were pointing to an adjustment to
> be made in Fiwalk, not in the plugin. I'm afraid C++ is beyond both my
> skills and my ambition at this point.
>
> Best,
>
> Christie
>
> *From:* Christie Peterson
> *Sent:* Wednesday, August 20, 2014 4:13 PM
> *To:* 'Alex Nelson'
> *Cc:* sle...@li...
> *Subject:* RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Thanks for catching that, Alex! Going to the script was my next step, once
> I got a better handle on how Fiwalk was actually running.
>
> I will definitely submit the adjustment, though it could be a while before
> I manage to do it.
>
> Best,
>
> Christie
>
> *From:* Alex Nelson [mailto:ajn...@cs...]
> *Sent:* Wednesday, August 20, 2014 4:10 PM
> *To:* Christie Peterson
> *Cc:* sle...@li...
> *Subject:* Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> That file object looks fine (though I could be highly pedantic and argue
> that $MBR semantically has neither parent nor fs_offset).
>
> I did find why the plugin didn't run, though. Note that <name_type> is v,
> which TSK uses for virtual files. There is a specific check in place to
> only run plugins on "Regular" files:
>
> https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345
>
> The correct revision for scanning the MBR would be to add a third boolean
> into L347 based on the file's type and name, tweaking the test at L345 to
> set the boolean based on matching name.
>
> Would you like to submit that adjustment?
>
> --Alex
>
> On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:
>
> Here is the full <fileobject> for $MBR:
>
> <fileobject>
>   <parent_object>
>     <inode>2</inode>
>   </parent_object>
>   <filename>$MBR</filename>
>   <partition>1</partition>
>   <id>36</id>
>   <name_type>v</name_type>
>   <filesize>512</filesize>
>   <alloc>1</alloc>
>   <used>1</used>
>   <inode>11443</inode>
>   <meta_type>10</meta_type>
>   <mode>0</mode>
>   <nlink>1</nlink>
>   <uid>0</uid>
>   <gid>0</gid>
>   <byte_runs>
>     <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
>   </byte_runs>
>   <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
>   <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
> </fileobject>
>
> If the plugin had run, there would be an entry after the <hashdigest>
> entries.
>
> Christie
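The "dd out the MBR and scan it" route Simson suggests, generalized: pull every object fiwalk reports with <name_type> v (the $MBR above) out of the image by its <byte_run> img_offset/len entries, and verify the carve against the DFXML md5 before handing it to a scanner. This is an added Python example, not code from the thread, fiwalk or fiwalk-dgi; the image bytes and DFXML are constructed samples modelled on the <fileobject> quoted above, and carve_virtual_files and _local are names chosen here.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample image (not a real disk): 2048 bytes, MBR in the first sector.
SAMPLE_IMAGE = bytes(range(256)) * 2 + b"\x00" * 1536
SAMPLE_MBR_MD5 = hashlib.md5(SAMPLE_IMAGE[:512]).hexdigest()

# Constructed DFXML modelled on the $MBR <fileobject> in the thread, plus a regular file the carver must skip.
SAMPLE_DFXML = """<dfxml>
<fileobject>
  <filename>$MBR</filename><name_type>v</name_type><filesize>512</filesize>
  <byte_runs><byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/></byte_runs>
  <hashdigest type="md5">{md5}</hashdigest>
</fileobject>
<fileobject>
  <filename>readme.txt</filename><name_type>r</name_type><filesize>7</filesize>
  <byte_runs><byte_run file_offset="0" img_offset="1024" len="7"/></byte_runs>
</fileobject>
</dfxml>""".format(md5=SAMPLE_MBR_MD5)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML default-namespace prefix, if any

def carve_virtual_files(dfxml_text, image):
    """Return {filename: (data, md5_ok)} for each <fileobject> whose <name_type> is
    'v' (a TSK virtual file such as $MBR), reassembling its bytes from the
    <byte_run> img_offset/len pairs. md5_ok is None if no md5 digest is recorded."""
    out = {}
    for fo in ET.fromstring(dfxml_text).iter():
        if _local(fo.tag) != "fileobject":
            continue
        kids = {_local(c.tag): (c.text or "").strip() for c in fo}
        if kids.get("name_type") != "v":
            continue
        runs = [r for r in fo.iter() if _local(r.tag) == "byte_run" and r.get("img_offset")]
        runs.sort(key=lambda r: int(r.get("file_offset", 0)))  # file order, not image order
        data = b"".join(image[int(r.get("img_offset")):int(r.get("img_offset")) + int(r.get("len"))]
                        for r in runs)
        md5_ok = None
        for h in fo.iter():
            if _local(h.tag) == "hashdigest" and h.get("type") == "md5":
                md5_ok = hashlib.md5(data).hexdigest() == (h.text or "").strip()
        out[kids["filename"]] = (data, md5_ok)
    return out

if __name__ == "__main__":
    for name, (data, ok) in carve_virtual_files(SAMPLE_DFXML, SAMPLE_IMAGE).items():
        path = name.lstrip("$").lower() + ".bin"  # e.g. mbr.bin, ready to hand to clamscan
        open(path, "wb").write(data)
        print(f"{name}: {len(data)} bytes -> {path}; md5 matches DFXML: {ok}")
```

On a real case, pass fiwalk's DFXML text and the image file contents instead of the samples, then run clamscan on the written .bin files; a False md5_ok means the byte runs and the digest disagree and the carve should not be trusted.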