Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
|
From: Alex N. <ajn...@cs...> - 2014-10-06 15:54:04
|
Hi Luis, Which of the TSK tools are you using to extract those files? Could you provide an example command? (I'd forgotten TSK could do anything with volume shadow copies.) --Alex On Oct 5, 2014, at 21:47 , Luís Filipe Nassif <lfc...@gm...> wrote: > Hi, > > We are getting incorrect results with sleuthkit 4.1.3 and 4.2.0 when reading the contents of a lot of windows volume shadow copy files from many disk images. The contents of these files are being reported as zeroed files by sleuthkit. But they are not zeroed files, as reported by other forensic tools. So we are not being able to carve these files using sleuthkit. If we can provide more info to help addressing the issue, please let us know. > > Any help will be appreciated, > Luis Nassif > ------------------------------------------------------------------------------ > Slashdot TV. Videos for Nerds. Stuff that Matters. > http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk_______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
