Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
|
From: Luís F. N. <lfc...@gm...> - 2014-10-06 16:31:56
|
Hi Alex, I am using the Autopsy 3.1 interface to view the files and the sleuthkit java bindings api within a custom java application to extract its contents through the ReadContentInputStream class. Thanks Luis 2014-10-06 12:38 GMT-03:00 Alex Nelson <ajn...@cs...>: > Hi Luis, > > Which of the TSK tools are you using to extract those files? Could you > provide an example command? (I'd forgotten TSK could do anything with > volume shadow copies.) > > --Alex > > > On Oct 5, 2014, at 21:47 , Luís Filipe Nassif <lfc...@gm...> wrote: > > > Hi, > > > > We are getting incorrect results with sleuthkit 4.1.3 and 4.2.0 when > reading the contents of a lot of windows volume shadow copy files from many > disk images. The contents of these files are being reported as zeroed files > by sleuthkit. But they are not zeroed files, as reported by other forensic > tools. So we are not being able to carve these files using sleuthkit. If we > can provide more info to help addressing the issue, please let us know. > > > > Any help will be appreciated, > > Luis Nassif > > > ------------------------------------------------------------------------------ > > Slashdot TV. Videos for Nerds. Stuff that Matters. > > > http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk_______________________________________________ > > sleuthkit-users mailing list > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > > http://www.sleuthkit.org > > |
