Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Luís F. N. <lfc...@gm...> - 2014-10-08 21:35:06

Another useful piece of information: the contents of those files are rendered in blue by the hex viewer of EnCase, so it means they are special in some way. Does anyone know what it means?

2014-10-06 13:31 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> Hi Alex,
>
> I am using the Autopsy 3.1 interface to view the files and the sleuthkit
> Java bindings API within a custom Java application to extract their contents
> through the ReadContentInputStream class.
>
> Thanks
> Luis
>
> 2014-10-06 12:38 GMT-03:00 Alex Nelson <ajn...@cs...>:
>
>> Hi Luis,
>>
>> Which of the TSK tools are you using to extract those files? Could you
>> provide an example command? (I'd forgotten TSK could do anything with
>> volume shadow copies.)
>>
>> --Alex
>>
>> On Oct 5, 2014, at 21:47 , Luís Filipe Nassif <lfc...@gm...> wrote:
>>
>> > Hi,
>> >
>> > We are getting incorrect results with sleuthkit 4.1.3 and 4.2.0 when
>> > reading the contents of a lot of Windows volume shadow copy files from many
>> > disk images. The contents of these files are being reported as zeroed files
>> > by sleuthkit. But they are not zeroed files, as reported by other forensic
>> > tools. So we are not able to carve these files using sleuthkit. If we
>> > can provide more info to help address the issue, please let us know.
>> >
>> > Any help will be appreciated,
>> > Luis Nassif