Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Luís F. N. <lfc...@gm...> - 2014-10-08 21:40:25
The blue color is also used to render the contents of $BadClus·$Bad files...

2014-10-08 18:34 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> Another useful piece of information: the contents of those files are rendered
> with a blue color by the hex viewer of EnCase, so it means they are special in
> some way. Does anyone know what it means?
>
> 2014-10-06 13:31 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>
>> Hi Alex,
>>
>> I am using the Autopsy 3.1 interface to view the files and the sleuthkit
>> Java bindings API within a custom Java application to extract their contents
>> through the ReadContentInputStream class.
>>
>> Thanks
>> Luis
>>
>> 2014-10-06 12:38 GMT-03:00 Alex Nelson <ajn...@cs...>:
>>
>>> Hi Luis,
>>>
>>> Which of the TSK tools are you using to extract those files? Could you
>>> provide an example command? (I'd forgotten TSK could do anything with
>>> volume shadow copies.)
>>>
>>> --Alex
>>>
>>> On Oct 5, 2014, at 21:47 , Luís Filipe Nassif <lfc...@gm...> wrote:
>>>
>>> > Hi,
>>> >
>>> > We are getting incorrect results with sleuthkit 4.1.3 and 4.2.0 when
>>> > reading the contents of a lot of Windows volume shadow copy files from
>>> > many disk images. The contents of these files are being reported as
>>> > zeroed files by sleuthkit. But they are not zeroed files, as reported by
>>> > other forensic tools. So we are not able to carve these files using
>>> > sleuthkit. If we can provide more info to help address the issue,
>>> > please let us know.
>>> >
>>> > Any help will be appreciated,
>>> > Luis Nassif