Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Atila <ati...@dp...> - 2014-10-09 13:11:12

In tsk_loaddb, resident files don't get into tsk_file_layout (and sometimes there are two series of sequences to one file, but that's another problem). Maybe the same thing is happening here too?

On 08-10-2014 18:34, Luís Filipe Nassif wrote:
> Another useful piece of information: the contents of those files are
> rendered with a blue color by the hex viewer of EnCase, so it means they
> are special in some way. Does anyone know what it means?
>
> 2014-10-06 13:31 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>
> > Hi Alex,
> >
> > I am using the Autopsy 3.1 interface to view the files and the
> > sleuthkit Java bindings API within a custom Java application to
> > extract its contents through the ReadContentInputStream class.
> >
> > Thanks
> > Luis
> >
> > 2014-10-06 12:38 GMT-03:00 Alex Nelson <ajn...@cs...>:
> >
> > > Hi Luis,
> > >
> > > Which of the TSK tools are you using to extract those files?
> > > Could you provide an example command? (I'd forgotten TSK
> > > could do anything with volume shadow copies.)
> > >
> > > --Alex
> > >
> > > On Oct 5, 2014, at 21:47, Luís Filipe Nassif <lfc...@gm...> wrote:
> > >
> > > > Hi,
> > > >
> > > > We are getting incorrect results with sleuthkit 4.1.3 and
> > > > 4.2.0 when reading the contents of a lot of Windows volume
> > > > shadow copy files from many disk images. The contents of these
> > > > files are being reported as zeroed files by sleuthkit. But
> > > > they are not zeroed files, as reported by other forensic
> > > > tools. So we are not able to carve these files using
> > > > sleuthkit. If we can provide more info to help address the
> > > > issue, please let us know.
> > > >
> > > > Any help will be appreciated,
> > > > Luis Nassif