Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Luís F. N. <lfc...@gm...> - 2014-10-09 13:32:25
I think tsk_file_layout is only populated with virtual files, like unallocated clusters, and allocated files do not have entries in that table.

2014-10-09 9:58 GMT-03:00 Atila <ati...@dp...>:

> In tsk_loaddb, resident files don't get into tsk_file_layout (and
> sometimes there are two series of sequences to one file, but that's another
> problem).
> Maybe the same thing is happening here too?
>
> On 08-10-2014 18:34, Luís Filipe Nassif wrote:
>
> Another useful piece of information: the contents of those files are rendered
> in blue by the hex viewer of EnCase, which means they are special in
> some way. Does anyone know what it means?
>
> 2014-10-06 13:31 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>
>> Hi Alex,
>>
>> I am using the Autopsy 3.1 interface to view the files and the
>> sleuthkit Java bindings API within a custom Java application to extract their
>> contents through the ReadContentInputStream class.
>>
>> Thanks
>> Luis
>>
>> 2014-10-06 12:38 GMT-03:00 Alex Nelson <ajn...@cs...>:
>>
>>> Hi Luis,
>>>
>>> Which of the TSK tools are you using to extract those files? Could you
>>> provide an example command? (I'd forgotten TSK could do anything with
>>> volume shadow copies.)
>>>
>>> --Alex
>>>
>>> On Oct 5, 2014, at 21:47 , Luís Filipe Nassif <lfc...@gm...>
>>> wrote:
>>>
>>> > Hi,
>>> >
>>> > We are getting incorrect results with sleuthkit 4.1.3 and 4.2.0 when
>>> > reading the contents of a lot of Windows volume shadow copy files from many
>>> > disk images. The contents of these files are being reported as zeroed files
>>> > by sleuthkit. But they are not zeroed files, as reported by other forensic
>>> > tools. So we are not able to carve these files using sleuthkit. If we
>>> > can provide more info to help address the issue, please let us know.
>>> >
>>> > Any help will be appreciated,
>>> > Luis Nassif