Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Luís F. N. <lfc...@gm...> - 2014-10-11 00:49:21
Jon Stewart has pointed out that $BadClus·$Bad files are sparse files. Does
anyone know if that is the case with the
{xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}{3808876b-c176-4e48-b7ae-04046e6cc752}
volume shadow files? If yes, does sleuthkit have support for NTFS sparse files?
Thanks,
Luis
2014-10-08 18:40 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
> The blue color is also used to render the contents of $BadClus·$Bad
> files...
>
> 2014-10-08 18:34 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>
>> Another useful piece of information: the contents of those files are rendered with
>> a blue color by the hex viewer of EnCase, so it means they are special in
>> some way. Does anyone know what it means?
>>
>> 2014-10-06 13:31 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>
>>> Hi Alex,
>>>
>>> I am using the Autopsy 3.1 interface to view the files and the sleuthkit
>>> Java bindings API within a custom Java application to extract their contents
>>> through the ReadContentInputStream class.
>>>
>>> Thanks
>>> Luis
>>>
>>> 2014-10-06 12:38 GMT-03:00 Alex Nelson <ajn...@cs...>:
>>>
>>>> Hi Luis,
>>>>
>>>>
>>>> Which of the TSK tools are you using to extract those files? Could you
>>>> provide an example command? (I'd forgotten TSK could do anything with
>>>> volume shadow copies.)
>>>>
>>>> --Alex
>>>>
>>>>
>>>> On Oct 5, 2014, at 21:47 , Luís Filipe Nassif <lfc...@gm...>
>>>> wrote:
>>>>
>>>> > Hi,
>>>> >
>>>> > We are getting incorrect results with sleuthkit 4.1.3 and 4.2.0 when
>>>> > reading the contents of a lot of Windows volume shadow copy files from many
>>>> > disk images. The contents of these files are being reported as zeroed files
>>>> > by sleuthkit. But they are not zeroed files, as reported by other forensic
>>>> > tools. So we are not able to carve these files using sleuthkit. If we
>>>> > can provide more info to help address the issue, please let us know.
>>>> >
>>>> > Any help will be appreciated,
>>>> > Luis Nassif
>>>> >