Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Brian C. <ca...@sl...> - 2014-10-16 03:21:29
TSK/Autopsy support sparse files. If you can run the 'istat' TSK tool on the files, it would be interesting to see what it reports as the layout of the file. This info is not currently available in Autopsy because:

1) We don't populate the layout table in the SQLite table because it is slow and makes the initial ingest take much longer (and we don't really need it because we use the TSK code each time we read the file content, not the DB layout details).

2) We don't display the 'istat' output in Autopsy. But we really should.

On Oct 10, 2014, at 8:49 PM, Luís Filipe Nassif <lfc...@gm...> wrote:

> Jon Stewart has pointed out that $BadClus·$Bad files are sparse files. Does anyone know if that is the case with the {xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}{3808876b-c176-4e48-b7ae-04046e6cc752} volume shadow files?
>
> If yes, does sleuthkit have support for NTFS sparse files?
>
> Thanks,
> Luis
>
> 2014-10-08 18:40 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>
>> The blue color is also used to render the contents of $BadClus·$Bad files...
>>
>> 2014-10-08 18:34 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>
>>> Another useful piece of information: the contents of those files are rendered with a blue color by the hex viewer of EnCase, so it means they are special in some way. Does anyone know what it means?
>>>
>>> 2014-10-06 13:31 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>>
>>>> Hi Alex,
>>>>
>>>> I am using the Autopsy 3.1 interface to view the files and the sleuthkit Java bindings API within a custom Java application to extract their contents through the ReadContentInputStream class.
>>>>
>>>> Thanks
>>>> Luis
>>>>
>>>> 2014-10-06 12:38 GMT-03:00 Alex Nelson <ajn...@cs...>:
>>>>
>>>>> Hi Luis,
>>>>>
>>>>> Which of the TSK tools are you using to extract those files? Could you provide an example command? (I'd forgotten TSK could do anything with volume shadow copies.)
>>>>>
>>>>> --Alex
>>>>>
>>>>> On Oct 5, 2014, at 21:47, Luís Filipe Nassif <lfc...@gm...> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We are getting incorrect results with sleuthkit 4.1.3 and 4.2.0 when reading the contents of a lot of Windows volume shadow copy files from many disk images. The contents of these files are being reported as zeroed files by sleuthkit. But they are not zeroed files, as reported by other forensic tools. So we are not able to carve these files using sleuthkit. If we can provide more info to help address the issue, please let us know.
>>>>>>
>>>>>> Any help will be appreciated,
>>>>>> Luis Nassif
>>>>>>
>>>>>> _______________________________________________
>>>>>> sleuthkit-users mailing list
>>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>>> http://www.sleuthkit.org
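As an added example (not code from this thread, Autopsy or TSK), the Python below decodes an NTFS non-resident data-run list, which is the on-disk layout that `istat` reports, and rebuilds the file content so that sparse runs come back as zeros while allocated runs keep their data; a reader that returns all zeros for a file whose layout still has allocated runs is the kind of result the thread describes as wrong. The run-list bytes, the 8-byte cluster size and the LCN-to-bytes map are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class DataRun:
    vcn: int            # first virtual (file-relative) cluster covered by this run
    length: int         # number of clusters in the run
    lcn: Optional[int]  # first logical cluster on disk; None marks a sparse run

def decode_runlist(raw: bytes) -> List[DataRun]:
    """Decode an NTFS non-resident $DATA run list. Header byte: low nibble = size of
    the length field, high nibble = size of the signed offset field (relative to the
    previous run's LCN). Offset size 0 marks a sparse run, which reads as zeros.
    A 0x00 header byte terminates the list."""
    runs, pos, vcn, prev_lcn = [], 0, 0, 0
    while pos < len(raw) and raw[pos] != 0:
        len_size, off_size = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError(f"malformed run header at byte {pos - 1}")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        lcn = None
        if off_size:
            prev_lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn = prev_lcn
        runs.append(DataRun(vcn, length, lcn))
        vcn += length
    return runs

def sparse_summary(runs: List[DataRun]) -> tuple:
    """Return (total clusters, sparse clusters) for the decoded layout."""
    return sum(r.length for r in runs), sum(r.length for r in runs if r.lcn is None)

def materialize(runs: List[DataRun], cluster_size: int, disk: Dict[int, bytes]) -> bytes:
    """Rebuild file content: allocated runs are read from 'disk', sparse runs are zero-filled."""
    out = bytearray()
    for r in runs:
        for i in range(r.length):
            out += bytes(cluster_size) if r.lcn is None else disk[r.lcn + i]
    return bytes(out)

# Constructed sample: 2 allocated clusters at LCN 4096, 3 sparse clusters, then 1 cluster
# at LCN 4098 (offset +2 relative to the previous run). The 8-byte cluster size is constructed too.
SAMPLE_RUNLIST = bytes([0x21, 0x02, 0x00, 0x10, 0x01, 0x03, 0x11, 0x01, 0x02, 0x00])
SAMPLE_DISK = {4096: b"A" * 8, 4097: b"B" * 8, 4098: b"C" * 8}
```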