Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Luís F. N. <lfc...@gm...> - 2014-11-08 14:38:03
Hi,
Did someone take a look at the istat output? It is very strange, with a lot
of zeros being the sectors used by the file.
Luis
2014-10-16 17:43 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
> Another smaller output...
>
>
> 2014-10-16 17:22 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>
>> Hi Brian,
>>
>> I have attached the output of istat (sleuthkit 4.1.3) after executing it on
>> one of those files.
>>
>> Thank you,
>> Luis
>>
>> 2014-10-16 0:21 GMT-03:00 Brian Carrier <ca...@sl...>:
>>
>>> TSK/Autopsy support sparse files. If you can run the 'istat' TSK tool on
>>> the files, it would be interesting to see what it reports as the layout of
>>> the file. This info is not currently available in Autopsy because:
>>>
>>> 1) We don't populate the layout table in the SQLite table because it is
>>> slow and makes the initial ingest take much longer (and we don't really
>>> need it because we use the TSK code each time we read the file content, not
>>> the DB layout details).
>>> 2) We don't display the 'istat' output in Autopsy. But, we really should.
>>>
>>>
>>> On Oct 10, 2014, at 8:49 PM, Luís Filipe Nassif <lfc...@gm...>
>>> wrote:
>>>
>>> > Jon Stewart has pointed out that $BadClus·$Bad files are sparse files.
>>> > Does anyone know if that is the case with the
>>> > {xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}{3808876b-c176-4e48-b7ae-04046e6cc752}
>>> > volume shadow files?
>>> >
>>> > If yes, does sleuthkit have support for ntfs sparse files?
>>> >
>>> > Thanks,
>>> > Luis
>>> >
>>> > 2014-10-08 18:40 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>> > The blue color is also used to render the contents of $BadClus·$Bad
>>> > files...
>>> >
>>> > 2014-10-08 18:34 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>> >
>>> > Another useful piece of information: the contents of those files are rendered
>>> > with a blue color by the hex viewer of EnCase, so it means they are special
>>> > in some way. Does anyone know what it means?
>>> >
>>> > 2014-10-06 13:31 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>> >
>>> > Hi Alex,
>>> >
>>> > I am using the Autopsy 3.1 interface to view the files and the
>>> > sleuthkit java bindings API within a custom java application to extract their
>>> > contents through the ReadContentInputStream class.
>>> >
>>> > Thanks
>>> > Luis
>>> >
>>> > 2014-10-06 12:38 GMT-03:00 Alex Nelson <ajn...@cs...>:
>>> > Hi Luis,
>>> >
>>> >
>>> > Which of the TSK tools are you using to extract those files? Could
>>> > you provide an example command? (I'd forgotten TSK could do anything with
>>> > volume shadow copies.)
>>> >
>>> > --Alex
>>> >
>>> >
>>> > On Oct 5, 2014, at 21:47, Luís Filipe Nassif <lfc...@gm...>
>>> > wrote:
>>> >
>>> > > Hi,
>>> > >
>>> > > We are getting incorrect results with sleuthkit 4.1.3 and 4.2.0 when
>>> > > reading the contents of a lot of Windows volume shadow copy files from many
>>> > > disk images. The contents of these files are being reported as zeroed files
>>> > > by sleuthkit. But they are not zeroed files, as reported by other forensic
>>> > > tools. So we are not able to carve these files using sleuthkit. If we
>>> > > can provide more info to help address the issue, please let us know.
>>> > >
>>> > > Any help will be appreciated,
>>> > > Luis Nassif
>>> > >
>>> ------------------------------------------------------------------------------
>>> > > Slashdot TV. Videos for Nerds. Stuff that Matters.
>>> > >
>>> http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk_______________________________________________
>>> > > sleuthkit-users mailing list
>>> > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> > > http://www.sleuthkit.org
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> ------------------------------------------------------------------------------
>>> > Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
>>> > Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS
>>> Reports
>>> > Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
>>> > Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>>> >
>>> http://p.sf.net/sfu/Zoho_______________________________________________
>>> > sleuthkit-users mailing list
>>> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> > http://www.sleuthkit.org
>>>
>>>
>>
>
|
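One check a reader of this thread would want is whether the istat layout is reporting sparse runs (the zero addresses Luis describes) or real clusters. The Python below is an added example, not code from the thread, from TSK or from Autopsy: it parses the "Attributes:" section istat prints for an NTFS entry and reports how much of each $DATA stream's run list is sparse. It assumes TSK 4.x istat's line format for that section; the sample output is constructed.

```python
import re
from typing import Dict, List

# Per-attribute header lines that istat prints under "Attributes:" (TSK 4.x NTFS style).
ATTR_RE = re.compile(
    r"^Type:\s+(\$\w+)\s+\((\d+)-(\d+)\)\s+Name:\s+(\S+)\s+(.*?)\s+size:\s+(\d+)"
)

# Constructed sample in istat's layout (not real output from the thread):
# one unnamed $DATA stream whose run list is mostly sparse.
SAMPLE_ISTAT = """\
Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $DATA (128-3)   Name: N/A   Non-Resident, Sparse   size: 81920  init_size: 81920
0 0 0 0 0 0 0 0
1000 1001 1002 1003 1004 1005 1006 1007
0 0 0 0
"""


def parse_istat_attributes(text: str) -> List[Dict]:
    """Parse istat's 'Attributes:' section, counting cluster addresses per attribute.
    Address 0 counts as sparse: NTFS cluster 0 holds $Boot and never belongs to a
    regular file, and TSK prints 0 for sparse (zero-fill) runs."""
    attrs: List[Dict] = []
    cur, in_section = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Attributes:"):
            in_section = True
        elif not in_section or not line:
            continue
        elif (m := ATTR_RE.match(line)):
            cur = {"type": m.group(1), "id": int(m.group(3)), "name": m.group(4),
                   "flags": m.group(5), "size": int(m.group(6)),
                   "sparse_clusters": 0, "allocated_clusters": 0}
            attrs.append(cur)
        elif cur is not None and all(t.isdigit() for t in line.split()):
            for t in line.split():
                cur["sparse_clusters" if int(t) == 0 else "allocated_clusters"] += 1
    return attrs


def data_sparseness(text: str) -> Dict[str, float]:
    """Map each $DATA stream name to the fraction of its run list that is sparse."""
    result: Dict[str, float] = {}
    for a in parse_istat_attributes(text):
        total = a["sparse_clusters"] + a["allocated_clusters"]
        if a["type"] == "$DATA" and total:
            result[a["name"]] = a["sparse_clusters"] / total
    return result
```

A stream whose run list is entirely zero addresses is legitimately read back as zeros by TSK, so a high sparse fraction points at the on-disk run list rather than at a read bug.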