Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
From: Alex N. <ajn...@cs...> - 2014-12-12 15:25:21
Hello all,

Wrapping up this thread: Christie and I carried out testing off-list. With a pull request being merged yesterday, Fiwalk now runs plugins on the boot sector.

https://github.com/sleuthkit/sleuthkit/pull/358

--Alex

On Aug 21, 2014, at 16:06 , Alex Nelson <ajn...@cs...> wrote:

> Hi Christie,
>
> I've developed a patch that compiles, and I think will do what you want, but I haven't tested it yet. Could you test it and see if running this modified Fiwalk, clamscan on your disk, and clamscan on your disk's dd'd boot sector report what you're looking for?
>
> https://github.com/ajnelson/sleuthkit/tree/testing/fiwalk_plugins_on_virtuals
>
> (Feel free to email me off-list for any testing logistics.)
>
> --Alex
>
> On Wed, Aug 20, 2014 at 4:59 PM, Christie Peterson <cpe...@jh...> wrote:
>
> > My goal is to use fiwalk to automate a number of functions (including virus scan) over a collection of disk images, building off of the python scripts that can be found at https://github.com/anarchivist/fiwalk-dgi
> >
> > As I was testing pyclam, though, I realized it was not catching a known BSV, which led to this thread.
> >
> > Thanks,
> >
> > Christie
> >
> > From: Simson Garfinkel [mailto:si...@ac...]
> > Sent: Wednesday, August 20, 2014 4:44 PM
> > To: Alex Nelson
> > Cc: Christie Peterson; sle...@li...
> > Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
> >
> > Christie,
> >
> > It seems like you're going through a huge amount of work to get this to work. Why don't you just use 'dd' and copy out the MBR into a file, and then run clamav on the resulting file? Is there some reason you need to do this within fiwalk?
> >
> > On Aug 20, 2014, at 4:41 PM, Alex Nelson <ajn...@cs...> wrote:
> >
> > > Ah, ok. I can make that adjustment, but I have a few things on my queue to get to first.
> > >
> > > --Alex
> > >
> > > On Wed, Aug 20, 2014 at 4:29 PM, Christie Peterson <cpe...@jh...> wrote:
> > >
> > > > Actually, I take that back – the adjustment part, not the thanks part.
> > > >
> > > > I realized after clicking send that you were pointing to an adjustment to be made in Fiwalk, not in the plugin. I'm afraid C++ is beyond both my skills and my ambition at this point.
> > > >
> > > > Best,
> > > >
> > > > Christie
> > > >
> > > > From: Christie Peterson
> > > > Sent: Wednesday, August 20, 2014 4:13 PM
> > > > To: 'Alex Nelson'
> > > > Cc: sle...@li...
> > > > Subject: RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
> > > >
> > > > Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running.
> > > >
> > > > I will definitely submit the adjustment, though it could be a while before I manage to do it.
> > > >
> > > > Best,
> > > >
> > > > Christie
> > > >
> > > > From: Alex Nelson [mailto:ajn...@cs...]
> > > > Sent: Wednesday, August 20, 2014 4:10 PM
> > > > To: Christie Peterson
> > > > Cc: sle...@li...
> > > > Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
> > > >
> > > > That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset).
> > > >
> > > > I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:
> > > >
> > > > https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345
> > > >
> > > > The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.
> > > >
> > > > Would you like to submit that adjustment?
> > > >
> > > > --Alex
> > > >
> > > > On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:
> > > >
> > > > > Here is the full <fileobject> for $MBR:
> > > > >
> > > > > <fileobject>
> > > > > <parent_object>
> > > > > <inode>2</inode>
> > > > > </parent_object>
> > > > > <filename>$MBR</filename>
> > > > > <partition>1</partition>
> > > > > <id>36</id>
> > > > > <name_type>v</name_type>
> > > > > <filesize>512</filesize>
> > > > > <alloc>1</alloc>
> > > > > <used>1</used>
> > > > > <inode>11443</inode>
> > > > > <meta_type>10</meta_type>
> > > > > <mode>0</mode>
> > > > > <nlink>1</nlink>
> > > > > <uid>0</uid>
> > > > > <gid>0</gid>
> > > > > <byte_runs>
> > > > > <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
> > > > > </byte_runs>
> > > > > <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
> > > > > <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
> > > > > </fileobject>
> > > > >
> > > > > If the plugin had run, there would be an entry after the <hashdigest> entries.
> > > > >
> > > > > Christie
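The thread above turns on two facts: Fiwalk's DFXML records the MBR as a virtual file (name_type v) with its location in the image given by a byte_run, and the plugin loop skipped such files until the pull request landed. As an added example that is not part of the thread, Fiwalk or its plugin scripts, the Python below does what Simson suggested with dd, but driven by the DFXML itself: it selects the virtual $MBR fileobject, carves its byte runs from the image, and verifies the carved bytes against the recorded md5 before they are handed to a scanner. The DFXML and image bytes are constructed for the example; the {*} wildcards (Python 3.8+) let the same parser read real, namespaced Fiwalk output.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

def find_virtual_files(dfxml_text, names=("$MBR",)):
    """Return (filename, byte_runs, digests) for each <fileobject> whose
    <name_type> is v and whose filename is in `names`: the virtual files that
    Fiwalk's regular-files-only plugin check skipped.  {*} matches a tag in
    any or no XML namespace, so real Fiwalk output parses too (Python 3.8+)."""
    found = []
    for fo in ET.fromstring(dfxml_text).iterfind(".//{*}fileobject"):
        name, ntype = fo.find("{*}filename"), fo.find("{*}name_type")
        if name is None or ntype is None or ntype.text != "v" or name.text not in names:
            continue
        runs = [(int(r.get("img_offset")), int(r.get("len")))
                for r in fo.iterfind("{*}byte_runs/{*}byte_run")]
        digests = {h.get("type"): h.text.strip().lower()
                   for h in fo.iterfind("{*}hashdigest")}
        found.append((name.text, runs, digests))
    return found

def carve(image, runs):
    """Read and concatenate each byte run from a seekable image file object."""
    out = bytearray()
    for off, length in runs:
        image.seek(off)
        chunk = image.read(length)
        if len(chunk) != length:
            raise ValueError(f"short read at offset {off}: wanted {length} bytes")
        out += chunk
    return bytes(out)

def carve_and_verify(image_bytes, dfxml_text):
    """Map filename -> (carved bytes, md5 matches the DFXML hashdigest?)."""
    image, results = io.BytesIO(image_bytes), {}
    for name, runs, digests in find_virtual_files(dfxml_text):
        data = carve(image, runs)
        results[name] = (data, hashlib.md5(data).hexdigest() == digests.get("md5"))
    return results

# Constructed sample: a blank sector ending in the 0x55AA boot signature plus
# filler, and a minimal DFXML describing that sector as the virtual file $MBR.
SAMPLE_MBR = bytes(510) + b"\x55\xaa"
SAMPLE_IMAGE = SAMPLE_MBR + bytes(4096)
SAMPLE_DFXML = f"""<dfxml><volume><fileobject><filename>$MBR</filename>
<name_type>v</name_type><filesize>512</filesize><byte_runs>
<byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/></byte_runs>
<hashdigest type="md5">{hashlib.md5(SAMPLE_MBR).hexdigest()}</hashdigest></fileobject>
<fileobject><filename>readme.txt</filename><name_type>r</name_type></fileobject>
</volume></dfxml>"""
```

For a real image, pass the image file's bytes and Fiwalk's DFXML to carve_and_verify, and write each carved value whose md5 check passed to a file for clamscan; a failed check means the image and the DFXML no longer describe the same data and the scan result would be meaningless.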