Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Gabriel F. <gab...@gm...> - 2016-01-16 22:17:00
Hi, I'm having problems too with Volume Shadow files in TSK (icat, istat), including TSK 4.2 (same behaviour indicated by Nassif). The problem with this type of file is caused by the attribute "initialized stream size" or "Valid Data Length size" (VDL size). Apparently, Microsoft has forced its value to zero to make these files "invisible" to the normal Windows Backup process (https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/).

I don't have much familiarity with the TSK code, but I wrote one possible solution to this problem, altering the "tsk/fs/ntfs.c" file, at the "ntfs_proc_attrseq" function, adding a test to set "initsize" to "ssize" when "initsize" is equal to zero. But I don't know if this solution will cause problems with other types of files (like sparse or virtual files) in NTFS. I didn't find a way to limit this test only to the Volume Shadow Files, but it worked properly in my few test images. I'm sending the patch attached only to illustrate my message, because I think that other users or TSK developers could implement a better solution to this problem.

Other references related to this problem:
https://github.com/sleuthkit/sleuthkit/issues/466 - [Windows Volume Shadow Copy Files incorrectly decoded]
http://sourceforge.net/p/sleuthkit/mailman/message/22341633/ - ([sleuthkit-developers] [ sleuthkit-Bugs-2367426 ] Fix NTFS VDL Slack bug)
https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/ - [VDL Slack in NTFS – David G Ferguson]

Gabriel

On Wed, Jan 7, 2015 at 2:32 PM, Luís Filipe Nassif <lfc...@gm...> wrote:
> Did someone have time to look at the istat output? It is attached again.
>
> Thank you,
> Luis
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
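The effect Gabriel describes, and the trade-off of his workaround, can be shown with a small model of a non-resident NTFS $DATA attribute. The following C is an added example written for this archive page; it is not Gabriel's patch and not code from The Sleuth Kit. The struct `data_attr_t`, the field names (`ssize` for the real size, `initsize` for the initialized size / VDL, borrowed from the message), the reader functions and the 16-byte sample cluster contents are all constructed for illustration. `read_honour_vdl` behaves the way a file system driver or a forensic tool that trusts the attribute does: every byte at or past the initialized size reads as zero. `read_with_workaround` applies the rule from the message (treat `initsize == 0` as `initsize == ssize`) before reading.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a non-resident NTFS $DATA attribute (not TSK's struct). */
typedef struct {
    uint64_t ssize;            /* real (logical) size of the stream            */
    uint64_t initsize;         /* initialized size / Valid Data Length (VDL)    */
    const uint8_t *clusters;   /* constructed on-disk cluster content, ssize bytes */
} data_attr_t;

/* Read n bytes at offset off, honouring the VDL: bytes at or beyond
 * initsize are presented as zero regardless of what the clusters hold.
 * Returns the number of bytes written to out. */
size_t read_honour_vdl(const data_attr_t *a, uint64_t off, uint8_t *out, size_t n)
{
    if (off >= a->ssize)
        return 0;
    if (off + n > a->ssize)
        n = (size_t)(a->ssize - off);
    for (size_t i = 0; i < n; i++) {
        uint64_t pos = off + i;
        out[i] = (pos < a->initsize) ? a->clusters[pos] : 0;
    }
    return n;
}

/* The workaround from the message: a zero initialized size is replaced by
 * the real size, so the clusters are read as stored. Note that this applies
 * to every attribute with VDL == 0, not only to shadow-copy files. */
uint64_t effective_initsize(const data_attr_t *a)
{
    return a->initsize == 0 ? a->ssize : a->initsize;
}

size_t read_with_workaround(const data_attr_t *a, uint64_t off, uint8_t *out, size_t n)
{
    data_attr_t patched = *a;
    patched.initsize = effective_initsize(a);
    return read_honour_vdl(&patched, off, out, n);
}

/* Constructed sample content: 15 non-zero bytes followed by one zero byte. */
static const uint8_t sample_clusters[16] = "SHADOWCOPYDATA!";

/* Case 1: real size 16, VDL forced to 0 (the shadow-copy situation). */
static const data_attr_t vss_like = { 16, 0, sample_clusters };

/* Case 2: real size 16, VDL 8: an ordinary file extended past what was
 * written, so bytes 8..15 are VDL slack that must legitimately read as zero. */
static const data_attr_t extended_file = { 16, 8, sample_clusters };

/* Count the non-zero bytes a given reader returns for the whole stream. */
int nonzero_bytes(size_t (*reader)(const data_attr_t *, uint64_t, uint8_t *, size_t),
                  const data_attr_t *a)
{
    uint8_t buf[16];
    int count = 0;
    size_t got = reader(a, 0, buf, sizeof buf);
    for (size_t i = 0; i < got; i++)
        if (buf[i] != 0)
            count++;
    return count;
}

int main(void)
{
    printf("VSS-like, honouring VDL : %d non-zero bytes\n", nonzero_bytes(read_honour_vdl, &vss_like));
    printf("VSS-like, workaround    : %d non-zero bytes\n", nonzero_bytes(read_with_workaround, &vss_like));
    printf("extended, honouring VDL : %d non-zero bytes\n", nonzero_bytes(read_honour_vdl, &extended_file));
    printf("extended, workaround    : %d non-zero bytes\n", nonzero_bytes(read_with_workaround, &extended_file));
    return 0;
}
```

The two VSS-like reads show the problem in the message: with the VDL honoured the whole stream comes back as zeros, and with the workaround the cluster content is recovered. The extended-file case shows why the workaround is left unchanged there: its VDL is non-zero, so the slack past byte 8 still reads as zero. The gap the message points out is that a file whose VDL is genuinely zero (extended but never written) looks exactly like a shadow-copy file in this model, so the workaround would hand the examiner whatever stale bytes those clusters hold; nothing in the attribute itself distinguishes the two cases.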