Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Luís F. N. <lfc...@gm...> - 2016-01-18 11:11:57
Hum, maybe testing the file name for the presence of
{3808876b-c176-4e48-b7ae-04046e6cc752} can restrict the patch only to VSS
files?
Luis
2016-01-16 20:16 GMT-02:00 Gabriel Francisco <gab...@gm...>:
> Hi,
>
> I'm having problems too with Volume Shadow files at the TSK (icat,
> istat), including TSK 4.2 (same behaviour indicated by Nassif). The
> problem with this type of file is caused by the attribute "initialized
> stream size" or "Valid Data Length size" (VDL size). Apparently,
> Microsoft has forced its value to zero to make these files
> "invisible" to the normal Windows Backup process
> (https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/).
>
> I don't have much familiarity with the TSK code, but I wrote one
> possible solution to this problem, altering the "tsk/fs/ntfs.c" file,
> at the "ntfs_proc_attrseq" function, adding a test to set "initsize" to
> "ssize" when "initsize" is equal to zero. But I don't know if this
> solution will cause problems with other types of files (like sparse or
> virtual files) in NTFS. I didn't find a way to limit this test only to
> the Volume Shadow Files, but it worked properly in my few test images.
>
> I'm sending the patch attached only to illustrate my message, because
> I think that other users or TSK developers could implement a better
> solution to this problem.
>
> Other references related to this problem:
> https://github.com/sleuthkit/sleuthkit/issues/466 - [Windows Volume
> Shadow Copy Files incorrectly decoded]
> http://sourceforge.net/p/sleuthkit/mailman/message/22341633/ -
> ([sleuthkit-developers] [ sleuthkit-Bugs-2367426 ] Fix NTFS VDL Slack
> bug)
> https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/ -
> [VDL Slack in NTFS – David G Ferguson]
>
> Gabriel
>
>
> On Wed, Jan 7, 2015 at 2:32 PM, Luís Filipe Nassif <lfc...@gm...>
> wrote:
> > Did someone have time to look at the istat output? It is attached again.
> >
> > Thank you,
> > Luis
> >
> >
>
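Worked example, added here and not code from the thread or from The Sleuth Kit itself: a small C model of the two ideas discussed above, Gabriel's "use ssize when initsize is zero" and Luis' restriction of it to file names carrying the VSS GUID. It reads the allocated, real and initialized sizes out of a non-resident NTFS attribute header (the standard offsets 0x28, 0x30 and 0x38), decides the effective valid length, and then materializes the stream the way a VDL-honouring reader does, zero-filling everything past the initialized size. The attribute header and the file contents are constructed sample data, and every function name below is mine, not TSK's.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GUID that appears in the names of VSS store files under
 * "System Volume Information", as quoted in the thread. */
static const char VSS_STORE_GUID[] = "{3808876b-c176-4e48-b7ae-04046e6cc752}";

struct ntfs_nonres_sizes {
    uint64_t alloc_size; /* offset 0x28: allocated (cluster) size */
    uint64_t real_size;  /* offset 0x30: logical size, "ssize" in the thread */
    uint64_t init_size;  /* offset 0x38: initialized size / VDL, "initsize" */
};

static uint64_t get_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

static void put_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Read the three size fields of a non-resident attribute header.
 * Returns 0 on success, -1 if the buffer is too short or the attribute
 * is resident (resident attributes carry no VDL field at all). */
int ntfs_parse_nonres_sizes(const uint8_t *attr, size_t len,
                            struct ntfs_nonres_sizes *out)
{
    if (len < 0x40 || attr[0x08] != 1) return -1;
    out->alloc_size = get_le64(attr + 0x28);
    out->real_size  = get_le64(attr + 0x30);
    out->init_size  = get_le64(attr + 0x38);
    return 0;
}

/* Case-insensitive substring test: does the file name carry the VSS GUID? */
int ntfs_name_is_vss_store(const char *name)
{
    size_t n = strlen(VSS_STORE_GUID), m = strlen(name);
    for (size_t i = 0; i + n <= m; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)name[i + j]) == VSS_STORE_GUID[j]) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Leading bytes of the stream that are valid before a reader substitutes
 * zeros. Normal NTFS semantics: everything past init_size reads as zero.
 * The thread's workaround, narrowed by the name test: if init_size is 0 on
 * a VSS store file, treat the whole real_size as valid. */
uint64_t ntfs_effective_init_size(const struct ntfs_nonres_sizes *s,
                                  const char *name)
{
    uint64_t valid = s->init_size;
    if (valid == 0 && ntfs_name_is_vss_store(name)) valid = s->real_size;
    if (valid > s->real_size) valid = s->real_size; /* VDL past EOF is bogus */
    return valid;
}

/* What icat would hand back: the first `valid` bytes come from the data
 * runs, the rest up to real_size is zero-filled. Returns bytes written,
 * or (size_t)-1 if out is too small for the logical size. */
size_t ntfs_materialize_stream(const uint8_t *runs, size_t runs_len,
                               const struct ntfs_nonres_sizes *s,
                               const char *name, uint8_t *out, size_t out_len)
{
    uint64_t valid = ntfs_effective_init_size(s, name);
    if (s->real_size > out_len) return (size_t)-1;
    if (valid > runs_len) valid = runs_len; /* never read past the clusters we hold */
    memcpy(out, runs, (size_t)valid);
    memset(out + valid, 0, (size_t)(s->real_size - valid));
    return (size_t)s->real_size;
}

/* Constructed non-resident $DATA header (type 0x80) for the demo; only the
 * fields the parser reads are filled in. */
void build_nonres_header(uint8_t *buf, uint64_t alloc, uint64_t real, uint64_t init)
{
    memset(buf, 0, 0x40);
    buf[0x00] = 0x80; /* $DATA */
    buf[0x04] = 0x40; /* attribute record length */
    buf[0x08] = 1;    /* non-resident flag */
    put_le64(buf + 0x28, alloc);
    put_le64(buf + 0x30, real);
    put_le64(buf + 0x38, init);
}

int main(void)
{
    /* Constructed sample: 12 logical bytes on disk, VDL forced to 0 as on VSS stores. */
    static const char runs[] = "SHADOWCOPY!!";
    const char *vss = "{3808876b-c176-4e48-b7ae-04046e6cc752}{00000000-0000-0000-0000-000000000001}";
    uint8_t hdr[0x40], out[16];
    struct ntfs_nonres_sizes s;

    build_nonres_header(hdr, 16, 12, 0);
    ntfs_parse_nonres_sizes(hdr, sizeof hdr, &s);
    ntfs_materialize_stream((const uint8_t *)runs, 12, &s, vss, out, sizeof out);
    printf("vss store : %.12s\n", (const char *)out);
    ntfs_materialize_stream((const uint8_t *)runs, 12, &s, "normal.txt", out, sizeof out);
    printf("other file: first byte 0x%02x\n", out[0]);
    return 0;
}
```

The point of the name test is visible in the second call: with the same header, a file that is not a VSS store still reads back as zeros, which is the correct behaviour for a file whose VDL is genuinely 0 (space preallocated, never written). Applying Gabriel's rule unconditionally would instead surface whatever old cluster contents sit under such files, which is exactly the VDL slack Ferguson's talk describes, so it belongs behind a check like this one. Where the name comes from (the MFT entry's $FILE_NAME rather than the stream name) and whether the match is case-insensitive are choices of this example, not something the thread settles.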