Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Luís F. N. <lfc...@gm...> - 2016-01-26 01:06:33
Could an NTFS expert kindly take a look at Gabriel's patch? I think it is
important to have a fix, so VSS files could be properly hashed, indexed,
carved, etc.
Luis
2016-01-18 9:11 GMT-02:00 Luís Filipe Nassif <lfc...@gm...>:
> Hum, maybe testing the file name for the presence of
> {3808876b-c176-4e48-b7ae-04046e6cc752} can restrict the patch only to VSS
> files?
>
> Luis
>
> 2016-01-16 20:16 GMT-02:00 Gabriel Francisco <gab...@gm...>:
>
>> Hi,
>>
>> I'm having problems too with Volume Shadow files in TSK (icat,
>> istat), including TSK 4.2 (same behaviour indicated by Nassif). The
>> problem with this type of file is caused by the attribute "initialized
>> stream size" or "Valid Data Length size" (VDL size). Apparently,
>> Microsoft has forced its value to zero to make these files
>> "invisible" to the normal Windows Backup process
>> (https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/).
>>
>> I don't have much familiarity with the TSK code, but I wrote one
>> possible solution to this problem, altering the "tsk/fs/ntfs.c" file,
>> at the "ntfs_proc_attrseq" function, adding a test to set "initsize" to
>> "ssize" when "initsize" is equal to zero. But I don't know if this
>> solution will cause problems with other types of files (like sparse or
>> virtual files) in NTFS. I didn't find a way to limit this test only to
>> the Volume Shadow Files, but it worked properly in my few test images.
>>
>> I'm sending the patch attached only to illustrate my message, because
>> I think that other users or TSK developers could implement a better
>> solution to this problem.
>>
>> Other references related to this problem:
>> https://github.com/sleuthkit/sleuthkit/issues/466 - [Windows Volume
>> Shadow Copy Files incorrectly decoded]
>> http://sourceforge.net/p/sleuthkit/mailman/message/22341633/ -
>> ([sleuthkit-developers] [ sleuthkit-Bugs-2367426 ] Fix NTFS VDL Slack
>> bug)
>> https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/ -
>> [VDL Slack in NTFS – David G Ferguson]
>>
>> Gabriel
>>
>>
>> On Wed, Jan 7, 2015 at 2:32 PM, Luís Filipe Nassif <lfc...@gm...>
>> wrote:
>> > Did someone have time to look at the istat output? It is attached again.
>> >
>> > Thank you,
>> > Luis
>> >
>> >
>> >
>>
>
>
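Added illustration, not code from TSK or from Gabriel's patch: a small model of the VDL read rule the thread describes, with the zero-initsize override narrowed to file names containing the VSS GUID as Luís suggests. The attr_t struct, its field names and the sample content are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model, not TSK's own structs: an NTFS $DATA attribute has a
 * logical size (ssize) and a valid data length / initialized size (initsize);
 * bytes at or beyond initsize must read as zeros. */
#define VSS_GUID "{3808876b-c176-4e48-b7ae-04046e6cc752}"

typedef struct {
    const char *name;    /* file name, for the VSS name heuristic */
    uint64_t ssize;      /* logical stream size */
    uint64_t initsize;   /* VDL; forced to 0 on VSS store files */
    const uint8_t *raw;  /* on-disk content, ssize bytes */
} attr_t;

/* The thread's proposal, narrowed as Luis suggests: only when initsize is 0
 * and the name carries the VSS GUID is the whole stream treated as valid. */
uint64_t effective_initsize(const attr_t *a) {
    if (a->initsize == 0 && strstr(a->name, VSS_GUID) != NULL)
        return a->ssize;
    return a->initsize;
}

/* Read len bytes at off with VDL semantics: below VDL from disk, above it
 * zero. Returns bytes written to out, clipped at ssize. */
size_t attr_read(const attr_t *a, uint64_t off, uint8_t *out, size_t len) {
    uint64_t vdl = effective_initsize(a);
    if (off >= a->ssize)
        return 0;
    if (off + len > a->ssize)
        len = (size_t)(a->ssize - off);
    for (size_t i = 0; i < len; i++)
        out[i] = (off + i < vdl) ? a->raw[off + i] : 0;
    return len;
}

/* Constructed sample content for the two checks below. */
static const uint8_t SAMPLE[] = "SHADOWDATA";
/* 1 if a VSS-named stream with VDL 0 reads back its real content. */
int vss_reads_real_content(void) {
    attr_t a = { VSS_GUID "{example}", 10, 0, SAMPLE };
    uint8_t buf[10];
    return attr_read(&a, 0, buf, 10) == 10 && memcmp(buf, SAMPLE, 10) == 0;
}
/* 1 if an ordinary file with VDL 4 yields 4 real bytes and then zeros. */
int plain_file_zero_fills_past_vdl(void) {
    attr_t a = { "notes.txt", 10, 4, SAMPLE };
    uint8_t buf[10];
    return attr_read(&a, 0, buf, 10) == 10 && memcmp(buf, "SHAD", 4) == 0
        && buf[4] == 0 && buf[9] == 0;
}
```

Without the name-based override, the VSS-named stream with initsize 0 would read back as all zeros, which is the icat/istat behaviour the thread reports.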