Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Luís F. N. <lfc...@gm...> - 2016-05-03 16:27:45
Any chance of reviewing and committing Gabriel's patch before the next release?

Luis

2016-01-25 23:06 GMT-02:00 Luís Filipe Nassif <lfc...@gm...>:
> Could an NTFS expert kindly take a look at Gabriel's patch? I think it is
> important to have a fix, so VSS files could be properly hashed, indexed,
> carved, etc.
>
> Luis
>
> 2016-01-18 9:11 GMT-02:00 Luís Filipe Nassif <lfc...@gm...>:
>
>> Hum, maybe testing the file name for the presence of
>> {3808876b-c176-4e48-b7ae-04046e6cc752} can restrict the patch only to VSS
>> files?
>>
>> Luis
>>
>> 2016-01-16 20:16 GMT-02:00 Gabriel Francisco <gab...@gm...>:
>>
>>> Hi,
>>>
>>> I'm having problems too with Volume Shadow files at the TSK (icat,
>>> istat), including TSK 4.2 (same behaviour indicated by Nassif). The
>>> problem with this type of file is caused by the attribute "initialized
>>> stream size" or "Valid Data Length size" (VDL size). Apparently,
>>> Microsoft has forced its value to zero to make these files
>>> "invisible" to the normal Windows Backup process
>>> (https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/).
>>>
>>> I don't have much familiarity with the TSK code, but I wrote one
>>> possible solution to this problem, altering the "tsk/fs/ntfs.c" file,
>>> at the "ntfs_proc_attrseq" function, adding a test to set "initsize" to
>>> "ssize" when "initsize" is equal to zero. But I don't know if this
>>> solution will cause problems with other types of files (like sparse or
>>> virtual files) in NTFS. I didn't find a way to limit this test only to
>>> the Volume Shadow Files, but it worked properly in my few test images.
>>>
>>> I'm sending the patch attached only to illustrate my message, because
>>> I think that other users or TSK developers could implement a better
>>> solution to this problem.
>>>
>>> Other references related to this problem:
>>> https://github.com/sleuthkit/sleuthkit/issues/466 - [Windows Volume
>>> Shadow Copy Files incorrectly decoded]
>>> http://sourceforge.net/p/sleuthkit/mailman/message/22341633/ -
>>> ([sleuthkit-developers] [ sleuthkit-Bugs-2367426 ] Fix NTFS VDL Slack
>>> bug)
>>> https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/ -
>>> [VDL Slack in NTFS - David G Ferguson]
>>>
>>> Gabriel
>>>
>>>
>>> On Wed, Jan 7, 2015 at 2:32 PM, Luís Filipe Nassif <lfc...@gm...>
>>> wrote:
>>> > Did someone have time to look at the istat output? It is attached
>>> > again.
>>> >
>>> > Thank you,
>>> > Luis
>>> >
>>> >
>>> > _______________________________________________
>>> > sleuthkit-users mailing list
>>> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> > http://www.sleuthkit.org
>>> >
>>>
>>
>
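The two ideas in the thread, Gabriel's "treat initsize 0 as ssize" workaround and Nassif's suggestion to apply it only to file names carrying the VSS GUID, can be shown together on a constructed non-resident $DATA attribute header. The following C is an added example, not TSK code and not Gabriel's attached patch (which is not on this page); it assumes only the documented on-disk layout of an NTFS non-resident attribute header (allocated size at 0x28, real size at 0x30, initialized size at 0x38), and the header bytes, cluster content and file name are constructed here. The function names (parse_nr_sizes, effective_initsize, read_with_vdl) are hypothetical, not TSK's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets in an NTFS non-resident attribute header (on-disk layout,
 * assumed from the NTFS format documentation, not from the page). */
#define NR_NONRES_FLAG_OFF 0x08
#define NR_ALLOC_OFF       0x28
#define NR_SSIZE_OFF       0x30
#define NR_INITSIZE_OFF    0x38
#define NR_HDR_MIN_LEN     0x40

/* GUID that appears in VSS diff-area file names, as quoted in the thread. */
static const char VSS_GUID[] = "{3808876b-c176-4e48-b7ae-04046e6cc752}";

struct nr_sizes {
    uint64_t alloc;    /* allocated size (clusters actually reserved) */
    uint64_t ssize;    /* real, logical size of the stream */
    uint64_t initsize; /* initialized size: the Valid Data Length (VDL) */
};

static uint64_t rd64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void wr64le(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Extract the three size fields. Returns 0 on success, -1 if the header is
 * resident, too short, or claims a VDL larger than the stream itself. */
int parse_nr_sizes(const uint8_t *hdr, size_t hdrlen, struct nr_sizes *out)
{
    if (hdrlen < NR_HDR_MIN_LEN || hdr[NR_NONRES_FLAG_OFF] != 1)
        return -1;
    out->alloc = rd64le(hdr + NR_ALLOC_OFF);
    out->ssize = rd64le(hdr + NR_SSIZE_OFF);
    out->initsize = rd64le(hdr + NR_INITSIZE_OFF);
    if (out->initsize > out->ssize)
        return -1; /* VDL can never exceed the logical size; treat as corrupt */
    return 0;
}

/* Nassif's restriction: only names containing the VSS GUID qualify. */
int is_vss_name(const char *name)
{
    return strstr(name, VSS_GUID) != NULL;
}

/* Gabriel's workaround, narrowed by the name test. A VSS file whose VDL was
 * forced to 0 is read using its real size. Every other file keeps VDL
 * semantics, since a sparse or just-extended file with initsize 0 really is
 * all zeros to the OS and must not be "repaired". */
uint64_t effective_initsize(const struct nr_sizes *s, const char *name)
{
    if (s->initsize == 0 && s->ssize != 0 && is_vss_name(name))
        return s->ssize;
    return s->initsize;
}

/* A reader that honours VDL: bytes at or past initsize come back as zero
 * even though the clusters on disk hold data (the "VDL slack"). */
size_t read_with_vdl(const uint8_t *clusters, uint64_t ssize,
                     uint64_t initsize, uint8_t *out, size_t outlen)
{
    size_t n = ssize < outlen ? (size_t)ssize : outlen;
    for (size_t i = 0; i < n; i++)
        out[i] = (i < initsize) ? clusters[i] : 0;
    return n;
}

/* Build a constructed non-resident $DATA header with the given sizes. */
void build_nr_header(uint8_t *hdr, uint64_t alloc, uint64_t ssize,
                     uint64_t initsize)
{
    memset(hdr, 0, NR_HDR_MIN_LEN);
    hdr[0] = 0x80;                 /* attribute type $DATA */
    hdr[NR_NONRES_FLAG_OFF] = 1;   /* non-resident */
    wr64le(hdr + NR_ALLOC_OFF, alloc);
    wr64le(hdr + NR_SSIZE_OFF, ssize);
    wr64le(hdr + NR_INITSIZE_OFF, initsize);
}

/* Returns 1 when the narrowed workaround recovers bytes a plain VDL read
 * hides, and leaves an ordinary file's VDL untouched. */
int demo(void)
{
    uint8_t hdr[NR_HDR_MIN_LEN];
    build_nr_header(hdr, 4096, 16, 0);   /* ssize 16, VDL forced to 0 */
    struct nr_sizes s;
    if (parse_nr_sizes(hdr, sizeof hdr, &s) != 0)
        return 0;

    uint8_t disk[16];                    /* constructed cluster content */
    memcpy(disk, "shadow-copy-data", 16);
    /* Constructed name: a placeholder snapshot GUID followed by the VSS GUID. */
    const char *vss = "{00000000-0000-0000-0000-000000000000}"
                      "{3808876b-c176-4e48-b7ae-04046e6cc752}";
    uint8_t naive[16], fixed[16];
    read_with_vdl(disk, s.ssize, s.initsize, naive, sizeof naive);
    read_with_vdl(disk, s.ssize, effective_initsize(&s, vss), fixed, sizeof fixed);

    int all_zero = 1;
    for (size_t i = 0; i < sizeof naive; i++)
        if (naive[i]) all_zero = 0;
    return all_zero && memcmp(fixed, disk, 16) == 0 &&
           effective_initsize(&s, "sparse.bin") == 0;
}

int main(void)
{
    printf("workaround recovers VSS data: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The name test is what makes the change safe to ship: without it, every sparse or preallocated file with VDL 0 would start reporting stale on-disk bytes as content, which is exactly the case Gabriel flagged as untested.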