Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Brian C. <ca...@sl...> - 2016-05-11 14:03:26
I posted my comments on the github issue to have a central place for this: https://github.com/sleuthkit/sleuthkit/issues/466

Basic takeaway is that the data is available right now if you use 'icat -s' to look at slack space (at least it was on my system). Autopsy does not let you view this though, so this could bump that feature up in priority.

The suggested patch as it stands is too broad and would get rid of the idea of VDL slack for all files, which would be confusing. It should be restricted to just VSS files (as was already suggested), but then it could cause confusion between tools if those tools are reporting the initialized size as 0.

> On May 3, 2016, at 12:27 PM, Luís Filipe Nassif <lfc...@gm...> wrote:
>
> Any chance of reviewing and committing Gabriel's patch before the next release?
>
> Luis
>
> 2016-01-25 23:06 GMT-02:00 Luís Filipe Nassif <lfc...@gm...>:
> Could an NTFS expert kindly take a look at Gabriel's patch? I think it is important to have a fix, so VSS files could be properly hashed, indexed, carved, etc.
>
> Luis
>
> 2016-01-18 9:11 GMT-02:00 Luís Filipe Nassif <lfc...@gm...>:
> Hum, maybe testing the file name for the presence of {3808876b-c176-4e48-b7ae-04046e6cc752} can restrict the patch only to VSS files?
>
> Luis
>
> 2016-01-16 20:16 GMT-02:00 Gabriel Francisco <gab...@gm...>:
> Hi,
>
> I'm having problems too with Volume Shadow files at the TSK (icat, istat), including TSK 4.2 (same behaviour indicated by Nassif). The problem with this type of file is caused by the attribute "initialized stream size" or "Valid Data Length size" (VDL size). Apparently, Microsoft has forced its value to zero to make these files "invisible" to the normal Windows Backup process (https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/).
>
> I don't have much familiarity with the TSK code, but I wrote one possible solution to this problem, altering the "tsk/fs/ntfs.c" file, at the "ntfs_proc_attrseq" function, adding a test to set "initsize" to "ssize" when "initsize" is equal to zero. But I don't know if this solution will cause problems with other types of files (like sparse or virtual files) in NTFS. I didn't find a way to limit this test only to the Volume Shadow Files, but it worked properly in my few test images.
>
> I'm sending the patch attached only to illustrate my message, because I think that other users or TSK developers could implement a better solution to this problem.
>
> Other references related to this problem:
> https://github.com/sleuthkit/sleuthkit/issues/466 - [Windows Volume Shadow Copy Files incorrectly decoded]
> http://sourceforge.net/p/sleuthkit/mailman/message/22341633/ - ([sleuthkit-developers] [ sleuthkit-Bugs-2367426 ] Fix NTFS VDL Slack bug)
> https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/ - [VDL Slack in NTFS – David G Ferguson]
>
> Gabriel
>
> > On Wed, Jan 7, 2015 at 2:32 PM, Luís Filipe Nassif <lfc...@gm...> wrote:
> > Did someone have time to look at the istat output? It is attached again.
> >
> > Thank you,
> > Luis
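To make the VDL discussion in this thread concrete, here is an added, self-contained C illustration. It is not Gabriel's attached patch and not code from TSK's ntfs.c; the function names, the struct, the model of a stream read and the sample bytes are all hypothetical. It shows the two points the thread turns on: how a $DATA stream's logical size and initialized size (VDL) determine what a plain read returns versus a slack-aware read (the 'icat -s' behaviour Brian mentions), and how restricting the zero-VDL override to file names carrying the VSS store GUID keeps ordinary VDL slack intact for every other file, which is the over-broadness Brian objects to in the unrestricted patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* GUID that Windows puts on Volume Shadow Copy store file names
 * (the value suggested in the thread as a way to recognise VSS files). */
#define VSS_STORE_GUID "{3808876b-c176-4e48-b7ae-04046e6cc752}"

typedef enum {
    VDL_NORMAL   = 0,  /* initialized size == logical size: nothing hidden   */
    VDL_SLACK    = 1,  /* initialized size  < logical size: VDL slack exists */
    VDL_VSS_ZERO = 2   /* VSS store with initialized size 0: treat all as data */
} vdl_kind_t;

typedef struct {
    vdl_kind_t kind;
    uint64_t   effective_init; /* bytes a reader should treat as initialized   */
    uint64_t   slack;          /* bytes only a slack-aware read would return    */
} vdl_info_t;

/* Hypothetical helper, not TSK's API: decide how much of a $DATA stream to
 * treat as initialized. ssize is the logical size, initsize the VDL. The
 * zero-VDL override is applied only to names carrying the VSS store GUID,
 * so ordinary files keep their VDL slack semantics. */
vdl_info_t ntfs_vdl_classify(const char *name, uint64_t ssize, uint64_t initsize)
{
    vdl_info_t r;
    if (initsize > ssize)          /* inconsistent attribute: clamp to ssize */
        initsize = ssize;
    if (initsize == 0 && ssize > 0 && name != NULL &&
        strstr(name, VSS_STORE_GUID) != NULL) {
        r.kind = VDL_VSS_ZERO;
        r.effective_init = ssize;
        r.slack = 0;
    } else if (initsize < ssize) {
        r.kind = VDL_SLACK;
        r.effective_init = initsize;
        r.slack = ssize - initsize;
    } else {
        r.kind = VDL_NORMAL;
        r.effective_init = initsize;
        r.slack = 0;
    }
    return r;
}

/* Hypothetical model of a stream read: bytes past effective_init come back
 * as zeros unless the caller asks for slack. Returns the number of non-zero
 * bytes delivered, so callers can see how much content a plain read hides. */
size_t ntfs_model_read(const uint8_t *raw, size_t len, const vdl_info_t *info,
                       int show_slack, uint8_t *out)
{
    size_t nonzero = 0;
    for (size_t i = 0; i < len; i++) {
        int visible = show_slack || (uint64_t)i < info->effective_init;
        out[i] = visible ? raw[i] : 0;
        if (out[i] != 0)
            nonzero++;
    }
    return nonzero;
}

int main(void)
{
    /* Constructed sample: 8 bytes of on-disk content, reported once under a
     * VSS store name and once under an ordinary name, both with VDL 0. The
     * second GUID in the VSS name is a placeholder, not a real store id. */
    static const uint8_t raw[8] = { 'S', 'H', 'A', 'D', 'O', 'W', '!', '!' };
    const char *vss = VSS_STORE_GUID "{PLACEHOLDER-STORE-GUID}";
    uint8_t out[8];

    vdl_info_t v = ntfs_vdl_classify(vss, sizeof raw, 0);
    vdl_info_t o = ntfs_vdl_classify("report.docx", sizeof raw, 0);

    printf("VSS store: kind=%d, plain read -> %zu non-zero bytes\n",
           (int)v.kind, ntfs_model_read(raw, sizeof raw, &v, 0, out));
    printf("ordinary : kind=%d, plain read -> %zu, with slack -> %zu\n",
           (int)o.kind, ntfs_model_read(raw, sizeof raw, &o, 0, out),
           ntfs_model_read(raw, sizeof raw, &o, 1, out));
    return 0;
}
```

The ordinary file with VDL 0 stays classified as VDL_SLACK rather than being silently promoted to fully initialized; that is the distinction between the restricted and the unrestricted version of the patch, and it is also why a tool applying the override needs to say so somewhere, since another tool reading the same MFT entry will still report an initialized size of 0.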