Re: [sleuthkit-users] Wrong results when reading System Volume Shadow Files
From: Luís F. N. <lfc...@gm...> - 2016-05-11 15:42:12
Thank you Brian for the great explanation. I posted my comments at the github issue too.

Luis

2016-05-11 11:03 GMT-03:00 Brian Carrier <ca...@sl...>:

> I posted my comments on the github issue to have a central place for this:
>
> https://github.com/sleuthkit/sleuthkit/issues/466
>
> Basic take away is that the data is available right now if you use ‘icat -s’
> to look at slack space (at least it was on my system). Autopsy does not let
> you view this though, so this could bump that feature up in priority. The
> suggested patch as it stands is too broad and would get rid of the idea of
> VDL slack for all files, which would be confusing. It should be restricted
> to just VSS files (as was already suggested), but then it could cause
> confusion between tools if those tools are reporting the initialized size
> as 0.
>
> > On May 3, 2016, at 12:27 PM, Luís Filipe Nassif <lfc...@gm...> wrote:
> >
> > Any chance of reviewing and committing Gabriel's patch before the next
> > release?
> >
> > Luis
> >
> > 2016-01-25 23:06 GMT-02:00 Luís Filipe Nassif <lfc...@gm...>:
> > Could a NTFS expert kindly take a look at Gabriel's patch? I think it is
> > important to have a fix, so VSS files could be properly hashed, indexed,
> > carved, etc.
> >
> > Luis
> >
> > 2016-01-18 9:11 GMT-02:00 Luís Filipe Nassif <lfc...@gm...>:
> > Hum, maybe testing the file name for the presence of
> > {3808876b-c176-4e48-b7ae-04046e6cc752} can restrict the patch only to VSS
> > files?
> >
> > Luis
> >
> > 2016-01-16 20:16 GMT-02:00 Gabriel Francisco <gab...@gm...>:
> > Hi,
> >
> > I'm having problems too with Volume Shadow files at the TSK (icat,
> > istat), including TSK 4.2 (same behaviour indicated by Nassif). The
> > problem with this type of file is caused by the attribute "initialized
> > stream size" or "Valid Data Length size" (VDL size).
> > Apparently, Microsoft has forced its value to zero to make these files
> > "invisible" to the normal Windows Backup process
> > (https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/).
> >
> > I don't have much familiarity with the TSK code, but I wrote one
> > possible solution to this problem, altering the "tsk/fs/ntfs.c" file,
> > at the "ntfs_proc_attrseq" function, adding a test to set "initsize" to
> > "ssize" when "initsize" is equal to zero. But I don't know if this
> > solution will cause problems with other types of files (like sparse or
> > virtual files) in NTFS. I didn't find a way to limit this test only to
> > the Volume Shadow Files, but it worked properly in my few test images.
> >
> > I'm sending the patch attached only to illustrate my message, because
> > I think that other users or TSK developers could implement a better
> > solution to this problem.
> >
> > Other references related to this problem:
> > https://github.com/sleuthkit/sleuthkit/issues/466 - [Windows Volume
> > Shadow Copy Files incorrectly decoded]
> > http://sourceforge.net/p/sleuthkit/mailman/message/22341633/ -
> > ([sleuthkit-developers] [ sleuthkit-Bugs-2367426 ] Fix NTFS VDL Slack
> > bug)
> > https://secureartisan.wordpress.com/2011/01/29/dc3-2011-day-2-and-3/ -
> > [VDL Slack in NTFS – David G Ferguson]
> >
> > Gabriel
> >
> >
> > On Wed, Jan 7, 2015 at 2:32 PM, Luís Filipe Nassif <lfc...@gm...> wrote:
> > > Did someone have time to look at the istat output? It is attached
> > > again.
> > >
> > > Thank you,
> > > Luis
> > >
> > > _______________________________________________
> > > sleuthkit-users mailing list
> > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > > http://www.sleuthkit.org
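For anyone following the VDL discussion above without TSK's ntfs.c open, here is an added example (my own illustration, not Sleuth Kit code and not Gabriel's attached patch) of what the "initialized size" field does to a read, and what restricting the workaround to file names carrying the {3808876b-c176-4e48-b7ae-04046e6cc752} GUID looks like next to the unrestricted initsize = ssize version. The header bytes, the file name and the 16 bytes of cluster content are constructed for the example; the field offsets (0x08 non-resident flag, 0x30 real size, 0x38 initialized size) are the on-disk NTFS non-resident attribute header layout.

```c
/* Added example, not Sleuth Kit code: how the NTFS "initialized size" (VDL)
 * of a non-resident attribute decides how much of a $DATA stream a reader
 * returns, and a VSS-only variant of the initsize = ssize workaround.
 * Header, file name and cluster bytes below are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint64_t real_size; /* 0x30: logical stream size ("ssize" in TSK's ntfs.c) */
    uint64_t init_size; /* 0x38: initialized size / VDL ("initsize" in ntfs.c) */
} nonres_sizes;

static uint64_t rd_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void wr_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Pull the two size fields out of a non-resident attribute header.
 * Returns 0 on success, -1 if the header is resident or truncated. */
int parse_nonres_sizes(const uint8_t *hdr, size_t len, nonres_sizes *out) {
    if (len < 0x40 || hdr[0x08] != 1) return -1; /* 0x08: non-resident flag */
    out->real_size = rd_le64(hdr + 0x30);
    out->init_size = rd_le64(hdr + 0x38);
    return 0;
}

/* GUID that appears in the names of VSS diff-area files (from the thread). */
static const char VSS_GUID[] = "{3808876b-c176-4e48-b7ae-04046e6cc752}";
int is_vss_file(const char *name) { return strstr(name, VSS_GUID) != NULL; }

/* Bytes a reader hands back as real content.  Plain NTFS semantics: anything
 * at or past init_size reads as zero (VDL slack).  With vss_fix set, a zero
 * VDL on a VSS diff-area file is treated as fully initialized (initsize =
 * ssize), but only for such files; other files keep their VDL slack. */
uint64_t effective_valid_size(const nonres_sizes *s, const char *name, int vss_fix) {
    uint64_t init = s->init_size;
    if (vss_fix && init == 0 && is_vss_file(name)) init = s->real_size;
    return init < s->real_size ? init : s->real_size;
}

/* Copy up to 'want' bytes of stream content from 'off', zero-filling the
 * VDL slack between 'valid' and real_size.  Returns bytes produced. */
size_t read_with_vdl(const uint8_t *clusters, const nonres_sizes *s,
                     uint64_t valid, uint64_t off, uint8_t *out, size_t want) {
    if (off >= s->real_size) return 0;
    uint64_t left = s->real_size - off;
    size_t n = left < want ? (size_t)left : want;
    for (size_t i = 0; i < n; i++) {
        uint64_t pos = off + i;
        out[i] = pos < valid ? clusters[pos] : 0;
    }
    return n;
}

/* Constructed sample: a VSS diff-area file name, a $DATA header whose VDL is
 * zero, and the 16 bytes that really sit in its cluster. */
static const char SAMPLE_NAME[] = "sample-{3808876b-c176-4e48-b7ae-04046e6cc752}";
static const char SAMPLE_DATA[] = "SHADOWCOPYDATA!!"; /* 16 bytes */

static void build_sample_header(uint8_t hdr[0x40]) {
    memset(hdr, 0, 0x40);
    hdr[0x08] = 1;            /* non-resident */
    wr_le64(hdr + 0x30, 16);  /* real size: 16 bytes */
    wr_le64(hdr + 0x38, 0);   /* initialized size: 0, the VSS quirk */
}

/* Valid-byte count the sample header yields for a given file name. */
uint64_t demo_valid_size(const char *name, int vss_fix) {
    uint8_t hdr[0x40]; nonres_sizes s;
    build_sample_header(hdr);
    if (parse_nonres_sizes(hdr, sizeof hdr, &s) != 0) return UINT64_MAX;
    return effective_valid_size(&s, name, vss_fix);
}

/* First byte a reader returns for the sample: 0 means it landed in VDL slack. */
int demo_first_byte(const char *name, int vss_fix) {
    uint8_t hdr[0x40], out[16]; nonres_sizes s;
    build_sample_header(hdr);
    if (parse_nonres_sizes(hdr, sizeof hdr, &s) != 0) return -1;
    uint64_t valid = effective_valid_size(&s, name, vss_fix);
    size_t n = read_with_vdl((const uint8_t *)SAMPLE_DATA, &s, valid, 0, out, sizeof out);
    return n == sizeof out ? out[0] : -1;
}

int main(void) {
    printf("VDL honoured: valid=%llu first byte=0x%02x\n",
           (unsigned long long)demo_valid_size(SAMPLE_NAME, 0), demo_first_byte(SAMPLE_NAME, 0));
    printf("VSS-only fix: valid=%llu first byte='%c'\n",
           (unsigned long long)demo_valid_size(SAMPLE_NAME, 1), demo_first_byte(SAMPLE_NAME, 1));
    return 0;
}
```

With the VDL honoured, the 16-byte read comes back as 16 zero bytes, which is why hashing, indexing and carving of these files go wrong even though the bytes are on disk (and, as Brian notes, `icat -s` reaches them as slack). With the name check in place, initsize is promoted to ssize for that file only; a regular file with a genuine zero VDL still reads as zeros, which is the behaviour the broad version of the patch would have lost.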