Re: [sleuthkit-developers] Update Sequence Number Journal support
From: noxdafox <nox...@gm...> - 2016-09-14 18:34:25
Hello,

I've been working on the feature for a while and I'd say it's ready for review.

https://github.com/sleuthkit/sleuthkit/pull/689

The PR comments explain the feature and the reason behind the implementation choices.

I'd postpone support for journal records versions 3 and 4:

* Hard to find examples out there; it's an early-stage feature.
* They are not enabled by default.
  https://msdn.microsoft.com/en-us/library/windows/desktop/dn302075%28v=vs.85%29.aspx
* In the case of v3 and v4 records, the logic will skip them, warning the user.

On 09/07/16 06:47, Brian Carrier wrote:
> Hello,
>
> Sorry for the very late replies. I certainly think it would be of interest to the TSK users. My 2 cents would be to take a look at the existing journal infrastructure in TSK that was not designed with the knowledge of NTFS structures (so it may be too limited). But, it would be good to try to enhance that versus adding in a parallel journal infrastructure. Examples of it can be found in ext2fs_journal.c and hfs_journal.c and it provides callbacks for each entry.
>
> thanks,
> brian
>
>> On Jun 28, 2016, at 12:49 PM, noxdafox <nox...@gm...> wrote:
>>
>> Greetings,
>>
>> recently I've been playing around with NTFS Update Sequence Number
>> Journals which I find a fairly good instrument for extracting timelines
>> from NTFS drives.
>>
>> I have been writing a few parsers for it, the last one being written in C.
>>
>> I was thinking about porting it to sleuthkit. Do you think it would be
>> beneficial for the library?
>>
>> The idea would be to expose a visitor API (in similar fashion as for
>> tsk_fs_dir_walk) and then a command line tool built on top of it.
>>
>> More info about UsnJrnl files:
>> https://msdn.microsoft.com/en-us/library/windows/desktop/aa365722%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396#
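As an added example, not code from the PR or from TSK itself, here is a minimal walker in the spirit of the visitor API discussed in the thread: it parses version 2 USN records from a buffer of $UsnJrnl:$J data, skips zero-filled sparse space, and skips v3/v4 records with a warning, which is the behaviour proposed above. Field offsets follow Microsoft's documented USN_RECORD_V2 layout; the sample records are constructed inline, and usn_walk, usn_put_record and usn_demo are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Fields of interest from USN_RECORD_V2; the UTF-16LE file name is narrowed to its low bytes here. */
typedef struct { uint64_t usn, file_ref, parent_ref, timestamp; uint32_t reason, attributes; char name[256]; } usn_entry_t;
typedef int (*usn_walk_cb)(const usn_entry_t *e, void *ctx); /* non-zero return stops the walk, like tsk_fs_dir_walk */
static uint64_t rd(const uint8_t *p, int n) { uint64_t v = 0; while (n--) v = (v << 8) | p[n]; return v; } /* little-endian read */
static void wr(uint8_t *p, uint64_t v, int n) { for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }
/* Walk a buffer of $J records and hand each v2 record to cb. Zero-filled (sparse) space is skipped;
   v3/v4 records are skipped with a warning. Returns records delivered, or -1 on a malformed record. */
int usn_walk(const uint8_t *buf, size_t len, usn_walk_cb cb, void *ctx) {
    size_t off = 0; int delivered = 0;
    while (off + 8 <= len) {
        uint32_t rlen = (uint32_t)rd(buf + off, 4);
        if (rlen == 0) { off += 8; continue; }                      /* sparse padding */
        if (rlen < 60 || rlen % 8 || off + rlen > len) return -1;   /* records are 8-byte aligned */
        unsigned major = (unsigned)rd(buf + off + 4, 2);
        if (major != 2) { fprintf(stderr, "warning: skipping USN record v%u at %zu\n", major, off); off += rlen; continue; }
        usn_entry_t e; memset(&e, 0, sizeof e);
        e.file_ref = rd(buf + off + 8, 8);  e.parent_ref = rd(buf + off + 16, 8);
        e.usn = rd(buf + off + 24, 8);      e.timestamp = rd(buf + off + 32, 8);   /* FILETIME */
        e.reason = (uint32_t)rd(buf + off + 40, 4); e.attributes = (uint32_t)rd(buf + off + 52, 4);
        size_t nlen = rd(buf + off + 56, 2), noff = rd(buf + off + 58, 2);
        if (noff < 60 || noff + nlen > rlen) return -1;           /* name must lie inside the record */
        size_t n = nlen / 2 < sizeof e.name - 1 ? nlen / 2 : sizeof e.name - 1;
        for (size_t i = 0; i < n; i++) e.name[i] = (char)buf[off + noff + 2 * i];
        delivered++; if (cb(&e, ctx)) break;
        off += rlen;
    }
    return delivered;
}
/* Build a constructed (not captured) record into dst; for major != 2 only the header matters (skip path). */
size_t usn_put_record(uint8_t *dst, unsigned major, uint64_t usn, uint32_t reason, const char *name) {
    size_t nlen = strlen(name) * 2, rlen = (60 + nlen + 7) & ~(size_t)7;
    memset(dst, 0, rlen);
    wr(dst, rlen, 4); wr(dst + 4, major, 2); wr(dst + 24, usn, 8); wr(dst + 40, reason, 4);
    wr(dst + 56, nlen, 2); wr(dst + 58, 60, 2);
    for (size_t i = 0; name[i]; i++) dst[60 + 2 * i] = (uint8_t)name[i];   /* ASCII -> UTF-16LE */
    return rlen;
}
static int count_cb(const usn_entry_t *e, void *ctx) { (*(int *)ctx)++; printf("USN %llu reason 0x%08x %s\n", (unsigned long long)e->usn, e->reason, e->name); return 0; }
/* Walk three constructed records (two v2, one v3) with a sparse gap; returns 1 if exactly two were delivered. */
int usn_demo(void) {
    uint8_t buf[512]; size_t len = 0; int seen = 0;
    len += usn_put_record(buf + len, 2, 1000, 0x00000100 /* USN_REASON_FILE_CREATE */, "a.txt");
    len += usn_put_record(buf + len, 3, 1080, 0x00000002 /* USN_REASON_DATA_EXTEND */, "new.dat");
    memset(buf + len, 0, 16); len += 16;                              /* zero-filled sparse region */
    len += usn_put_record(buf + len, 2, 1160, 0x80000000 /* USN_REASON_CLOSE */, "a.txt");
    return usn_walk(buf, len, count_cb, &seen) == 2 && seen == 2;
}
```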