Thread: [sleuthkit-developers] Update Sequence Number Journal support
Brought to you by:
carrier
From: noxdafox <nox...@gm...> - 2016-06-28 16:49:20
Greetings,

Recently I've been playing around with NTFS Update Sequence Number Journals, which I find a fairly good instrument for extracting timelines from NTFS drives.

I have been writing a few parsers for it, the last one being written in C.

I was thinking about porting it to sleuthkit. Do you think it would be beneficial for the library?

The idea would be to expose a visitor API (in a similar fashion to tsk_fs_dir_walk) and then a command line tool built on top of it.

More info about UsnJrnl files:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa365722%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396#
From: Brian C. <ca...@sl...> - 2016-07-09 03:47:53
Hello,

Sorry for the very late replies. I certainly think it would be of interest to the TSK users. My 2 cents would be to take a look at the existing journal infrastructure in TSK, which was not designed with knowledge of NTFS structures (so it may be too limited). But it would be good to try to enhance that versus adding a parallel journal infrastructure. Examples of it can be found in ext2fs_journal.c and hfs_journal.c, and it provides callbacks for each entry.

thanks,
brian
From: noxdafox <nox...@gm...> - 2016-07-09 08:35:46
Is there any specific reason why the APIs contained in the two files are not exposed? At least I could not find any reference in the documentation.
From: noxdafox <nox...@gm...> - 2016-09-14 18:34:25
Hello,

I've been working on the feature for a while and I'd say it's ready for review.

https://github.com/sleuthkit/sleuthkit/pull/689

The PR comments explain the feature and the reason behind the implementation choices.

I'd postpone the support for journal records version 3 and 4:

* Hard to find examples out there; it's an early-stage feature.
* They are not enabled by default. https://msdn.microsoft.com/en-us/library/windows/desktop/dn302075%28v=vs.85%29.aspx
* In case of v3 and v4 records, the logic will skip them, warning the user.
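Added example, not code from the thread or from the sleuthkit pull request: a small C walker over USN_RECORD_V2 entries written in the callback style the first message proposes (a visitor like tsk_fs_dir_walk), with the v2 record layout taken from the MSDN page linked in that message. It steps over the zero-filled runs found in $UsnJrnl:$J, reports and skips records whose MajorVersion is not 2 (the v3/v4 handling described above), and refuses a record that does not fit the buffer. The names usn_walk_v2, usn_record_v2, the USN_WALK_* values and the demo_* functions are this example's own; the sample bytes are constructed with put_record, not real journal data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Callback results, mirroring the continue/stop/error convention of
 * tsk_fs_dir_walk callbacks (these names are this example's own). */
typedef enum { USN_WALK_CONT = 0, USN_WALK_STOP, USN_WALK_ERROR } usn_walk_ret;

/* Decoded USN_RECORD_V2; field order and sizes follow the MSDN layout. */
typedef struct {
    uint32_t record_length;
    uint16_t major_version, minor_version;
    uint64_t file_ref;       /* MFT entry in the low 48 bits, sequence in the high 16 */
    uint64_t parent_ref;
    int64_t  usn;            /* byte offset of the record within $J */
    int64_t  timestamp;      /* FILETIME: 100 ns ticks since 1601-01-01 UTC */
    uint32_t reason, source_info, security_id, file_attributes;
    uint16_t name_length;    /* bytes of UTF-16LE file name */
    uint16_t name_offset;    /* from the start of the record */
    const uint8_t *name;     /* points into the caller's buffer */
} usn_record_v2;

typedef usn_walk_ret (*usn_record_cb)(const usn_record_v2 *rec, void *ctx);

#define USN_V2_HEADER_LEN 60   /* fixed part before FileName */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Walks a $J buffer and hands every well-formed v2 record to cb. Zero-filled
 * runs are stepped over in 8-byte units, non-v2 records are reported on stderr
 * and skipped, and a record that overruns the buffer ends the walk with -1.
 * Returns the number of records delivered to the callback. */
int usn_walk_v2(const uint8_t *buf, size_t len, usn_record_cb cb, void *ctx)
{
    size_t off = 0;
    int delivered = 0;
    while (off + 8 <= len) {
        uint32_t rlen = rd32(buf + off);
        if (rlen == 0) { off += 8; continue; }            /* padding / sparse run */
        if (rlen < USN_V2_HEADER_LEN || rlen % 8 != 0 || rlen > len - off) {
            fprintf(stderr, "malformed or truncated record at offset %zu\n", off);
            return -1;
        }
        const uint8_t *r = buf + off;
        uint16_t major = rd16(r + 4);
        if (major != 2) {                                  /* v3/v4: warn and skip */
            fprintf(stderr, "skipping unsupported v%u record at offset %zu\n", (unsigned)major, off);
            off += rlen;
            continue;
        }
        usn_record_v2 rec = {
            .record_length = rlen, .major_version = major, .minor_version = rd16(r + 6),
            .file_ref = rd64(r + 8), .parent_ref = rd64(r + 16),
            .usn = (int64_t)rd64(r + 24), .timestamp = (int64_t)rd64(r + 32),
            .reason = rd32(r + 40), .source_info = rd32(r + 44),
            .security_id = rd32(r + 48), .file_attributes = rd32(r + 52),
            .name_length = rd16(r + 56), .name_offset = rd16(r + 58),
        };
        if (rec.name_offset < USN_V2_HEADER_LEN || (size_t)rec.name_offset + rec.name_length > rlen) {
            fprintf(stderr, "file name overruns record at offset %zu\n", off);
            return -1;
        }
        rec.name = r + rec.name_offset;
        usn_walk_ret ret = cb(&rec, ctx);
        if (ret == USN_WALK_ERROR) return -1;
        delivered++;
        if (ret == USN_WALK_STOP) break;
        off += rlen;
    }
    return delivered;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Writes one constructed record (not real journal data) with an ASCII name as
 * UTF-16LE. A real v3/v4 body differs, but the walker only needs the common
 * RecordLength/MajorVersion header to recognise and skip it. */
static size_t put_record(uint8_t *out, uint16_t major, uint64_t usn, uint32_t reason, const char *name)
{
    size_t nlen = strlen(name) * 2;
    size_t rlen = (USN_V2_HEADER_LEN + nlen + 7) & ~(size_t)7;   /* 8-byte aligned */
    memset(out, 0, rlen);
    wr32(out, (uint32_t)rlen);
    wr16(out + 4, major);
    wr64(out + 8, 0x0001000000000040ULL);    /* MFT entry 64, sequence 1 */
    wr64(out + 16, 0x0005000000000005ULL);   /* parent: root directory, entry 5 */
    wr64(out + 24, usn);
    wr64(out + 32, 0x01D1D0F0E0D0C0B0ULL);   /* arbitrary FILETIME */
    wr32(out + 40, reason);
    wr16(out + 56, (uint16_t)nlen);
    wr16(out + 58, USN_V2_HEADER_LEN);
    for (size_t i = 0; name[i]; i++) out[USN_V2_HEADER_LEN + 2 * i] = (uint8_t)name[i];
    return rlen;
}

/* Constructed $J fragment: v2 create record, 16-byte zero gap, a v3 record the
 * walker must skip, then a v2 close record. USNs equal byte offsets. */
static size_t build_sample(uint8_t *buf)
{
    size_t off = 0;
    off += put_record(buf + off, 2, off, 0x00000100 /* USN_REASON_FILE_CREATE */, "a.txt");
    memset(buf + off, 0, 16); off += 16;
    off += put_record(buf + off, 3, off, 0x00000002 /* USN_REASON_DATA_EXTEND */, "skipme.bin");
    off += put_record(buf + off, 2, off, 0x80000000 /* USN_REASON_CLOSE */, "b.log");
    return off;
}

typedef struct { int count; int64_t last_usn; } demo_ctx;

static usn_walk_ret print_cb(const usn_record_v2 *rec, void *vctx)
{
    demo_ctx *c = vctx;
    c->count++;
    c->last_usn = rec->usn;
    printf("usn=%lld mft=%llu reason=0x%08x name=", (long long)rec->usn,
           (unsigned long long)(rec->file_ref & 0xFFFFFFFFFFFFULL), (unsigned)rec->reason);
    for (size_t i = 0; i + 1 < rec->name_length; i += 2)   /* print ASCII code units only */
        putchar(rec->name[i + 1] == 0 && rec->name[i] < 0x80 ? rec->name[i] : '?');
    putchar('\n');
    return USN_WALK_CONT;
}

/* Runs the walk over the sample, with `trim` bytes cut off the end of the buffer. */
static int run_sample(size_t trim, demo_ctx *c)
{
    uint8_t buf[512];
    size_t n = build_sample(buf);
    memset(c, 0, sizeof *c);
    return usn_walk_v2(buf, n - trim, print_cb, c);
}

int demo_count_v2_records(void) { demo_ctx c; return run_sample(0, &c); }           /* 2 */
long long demo_last_usn(void)   { demo_ctx c; run_sample(0, &c); return (long long)c.last_usn; } /* 168 */
int demo_truncated(void)        { demo_ctx c; return run_sample(8, &c); }           /* -1 */

int main(void)
{
    int n = demo_count_v2_records();
    printf("%d v2 records walked, last USN %lld\n", n, demo_last_usn());
    return n == 2 ? 0 : 1;
}
```

The walker deliberately validates RecordLength (minimum size, 8-byte multiple, fits the buffer) and the FileName offset/length against the record before the callback sees the struct, so a corrupt or truncated $J cannot push the reader past the buffer; a real implementation over a TSK file handle would read $J in chunks and carry a partial trailing record over to the next chunk instead of stopping.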
From: Jon S. <JSt...@St...> - 2016-06-28 17:26:39
My company released NTFS-Linker last year, which links with libtsk and Joachim Metz's libvshadow to parse $UsnJrnl and $LogFile entries on all volume shadow copies and the current state of the volume, and organizes them into a unified timeline in a sqlite database.

More information is here: http://strozfriedberg.github.io/ntfs-linker/

Cheers,

Jon
From: noxdafox <nox...@gm...> - 2016-06-28 17:12:15
There are a few open source and commercial solutions which rely on NTFS internals in order to retrieve data useful to build timelines of events.

My point is that sleuthkit is missing such a capability and I was wondering if the community would be interested in such a feature.

I'd rather ask than come with a pull request out of the blue :)