search for: fiwalk

Thank you all for your suggestions! Richard W.M. Jones: > I keep meaning to write a comprehensive "virt-diff" tool. I needed it > myself just yesterday. Most interesting. I guess there are two reasons for creating such a tool: just compare the images (show the diff) and/or check for malicious additions in the other image. Did you consider implementing the former or both? Do

Hi all, Piping in here as someone who has worked on file system and Registry differencing for a few years now. Taking diffs of a storage system is not a straightforward task. Hopefully, this message saves you some re-implementation heartache. In the forensics world, there is a tool called Fiwalk, which enumerates the contents of a file system and its metadata (with some basic data summaries, including libmagic and checksums). The tool "idifference" compares file system states and enumerates differences, using the Digital Forensics XML output from Fiwalk. A research publication...

...istry hive. Although this may seem verbose, it makes processing the data significantly easier. Is working with the hivexml system in a production environment? If so, do you have any thoughts on this matter? You can find an example of the digital forensics XML at: http://www.forensicswiki.org/wiki/Fiwalk Regards, Simson Garfinkel

...y: Alex Nelson <ajnelson at cs.ucsc.edu> --- xml/hivexml.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index cf11676..5030c24 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@ -169,6 +169,10 @@ main (int argc, char *argv[]) * fiwalk.cpp. * * The caller should free the returned buffer. + * + * This function returns NULL on a 0 input. In the context of + * hives, which only have mtimes, 0 will always be a complete + * absence of data. */ #define WINDOWS_TICK 10000000LL @@ -182,6 +186,9 @@ filetime_to_8601 (int64_t wind...

...0LL +#define SEC_TO_UNIX_EPOCH 11644473600LL +/** + * Convert Windows filetime to ISO 8601 format. + * Source for filetime->time_t conversion: http://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux/6161842#6161842 + * Source for time_t->char* conversion: Fiwalk version 0.6.14's fiwalk.cpp. + * @param windows_ticks Expected to not have any remaining Endian issues. + */ +int +filetime_to_8601 (char *buf, int bufsize, uint64_t windows_ticks) +{ + if (buf == NULL) { + fprintf (stderr, "filetime_to_8601: Received null output buffer, unable to proc...

...0LL +#define SEC_TO_UNIX_EPOCH 11644473600LL +/** + * Convert Windows filetime to ISO 8601 format. + * Source for filetime->time_t conversion: http://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux/6161842#6161842 + * Source for time_t->char* conversion: Fiwalk version 0.6.14's fiwalk.cpp. + * @param windows_ticks Expected to not have any remaining Endian issues. + * + * Caller is responsible for freeing non-null returned buffer. + */ +char * +filetime_to_8601 (int64_t windows_ticks) +{ + char *ret = calloc (1 + TIMESTAMP_BUF_LEN, sizeof (char)); +...

...0LL +#define SEC_TO_UNIX_EPOCH 11644473600LL +/** + * Convert Windows filetime to ISO 8601 format. + * Source for filetime->time_t conversion: http://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux/6161842#6161842 + * Source for time_t->char* conversion: Fiwalk version 0.6.14's fiwalk.cpp. + * @param windows_ticks Expected to not have any remaining Endian issues. + */ +int +filetime_to_8601 (char *buf, int bufsize, uint64_t windows_ticks) +{ + if (buf == NULL) { + fprintf (stderr, "filetime_to_8601: Received null output buffer, unable to proc...