search for: ntfscat

Displaying 20 results from an estimated 30 matches for "ntfscat".

2016 Feb 29
0
[PATCH 2/2] added ntfscat_i tests
The test is based on the file signature; it checks whether the extracted file is the $MFT. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- Makefile.am | 1 + configure.ac | 1 + generator/actions.ml | 6 ++++- tests/ntfscat/Makefile.am | 26 +++++++++++++++++++++ tests/ntfscat/test-ntfscat.sh | 53 +++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 tests/ntfscat/Makefile.am create mode 100755 tests/ntfscat/test-ntfscat.sh diff --git a/Makefile.am b/Ma...
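The test described in that commit message decides by file signature whether the blob extracted by `ntfscat_i` is the $MFT. As an added illustration, not the project's own test-ntfscat.sh (which is not shown on this page), the following Python performs that check more thoroughly: it validates the `FILE` signature of each MFT record, verifies and undoes the NTFS update-sequence ("fixup") array, and confirms that the record numbers stored in the headers run 0, 1, 2, ... as they must in a genuine $MFT. The sample records are constructed inside the script; `build_record`, `looks_like_mft` and all other names are this example's own, and the record-number field at offset 0x2C assumes the NTFS 3.1 (Windows XP and later) record layout.

```python
"""Validate that a blob extracted from an NTFS image (for example with
`ntfscat -i 0 /dev/sdXX`, inode 0 being the $MFT itself) really is the $MFT,
by parsing and checking its FILE records. Example code, not part of libguestfs."""
import struct

MFT_SIGNATURE = b"FILE"
SECTOR = 512
HEADER_SIZE = 0x30          # fixed part of the FILE record header (NTFS 3.1)
ATTR_END = 0xFFFFFFFF       # terminator of a record's attribute list


def apply_fixups(record: bytes) -> bytes:
    """Verify and undo the update-sequence ('fixup') array of one FILE record.

    NTFS overwrites the last two bytes of every 512-byte sector of a record
    with the update sequence number (USN) and keeps the original bytes in the
    update sequence array (USA). A torn write, or a blob that is not an MFT
    record at all, shows up as a USN mismatch, so this doubles as a strong
    signature check. Raises ValueError on any inconsistency."""
    if len(record) < HEADER_SIZE or record[:4] != MFT_SIGNATURE:
        raise ValueError("missing FILE signature")
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    sectors = len(record) // SECTOR
    if usa_count != sectors + 1 or usa_offset + 2 * usa_count > len(record):
        raise ValueError("bad update sequence array geometry")
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(sectors):
        end = (i + 1) * SECTOR
        if record[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        saved = usa_offset + 2 * (i + 1)
        fixed[end - 2:end] = record[saved:saved + 2]
    return bytes(fixed)


def parse_record_header(record: bytes) -> dict:
    """Decode the fixed header of a FILE record after validating its fixups."""
    fixed = apply_fixups(record)
    (lsn, seq, links, attr_off, flags, used, alloc,
     base_ref, next_attr_id) = struct.unpack_from("<QHHHHIIQH", fixed, 8)
    record_number = struct.unpack_from("<I", fixed, 0x2C)[0]
    if alloc != len(record) or used > alloc or not HEADER_SIZE <= attr_off < used:
        raise ValueError("inconsistent record sizes")
    return {
        "lsn": lsn, "sequence": seq, "links": links, "attr_offset": attr_off,
        "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
        "used": used, "allocated": alloc, "base_ref": base_ref,
        "next_attr_id": next_attr_id, "record_number": record_number,
    }


def looks_like_mft(data: bytes, record_size: int = 1024, max_records: int = 16) -> bool:
    """Heuristic: the blob is an $MFT if its first records (0..15 are the
    reserved system files and are always present) all validate and carry an
    MFT record number equal to their position in the file."""
    if len(data) < record_size:
        return False
    count = min(max_records, len(data) // record_size)
    for i in range(count):
        try:
            hdr = parse_record_header(data[i * record_size:(i + 1) * record_size])
        except ValueError:
            return False
        if hdr["record_number"] != i:
            return False
    return True


def build_record(record_number: int, record_size: int = 1024, usn: int = 0x0001) -> bytes:
    """Construct a minimal in-use FILE record with a correct fixup array.
    Constructed test data, not taken from any real volume."""
    sectors = record_size // SECTOR
    usa_count = sectors + 1
    usa_offset = HEADER_SIZE
    attr_off = (usa_offset + 2 * usa_count + 7) & ~7   # attributes are 8-byte aligned
    rec = bytearray(record_size)
    rec[0:4] = MFT_SIGNATURE
    struct.pack_into("<HH", rec, 4, usa_offset, usa_count)
    struct.pack_into("<QHHHHIIQH", rec, 8,
                     0, 1, 1, attr_off, 0x0001, attr_off + 8, record_size, 0, 0)
    struct.pack_into("<I", rec, 0x2C, record_number)
    struct.pack_into("<I", rec, attr_off, ATTR_END)
    struct.pack_into("<H", rec, usa_offset, usn)
    for i in range(sectors):      # save each sector's tail in the USA, then stamp the USN over it
        end = (i + 1) * SECTOR
        rec[usa_offset + 2 * (i + 1):usa_offset + 2 * (i + 2)] = rec[end - 2:end]
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)


# Constructed sample: records 0 ($MFT) and 1 ($MFTMirr) of a pretend volume.
SAMPLE_MFT = build_record(0) + build_record(1)

if __name__ == "__main__":
    print("sample is $MFT:", looks_like_mft(SAMPLE_MFT))
    print("record 1 header:", parse_record_header(SAMPLE_MFT[1024:2048]))
```

Feeding the output of `ntfscat -i 0 /dev/sdXX` to `looks_like_mft` is a stronger acceptance test than matching the first four bytes: a file that merely starts with `FILE` but fails its fixups or has out-of-order record numbers is rejected, which is the failure mode a silently broken extraction path would produce.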
2016 Feb 29
2
[PATCH 1/2] added ntfscat_i api
Adding ntfscat_i command for downloading files based on their inode number. This allows the download of files inaccessible otherwise from a NTFS guest disk image. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/ntfs.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ generato...
2016 Mar 01
1
[PATCH] tests: move ntfs tests in a single directory
Move test-ntfscat.sh and test-ntfsclone.sh in a single ntfs directory, much like the tests for other filesystems. --- Makefile.am | 3 +- configure.ac | 3 +- tests/ntfs/Makefile.am | 27 +++++++++++++++++ tests/ntfs/test-ntfscat.sh | 53 +++++++++++++++...
2016 Mar 02
2
Re: Libguestfs as filesystem forensic tool
...nd especially hivex) are > already used in this way. > > Anyhow you're free to fork libguestfs provided you obey the license. > It may be easier/less work if you submit patches upstream where they > make sense for the upstream project, such as generally useful APIs > (like the ntfscat-i API). One of the patches I'm talking about would add TSK (The Sleuth Kit) as a dependency within the appliance. This would bring new APIs such as: 'fls', a more powerful 'ls' command allowing one to get a list of deleted files or timelines at a given path. 'icat' similar...
2016 Feb 02
2
Re: extract NTFS Master File Table for analysis
On Tue, Feb 02, 2016 at 07:40:12PM +0200, noxdafox wrote: > Greetings, > > I'm playing around an idea and I'd like to ask you some questions. > > I'd like to extract the MFT table from a disk image file. The idea > is to employ it to build a sort of reverse lookup table which, given > a cluster, could retrieve the corresponding file with the related >
2016 Mar 02
2
Libguestfs as filesystem forensic tool
Greetings, I am playing around with the idea of using libguestfs as a forensic tool to investigate VM disk images. Some example use cases: * Sandbox for malware analysis. * Incident response in cloud environments. Libguestfs is a precious resource in this case as it allows one to abstract the disk image internals and expose them as mountable devices. Combined with some state of the art
2016 Mar 02
0
[PATCH] daemon: ntfs: fix format strings
...h from asprintf_nowarn to asprintf, since no custom formats (eg %Q, %R) are used. --- daemon/ntfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/daemon/ntfs.c b/daemon/ntfs.c index 92088f7..e555c63 100644 --- a/daemon/ntfs.c +++ b/daemon/ntfs.c @@ -282,8 +282,8 @@ do_ntfscat_i (const mountable_t *mountable, int64_t inode) } /* Construct the command. */ - if (asprintf_nowarn (&cmd, "ntfscat -i %ld %s", - inode, mountable->device) == -1) { + if (asprintf (&cmd, "ntfscat -i %" PRIi64 " %s", +...
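Review bot: the switch from `%ld` to `%" PRIi64 "` in do_ntfscat_i is the right fix, because `inode` is declared `int64_t` and `%ld` only matches it on targets where `long` is 64 bits (on 32-bit builds int64_t is `long long`, so the old format was wrong there and the `_nowarn` variant presumably kept the compiler's format checking from reporting it); make sure daemon/ntfs.c includes <inttypes.h> so PRIi64 is defined, since the hunk does not show it. Dropping asprintf_nowarn for plain asprintf is justified by the commit message, as the format has no %Q/%R conversions. One thing worth confirming outside this hunk: `mountable->device` is interpolated unquoted into `cmd`, which is fine if the string is split into an argument vector by the command runner but not if it is ever handed to a shell.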
2016 Mar 02
1
Re: Libguestfs as filesystem forensic tool
...add TSK (The Sleuth Kit) >> as a dependency within the appliance. >> >> This would bring new APIs such as: >> 'fls', a more powerful 'ls' command allowing one to get a list of deleted >> files or timelines at a given path. >> 'icat' similar to ntfscat-i but it supports multiple FS. >> >> Yet I'm not sure whether it's desirable as it is for a narrow use >> case and on my Debian box TSK is a 12Mb binary. > Yes that's a rather large dependency. > > However it's possible to use optgroups ["optional"...
2016 Feb 18
0
Re: extract NTFS Master File Table for analysis
...F and C:\$LogFile, it can list C:\$Extend content but it cannot access those files. Curiously enough, the stat() syscall on C:\$Extend\$UsnJrnl seems to work and returns the correct inode number. Yet the size is wrong as it reports 0 while the real one is > 9Mb. The next step I tried was to use the ntfscat command in the following manner: ntfscat -i <UsnJrnl inode number> /dev/sdXX and it worked flawlessly. So I proceeded adding such an API to libguestfs and I could extract the journal without any issue. The UsnJrnl file is very handy to check what changes were made on disk. Not only it's...
2016 Feb 21
2
[PATCH] added ntfscat_i api
Adding ntfscat_i command for downloading files based on their inode number. This allows the download of files inaccessible otherwise from a NTFS guest disk image. --- daemon/ntfs.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 15 +++++++++++++ 2 files changed, 77 inse...
2016 May 19
0
[PATCH 1/3] tests: specify the image format when possible
...-img.pl | 6 +++--- tests/gdisk/test-expand-gpt.pl | 4 ++-- tests/md/test-inspect-fstab-md.sh | 6 +++--- tests/md/test-inspect-fstab.sh | 8 ++++---- tests/md/test-list-md-devices.sh | 2 +- tests/mountable/test-mountable-inspect.sh | 4 ++-- tests/ntfs/test-ntfscat.sh | 2 +- tests/ntfs/test-ntfsclone.sh | 2 +- tests/regressions/rhbz1011907-1165785.sh | 4 ++-- tests/regressions/rhbz1054761.sh | 2 +- tests/regressions/rhbz1174551.sh | 2 +- tests/regressions/rhbz1285847.sh | 2 +- tests/regressions/rhb...
2016 Feb 22
2
Re: [PATCH] added ntfscat_i api
On 22/02/16 17:26, Richard W.M. Jones wrote: > On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: >> Adding ntfscat_i command for downloading files based on their inode number. >> >> This allows the download of files inaccessible otherwise from a NTFS guest disk image. > The patch seems fine, but it really needs a test otherwise this > feature could silently break. I was thinking the same but I...
2016 May 19
6
[PATCH 0/3] misc tests-only changes
...pl | 6 +++--- tests/gdisk/test-expand-gpt.pl | 4 ++-- tests/md/test-inspect-fstab-md.sh | 6 +++--- tests/md/test-inspect-fstab.sh | 8 +++---- tests/md/test-list-md-devices.sh | 2 +- tests/mountable/test-mountable-inspect.sh | 4 ++-- tests/ntfs/test-ntfscat.sh | 2 +- tests/ntfs/test-ntfsclone.sh | 2 +- tests/regressions/rhbz1011907-1165785.sh | 4 ++-- tests/regressions/rhbz1054761.sh | 2 +- tests/regressions/rhbz1174551.sh | 2 +- tests/regressions/rhbz1285847.sh | 2 +- tests/regressio...
2016 Mar 02
0
Re: Libguestfs as filesystem forensic tool
...elieve parts of libguestfs (and especially hivex) are already used in this way. Anyhow you're free to fork libguestfs provided you obey the license. It may be easier/less work if you submit patches upstream where they make sense for the upstream project, such as generally useful APIs (like the ntfscat-i API). Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 100 libraries supported. http://...
2016 Mar 02
0
Re: Libguestfs as filesystem forensic tool
...'m talking about would add TSK (The Sleuth Kit) > as a dependency within the appliance. > > This would bring new APIs such as: > 'fls', a more powerful 'ls' command allowing one to get a list of deleted > files or timelines at a given path. > 'icat' similar to ntfscat-i but it supports multiple FS. > > Yet I'm not sure whether it's desirable as it is for a narrow use > case and on my Debian box TSK is a 12Mb binary. Yes that's a rather large dependency. However it's possible to use optgroups ["optional" field in generator/ac...
2016 Feb 22
0
Re: [PATCH] added ntfscat_i api
On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: > Adding ntfscat_i command for downloading files based on their inode number. > > This allows the download of files inaccessible otherwise from a NTFS guest disk image. The patch seems fine, but it really needs a test otherwise this feature could silently break. Have a look at the tests/ntfsclone/ subdirect...
2012 Dec 16
1
read-write in LIBGUESTFS 1.20
How can I open a virtual disk in read-write mode? # guestmount --rw -d winxp -m /dev/sda1 /media/ # rm -f /media/pagefile.sys rm: cannot remove '/media/pagefile.sys': Operation not permitted # cd /media && touch file touch: cannot touch 'file': Permission denied # cd && fusermount -u /media I've tried with guestfish also. I have compiled libguestfs with this conf:
2016 Feb 22
0
Re: [PATCH] added ntfscat_i api
On Mon, Feb 22, 2016 at 07:23:45PM +0200, noxdafox wrote: > On 22/02/16 17:26, Richard W.M. Jones wrote: > >On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: > >>Adding ntfscat_i command for downloading files based on their inode number. > >> > >>This allows the download of files inaccessible otherwise from a NTFS guest disk image. > >The patch seems fine, but it really needs a test otherwise this > >feature could silently break. > I was th...
2016 Mar 06
5
[PATCH 0/2] added icat and fls0 APIs for deleted files recovery
...sg00018.html I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth Kit. http://www.sleuthkit.org/ The two APIs I'm adding with the patch are a simple example of which type of features TSK can enable. The icat API is very similar to the previously added ntfscat_i but it works with multiple filesystem types and has an interesting added value: it can extract deleted files. The end result heavily depends on the filesystem internals and on how much it has been used. On FAT, Ext2 and NTFS it can recover part or the whole file pretty easily as long as it's...
2016 Feb 22
2
Re: [PATCH] added ntfscat_i api
On 22/02/16 19:43, Richard W.M. Jones wrote: > On Mon, Feb 22, 2016 at 07:23:45PM +0200, noxdafox wrote: >> On 22/02/16 17:26, Richard W.M. Jones wrote: >>> On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: >>>> Adding ntfscat_i command for downloading files based on their inode number. >>>> >>>> This allows the download of files inaccessible otherwise from a NTFS guest disk image. >>> The patch seems fine, but it really needs a test otherwise this >>> feature could silently break...