search for: ntfscat

Test is based on file signature, it checks whether the extracted file is the $MFT. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- Makefile.am | 1 + configure.ac | 1 + generator/actions.ml | 6 ++++- tests/ntfscat/Makefile.am | 26 +++++++++++++++++++++ tests/ntfscat/test-ntfscat.sh | 53 +++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 tests/ntfscat/Makefile.am create mode 100755 tests/ntfscat/test-ntfscat.sh diff --git a/Makefile.am b/Ma...

Adding ntfscat_i command for downloading files based on their inode number. This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/ntfs.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ generato...

Move test-ntfscat.sh and test-ntfsclone.sh in a single ntfs directory, much like the tests for other filesystems. --- Makefile.am | 3 +- configure.ac | 3 +- tests/ntfs/Makefile.am | 27 +++++++++++++++++ tests/ntfs/test-ntfscat.sh | 53 +++++++++++++++...

...nd especially hivex) are > already used in this way. > > Anyhow you're free to fork libguestfs provided you obey the license. > It may be easier/less work if you submit patches upstream where they > make sense for the upstream project, such as generally useful APIs > (like the ntfscat-i API). One of the patches I'm talking about would add TSK (The Sleuth Kit) as a dependency within the appliance. This would bring new APIs such as: 'fls' more powerful 'ls' command allowing to get list of deleted files or timelines at a given path. 'icat' similar...

On Tue, Feb 02, 2016 at 07:40:12PM +0200, noxdafox wrote: > Greetings, > > I'm playing around an idea and I'd like to ask you some questions. > > I'd like to extract the MFT table from a disk image file. The idea > is to employ it to build a sort of reverse lookup table which, given > a cluster, could retrieve the corresponding file with the related >

Greetings, I am playing around with the idea of using libguestfs as a forensic tool to investigate VM disk images. Some use cases as example: * Sandbox for malware analysis. * Incident response in cloud environments. Libguestfs is a precious resource in this case as it allows to abstract the disk image internals and expose them as mountable devices. Combined with some state of the art

...h from asprintf_nowarn to asprintf, since no custom formats (eg %Q, %R) are used. --- daemon/ntfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/daemon/ntfs.c b/daemon/ntfs.c index 92088f7..e555c63 100644 --- a/daemon/ntfs.c +++ b/daemon/ntfs.c @@ -282,8 +282,8 @@ do_ntfscat_i (const mountable_t *mountable, int64_t inode) } /* Construct the command. */ - if (asprintf_nowarn (&cmd, "ntfscat -i %ld %s", - inode, mountable->device) == -1) { + if (asprintf (&cmd, "ntfscat -i %" PRIi64 " %s", +...

...add TSK (The Sleuth Kit) >> as a dependency within the appliance. >> >> This would bring new APIs such as: >> 'fls' more powerful 'ls' command allowing to get list of deleted >> files or timelines at a given path. >> 'icat' similar to ntfscat-i but it supports multiple FS. >> >> Yet I'm not sure whether it's desirable as it is for a narrow use >> case and on my Debian box TSK is a 12Mb binary. > Yes that's a rather large dependency. > > However it's possible to use optgroups ["optional&quo...

...F and C:\$LogFile, it can list C:\$Extend content but it cannot access those files. Curiously enough, stat() syscall on C:\$Extend\$UsnJrnl seems to work and returns the correct inode number. Yet the size is wrong as it reports 0 while the real one is > 9Mb. The next step I tried was to use ntfscat command in the following manner: ntfscat -i <UsnJrnl inode number> /dev/sdXX and it worked flawlessly. So I proceeded adding such API to libguestfs and I could extract the journal without any issue. The UsnJrnl file is very handy to check what changes were made on disk. Not only it's...

Adding ntfscat_i command for downloading files based on their inode number. This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. --- daemon/ntfs.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 15 +++++++++++++ 2 files changed, 77 inse...

...-img.pl | 6 +++--- tests/gdisk/test-expand-gpt.pl | 4 ++-- tests/md/test-inspect-fstab-md.sh | 6 +++--- tests/md/test-inspect-fstab.sh | 8 ++++---- tests/md/test-list-md-devices.sh | 2 +- tests/mountable/test-mountable-inspect.sh | 4 ++-- tests/ntfs/test-ntfscat.sh | 2 +- tests/ntfs/test-ntfsclone.sh | 2 +- tests/regressions/rhbz1011907-1165785.sh | 4 ++-- tests/regressions/rhbz1054761.sh | 2 +- tests/regressions/rhbz1174551.sh | 2 +- tests/regressions/rhbz1285847.sh | 2 +- tests/regressions/rhb...

On 22/02/16 17:26, Richard W.M. Jones wrote: > On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: >> Adding ntfscat_i command for downloading files based on their inode number. >> >> This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. > The patch seems fine, but it really needs a test otherwise this > feature could silently break. I was thinking the same but I...

...pl | 6 +++--- tests/gdisk/test-expand-gpt.pl | 4 ++-- tests/md/test-inspect-fstab-md.sh | 6 +++--- tests/md/test-inspect-fstab.sh | 8 +++---- tests/md/test-list-md-devices.sh | 2 +- tests/mountable/test-mountable-inspect.sh | 4 ++-- tests/ntfs/test-ntfscat.sh | 2 +- tests/ntfs/test-ntfsclone.sh | 2 +- tests/regressions/rhbz1011907-1165785.sh | 4 ++-- tests/regressions/rhbz1054761.sh | 2 +- tests/regressions/rhbz1174551.sh | 2 +- tests/regressions/rhbz1285847.sh | 2 +- tests/regressio...

...elieve parts of libguestfs (and especially hivex) are already used in this way. Anyhow you're free to fork libguestfs provided you obey the license. It may be easier/less work if you submit patches upstream where they make sense for the upstream project, such as generally useful APIs (like the ntfscat-i API). Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 100 libraries supported. http://...

...#39;m talking about would add TSK (The Sleuth Kit) > as a dependency within the appliance. > > This would bring new APIs such as: > 'fls' more powerful 'ls' command allowing to get list of deleted > files or timelines at a given path. > 'icat' similar to ntfscat-i but it supports multiple FS. > > Yet I'm not sure whether it's desirable as it is for a narrow use > case and on my Debian box TSK is a 12Mb binary. Yes that's a rather large dependency. However it's possible to use optgroups ["optional" field in generator/ac...

On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: > Adding ntfscat_i command for downloading files based on their inode number. > > This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. The patch seems fine, but it really needs a test otherwise this feature could silently break. Have a look at the tests/ntfsclone/ subdirect...

How can i open a virtual disk in read-write mode ? # guestmount --rw -d winxp -m /dev/sda1 /media/ # rm -f /media/pagefile.sys rm: cannot remove ?/media/pagefile.sys?: Operation not permitted # cd /media && touch file touch: cannot touch ?file?: Permission denied # cd && fusermount -u /media I've tried with guestfish also. I have compiled libguestfs with this conf:

On Mon, Feb 22, 2016 at 07:23:45PM +0200, noxdafox wrote: > On 22/02/16 17:26, Richard W.M. Jones wrote: > >On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: > >>Adding ntfscat_i command for downloading files based on their inode number. > >> > >>This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. > >The patch seems fine, but it really needs a test otherwise this > >feature could silently break. > I was th...

...sg00018.html I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth Kit. http://www.sleuthkit.org/ The two APIs I'm adding with the patch are a simple example of which type of features TSK can enable. The icat API it's very similar to the previously added ntfscat_i but it works with multiple filesystem types and has an interesting added value: it can extract deleted files. The end result heavily depends on the filesystem internals and on how much it has been used. On FAT, Ext2 and NTFS it can recover part or the whole file pretty easily as long as it's...

On 22/02/16 19:43, Richard W.M. Jones wrote: > On Mon, Feb 22, 2016 at 07:23:45PM +0200, noxdafox wrote: >> On 22/02/16 17:26, Richard W.M. Jones wrote: >>> On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: >>>> Adding ntfscat_i command for downloading files based on their inode number. >>>> >>>> This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. >>> The patch seems fine, but it really needs a test otherwise this >>> feature could silently break...