Closed keydet89 closed 1 year ago
Hi,
I'm not sure I understand your issue. Could you please provide the full definition of your artefact?
Additionally, the ForensicArtifacts repository already has a definition for the MFT, LogFile and UsnJrnl files.
Okay, thank you. At the time I submitted this issue, only the following was available in the ntfs.yaml file:
name: NTFSMFTFiles
doc: |
  The NTFS $MFT and $MFTMirr file system metadata files.

  GRR collection note: you currently need to specify 'use tsk' and 'ignore download size limits' for this artifact to work. This will go away in the future.
sources:
- type: FILE
  attributes:
    paths:
name: NTFSLogFile
doc: |
  The NTFS $LogFile file system metadata file.

  GRR collection note: you currently need to specify 'use tsk' and 'ignore download size limits' for this artifact to work. This will go away in the future.
sources:
Based on your artifact and the difference with the official repository, I could say your separator value does not match the one used in the paths definition.
name: NTFSLogFile
doc: The NTFS $LogFile file system metadata file.
sources:
- type: FILE
  attributes:
    paths: ['%%environ_systemdrive%%\$LogFile']
    separator: '\'
urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/file_systems/NTFS.html']
supported_os: [Windows]
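As an added example (not code from the ForensicArtifacts project or from anyone in this thread), a small Python check for the mismatch pointed out above: it compares a FILE source's declared `separator` with the separator characters actually present in its `paths`. The two definitions are constructed Python dicts rather than parsed YAML, and the fallback of `/` is the default the artifact format documents when `separator` is omitted.

```python
# Added example: flag FILE sources whose declared separator disagrees with the
# separators used in their paths. Definitions are constructed Python dicts here
# so no YAML parser is required.
import re

DEFAULT_SEPARATOR = "/"  # the artifact format's documented default when 'separator' is omitted
_VAR = re.compile(r"%%[^%]+%%")  # parameter expansions such as %%environ_systemdrive%%


def path_separators(path):
    """Return the set of separator characters ('/' or '\\') found in a path,
    ignoring anything inside %%...%% expansions."""
    return {c for c in _VAR.sub("", path) if c in "/\\"}


def check_separators(artifact):
    """Return (artifact name, path, declared separator, separators found) for
    every FILE path whose separators disagree with the source's declaration."""
    problems = []
    for source in artifact.get("sources", []):
        if source.get("type") != "FILE":
            continue
        attrs = source.get("attributes", {})
        declared = attrs.get("separator", DEFAULT_SEPARATOR)
        for path in attrs.get("paths", []):
            found = path_separators(path)
            if found and found != {declared}:
                problems.append((artifact["name"], path, declared, "".join(sorted(found))))
    return problems


# Constructed definitions: BROKEN uses backslash paths but omits 'separator'
# (so '/' is assumed), which is the mismatch discussed in the thread; FIXED
# declares the backslash separator as the official definition does.
BROKEN = {
    "name": "NTFSMFTFiles",
    "sources": [{"type": "FILE", "attributes": {
        "paths": [r"%%environ_systemdrive%%\$MFT",
                  r"%%environ_systemdrive%%\$Extend\$UsnJrnl:$J"]}}],
}
FIXED = {
    "name": "NTFSMFTFiles",
    "sources": [{"type": "FILE", "attributes": {
        "paths": [r"%%environ_systemdrive%%\$MFT",
                  r"%%environ_systemdrive%%\$Extend\$UsnJrnl:$J"],
        "separator": "\\"}}],
}

if __name__ == "__main__":
    for name, path, declared, found in check_separators(BROKEN):
        print(f"{name}: path {path!r} uses {found!r} but separator is {declared!r}")
    print("problems in fixed definition:", check_separators(FIXED))
```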
I'd like to add "- '%%environ_systemdrive%%\$Extend\$UsnJrnl:$J'" to the NTFSMFTFiles definition (which I did, adding the line to the ntfs.yaml file), but be able to actually collect it.
Running fastir_artifacts -i NTFSMFTfiles -d .\share\artifacts -o ., I can collect the MFT and MFT Mirror files, but not the USN Change Journal.
Thanks.