scudette
commented
1 year ago Thanks for this - I didnt look at the flags because I was not sure which is the more authoritative source - the flags or the presence of IDX streams. I am happy to take your guidance that the flags are better.
This fix makes it possible to use glob() to just read the $SDS stream . To read the index stream we need to go into the more complete stream reading API but that's expected. I added the KapeFiles $SDS target back now.
For some unknown reason, the
Stat()function in easy.go was not using the MFT header flag to determine if an entry represents a directory. Instead it was setting an entry to be a directory if it had an INDEX_ROOT or INDEXALLOCATION attribute, which is not guaranteed to be correct. Usually the INDEX entries are $I30 streams, but not always, such as in the case of $SDS file (which does not have $I30 streams but has $SDH and $SDI streams which are INDEX_ type).This has now been fixed to just use the MFT header flag, which is the definitive source. With this change, the Velociraptor project will no longer need special treatment for fetching $SDS files, ie, no need for Windows.Triage.SDS.