scudette
commented
1 month ago This is interesting as the lazy_ntfs is just an alias to the regular ntfs accessor these days (they used to be different in the distant past).
Open hunt3vil opened 2 months ago
scudette
commented
1 month ago This is interesting as the lazy_ntfs is just an alias to the regular ntfs accessor these days (they used to be different in the distant past).
hunt3vil
commented
1 month ago OK. So my report is incorrect because inside the KapeFile artifact it is the "auto" accessor that is used by default for everything set to "lazy_ntfs". Updated the issue title
We use an offline collector with the KapeFiles artifact. With default configuration the collector uses lazy_ntfs for registry hives and does not pull Windows\System32\config\SOFTWARE for example. However, when I changed the accessor to ntfs the collector correctly pulled the SOFTWARE registry hive file.