Status: Closed (Fierry137 closed this issue 3 months ago)
Did some more testing with target-mount in both versions:
Dissect 3.13 only exposes the sysvol folder when navigating to the fs folder.
Dissect 3.12 exposes both the c: and sysvol folders.
Thanks for reporting this, we have someone internally who has done FOR508 recently, but unfortunately he doesn't have the same image, which makes debugging a bit more difficult.
I have a suspicion on what breaks, but would like to know a bit more about the image. The name suggests it's an image of just the C drive, can you confirm if that's the case? Meaning it doesn't have a partition table, but starts immediately with the NTFS header.
That does indeed seem to be the case:
base-rd04/mounting/disks# xxd disk_0 | head -n 20
00000000: eb52 904e 5446 5320 2020 2000 0208 0000 .R.NTFS .....
00000010: 0000 0000 00f8 0000 3f00 ff00 00a8 0f00 ........?.......
00000020: 0000 0000 8000 8000 ff4f f003 0000 0000 .........O......
00000030: 0000 0c00 0000 0000 0200 0000 0000 0000 ................
00000040: f600 0000 0100 0000 c37c 4b42 854b 4282 .........|KB.KB.
00000050: 0000 0000 fa33 c08e d0bc 007c fb68 c007 .....3.....|.h..
00000060: 1f1e 6866 00cb 8816 0e00 6681 3e03 004e ..hf......f.>..N
00000070: 5446 5375 15b4 41bb aa55 cd13 720c 81fb TFSu..A..U..r...
00000080: 55aa 7506 f7c1 0100 7503 e9dd 001e 83ec U.u.....u.......
00000090: 1868 1a00 b448 8a16 0e00 8bf4 161f cd13 .h...H..........
000000a0: 9f83 c418 9e58 1f72 e13b 060b 0075 dba3 .....X.r.;...u..
000000b0: 0f00 c12e 0f00 041e 5a33 dbb9 0020 2bc8 ........Z3... +.
000000c0: 66ff 0611 0003 160f 008e c2ff 0616 00e8 f...............
000000d0: 4b00 2bc8 77ef b800 bbcd 1a66 23c0 752d K.+.w......f#.u-
000000e0: 6681 fb54 4350 4175 2481 f902 0172 1e16 f..TCPAu$....r..
000000f0: 6807 bb16 6852 1116 6809 0066 5366 5366 h...hR..h..fSfSf
00000100: 5516 1616 68b8 0166 610e 07cd 1a33 c0bf U...h..fa....3..
00000110: 0a13 b9f6 0cfc f3aa e9fe 0190 9066 601e .............f`.
00000120: 0666 a111 0066 0306 1c00 1e66 6800 0000 .f...f.....fh...
00000130: 0066 5006 5368 0100 6810 00b4 428a 160e .fP.Sh..h...B...
The acquisition log is also included:
Created By AccessData® FTK® Imager 4.2.0.13
Case Information:
Acquired using: ADI4.2.0.13
Case Number: 20180905-001
Evidence Number:
Unique description: base-rd-04 C-Drive
Examiner: Clint Barton
Notes: Acquired over network via F-Response
--------------------------------------------------------------
Information for D:\disk-images\base-rd-04\base-rd-04_c-drive:
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 4,113
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 66,080,768
[Physical Drive Information]
Drive Model: f-switch 0FA2BEEA30DEC1FE SCSI Disk Device
Drive Serial Number: vol-C
Drive Interface Type: SCSI
Removable drive: False
Source data size: 32266 MB
Sector count: 66080768
[Computed Hashes]
MD5 checksum: f0030ba5109c524a9fe2aa1144e6e7a9
SHA1 checksum: aa4e287d18f27ae8e9db947af088e06b0352f5fd
Image Information:
Acquisition started: Thu Sep 6 23:14:39 2018
Acquisition finished: Fri Sep 7 00:00:30 2018
Segment list:
D:\disk-images\base-rd-04\base-rd-04_c-drive.E01
Image Verification Results:
Verification started: Fri Sep 7 00:00:31 2018
Verification finished: Fri Sep 7 00:16:55 2018
MD5 checksum: f0030ba5109c524a9fe2aa1144e6e7a9 : verified
SHA1 checksum: aa4e287d18f27ae8e9db947af088e06b0352f5fd : verified
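The maintainer's question (partition table, or an NTFS volume that starts at offset 0?) can be answered from sector 0 alone. This added example is not Dissect's own code; it classifies the first sector and decodes the NTFS boot-sector fields that matter for mounting. The sample sector is constructed from the first 0x50 bytes of the xxd dump above, with the boot code zero-filled and the 0x55AA end marker appended.

```python
import struct

# First 0x50 bytes of the boot sector as shown in the xxd dump in this issue; the
# boot code after it is omitted and zero-filled and 0x55AA is appended, so this is a
# constructed 512-byte sample rather than the real sector from the image.
SAMPLE_NTFS_SECTOR = bytes.fromhex(
    "eb52904e544653202020200002080000"
    "0000000000f800003f00ff0000a80f00"
    "0000000080008000ff4ff00300000000"
    "00000c00000000000200000000000000"
    "f600000001000000c37c4b42854b4282"
).ljust(510, b"\x00") + b"\x55\xaa"


def classify_sector0(sector: bytes) -> str:
    """Tell a bare NTFS volume apart from an MBR/GPT-partitioned disk using sector 0."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return "unknown"
    if sector[3:11] == b"NTFS    ":
        return "ntfs-volume"  # volume header at offset 0: no partition table at all
    entries = [sector[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    if any(e[4] == 0xEE for e in entries):
        return "gpt"  # protective MBR; the real table lives in LBA 1
    if any(e != bytes(16) for e in entries):
        return "mbr"
    return "unknown"


def parse_ntfs_bpb(sector: bytes) -> dict:
    """Decode the NTFS BIOS parameter block fields needed to locate the MFT."""
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    hidden = struct.unpack_from("<I", sector, 0x1C)[0]
    total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    cpfr = struct.unpack_from("<b", sector, 0x40)[0]  # negative: record is 2**abs(n) bytes
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    cluster = bps * spc
    return {
        "bytes_per_sector": bps,
        "cluster_size": cluster,
        "hidden_sectors": hidden,  # sectors that preceded this volume on its source disk
        "total_sectors": total,  # excludes the backup boot sector kept after the volume
        "mft_offset": mft_lcn * cluster,
        "mftmirr_offset": mftmirr_lcn * cluster,
        "file_record_size": 2 ** -cpfr if cpfr < 0 else cpfr * cluster,
        "volume_serial": f"{serial:016x}",
    }
```

For this sample `total_sectors` decodes to 66080767, one less than the 66,080,768 sectors in the acquisition log, which is exactly the backup boot sector NTFS keeps outside the volume, so the E01 is a full C: volume with no partition table in front of it.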
Thanks, that confirms my suspicion. I'll create some local test data to verify and will create a PR to fix it shortly!
This has been automatically closed by #671, but it would be nice if you could verify on your end if this indeed fixed the problem.
Just confirmed that recyclebins works again with dissect v3.14
target-query -f recyclebin base-rd-04-cdrive.E01 |rdump -j
[reading from stdin]
2024-05-21T20:05:14.427934Z [warning ] <Target base-rd-04-cdrive.E01>: Can't identify volume system or no volumes found, adding as raw volume instead: <EwfContainer size=33833353216 vs=None> [dissect.target.target]
{
"hostname": "BASE-RD-04",
"domain": "shieldbase.lan",
"ts": "2018-08-28T21:38:03.028999+00:00",
"path": "C:\\Users\\spsql\\Documents\\20180827\\PowerShell_transcript.BASE-RD-04.UQlzsLK+.20180827162849.txt",
"filesize": 13617,
"deleted_path": "c:\\$recycle.bin\\S-1-5-21-3445421715-2530590580-3149308974-1193\\$I276F68.txt",
"source": "c:/$recycle.bin/S-1-5-21-3445421715-2530590580-3149308974-1193/$I276F68.txt",
"username": "spsql",
"user_id": "S-1-5-21-3445421715-2530590580-3149308974-1193",
"user_group": null,
"user_home": "C:\\Users\\spsql",
"_source": "base-rd-04-cdrive.E01",
"_classification": null,
"_generated": "2024-05-21T20:05:14.588243+00:00",
"_version": 1
}
While testing with a couple of SANS FOR508 images I tried extracting the Recycle Bin for pertinent information.
The following output was generated by the latest version of Dissect:
pip listing is included below:
Meanwhile Dissect v3.12 is able to parse it correctly:
pip listing for this version is also included below: