Closed its5Q closed 2 months ago
Thanks for reporting. We do support alternate data streams. There was a specific issue with the embedded virtual disk specific module, because of the colon in the file name. Please share your test image, so we can reproduce the issue and test a possible fix on your whole test image, looking for other potential issues.
PS: You can also disable processEmbeddedDisks option in IPEDConfig.txt to disable the problematic module.
The image is available here: https://dl.ctf.do/BelkaCTF_6_CASE240405_FILE2.zip Password: RJtWAZfsB1wMCNDebVWY
Thanks.
Actually I anticipated this issue when #2099 was fixed by PR sent by a contributor. My fault for accepting an incomplete fix.
Fixed by commit 91a23ba.
A snapshot with the fix will be created in 10min here: https://github.com/sepinf-inc/IPED/actions/runs/8636057320
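The failure discussed in this thread, as an added Java example; it is not IPED's code and not the change made in commit 91a23ba. The class and method names are hypothetical, and it assumes the failure surfaces as an IOException from getCanonicalFile() when the last path component carries an alternate data stream suffix such as desktop.ini:vault.vhdx.

```java
import java.io.File;
import java.io.IOException;

// Hypothetical helper (not part of IPED): canonicalize a path without
// letting an NTFS alternate data stream (ADS) name abort processing.
public class AdsSafeCanonical {

    static File canonicalize(File f) {
        try {
            // Normal case: works for ordinary names, and for ADS-style names
            // on platforms where ':' is a legal file name character.
            return f.getCanonicalFile();
        } catch (IOException e) {
            // Assumption: this is where a "name:stream" path fails on Windows.
        }
        String name = f.getName();
        int colon = name.indexOf(':');
        File parent = f.getAbsoluteFile().getParentFile();
        if (colon > 0 && parent != null) {
            // Split "desktop.ini:vault.vhdx" into base name and stream suffix.
            // The first colon is used so "file:stream:$DATA" is kept whole.
            String base = name.substring(0, colon);
            String stream = name.substring(colon);
            try {
                // Canonicalize only the base file, then re-attach the stream.
                File canonBase = new File(parent, base).getCanonicalFile();
                return new File(canonBase.getPath() + stream);
            } catch (IOException e) {
                // Base file could not be canonicalized either; fall through.
            }
        }
        // Last resort: absolute but not canonical. Callers that use the
        // canonical path for containment checks must treat this as unverified.
        return f.getAbsoluteFile();
    }

    public static void main(String[] args) {
        // Constructed sample paths; none of them needs to exist on disk.
        File tmp = new File(System.getProperty("java.io.tmpdir"));
        String[] samples = {
            "desktop.ini", "desktop.ini:vault.vhdx", "desktop.ini:vault.vhdx:$DATA"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + canonicalize(new File(tmp, s)));
        }
    }
}
```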
I've tried to test this toolkit with a disk image from a recently finished competition BelkaCTF 6, and it appears there are problems with several plugins that depend on the getCanonicalFile() function to canonicalize paths. In my case, IPED completely crashes on processing a file called desktop.ini:vault.vhdx, which is a BitLocker vault hidden inside an alternate data stream. The plugin calls getCanonicalFile on that path and crashes, because it seems like Java's native library doesn't support canonicalization for ADS paths. The stacktrace: