jonstewart
commented
2 years ago Got it.
On Jan 29, 2022, at 2:09 PM, Simson L. Garfinkel @.***> wrote:
From analysis of nps-2011-2tb.E01
BE1.6:
-rw-r--r-- 1 simsong 100.6M Jan 29 06:31 winpe.txt drwxr-xr-x 3 simsong 96 Jan 29 02:26 winpe_carved -rw-r--r-- 1 simsong 6.9k Jan 29 06:31 winpe_carved.txt -rw-r--r-- 1 simsong 5.4M Jan 29 02:52 winprefetch.txt BE2.0:
-rw-r--r-- 1 simsong 100.3M Jan 29 12:40 winpe.txt drwxr-xr-x 19 simsong 608 Jan 29 10:07 winpe_carved -rw-r--r-- 1 simsong 7M Jan 29 12:40 winpe_carved.txt -rw-r--r-- 1 simsong 0 Jan 29 09:39 winprefetch.txt Obtain a test vector for winprefetch.txt (see below) Add test vector to tests/ directory Add test to test_be.cpp Fix the scanner Here is a bit of the first feature, so we can easily grab it from the 2TB file with a bit of work:
47245049344 RUNDLL32.EXE
Windows XP RUNDLL32.EXE 152 2008-02-05T20:15:09Z <ru\ ns>1\x5CDEVICE\x5CHARDDISKVOLUME1\x5CWINDOWS\x5CSYSTEM32\x5CNTDLL.DLL \x5CDEVICE\x5CHARDDISKVOLUME1\x5CWINDOWS\x5CSYSTEM32\x5C\ KERNEL32.DLL \x5CDEVICE\x5CHARDDISKVOLUME1\x5CWINDOWS\x5CSYSTEM32\x5CUNICODE.NLS \x5CDEVICE\x5CHARDDISKVOLUME1\x5CWINDOWS\x5CSYSTEM32\x5CL\ OCALE.NLS \x5CDEVICE\x5CHAR — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you are subscribed to this thread.
From analysis of nps-2011-2tb.E01
BE1.6:
BE2.0:
Here is a bit of the first feature, so we can easily grab it from the 2TB file with a bit of work: