Joachim Metz

Results 286 issues of Joachim Metz

Some file systems, such as XFS, allow storing large amounts of data in extended attributes. In pyxattr I only see `getxattr` to retrieve attribute value data, which returns all...

https://github.com/dfirlabs/ntfs-specimens/blob/master/generate-specimens-behavior.bat#L282 The ntfs_file_name_list.vhd image contains an MFT entry with $FILE_NAME attributes stored in an $ATTRIBUTE_LIST. Rough outline of the file system hierarchy. ``` testdir1 testdir1\testfile1 testdir10 testdir10\hardlink9 testdir11 testdir11\hardlink10 testdir12...

Have a look at the legal section on "How should I reference the name ATT&CK?" https://attack.mitre.org/resources/faq/ ``` Both MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. *...

``` 0|/SUHDLOG.DAT|6|r/r--x--x--x|0|0|5166|1362870000|1362920466|0|0 ``` ``` istat -o 63 fuse/qcow1 6 Directory Entry: 6 Allocated File Attributes: File, Read Only, Hidden Size: 5166 Name: SUHDLOG.DAT Directory Entry Times: Written: 2013-03-10 14:01:06 (CET)...

Test files generated with: https://github.com/dfirlabs/fat-specimens Tested with: https://github.com/sleuthkit/sleuthkit/commit/e2c2570a456fb2ca5635e613bfd89d1fac9cb063 ``` fls -o 128 fat12.vhd r/r 3: TESTVOLUME (Volume Label Entry) r/r 5: emptyfile d/d 6: testdir1 r/r 11: My long, very...

Tested with version https://github.com/sleuthkit/sleuthkit/commit/7e801480e03cf023d1c3adc1394f950d46b7e6db Test file generated with https://github.com/dfirlabs/apfs-specimens Unlike other file systems, such as HFS+ (also see https://github.com/sleuthkit/sleuthkit/issues/2720) "Device ID" is not provided for APFS ``` istat -B 119...

Tested with version 7e801480e03cf023d1c3adc1394f950d46b7e6db Test file generated with https://github.com/dfirlabs/hfs-specimens ``` istat -o 40 hfsplus.dmg 38 File Path: /testdir1/blockdev1 Catalog Record: 38 Allocated Type: Mode: brw-r--r-- Size: 0 uid / gid:...

Test files created with https://github.com/dfirlabs/fat-specimens tested with e1c80caca4c888fd59a57121af262228c7e6f7ef ``` istat -o 128 10.0/fat12.vhd 5 Directory Entry: 5 Allocated File Attributes: File, Archive Size: 0 Name: EMPTYF~1 Directory Entry Times: Written:...

Observed on macOS Monterey 12.0 with e1c80caca4c888fd59a57121af262228c7e6f7ef ``` pstat -o 409640 fuse/phdi1 ... +-> Volume 9770c423-633e-400d-ba34-e08da8458b29 | =========================================== | APSB Block Number: 659906 | APSB oid: 1293 | APSB xid:...

pstat is unable to handle a (logical) volume without root directory, and will report `General pool error (APFSBtreeNode: invalid object type)` instead of the volume information. Seen on the "Updates"...