Rép. : Re: [Vol-users] Alternate Data Stream and Volatility

Thanks you so much guys for this answer! (Keep in mind, im pretty newbee with volatility.) I didnt find in version; Volatile Systems Volatility Framework 2.1 any automatic plugin to dump the $MFT file, I "filescan" and find the $Mft file is foundable at offset; 0x0253e5e0 3 0 RWD--- \$Mft How can i extract this file from the memory, its the good way to do this? Thanks alot all for your help! That's definitely one way that you can do it. I think someone was going to extend the mftparser plugin to extract ADS as well, or at least someone had approached me about it. It is possible to extend that plugin to do it without having to use other tools, I think I might already have the vtypes defined as well though I'm not sure. I don't have the time to extend it myself until sometime after blackhat is over, however. All the best, -gleeda On Thu, Jul 25, 2013 at 9:03 AM, David Kovar <dkovar(a)gmail.com> wrote: data, push stores $DATA changed to figure the -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users