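--- a/changelog/fragments/1774802490-remove_fslib_dep.yaml
+++ b/changelog/fragments/1774802490-remove_fslib_dep.yaml
@@ -0,0 +1,45 @@
+# REQUIRED
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# REQUIRED for all kinds
+# Change summary; a 80ish characters long description of the change.
+summary: Removes the dependency on fslib and implements the functionality using go-ntfs instead
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# description:
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# impact:
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# action:
+
+# REQUIRED for all kinds
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: osquerybeat
+
+# AUTOMATED
+# OPTIONAL to manually add other PR URLs
+# PR URL: A link the PR that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+# pr: https://github.com/owner/repo/1234
+
+# AUTOMATED
+# OPTIONAL to manually add other issue URLs
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+# issue: https://github.com/owner/repo/1234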
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -235,7 +235,6 @@ require (
github.com/cilium/ebpf v0.20.0
github.com/coder/websocket v1.8.14
github.com/elastic/gokrb5/v8 v8.0.0-20251105095404-23cc45e6a102
github.com/forensicanalysis/fslib v0.15.2
github.com/mattn/go-sqlite3 v1.14.32
github.com/parsiya/golnk v0.0.0-20251207220015-443df11fe4fb
github.com/richardlehane/mscfb v1.0.6
Expand Down Expand Up @@ -267,6 +266,7 @@ require (
go.opentelemetry.io/otel/sdk/metric v1.40.0
go.uber.org/goleak v1.3.0
sigs.k8s.io/kind v0.29.0
www.velocidex.com/golang/go-ntfs v0.2.1-0.20250322152626-3c09d909d740
www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7
)

Expand Down Expand Up @@ -297,6 +297,9 @@ require (
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
github.com/Velocidex/json v0.0.0-20220224052537-92f3c0326e5a // indirect
github.com/Velocidex/ordereddict v0.0.0-20230909174157-2aa49cc5d11d // indirect
github.com/Velocidex/yaml/v2 v2.2.8 // indirect
github.com/VictoriaMetrics/easyproto v0.1.4 // indirect
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
github.com/andybalholm/brotli v1.2.0 // indirect
Expand Down Expand Up @@ -330,7 +333,6 @@ require (
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dgraph-io/ristretto/v2 v2.1.0 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/djherbis/times v1.5.0 // indirect
github.com/dnephin/pflag v1.0.7 // indirect
github.com/docker/go-metrics v0.0.1 // indirect
github.com/eapache/go-xerial-snappy v0.0.0-20230731223053-c322873962e3 // indirect
Expand Down Expand Up @@ -391,7 +393,6 @@ require (
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
github.com/hashicorp/go-uuid v1.0.3 // indirect
github.com/hashicorp/go-version v1.8.0 // indirect
github.com/hashicorp/golang-lru v0.6.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jcmturner/aescts/v2 v2.0.0 // indirect
github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
Expand Down Expand Up @@ -530,7 +531,6 @@ require (
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
sigs.k8s.io/yaml v1.6.0 // indirect
www.velocidex.com/golang/go-ntfs v0.1.1 // indirect
)

require (
34 changes: 12 additions & 22 deletions go.sum
Expand Up @@ -160,22 +160,26 @@ github.com/StackExchange/wmi v1.2.1 h1:VIkavFPXSjcnS+O8yTq7NI32k0R5Aj+v39y29VYDO
github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=
github.com/UNO-SOFT/zlog v0.8.1 h1:TEFkGJHtUfTRgMkLZiAjLSHALjwSBdw6/zByMC5GJt4=
github.com/UNO-SOFT/zlog v0.8.1/go.mod h1:yqFOjn3OhvJ4j7ArJqQNA+9V+u6t9zSAyIZdWdMweWc=
github.com/Velocidex/json v0.0.0-20220224052537-92f3c0326e5a h1:AeXPUzhU0yhID/v5JJEIkjaE85ASe+Vh4Kuv1RSLL+4=
github.com/Velocidex/json v0.0.0-20220224052537-92f3c0326e5a/go.mod h1:ukJBuruT9b24pdgZwWDvOaCYHeS03B7oQPCUWh25bwM=
github.com/Velocidex/ordereddict v0.0.0-20230909174157-2aa49cc5d11d h1:fn372EqKyazBxYUP5HPpBi3jId4MXuppEypEALGfvEk=
github.com/Velocidex/ordereddict v0.0.0-20230909174157-2aa49cc5d11d/go.mod h1:+MqO5UMBemyFSm+yRXslbpFTwPUDhFHUf7HPV92twg4=
github.com/Velocidex/yaml/v2 v2.2.8 h1:GUrSy4SBJ6RjGt43k6MeBKtw2z/27gh4A3hfFmFY3No=
github.com/Velocidex/yaml/v2 v2.2.8/go.mod h1:PlXIg/Pxmoja48C1vMHo7C5pauAZvLq/UEPOQ3DsjS4=
github.com/VictoriaMetrics/easyproto v0.1.4 h1:r8cNvo8o6sR4QShBXQd1bKw/VVLSQma/V2KhTBPf+Sc=
github.com/VictoriaMetrics/easyproto v0.1.4/go.mod h1:QlGlzaJnDfFd8Lk6Ci/fuLxfTo3/GThPs2KH23mv710=
github.com/aerospike/aerospike-client-go/v7 v7.7.1 h1:lcskBtPZYe6ESObhIEQEp4XO1axYZpaFD3ie4iwr6tg=
github.com/aerospike/aerospike-client-go/v7 v7.7.1/go.mod h1:STlBtOkKT8nmp7iD+sEkr/JGEOu+4e2jGlNN0Jiu2a4=
github.com/akavel/rsrc v0.10.2 h1:Zxm8V5eI1hW4gGaYsJQUhxpjkENuG91ki8B4zCrvEsw=
github.com/akavel/rsrc v0.10.2/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38 h1:smF2tmSOzy2Mm+0dGI2AIUHY+w0BUc+4tn40djz7+6U=
github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38/go.mod h1:r7bzyVFMNntcxPZXK3/+KdruV1H5KSlyVY0gc+NgInI=
github.com/alecthomas/assert v1.0.0 h1:3XmGh/PSuLzDbK3W2gUbRXwgW5lqPkuqvRgeQ30FI5o=
github.com/alecthomas/assert v1.0.0/go.mod h1:va/d2JC+M7F6s+80kl/R3G7FUiW6JzUO+hPhLyJ36ZY=
github.com/alecthomas/colour v0.1.0 h1:nOE9rJm6dsZ66RGWYSFrXw461ZIt9A6+nHgL7FRrDUk=
github.com/alecthomas/colour v0.1.0/go.mod h1:QO9JBoKquHd+jz9nshCh40fOfO+JzsoXy8qTHF68zU0=
github.com/alecthomas/repr v0.0.0-20200325044227-4184120f674c h1:MVVbswUlqicyj8P/JljoocA7AyCo62gzD0O7jfvrhtE=
github.com/alecthomas/repr v0.0.0-20200325044227-4184120f674c/go.mod h1:xTS7Pm1pD1mvyM075QCDSRqH6qRLXylzS24ZTpRiSzQ=
github.com/alecthomas/repr v0.1.1 h1:87P60cSmareLAxMc4Hro0r2RBY4ROm0dYwkJNpS4pPs=
github.com/alecthomas/repr v0.1.1/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b h1:mimo19zliBX/vSQ6PWWSL9lK8qwHozUj03+zLoEB8O0=
github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b/go.mod h1:fvzegU4vN3H1qMT+8wDmzjAcDONcgo2/SZ/TyfdUOFs=
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
Expand Down Expand Up @@ -337,8 +341,6 @@ github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TR
github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
github.com/djherbis/times v1.5.0 h1:79myA211VwPhFTqUk8xehWrsEO+zcIZj0zT8mXPVARU=
github.com/djherbis/times v1.5.0/go.mod h1:5q7FDLvbNg1L/KaBmPcWlVR9NmoKo3+ucqUA3ijQhA0=
github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=
github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
github.com/dnephin/pflag v1.0.7 h1:oxONGlWxhmUct0YzKTgrpQv9AUA1wtPBn7zuSjJqptk=
Expand Down Expand Up @@ -467,8 +469,6 @@ github.com/fearful-symmetry/gorapl v0.0.4/go.mod h1:XoeZ+5v0tJX9WMvzqdPaaKAdX7y1
github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/forensicanalysis/fslib v0.15.2 h1:c09Pnm31vtSZgj6EiHGauMCcFuNiP/d3D5Qy4ZPfhKA=
github.com/forensicanalysis/fslib v0.15.2/go.mod h1:7xuslRTRu/B0apdl4u1QV/qlbyN8PY93mtcUk8w4s88=
github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
Expand Down Expand Up @@ -687,10 +687,6 @@ github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/C
github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-version v1.8.0 h1:KAkNb1HAiZd1ukkxDFGmokVZe1Xy9HG6NUp+bPle2i4=
github.com/hashicorp/go-version v1.8.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o8jga4=
github.com/hashicorp/golang-lru v0.6.0/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
github.com/hashicorp/nomad/api v0.0.0-20251216171439-1dee0671280e h1:wGl06iy/H90NSbWjfXWeRwk9SJOks0u4voIryeJFlSA=
Expand Down Expand Up @@ -794,7 +790,6 @@ github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Ky
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
Expand Down Expand Up @@ -862,7 +857,6 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLA
github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=
github.com/oklog/ulid/v2 v2.1.1/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
github.com/olekukonko/tablewriter v0.0.0-20180912035003-be2c049b30cc/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
github.com/onsi/ginkgo v1.6.0 h1:Ix8l273rp3QzYgXSR+c8d1fTG7UPgYkOSELPhiY/YGw=
Expand Down Expand Up @@ -960,8 +954,6 @@ github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e h1:hUGyBE/4CXRPTh
github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e/go.mod h1:Sb6li54lXV0yYEjI4wX8cucdQ9gqUJV3+Ngg3l9g30I=
github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54 h1:jbchLJWyhKcmOjkbC4zDvT/n5EEd7g6hnnF760rEyRA=
github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54/go.mod h1:Vrkh1pnjV9Bl8c3P9zH0/D4NlOHWP5d4/hF4YTULaec=
github.com/sebdah/goldie v0.0.0-20180424091453-8784dd1ab561/go.mod h1:lvjGftC8oe7XPtyrOidaMi0rp5B9+XY/ZRUynGnuaxQ=
github.com/sebdah/goldie v0.0.0-20190531093107-d313ffb52c77/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4=
github.com/sebdah/goldie v1.0.0 h1:9GNhIat69MSlz/ndaBg48vl9dF5fI+NBB6kfOxgfkMc=
github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4=
github.com/segmentio/fasthash v1.0.3 h1:EI9+KE1EwvMLBWwjpRDc+fEM+prwxDYbslddQGtrmhM=
Expand Down Expand Up @@ -1002,7 +994,6 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
Expand Down Expand Up @@ -1393,7 +1384,6 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
Expand Down Expand Up @@ -1559,7 +1549,7 @@ sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/
sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
www.velocidex.com/golang/go-ntfs v0.1.1 h1:///bh0pjoKMHC8x/Q1yaIm2Wa2UNOYwmVti9PsR3i9A=
www.velocidex.com/golang/go-ntfs v0.1.1/go.mod h1:1sqoU8u2Jchwiqsbz4yMSq061wEAOcyXhTCfm6Gz3Lk=
www.velocidex.com/golang/go-ntfs v0.2.1-0.20250322152626-3c09d909d740 h1:MV9imIM3SmpegCd8G3JSM18fVzS7g7JZQXpJ9EKqo7s=
www.velocidex.com/golang/go-ntfs v0.2.1-0.20250322152626-3c09d909d740/go.mod h1:4MSO8W9iNMXyBpjSpxApWfMjJUb9IWFD2Yis5JPZaSY=
www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7 h1:BMX/37sYwX+8JhHt+YNbPfbx7dXG1w1L1mXonNBtjt0=
www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7/go.mod h1:pxSECT5mWM3goJ4sxB4HCJNKnKqiAlpyT8XnvBwkLGU=
Expand Up @@ -10,38 +10,79 @@ import (
"bytes"
"fmt"
"io"
"io/fs"
"os"
"path/filepath"

"github.com/forensicanalysis/fslib"
"github.com/forensicanalysis/fslib/systemfs"
"www.velocidex.com/golang/regparser"

"github.com/elastic/beats/v7/x-pack/osquerybeat/ext/osquery-extension/pkg/logger"
"www.velocidex.com/golang/go-ntfs/parser"
)

// getFileContents reads the contents of a file and returns it as a byte slice.
// If the file is not readable, it will attempt to read it using a low level read
// using fslib.
func getFileContents(filePath string, log *logger.Logger) ([]byte, error) {
content, err := os.ReadFile(filePath)
if err == nil {
return content, nil
}
log.Infof("failed to read %s, falling back to low level read", filePath)
return readFileViaNTFS(filePath)
}

// This function was written with help from Claude Code, and is based on the code

Based on the comment, this sounds like it could be considered a derivative work and we need to satisfy the MIT license requirement of "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."

I think we need a comment like

// Portions of this function are based on code from the fslib library:
// https://github.com/forensicanalysis/fslib
//
// MIT License
// Copyright (c) 2019-2020 Siemens AG
// Copyright (c) 2019-2021 Jonas Plum
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND...

You might want to separate the derivative function into its own file to make it even more clear what code is derivative.

References:

https://github.com/elastic/open-source/blob/main/elastic-product-policy.md#third-party-code-in-an-elastic-repository-eg-copy-paste-vendoring-etc (internal)

// found in the fslib library for doing low level NTFS reads. fslib kept us pinned
// to an older version of go-ntfs, but this functionality was all we needed from that library,
// which already used go-ntfs under the hood. By implementing it ourselves we were able
// to update to the latest version of go-ntfs
func readFileViaNTFS(filePath string) ([]byte, error) {
if len(filePath) < 3 || filePath[1] != ':' {
return nil, fmt.Errorf("unsupported path format: %s", filePath)
}

// fallback to a low level read using fslib
sourceFS, err := systemfs.New()
driveLetter := filePath[0]
ntfsPath := "/" + filepath.ToSlash(filePath[3:]) // C:\Windows\foo.txt → /Windows/foo.txt

volume, err := os.Open(fmt.Sprintf(`\\.\%c:`, driveLetter))
if err != nil {
log.Errorf("failed to open file %s: %s", filePath, err.Error())
return nil, err
return nil, fmt.Errorf("failed to open volume: %w", err)
}
defer volume.Close()

reader, err := parser.NewPagedReader(volume, 1024*1024, 100*1024*1024)
if err != nil {
return nil, fmt.Errorf("failed to create paged reader: %w", err)
}
fsPath, err := fslib.ToFSPath(filePath)

ntfsCtx, err := parser.GetNTFSContext(reader, 0)
if err != nil {
return nil, err
return nil, fmt.Errorf("failed to parse NTFS: %w", err)
}

root, err := ntfsCtx.GetMFT(5)
if err != nil {
return nil, fmt.Errorf("failed to get MFT root: %w", err)
}

entry, err := root.Open(ntfsCtx, ntfsPath)
if err != nil {
return nil, fmt.Errorf("failed to open %s via NTFS: %w", ntfsPath, err)
}

attr, err := entry.GetAttribute(ntfsCtx, 128, -1, "") // 128 = $DATA
if err != nil {
return nil, fmt.Errorf("failed to get data attribute: %w", err)
}

infos, err := parser.ModelMFTEntry(ntfsCtx, entry)
if err != nil {
return nil, fmt.Errorf("failed to get file size: %w", err)
}

data := make([]byte, infos.Size)
_, err = attr.Data(ntfsCtx).ReadAt(data, 0)
if err != nil && err != io.EOF {
return nil, fmt.Errorf("failed to read file data: %w", err)
}
return fs.ReadFile(sourceFS, fsPath)
return data, nil
}

// loadExistingRegistry loads the registry from the given file path. Without any transaction logs.
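Review bot: `readFileViaNTFS` discards the byte count from `ReadAt` at `_, err = attr.Data(ntfsCtx).ReadAt(data, 0)` while tolerating `io.EOF`, so a short read hands the caller a buffer zero-padded to `infos.Size` instead of the bytes actually read; capture it with `n, err := attr.Data(ntfsCtx).ReadAt(data, 0)` and finish with `return data[:n], nil`. The allocation `data := make([]byte, infos.Size)` is also sized purely from the on-disk MFT record with no check that the value is non-negative or within a sane bound, so a corrupted record would panic or exhaust memory rather than surface an error; a guard before the `make` that rejects negative or oversized values keeps this a clean error path. Separately, the doc comment on `getFileContents` still says the fallback is done "using fslib", and its `log.Infof` drops the original `os.ReadFile` error, which is the one fact an operator needs to understand why the raw-volume path was taken — `log.Infof("failed to read %s (%v), falling back to low level read", filePath, err)` would preserve it.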
Expand Up @@ -7,12 +7,14 @@
package registry

import (
"bytes"
"os"
"testing"

"github.com/stretchr/testify/assert"

"github.com/elastic/beats/v7/x-pack/osquerybeat/ext/osquery-extension/pkg/logger"
"www.velocidex.com/golang/regparser"
)

func TestRecovery(t *testing.T) {
Expand Down Expand Up @@ -52,6 +54,29 @@ func Test_findTransactionLogs(t *testing.T) {
}
}

func Test_readFileViaNTFS(t *testing.T) {
log := logger.New(os.Stdout, true)

// Read the actual amcache hive using the readFileViaNTFS function to ensure it can read the file and return valid registry data.
amcachePath := "C:\\Windows\\AppCompat\\Programs\\Amcache.hve"

// Read the file using
data, err := readFileViaNTFS(amcachePath, log)
assert.NoError(t, err, "readFileViaNTFS() failed: %v", err)
assert.NotEmpty(t, data, "readFileViaNTFS() returned empty data")

magic := []byte{0x72, 0x65, 0x67, 0x66} // "regf"
log.Infof("readFileViaNTFS() returned data with magic: %x", data[:5])
assert.True(t, bytes.HasPrefix(data, magic), "readFileViaNTFS() returned data with incorrect magic")

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n -C2 '\bfunc readFileViaNTFS\s*\(|\breadFileViaNTFS\s*\(|data\[:5\]|Test_readFileViaNTFS|\\\\\.\\C:' \
  x-pack/osquerybeat/ext/osquery-extension/pkg/amcache/registry/registry.go \
  x-pack/osquerybeat/ext/osquery-extension/pkg/amcache/registry/registry_test.go

Repository: elastic/beats

Length of output: 3137


Fix compile error and panic risk in Test_readFileViaNTFS before merge.

Line 64 calls readFileViaNTFS(amcachePath, log) with two arguments, but the function is declared with one parameter in registry.go (compile failure). Line 69 accesses data[:5] without bounds checking, causing panic on short reads. The test also hard-fails on runners without raw-volume access, blocking CI.

Proposed fix
 import (
 	"bytes"
+	"errors"
 	"os"
 	"testing"
@@
-	data, err := readFileViaNTFS(amcachePath, log)
+	data, err := readFileViaNTFS(amcachePath)
+	if err != nil && (errors.Is(err, os.ErrPermission) || errors.Is(err, os.ErrNotExist)) {
+		t.Skipf("skipping NTFS raw-read test on this runner: %v", err)
+	}
 	assert.NoError(t, err, "readFileViaNTFS() failed: %v", err)
 	assert.NotEmpty(t, data, "readFileViaNTFS() returned empty data")
@@
 	magic := []byte{0x72, 0x65, 0x67, 0x66} // "regf"
-	log.Infof("readFileViaNTFS() returned data with magic: %x", data[:5])
+	assert.GreaterOrEqual(t, len(data), len(magic), "readFileViaNTFS() returned truncated data")
+	log.Infof("readFileViaNTFS() returned data with magic: %x", data[:len(magic)])
 	assert.True(t, bytes.HasPrefix(data, magic), "readFileViaNTFS() returned data with incorrect magic")
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@x-pack/osquerybeat/ext/osquery-extension/pkg/amcache/registry/registry_test.go`
around lines 57 - 70, The test Test_readFileViaNTFS should be adjusted to match
the current readFileViaNTFS signature and to avoid panics and CI failures: call
readFileViaNTFS with the single parameter expected by the implementation (use
readFileViaNTFS(amcachePath) and remove the logger argument or update to the
function signature if you prefer changing the implementation), handle the
returned error by skipping the test when the error indicates lack of
raw-volume/permission (use t.Skipf with the error) instead of failing the run,
and guard any slice access by checking len(data) >= len(magic) before using
data[:len(magic)] (or skip/assert with a clear message) — reference
Test_readFileViaNTFS, readFileViaNTFS, magic, and data to locate the affected
code.


registry, err := regparser.NewRegistry(bytes.NewReader(data))
assert.NoError(t, err, "failed to create registry from NTFS data")
assert.NotNil(t, registry, "registry is nil")

keyNode := registry.OpenKey("Root\\InventoryApplication")
assert.NotNil(t, keyNode, "failed to open key Root\\InventoryApplication")
}

func TestLoadRegistry(t *testing.T) {
log := logger.New(os.Stdout, true)

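Review bot: `Test_readFileViaNTFS` hard-codes `C:\Windows\AppCompat\Programs\Amcache.hve` and opens a raw volume, yet nothing in the hunk prevents it from running off Windows; unless the lines above the hunk carry a `//go:build windows` constraint, a guard such as `if runtime.GOOS != "windows" { t.Skip("requires a raw NTFS volume") }` at the top of the test is needed. The test also silently depends on an Amcache hive being present on the runner and on the process being able to open `\\.\C:`, which the test's leading comment should state so a failure is read as an environment problem rather than a regression. The comment `// Read the file using` is left unfinished and should either name `readFileViaNTFS` or be dropped. Lines 1-6 of the file, where a build constraint would live, are outside the hunk.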