Re: [sleuthkit-users] Autopsy shows deleted files that CLI tools miss
From: Brian C. <ca...@sl...> - 2008-03-20 22:13:06
What happens when you run fls on that directory? To do this, identify the directory inode in Autopsy (get the address from the '.' entry) and then run fls.

fls root.img XX

brian

On Mar 20, 2008, at 2:15 PM, Walker JWalker wrote:

> I had a honeypot get hacked and am doing my first intrusion
> analysis with TSK and Autopsy. I think it was the rootkit
> installed which really trashed the system and it appears as though
> he gave up and deleted his files.
>
> Autopsy shows the attacker's deleted files in the File Analysis
> section that fls and ils weren't able to find. How can I get the
> same evidence using the CLI tools? The commands I'm using are below.
>
> fls -f linux-ext3 -i raw -r -m / root.img > fls
> ils -f linux-ext3 -i raw -m root.img >> fls
> mactime -b fls > timeline.txt
>
> That timeline does show /root/linuxhelp.zip and the
> /root/.linuxhelp directory, but fails to find any of the files that
> were in that directory that Autopsy can see.
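A worked version of the step Brian describes, added here as an example; it is not code from either message on the thread or from TSK itself. It assumes fls and ifind from TSK 3.x or later are on PATH (in those releases the file system type is spelled "ext3"; the "linux-ext3" in the poster's commands is the TSK 2-era name) and that root.img is a raw ext3 partition image. The fls output fed to the filter is constructed, not taken from the poster's image, and the ifind -n path lookup is an assumed convenience for when the '.' address from Autopsy is not to hand.

```shell
#!/bin/sh
# Added example for the sleuthkit-users thread above; not the posters' code and
# not part of TSK. Assumes fls and ifind (TSK 3.x or later, where the ext3 type
# is spelled "ext3") are on PATH and the image is a raw ext3 partition image.

# fls marks a deleted name with '*' between the type column and the inode,
# e.g. "r/r * 1734(realloc):<TAB>evil.sh". Keep only those lines and print
# "inode<TAB>name". "(realloc)" is kept on purpose: it means the inode has been
# reused, so icat on it will not give back this name's original content.
fls_deleted() {
    awk -F'\t' '$1 ~ / \* / {
        id = $1
        sub(/^.* \* /, "", id)   # drop "r/r * " (and any "+ " nesting marks)
        sub(/:$/, "", id)        # drop the colon that follows the inode
        print id "\t" $2
    }'
}

# Brian's suggestion: run fls on the directory inode itself (the address shown
# for the '.' entry in Autopsy) instead of recursing from the root.
fls_dir_deleted() {   # usage: fls_dir_deleted IMAGE DIR_INODE
    fls -f ext3 "$1" "$2" | fls_deleted
}

# Assumed convenience when the '.' address is not to hand: resolve the path to
# its inode with ifind -n, then list the deleted children of that inode.
fls_path_deleted() {  # usage: fls_path_deleted IMAGE /root/.linuxhelp
    inode=$(ifind -f ext3 -n "$2" "$1") || return 1
    fls_dir_deleted "$1" "$inode"
}

# Constructed sample of fls output (not from the poster's image) so the filter
# can be exercised without an evidence image.
SAMPLE_FLS=$(printf 'd/d 11:\tlost+found\nr/r * 1734(realloc):\tevil.sh\nr/r 1735:\tnotes.txt\nr/r * 1736:\t.bash_history\n')

demo_deleted() {
    printf '%s\n' "$SAMPLE_FLS" | fls_deleted
}

# With an image and directory inode on the command line, run the real thing;
# otherwise show the filter on the constructed sample.
if [ "$#" -eq 2 ]; then
    fls_dir_deleted "$1" "$2"
else
    demo_deleted
fi
```

Run as "sh fls_dir.sh root.img 1733" once the .linuxhelp inode is known. The point of going through the directory inode is the one Brian's question raises: a recursive fls from / walks the directory tree through directory entries, so if the entry for .linuxhelp is itself deleted, what lies beneath it may not be reached from the root, while fls pointed at the directory's own inode reads that directory's blocks directly and shows the deleted names it still holds. For anything that comes back with "(realloc)", treat the inode's content as belonging to whatever reused it, not to the deleted name.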