Re: [sleuthkit-users] Autopsy keyword search returns no results - but should
From: Stephen M. <mat...@ya...> - 2008-11-10 03:09:43
Well, updating didn't really help. I made a backup copy of the host.aut file and just deleted the last three lines. A search still came up empty; my search term was a simple four-letter word. The command in the exec log was correct, and in fact when running it manually, I obtained the expected non-zero results.

In the end I just started over with the latest version of sleuthkit and autopsy and so far that has worked well. I only extracted ASCII strings from allocated space, but searches on that did turn up results. I am now extracting unallocated space and strings etc., but so far so good.

Thanks for the help,
-Steve

On Friday 07 November 2008 14:24:56 Brian Carrier wrote:
> Hi Stephen,
>
> Updating should not make a difference. This code hasn't changed in a
> while.
>
> Can you look at the exec_log to see what grep command is being used
> and if it generates results when you manually execute it?
>
> That is a bug that you found in the new Autopsy. Edit the file
> mentioned and change line 12 from "dls ...." to "blkls ..."
>
> brian
>
> On Nov 6, 2008, at 5:30 PM, Stephen Mathezer wrote:
> > On November 6, 2008 13:19:04 RB wrote:
> >> On Thu, Nov 6, 2008 at 09:43, Stephen Mathezer
> >> <mat...@ya...> wrote:
> >>> Can anyone provide any insight as to why my searches are coming up
> >>> empty?
> >>
> >> Look at the log for your case, it should have the search terms there.
> >> My guess is that your manual grep terms and those coming through
> >> Autopsy's syntax-escapes differ. Autopsy also runs its searches
> >> through srch_strings to reduce your search set by string length, so
> >> that may have some effect if you're doing a lot of regex work.
> >>
> >> RB
> >
> > Even basic strings weren't working, so I don't think the search
> > term was a problem, but I didn't realize how far out of date I was
> > in terms of software version, so upgrading seemed like a good idea
> > until I ran into this:
> >
> > Error: invalid entry in /data1/autopsy/case1/Laptop/host.aut:12
> > dls vol4 vol1 output/sdb1.img-0-0-ntfs.unalloc
> >
> > Is this easily fixed, or do I have to re-extract everything from the
> > image? Given the size of the image, that takes longer than I would like.
> >
> > thanks
> >
> > -Steve
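An added example, not part of the thread and not Autopsy's own code, of the edit Brian describes: a POSIX shell script that backs up host.aut and rewrites every obsolete "dls" command entry to "blkls" (the renamed Sleuth Kit tool), not only line 12, so the rest of the extracted output does not have to be regenerated. It assumes each command entry is a line whose first whitespace-separated field is the tool name, as in the entry quoted above; the file and function names are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): rewrite obsolete "dls"
# entries in an Autopsy host.aut file to "blkls".
# Assumption: each command entry is one line whose first field is the
# tool name, as in the line quoted in the thread.

# migrate_host_aut FILE
# Saves FILE to FILE.bak, rewrites lines starting with "dls " to "blkls ",
# and prints the number of lines changed.
migrate_host_aut() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak"                 # keep the original, as the poster did by hand
    changed=$(grep -c '^dls[[:space:]]' "$file" || true)
    # Only the leading tool name is touched; volume names and output paths stay as they are.
    sed 's/^dls\([[:space:]]\)/blkls\1/' "$file.bak" > "$file"
    echo "$changed"
}

# check_host_aut FILE
# Lists any remaining "dls" entries, which the new Autopsy rejects as invalid.
check_host_aut() {
    grep -n '^dls[[:space:]]' "$1" || echo "ok: no dls entries in $1"
}

# demo_migrate: constructed host.aut fragment (modelled on the entry quoted in
# the thread) in a temporary directory; prints the rewritten first entry.
demo_migrate() {
    dir=$(mktemp -d)
    cat > "$dir/host.aut" <<'EOF'
dls vol4 vol1 output/sdb1.img-0-0-ntfs.unalloc
blkls vol5 vol2 output/sdb2.img-0-0-ntfs.unalloc
EOF
    migrate_host_aut "$dir/host.aut" > /dev/null
    sed -n '1p' "$dir/host.aut"
    rm -rf "$dir"
}

# Usage: sh migrate_host_aut.sh /path/to/host.aut
[ "$#" -eq 1 ] && migrate_host_aut "$1"
```

Run it against a copy first and diff host.aut against host.aut.bak before pointing Autopsy at the case again.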