Re: [sleuthkit-users] Problems Using fiwalk

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi, Karl. I cannot speak for the version of fiwalk included on the SANS SIFT. However, if you wish to download the fiwalk from the afflib.org website and build it from sources, I'm happy to provide you with support.

Is your file HDDimage_ntfs_fiwalk available for testing?

identify_filenames requires the DFXML file. You can't do it with TSK tools alone; we will be integrating fiwalk into the SleuthKit distribution later this year.

On Oct 14, 2011, at 2:46 PM, Karl Bernard wrote:

> I'm trying to use fiwalk from within the SANS SIFT kit 2.1 to process some images and create a "digital forensics XML file" and it's failing out with some sort of programmatic error:
> root@sansforensics:~# fiwalk -I -X /media/sdb1/HDDimage_ntfs_fiwalk /media/sdb1/HDDimage.dd
> terminate called after throwing an instance of 'std::logic_error'
>   what():  basic_string::_S_construct NULL not valid
> Aborted (core dumped)
> 
> FWIW - from the beginning of the XML file that it started to make, it looks like it's trying to say all ftype's are 0 - like this: <ftype>0</ftype>
> 
> Any thoughts about what to try next? Anyone else successfully run fiwalk in the SIFT Kit? In the meantime, I'm going to break out my SANS 508 books and review the steps to resolve this directly in TSK ;)
> 
> Background:
> Using AFFLIB's bulk_extractor (many thanks to Derrick Karpo and the many others that gave great suggestions) I've had great luck finding some hits for possible CC and SSN info on some imaged drives and now want to map the offsets back to file names/locations. 
> 
> Ran this on all images:
> bulk_extractor -o /media/6241-4B1A/bulk_out1 -E accts /media/sdb1/HDDimage.dd
> 
> Found some hits like this (this one looks like part of a program):
> 79168205446          SSN: 123456789                               NE_[vsCkn?n][RU]SSN: 123456789_[vsckN?N][RU]Su
> 
> 
> And now I want to see what file resides at offset 79168205446. 
> 
> Planned to use this (from: http://afflib.org/software/bulk_extractor):
> identify_filenames.py
> In the bulk_extractor feature file, each feature is annotated with the byte offset from the beginning of the image in which it was found. The program takes as input a bulk_extractor feature file and a DFXML file containing the locations of each file on the drive (produced with Garfinkel’s fiwalk program) and produces an annotated feature file that contains the offset, feature, and the file in which the feature was found.
> 
> I know this can be done with TSK tools - but was hoping to use fiwalk instead... It looks like it could be a really great way to process these kinds of cases with a lot fewer headaches.
> 
> References:
> http://afflib.org/software/fiwalk
> 
> Any thoughts/suggestions are welcome,
> 
> Karl Bernard
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org