Re: [sleuthkit-users] Problems Using fiwalk
From: Karl B. <kar...@gm...> - 2011-10-15 03:34:36
Simson,

Thanks for the reply. I can't share the image file, it's part of an ongoing investigation, but I'll try building fiwalk from source on Monday. I'll let you know how it goes.

Thanks again,
Karl

On Oct 14, 2011 7:48 PM, "Simson Garfinkel" <si...@ac...> wrote:
> Hi, Karl. I cannot speak for the version of fiwalk included on the SANS
> SIFT. However, if you wish to download the fiwalk from the afflib.org website
> and build it from sources, I'm happy to provide you with support.
>
> Is your file HDDimage_ntfs_fiwalk available for testing?
>
> identify_filenames requires the DFXML file. You can't do it with TSK tools
> alone; we will be integrating fiwalk into the SleuthKit distribution later
> this year.
>
> On Oct 14, 2011, at 2:46 PM, Karl Bernard wrote:
>
> > I'm trying to use fiwalk from within the SANS SIFT kit 2.1 to process some
> > images and create a "digital forensics XML file" and it's failing out with
> > some sort of programmatic error:
> >
> > root@sansforensics:~# fiwalk -I -X /media/sdb1/HDDimage_ntfs_fiwalk /media/sdb1/HDDimage.dd
> > terminate called after throwing an instance of 'std::logic_error'
> >   what():  basic_string::_S_construct NULL not valid
> > Aborted (core dumped)
> >
> > FWIW - from the beginning of the XML file that it started to make, it looks
> > like it's trying to say all ftypes are 0 - like this: <ftype>0</ftype>
> >
> > Any thoughts about what to try next? Anyone else successfully run fiwalk in
> > the SIFT Kit? In the meantime, I'm going to break out my SANS 508 books and
> > review the steps to resolve this directly in TSK ;)
> >
> > Background:
> > Using AFFLIB's bulk_extractor (many thanks to Derrick Karpo and the many
> > others that gave great suggestions) I've had great luck finding some hits
> > for possible CC and SSN info on some imaged drives and now want to map the
> > offsets back to file names/locations.
> >
> > Ran this on all images:
> > bulk_extractor -o /media/6241-4B1A/bulk_out1 -E accts /media/sdb1/HDDimage.dd
> >
> > Found some hits like this (this one looks like part of a program):
> >
> > 79168205446 SSN: 123456789 NE_[vsCkn?n][RU]SSN: 123456789_[vsckN?N][RU]Su
> >
> > And now I want to see what file resides at offset 79168205446.
> >
> > Planned to use this (from: http://afflib.org/software/bulk_extractor):
> > identify_filenames.py - In the bulk_extractor feature file, each feature
> > is annotated with the byte offset from the beginning of the image in which
> > it was found. The program takes as input a bulk_extractor feature file
> > and a DFXML file containing the locations of each file on the drive (produced
> > with Garfinkel's fiwalk program) and produces an annotated feature file
> > that contains the offset, feature, and the file in which the feature was
> > found.
> >
> > I know this can be done with TSK tools - but was hoping to use fiwalk
> > instead... It looks like it could be a really great way to process these
> > kinds of cases with a lot fewer headaches.
> >
> > References:
> > http://afflib.org/software/fiwalk
> >
> > Any thoughts/suggestions are welcome,
> >
> > Karl Bernard
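The offset-to-filename mapping that the thread describes identify_filenames.py as performing, as an added example that is neither the list's nor the AFFLIB project's code: it reads the byte runs from a fiwalk-style DFXML file and annotates each bulk_extractor feature line with the file (and the offset inside that file) whose run covers the image offset. The DFXML and feature lines below are constructed samples; the byte_run attributes (img_offset, len, file_offset) follow fiwalk's DFXML layout, but the filenames, volume offset and feature offsets are made up. It also covers two cases the paragraph does not spell out: fragmented files with several runs, and offsets that fall in unallocated space and map to no file.

```python
"""Annotate bulk_extractor feature offsets with the owning file, using the
byte runs recorded in a fiwalk DFXML file (added example, not AFFLIB code)."""
import xml.etree.ElementTree as ET

# Constructed sample DFXML: two files in a volume that starts at image offset
# 32256, so img_offset = 32256 + fs_offset. Not real fiwalk output.
SAMPLE_DFXML = """<dfxml xmlns="http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML" version="1.0">
  <volume offset="32256">
    <fileobject>
      <filename>Documents/accounts.txt</filename>
      <byte_runs>
        <byte_run file_offset="0" fs_offset="4096" img_offset="36352" len="4096"/>
        <byte_run file_offset="4096" fs_offset="16384" img_offset="48640" len="4096"/>
      </byte_runs>
    </fileobject>
    <fileobject>
      <filename>Windows/System32/app.exe</filename>
      <byte_runs>
        <byte_run file_offset="0" fs_offset="20480" img_offset="52736" len="8192"/>
      </byte_runs>
    </fileobject>
  </volume>
</dfxml>
"""

# Constructed bulk_extractor feature lines: tab-separated offset, feature, context.
SAMPLE_FEATURES = "\n".join([
    "# BANNER FILE NOT PROVIDED (-b option)",
    "# Feature-Recorder: accts",
    "40000\tSSN: 123456789\tNE_[vsCkn?n][RU]SSN: 123456789_[vsckN?N][RU]Su",
    "53000\tSSN: 987654321\tCustomer SSN: 987654321 record",
    "99999\tSSN: 111223333\tfragment in unallocated space",
])


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}byte_run' -> 'byte_run'."""
    return tag.rsplit("}", 1)[-1]


def load_byte_runs(dfxml_text):
    """Return (img_offset, length, file_offset, filename) tuples, one per byte_run,
    sorted by image offset. Runs without an img_offset attribute are skipped."""
    runs = []
    for fo in ET.fromstring(dfxml_text).iter():
        if _local(fo.tag) != "fileobject":
            continue
        name = None
        fo_runs = []
        for el in fo.iter():
            tag = _local(el.tag)
            if tag == "filename":
                name = el.text
            elif tag == "byte_run" and "img_offset" in el.attrib:
                fo_runs.append((int(el.attrib["img_offset"]),
                                int(el.attrib["len"]),
                                int(el.attrib.get("file_offset", "0"))))
        runs.extend((start, length, foff, name) for start, length, foff in fo_runs)
    runs.sort(key=lambda r: r[0])
    return runs


def lookup(runs, img_offset):
    """Return every (filename, offset_within_file) whose run covers img_offset.
    A linear scan is deliberate: runs of deleted files can overlap live ones,
    and a forensic tool should report all of them, not just the first."""
    hits = []
    for start, length, foff, name in runs:
        if start <= img_offset < start + length:
            hits.append((name, foff + (img_offset - start)))
    return hits


def parse_feature_offset(field):
    """bulk_extractor offsets may carry a decoding path such as '12345-GZIP-67';
    the leading integer is the position in the raw image."""
    return int(field.split("-", 1)[0])


def annotate(feature_text, runs):
    """Return (img_offset, feature, filename, file_offset) rows; filename is
    None when no run covers the offset (unallocated or slack space)."""
    rows = []
    for line in feature_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        offset = parse_feature_offset(fields[0])
        hits = lookup(runs, offset) or [(None, None)]
        for name, foff in hits:
            rows.append((offset, fields[1], name, foff))
    return rows


if __name__ == "__main__":
    for row in annotate(SAMPLE_FEATURES, load_byte_runs(SAMPLE_DFXML)):
        print("\t".join("" if v is None else str(v) for v in row))
```

On a real case the DFXML would come from `fiwalk -X image.xml image.dd` and the feature text from the accts recorder's output file; an offset that maps to no run is itself a finding worth keeping, since it points at unallocated space or slack that a file-level review would miss.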