Re: [sleuthkit-users] Problems Using fiwalk
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Problems Using fiwalk
|
From: Karl B. <kar...@gm...> - 2011-10-18 15:23:51
|
After compiling, fiwalk ran without incident and created the XML file. When
I try to run identify_filenames.py I get the following errors. I thought
perhaps I'm getting the order of the inputs wrong, but when I tried them in
different order, I see a similar error. I also downloaded the latest
bulk_extractor and did configure, make, and make install.
What are the proper inputs and switches for identify_filenames.py?
One more question - does bulk_extractor only do allocated blocks, or
everything? I'm unable to map my hit back to an inode using tsk tools
(ifind, etc). This may be reasonable if the space is unallocated, but seems
problematic if it is allocated. Of course, I could be doing all my
calculations wrong....
FWIW - this is an HFS+ filesystem...
Python3:
trying *identify_filenames.py fiwalk.xml featurefile outputfile*
root@sansforensics:/# python3
/home/sansforensics/Downloads/bulk_extractor-1.1.0_alpha2/python/identify_filenames.py
/media/sdb1/2011image_fiwalk /media/6241-4B1A/2011image.dd/ccn.txt
/media/sdb1/2011image_out
File
"/home/sansforensics/Downloads/bulk_extractor-1.1.0_alpha2/python/identify_filenames.py",
line 13
raise ImportError, 'This script requires the dfxml and fiwalk modules
for Python.'
^
SyntaxError: invalid syntax
Python2.6:
trying *identify_filenames.py fiwalk.xml featurefile outputfile*
root@sansforensics:/# python2.6
/home/sansforensics/Downloads/bulk_extractor-1.1.0_alpha2/python/identify_filenames.py
/media/sdb1/2011image_fiwalk /media/6241-4B1A/2011image.dd/ccn.txt
/media/sdb1/2011image_out
Traceback (most recent call last):
File
"/home/sansforensics/Downloads/bulk_extractor-1.1.0_alpha2/python/identify_filenames.py",
line 19, in <module>
which is in Python 2.7 or Python 3.0"""
ImportError: This script requires ArgumentParser
which is in Python 2.7 or Python 3.0
Python:
trying *identify_filenames.py fiwalk.xml featurefile*
root@sansforensics:/# python
./identify_filenames.py /media/sdb1/2011image_fiwalk
/media/6241-4B1A/2011image.dd/ccn.txt
Traceback (most recent call last):
File "./identify_filenames.py", line 13, in <module>
raise ImportError, 'This script requires the dfxml and fiwalk modules
for Python.'
ImportError: This script requires the dfxml and fiwalk modules for Python.
Any suggestions or comments are welcome.
Thanks,
Karl
On Mon, Oct 17, 2011 at 10:56 AM, Simson Garfinkel <si...@ac...> wrote:
> A progress report would require a two-pass scan.
>
> On Oct 17, 2011, at 11:49 AM, Karl Bernard wrote:
>
> FYI - fiwalk 0.6.15 compiled in the SIFT kit without incident and is
> running error-free at the moment. I'll let you know how it looks when it
> completes. I miss bulk_extractor's progress report ;)
>
> Karl
>
> On Fri, Oct 14, 2011 at 10:34 PM, Karl Bernard <kar...@gm...>wrote:
>
>> Simson,
>>
>> Thanks for the reply. I can't share the image file, it's part of an
>> ongoing investigation, but I'll try building fiwalk from source on Monday.
>> I'll let you know how it goes.
>>
>> Thanks again,
>>
>> Karl
>> On Oct 14, 2011 7:48 PM, "Simson Garfinkel" <si...@ac...> wrote:
>>
>>> Hi, Karl. I cannot speak for the version of fiwalk included on the SANS
>>> SIFT. However, if you wish to download the fiwalk from the afflib.orgwebsite and build it from sources, I'm happy to provide you with support.
>>>
>>> Is your file *HDDimage_ntfs_fiwalk available for testing?*
>>>
>>> identify_filenames requires the DFXML file. You can't do it with TSK
>>> tools alone; we will be integrating fiwalk into the SleuthKit distribution
>>> later this year.
>>>
>>>
>>> On Oct 14, 2011, at 2:46 PM, Karl Bernard wrote:
>>>
>>> I'm trying to use fiwalk from within the SANS SIFT kit 2.1 to process
>>> some images and create a "digital forensics XML file" and it's failing out
>>> with some sort of programmatic error:
>>>
>>> *root@sansforensics:~# fiwalk -I -X /media/sdb1/HDDimage_ntfs_fiwalk
>>> /media/sdb1/HDDimage.dd*
>>> *terminate called after throwing an instance of 'std::logic_error'*
>>> * what(): basic_string::_S_construct NULL not valid*
>>> *Aborted (core dumped)*
>>>
>>>
>>> FWIW - from the beginning of the XML file that it started to make, it
>>> looks like it's trying to say all ftype's are 0 - like
>>> this: <ftype>0</ftype>
>>>
>>> Any thoughts about what to try next? Anyone else successfully run fiwalk
>>> in the SIFT Kit? In the meantime, I'm going to break out my SANS 508 books
>>> and review the steps to resolve this directly in TSK ;)
>>>
>>> *Background:*
>>> Using AFFLIB's bulk_extractor (many thanks to Derrick Karpo and the many
>>> others that gave great suggestions) I've had great luck finding some hits
>>> for possible CC and SSN info on some imaged drives and now want to map the
>>> offsets back to file names/locations.
>>>
>>> Ran this on all images:
>>> *bulk_extractor -o /media/6241-4B1A/bulk_out1 -E accts
>>> /media/sdb1/HDDimage.dd*
>>>
>>> Found some hits like this (this one looks like part of a program):
>>>
>>> 79168205446 SSN: 123456789
>>> NE_[vsCkn?n][RU]SSN: 123456789_[vsckN?N][RU]Su
>>>
>>> And now I want to see what file resides at offset 79168205446.
>>>
>>> Planned to use this (from: http://afflib.org/software/bulk_extractor):
>>> *identify_filenames.py* In the *bulk_extractor* feature file, each
>>> feature is annotated with the byte offset from the beginning of the image in
>>> which it was found. The program takes as input a *bulk_extractor* feature
>>> file and a DFXML file containing the locations of each file on the drive (produced
>>> with Garfinkel’s fiwalk program) and produces an annotated feature file
>>> that contains the offset, feature, and the file in which the feature was
>>> found.
>>>
>>> I know this can be done with TSK tools - but was hoping to use fiwalk
>>> instead... It looks like it could be a really great way to process these
>>> kinds of cases with a lot fewer headaches.
>>>
>>> References:
>>> http://afflib.org/software/fiwalk
>>>
>>> Any thoughts/suggestions are welcome,
>>>
>>> Karl Bernard
>>> ------------------------------------------------------------------------------
>>> All the data continuously generated in your IT infrastructure contains a
>>> definitive record of customers, application performance, security
>>> threats, fraudulent activity and more. Splunk takes this data and makes
>>> sense of it. Business sense. IT sense. Common sense.
>>>
>>> http://p.sf.net/sfu/splunk-d2d-oct_______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
>>>
>>>
>>>
>
>
|
