Re: [sleuthkit-users] RE: Problem adding image

[Sid P. - S. P. <sp...@si...>]

On Saturday 08 March 2003 16:19, Eagle Investigative Services wrote:
> Ok, My machine is a 18GHz P4, 512 RAM, 60 Gig WD 7200 HD, Win2k install=
ed
> on 20 Gigs, and SuSE 8.1 installed on the 404 Gig portion.

20Gigs is the size of the partition you're analysing then....

> So I got my image to appear in Autopsy. However, when I went to add the
> image
> I ran into a snag, which I believe is due to the mounting point paramet=
er.

It looks like you don't understand the concept of a mounting point, and I=
=20
notice that its not documented in the online help. Here is my explainatio=
n=20
for it, and others can pick up on where I go wrong or make wrong assumpti=
ons=20
regarding task / autopsy.

A hard disk is a physical device that is loaded into your system. It typi=
cally=20
is very large, in your case 60Gigs. You have broken your disk into two, a=
nd I=20
suspect 5 partitions. Windows gets a 20 gig partition, linux /boot maybe =
gets=20
a 20Mb partition, linux swap gets probably 128Mb, and the balance goes fo=
r=20
root.

Your disk will have primary partition /dev/hda1 and also partitions /dev/=
hda2=20
/dev/hda3 /dev/hda4

These /dev/hdx are how we reference the partitions in linux, this informa=
tion=20
is linux specific. Windows does not provide you with addressible device=20
labels such as this and internally references the partitions somthing lik=
e=20
ide0:1 to say first partition on IDE Bus 0

The target operating system that uses the partitions mounts them into mou=
nt=20
points. In linux your partitions might get mounted as:

/dev/hda1 could get mounted to /windows/C
/dev/hda2 could get mounted to /boot
/dev/hda3 might not get mounted at all as it is swap
/dev/hda4 might get mounted as /

I could have another disk, /dev/hdb that I use for /var/logs in which cas=
e=20
/devhdb1 would get mounted to /var/logs

If I ran windows on the same machine, windows would probably mount /dev/h=
da1=20
as C: (this is not guaranteed). If I had filesystem drivers for windows t=
o=20
read the linux partitions, it might mount /dev/hda2 as E: (assuming CD is=
=20
D:),  /dev/hda4 as F: , and /dev/hdb1 as F:

These are all mount points, /    /boot    C:   D:   E:  F:

There is no information in the imaged partition to say what they are moun=
ted=20
as under a specific operating system, and can be mounted under multiple=20
operating systems as different mountpoints and used withing the confines =
of=20
that os as that mountpoint.

Autopsy has no way then of knowing what the full path of a file was on a=20
target system. It finds a deleted file temp/bossescc#.txt and on the orig=
inal=20
system that would have possibly been C:/temp/bossescc#.txt

On a linux system it might have been /temp/bossescc#.txt

C: and / are the mount points on the two respective systems, and this=20
information needs to be given to autopsy in order for it to give you prop=
er=20
file paths back in its reports.

> I entered the following attempts
>
> /dev/hda1
> /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
> /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
> 0

The mounting point is just a label that autopsy is going to stick infront=
 of=20
all file paths that it gathers, so all of the above are relevant and "ok"=
 to=20
provide as mount points, but not necessarily correct when compaired with =
the=20
actual file system that you are analysing. They would not cause you any=20
problems though.

> All to no avail. The Konqueror browser would attempt to load the data a=
nd
> then
> stall.

I assume that you saw "Stalled" in the status bar of Konqueror?
That means that Konqueror is stalled, waiting for more information, it do=
es=20
not mean that the process has failed. You were trying to load a 20gig=20
partition, in my test I loaded a 10gig partition in the same manner as yo=
u,=20
and it probably took a whole 10 mins to load, I actually left it run and =
came=20
back to it a while later and went again and came back to find:

----- Begin Sample Output -----
Calculating MD5 of images/hda1
Current MD5: 81C534B8FA3AACDC70E507A2975223A7

<BR>Image: images/hda1 added to config file

[OK]
----- End Sample Output -----

Sounds to me like you didnt wait long enough for the processing to get th=
is=20
far, 20gigs is a LOT of data to load, imagine how long it would take to l=
oad=20
a text file 20gigs in size.....

> What should I enter as the mounting point?

Whatever the partitions mounting point was on the original system, presum=
ably,=20
but not always C: in terms of the first partition on a windows system.

It is conceivable that on some machines, running dual OS, that a partitio=
n=20
could get mounted under both OS, and you might have to run your analyses=20
twice one for each OS context. An example from my machine is my windows=20
C:/documents and settings/administrator/my documents folder is actually a=
=20
link that points to E:/home/dindang/Documents so that both my windows and=
=20
linux profiles share the same "documents" folder. Obviously in the window=
s=20
context the mount point for the partition that holds this folder is E: bu=
t on=20
linux its /

> I was running Autopsy as the root user (i.e. from the prompt
> linux:/home/niallc)

Sounds ok, little scary, but ok. Havent actually tried to run autopsy as =
an=20
unprivilaged user, would probably work just fine as user niallc maybe som=
eone=20
can confirm?

> At a loss at what to try next - any ideas greatly appreciated.

Do it again, and this time instead of panic'ing, go and have a few beers.

The "Stalled" status in Konqueror is not a panic signal, you should have =
been=20
able to hear plenty of disk activity going on, and the "cog" in the top r=
ight=20
hand corner of Konqueror's window should have been spinning. When that st=
ops=20
spinning, and you havent got your output, then panic!

> Thank  you all again,

More than welcome,

HTH,

Sid.