Re: [sleuthkit-users] RE: Problem adding image
From: Sid P. - S. P. <sp...@si...> - 2003-03-09 14:58:35
On Saturday 08 March 2003 16:19, Eagle Investigative Services wrote:
> Ok, My machine is a 18GHz P4, 512 RAM, 60 Gig WD 7200 HD, Win2k installed
> on 20 Gigs, and SuSE 8.1 installed on the 404 Gig portion.

20Gigs is the size of the partition you're analysing then....

> So I got my image to appear in Autopsy. However, when I went to add the
> image I ran into a snag, which I believe is due to the mounting point parameter.

It looks like you don't understand the concept of a mounting point, and I notice that it's not documented in the online help. Here is my explanation for it, and others can pick up on where I go wrong or make wrong assumptions regarding task / autopsy.

A hard disk is a physical device that is loaded into your system. It typically is very large, in your case 60Gigs. You have broken your disk into two, and I suspect 5 partitions. Windows gets a 20 gig partition, linux /boot maybe gets a 20Mb partition, linux swap gets probably 128Mb, and the balance goes for root.

Your disk will have primary partition /dev/hda1 and also partitions /dev/hda2 /dev/hda3 /dev/hda4

These /dev/hdx are how we reference the partitions in linux; this information is linux specific. Windows does not provide you with addressable device labels such as this and internally references the partitions something like ide0:1 to say first partition on IDE Bus 0.

The target operating system that uses the partitions mounts them into mount points. In linux your partitions might get mounted as:

/dev/hda1 could get mounted to /windows/C
/dev/hda2 could get mounted to /boot
/dev/hda3 might not get mounted at all as it is swap
/dev/hda4 might get mounted as /

I could have another disk, /dev/hdb, that I use for /var/logs, in which case /dev/hdb1 would get mounted to /var/logs.

If I ran windows on the same machine, windows would probably mount /dev/hda1 as C: (this is not guaranteed). If I had filesystem drivers for windows to read the linux partitions, it might mount /dev/hda2 as E: (assuming CD is D:), /dev/hda4 as F:, and /dev/hdb1 as F:

These are all mount points: / /boot C: D: E: F:

There is no information in the imaged partition to say what they are mounted as under a specific operating system, and they can be mounted under multiple operating systems as different mountpoints and used within the confines of that OS as that mountpoint.

Autopsy has no way then of knowing what the full path of a file was on a target system. It finds a deleted file temp/bossescc#.txt, and on the original system that would have possibly been C:/temp/bossescc#.txt

On a linux system it might have been /temp/bossescc#.txt

C: and / are the mount points on the two respective systems, and this information needs to be given to autopsy in order for it to give you proper file paths back in its reports.

> I entered the following attempts
>
> /dev/hda1
> /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
> /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
> 0

The mounting point is just a label that autopsy is going to stick in front of all file paths that it gathers, so all of the above are relevant and "ok" to provide as mount points, but not necessarily correct when compared with the actual file system that you are analysing. They would not cause you any problems though.

> All to no avail. The Konqueror browser would attempt to load the data and
> then stall.

I assume that you saw "Stalled" in the status bar of Konqueror?

That means that Konqueror is stalled, waiting for more information; it does not mean that the process has failed. You were trying to load a 20gig partition. In my test I loaded a 10gig partition in the same manner as you, and it probably took a whole 10 mins to load. I actually left it run and came back to it a while later, and went again and came back to find:

----- Begin Sample Output -----
Calculating MD5 of images/hda1
Current MD5: 81C534B8FA3AACDC70E507A2975223A7
<BR>Image: images/hda1 added to config file [OK]
----- End Sample Output -----

Sounds to me like you didn't wait long enough for the processing to get this far. 20gigs is a LOT of data to load; imagine how long it would take to load a text file 20gigs in size.....

> What should I enter as the mounting point?

Whatever the partition's mounting point was on the original system, presumably, but not always, C: in terms of the first partition on a windows system.

It is conceivable that on some machines, running dual OS, a partition could get mounted under both OS, and you might have to run your analyses twice, one for each OS context. An example from my machine is my windows C:/documents and settings/administrator/my documents folder is actually a link that points to E:/home/dindang/Documents so that both my windows and linux profiles share the same "documents" folder. Obviously in the windows context the mount point for the partition that holds this folder is E: but on linux it's /

> I was running Autopsy as the root user (i.e. from the prompt
> linux:/home/niallc)

Sounds ok, little scary, but ok. Haven't actually tried to run autopsy as an unprivileged user; it would probably work just fine as user niallc. Maybe someone can confirm?

> At a loss at what to try next - any ideas greatly appreciated.

Do it again, and this time instead of panicking, go and have a few beers. The "Stalled" status in Konqueror is not a panic signal; you should have been able to hear plenty of disk activity going on, and the "cog" in the top right hand corner of Konqueror's window should have been spinning. When that stops spinning, and you haven't got your output, then panic!

> Thank you all again,

More than welcome,

HTH,

Sid.