Re: [sleuthkit-users] NSRL question
From: Paul S. <pa...@vn...> - 2004-01-31 06:56:29
Hi all,
I just wrote a little script that does this. I d/l'ed the NSRL 2.3 in format-15 (1.5?) and wrote a little script that takes the NSRLFile.txt directly from the zip file and sticks it in an output file NSRLFile.txt. Is format-15 the correct one to use? I couldn't find any doc on that.
Here's the script I used:
#!/bin/bash
# remove NSRLFile.txt to eliminate possibility of duplicating the database
# (-f so the script does not fail on the first run, when it does not exist yet)
rm -f NSRLFile.txt
# append the NSRLFile.txt member of every zip in this directory to one big file
# (glob instead of `ls`, and quoted "$x", so odd file names do not break the loop)
for x in *.zip
do unzip -qq -c "$x" NSRLFile.txt >> NSRLFile.txt
done
Run it from the directory where you downloaded all of the .zip, .sha, and .md5 files. It'll give you the big database file as described below. Beware... it is BIG - 2.6G big :-) Caveat - I did absolutely no error checking but it seems to work. Autopsy's make uses it with the following output. Any info on what the 2,602 errors might be and how I could eliminate them would be appreciated.
Enter the directory where you installed it:
/Forensics/NSRL
NSRL database was found (NSRLFile.txt)
NSRL Index file not found, do you want it created? (y/n) [n]:
y
-------------- begin hfind output --------------
Extracting Data from Database (/Forensics/NSRL/NSRLFile.txt)
Valid Database Entries: 17292990
Invalid Database Entries (headers or errors): 2602
Index File Entries (optimized): 16572711
Sorting Index (/Forensics/NSRL/NSRLFile.txt-md5.idx)
--------------- end hfind output ---------------
Paul
On Friday 02 January 2004 00:33, Brian Carrier wrote:
> Mike,
>
> You want to have one big NSRLFile.txt file. I'm not sure of the
> details of all of the NSRL versions, but some of the distributions have
> multiple NSRLFile.txt files because they don't all fit on one CD.
> Concatenate the NSRLFile.txt files together into one file and give that
> location to Autopsy. So, it would be something like:
>
> cat NSRLFile-1.txt NSRLFile-2.txt > NSRLFile.txt
>
> That database will need to be indexed by Autopsy / Sleuth Kit and then
> it can be used.
>
> brian
>
> On Wednesday, December 31, 2003, at 04:38 PM, Michael Dundas wrote:
> > I've been using autopsy for some time now, but not with the NSRL
> > database. I've downloaded the entire database, format-15. It is in
> > many ZIP files. How does one make this work with autopsy? I know you
> > indicate the location of the NSRL DB during installation, but what is
> > one to do with all these zip files? Do you unzip them all, then
> > append the data in the files in the zip files to one big file? If
> > there are scripts written to do this, I'd like to know where one can
> > get a copy? If not, happy to write them, but don't understand the end
> > goal? Maybe I'm making this too complicated. Any help appreciated.
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
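An added example (not Paul's script and not anything from The Sleuth Kit) that does the same job as the loop in the post above, but writes the CSV header line from the first zip only, since hfind reports header lines among its "Invalid Database Entries (headers or errors)". The member name NSRLFile.txt is taken from the thread; the header layout and the two small sample zips are constructed for the demo and are assumptions about the RDS files.

```python
"""Merge the NSRLFile.txt member of several RDS zips into one NSRLFile.txt,
keeping a single CSV header (added example, not code from the original post)."""
import os
import tempfile
import zipfile

MEMBER = "NSRLFile.txt"  # member name inside each RDS zip, as used in the post

# Assumed RDS header layout (constructed for this demo).
HEADER = (b'"SHA-1","MD5","CRC32","FileName","FileSize",'
          b'"ProductCode","OpSystemCode","SpecialCode"\r\n')


def merge_nsrl(zip_paths, out_path):
    """Append MEMBER from each zip to out_path; returns (records, headers_dropped).

    The first line of each member is treated as its header. Only the first
    header is written; later ones must match it, otherwise zips of different
    NSRL formats were mixed and we stop instead of silently stitching them.
    """
    header, records, dropped = None, 0, 0
    with open(out_path, "wb") as out:
        for zpath in sorted(zip_paths):
            with zipfile.ZipFile(zpath) as zf, zf.open(MEMBER) as member:
                first = member.readline()
                if header is None:
                    header = first
                    out.write(header)
                elif first != header:
                    raise ValueError(f"{zpath}: header differs from first zip")
                else:
                    dropped += 1  # duplicate header, not written
                for line in member:
                    out.write(line)
                    records += 1
    return records, dropped


def make_sample_zips(directory):
    """Write two constructed RDS-style zips (placeholder hashes) and return their paths."""
    paths = []
    for name, files in (("RDS_1.zip", ["a.exe", "b.dll"]), ("RDS_2.zip", ["c.sys"])):
        rows = b"".join(b'"%s","%s","00000000","%s","10","1","1",""\r\n'
                        % (b"0" * 40, b"0" * 32, fn.encode()) for fn in files)
        path = os.path.join(directory, name)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(MEMBER, HEADER + rows)
        paths.append(path)
    return paths


def demo():
    """Merge the sample zips; returns (records, headers_dropped, lines_in_output)."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, MEMBER)
        records, dropped = merge_nsrl(make_sample_zips(tmp), out)
        with open(out, "rb") as fh:
            return records, dropped, len(fh.read().splitlines())
```

On a real download, replace make_sample_zips(tmp) with sorted(glob.glob("*.zip")) in the directory holding the RDS zips; the headers_dropped count tells you how many of hfind's "invalid" lines were just repeated headers.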