[sleuthkit-users] Issue with Extracting Strings from 40gb NTFS Volume
From: Surago J. <su...@sj...> - 2005-04-18 06:40:32
Hi,

I have configured a new case with Autopsy v2.05 and have added an image of a HDD which contained a single NTFS volume as C:\. At this stage everything worked fine; from within the Host Manager I selected details for the NTFS partition contained within the volume image. Then I selected to extract the strings from the image, where I received the following errors in the autopsy command line window...

Keep this process running and use <ctrl-c> to exit
Use of uninitialized value in string eq at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 831.
Use of uninitialized value in string eq at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 831.
Use of uninitialized value in string eq at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 831.
Use of uninitialized value in string eq at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 831.
Use of uninitialized value in concatenation (.) or string at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 866.
Use of uninitialized value in concatenation (.) or string at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 866.
Use of uninitialized value in concatenation (.) or string at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 866.
Use of uninitialized value in concatenation (.) or string at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 866.
Missing image name and/or address
usage: /forensics/thesis/tools/sleuthkit-2.01/bin/dcat [-ahsvVw] [-f fstype] [-i imgtype] [-o imgoffset] [-u usize] image [images] unit_addr [num]

An error was also displayed in the browser window; however, I do not have a copy of that error as I tried to re-open the case, and unfortunately the volume for this host is no longer available...

Here are the listings from the host exec log for the host...

Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/img_stat' -t "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/mmstat' -i raw "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/mmls' -i raw -t dos -r "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/fsstat' -o 63 -i raw -t "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/mmls' -t dos -r "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:51 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/img_stat' -t "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:51 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dls' -f raw -e "/forensicsbig/stickhdd/hdb.img" | '/forensics/thesis/tools/sleuthkit-2.01/bin/md5'
Mon Apr 18 04:14:46 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/fsstat' -o 63 -i raw -f ntfs "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 04:14:47 2005: /bin/ln -s '/forensicsbig/stickhdd/hdb.img' '/forensics/thesis/ev.locker/StickBeetle/homepc/images/hdb.img'
Mon Apr 18 12:28:12 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dcat' -f ntfs -s -o 63 -i raw '/forensics/thesis/ev.locker/StickBeetle/homepc/images/hdb.img'
Mon Apr 18 12:28:17 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dls' -e -f ntfs -o 63 -i raw '/forensics/thesis/ev.locker/StickBeetle/homepc/images/hdb.img' | '/forensics/thesis/tools/sleuthkit-2.01/bin/srch_strings' -a -t d > '/forensics/thesis/ev.locker/StickBeetle/homepc/output/hdb.img-63-78140159-ntfs.asc'
Mon Apr 18 16:08:58 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/md5' /forensics/thesis/ev.locker/StickBeetle/homepc/output/hdb.img-63-78140159-ntfs.asc
Mon Apr 18 16:10:12 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dls' -e -f ntfs -o 63 -i raw '/forensics/thesis/ev.locker/StickBeetle/homepc/images/hdb.img' | '/forensics/thesis/tools/sleuthkit-2.01/bin/srch_strings' -a -t d -e l > '/forensics/thesis/ev.locker/StickBeetle/homepc/output/hdb.img-63-78140159-ntfs.uni'
Mon Apr 18 18:43:36 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/md5' /forensics/thesis/ev.locker/StickBeetle/homepc/output/hdb.img-63-78140159-ntfs.uni
Mon Apr 18 18:43:46 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dcat' -f -s -o -i

And here is the host log...

Mon Apr 18 03:43:39 2005: Host homepc added to case StickBeetle
Mon Apr 18 03:43:47 2005: Host homepc opened by Ants
Mon Apr 18 04:14:47 2005: Sym Linking image /forensicsbig/stickhdd/hdb.img into StickBeetle:homepc
Mon Apr 18 04:14:47 2005: Image added: image img1 raw images/hdb.img
Mon Apr 18 04:14:47 2005: Volume added: disk vol1 img1 dos
Mon Apr 18 04:14:47 2005: Volume added: part vol2 img1 63 78140159 ntfs C:
Mon Apr 18 16:08:58 2005: Volume added: strings vol3 vol2 output/hdb.img-63-78140159-ntfs.asc
Mon Apr 18 18:43:36 2005: Volume added: unistrings vol1 vol2 output/hdb.img-63-78140159-ntfs.uni
Mon Apr 18 18:45:10 2005: Host homepc opened by Ants
Mon Apr 18 18:45:33 2005: Host homepc opened by Ants

As you can see, I have done very little with this host. At this stage I haven't tried to re-add the image to the host, as I wanted to check to see if there were any comments/ideas on this list first.

Also, one possible suggestion for a future version might be to include a timing function on the search for ASCII and Unicode strings on an image, as on this 40gb drive it took a considerable amount of time, and it would be useful to have a reference for future purposes.

Any thoughts/ideas would be much appreciated.

Cheers
Surago.