Re: [sleuthkit-users] ISTAT output question
From: <fu...@gm...> - 2005-04-27 14:56:55
Sorry, I sent this falsely to the linux-forensics list.

On Mon, 25 Apr 2005 16:34:08 -0500 Brian Carrier <ca...@ce...> wrote:

> On Apr 25, 2005, at 10:34 AM, fu...@gm... wrote:
>
>> I know that all these tasks can be done with sleuthkit tools like
>> sorter, srch_strings and so forth, but now with the ability to load full
>> images and not only partitions this is getting more complicated to do in
>> a script. So I'd like to ask what your tricks are to do this efficiently?
>> Did you all write scripts?
>
> dls and sorter are run the exact same way as before, but now you need
> to specify '-o X' where X is the sector offset of the file system in
> the disk. You can just make a script, copy and paste the relevant
> commands for each partition, and then change the offset values for
> each.
>
> Extracting strings from a partition is a little more tricky because the
> strings tool does not know where the partition boundaries are. So,
> you will need to use either 'dd' or 'dls -f raw -e' to extract out the
> sectors relevant to the partition and then pipe that into strings. You
> can look at the exec log to see the commands that have been executed
> for previous files as a basis.

Oh, I did not know about this log; this is exactly what I was looking for. I am now starting to compile a list of one-liners, so I can make things faster. As far as I can see, the only problem would be that these steps are not automatically logged in the Autopsy files, so maybe not the best thing from the forensic point of view?

> Adding the files to the Autopsy config file is probably the biggest
> change because of the new file format. As an example, a strings entry
> could be:
>
> strings vol10 vol5 output/basic-dos.dd-63-48194-ntfs.asc
>
> Every file now has a volume ID in autopsy and each entry in the config
> file describes a file. The above entry means that the volume id for
> this strings file is 'vol10' and it is a strings file for the volume
> with id 'vol5' (which could be a part entry or dls entry). The
> strings are located in 'output/basic-dos....'. The dls entries have
> a similar format.

Got it, this is not much of a problem to handle.

Furthermore, I have got another problem: I analyze an image of an NTFS hard drive containing two partitions. If I look at the deleted files list on the first partition, I see a lot of files which are deleted; if I look into the directories, they are still there OR I don't see the brown, unallocated file. Is this a problem with NTFS handling?

>> The loading whole images feature rocks by the way!
>
> thanks.

Thank you so much.
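As an added example (not code from this thread, from Autopsy, or from The Sleuth Kit), a small POSIX shell helper that applies Brian's advice above: it reads an mmls-style partition table and emits, for every allocated partition, the dls '-o <start sector>' one-liner and the dd-piped-into-strings one-liner for that partition's sector range. The partition table is constructed sample data, and the image name, the file system type argument and the output/ file naming are assumptions.

```shell
#!/bin/sh
# Constructed mmls-style output for a two-partition DOS image (sample data only; the
# 63..48194 NTFS range mirrors the config entry quoted in the thread).
SAMPLE_MMLS='DOS Partition Table
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000048194   0000048132   NTFS (0x07)
03:  00:01   0000048195   0000096389   0000048195   NTFS (0x07)'

# gen_partition_cmds IMAGE FSTYPE < mmls_output
# Prints (does not run) one dls and one dd|strings command per real partition.
# Rows whose slot is not NN:NN (the Meta table row, unallocated gaps) are skipped, so
# the strings pass never crosses a partition boundary. Output naming
# (IMAGE-START-END-FSTYPE) follows the quoted 'basic-dos.dd-63-48194-ntfs' convention.
gen_partition_cmds() {
    img=$1; fstype=$2
    awk -v img="$img" -v fs="$fstype" '
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ {
            start = $3 + 0; end = $4 + 0; len = $5 + 0   # strip leading zeros
            tag = img "-" start "-" end "-" fs
            # unallocated space of this partition, offset given in 512-byte sectors
            printf "dls -f %s -o %d %s > output/%s.dls\n", fs, start, img, tag
            # only this partition'"'"'s sectors are fed to strings
            printf "dd if=%s bs=512 skip=%d count=%d | strings > output/%s.asc\n", img, start, len, tag
        }'
}

# Stand-alone demo: print the command list for the constructed table.
printf '%s\n' "$SAMPLE_MMLS" | gen_partition_cmds image.dd ntfs
```

Because the helper only prints the commands, the generated list can be saved next to the case notes, which covers the point raised above that commands run outside Autopsy do not land in its exec log.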