Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
From: Greg F. <gre...@gm...> - 2013-09-16 11:58:41
Bala, Simson is expert on your question, but so is the team writing plaso. The plaso team is writing in Python.

Libewf is a C library for working with E01 images and can pull out the metadata for you. It is not part of sleuthkit. I believe it has an LGPL license, so you don't have to worry about license issues.

I suggest you check out the plaso choices of libraries and how the workflow proceeds. I've only used it in Linux. In Linux the plaso workflow is:

Use mmls (from sleuthkit) to pull the partition table info. Offsets are in sectors. You can then call log2timeline.py to parse a partition. It requires you pass in the offset. It uses pytsk as a Python wrapper around libtsk to parse the filesystem. Libtsk is the core library which sleuthkit provides.

In general they don't extract the files, but I think they have a Python program that will extract the registry files that you could look at to see how they use libtsk to do that.

In Linux they have found their multi-threaded app works poorly if pointed directly at the E01 image; they recommend using ewfmount (included in libewf) as an image decoder and cache. It creates a virtual file that is the equivalent of a non-segmented dd image. The user just points log2timeline.py at the virtual dd image.

They also use libvshadow to provide access to the volume shadow copies. It too has an LGPL license, I believe.

Hope that helps,
Greg

Bala <bal...@cs...> wrote:

>Simson
>
>Here's what I'm trying to do. Develop a program on the .Net platform to do the following.
>
>1. Extract metadata from the forensic image (Investigator, case number etc.)
>2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files
>
>I can't use the tools (.exe) which you have mentioned as they are. The best would be to write my own wrapper in a .Net language and make calls to the sleuth kit API to do the above. Hence the reason for me to ask my previous question.
>
>BTW tsk_recover doesn't seem to iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files. Is there another tool which I could use for this purpose?
>
>Regards
>Bala
>
>From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
>Sent: Friday, September 13, 2013 6:15 PM
>To: Bala
>Cc: sle...@li...; si...@gm...
>Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
>
>Bala,
>
>I think that you have a fundamental misunderstanding about the tools you are using.
>
>There are no "method signatures" here. ewfinfo and tsk_recover are both command-line C++ tools. ewfinfo is built upon libewf, which is a C library. There is also libewfcs which is a C# implementation of the EWF format. tsk_recover is based on The SleuthKit, which is a C/C++ library. There is no managed code interface, but I believe that there is a JNI interface that you could call from Java.
>
>I'm not sure what you are trying to do, but I suspect that you need to focus on your desired outcome, rather than on the toolset.
>
>On Sep 13, 2013, at 1:50 AM, "Bala" <bal...@cs...> wrote:
>
>Simson
>
>I presume ewfinfo & tsk_recover would suit me ideally according to the descriptions that I find; however, I'm unable to locate both their method signatures, which could help me write managed .Net code to call them.
>
>Could you help me find them (method signatures) in this please.
>
>http://www.sleuthkit.org/sleuthkit/docs/api-docs/index.html
>
>Regards
>Bala
>
>From: Simson Garfinkel [mailto:simsong@gmail.com] On Behalf Of Simson Garfinkel
>Sent: Thursday, September 12, 2013 5:47 PM
>To: Bala
>Cc: sle...@li...
>Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
>
>Why do you want to use classes and methods?
>
>For #1 - what do you mean by "metadata"? Do you want to use ewfinfo?
>For #2 - Perhaps you want to use tsk_recover?
>
>On Sep 12, 2013, at 3:27 AM, "Bala" <bal...@cs...> wrote:
>
>Hi Guys
>
>I'm a newbie to TSK. Could someone help me figure out which classes and methods I need to use to get the following details from .E01 and .Ex01 files
>
>1. Extract metadata from the forensic image
>2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.
>
>Environment
>TSK Version 4.1.0 Core (not the framework)
>OS version Windows 7 / Windows 2008 R2
>
>Regards
>Bala
>
>_______________________________________________
>sleuthkit-users mailing list
>https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>http://www.sleuthkit.org

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
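The workflow Greg describes (mmls for the partition table, libewf to decode the E01 layer, pytsk around libtsk on the partition at its offset), written out as an added Python example. This is not code from the thread, nor from the plaso, libewf or sleuthkit projects. The mmls output it parses is constructed for the example; the libewf and libtsk calls (`pyewf.glob`, `pyewf.handle().get_header_values`, a `pytsk3.Img_Info` subclass of type `TSK_IMG_TYPE_EXTERNAL`, `pytsk3.FS_Info(offset=...)`) are the pyewf and pytsk3 bindings as I know them, and the segment path and output directory are whatever the caller passes in. It covers both of Bala's items: the acquisition header values (examiner, case number, and so on) come from the EWF header, and the file walk reads or copies files from one partition.

```python
import os
import re

# Constructed mmls output (not from a real image) so the parser runs offline.
# The "Units are in N-byte sectors" line drives the sector -> byte conversion;
# never assume 512.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0000409599   0000202752   NTFS / exFAT (0x07)
"""

UNIT_RE = re.compile(r"Units are in (\d+)-byte sectors")
ROW_RE = re.compile(r"^\d{3}:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_mmls(text):
    """Return (sector_size, partitions) from mmls output; the "Meta" row and
    unallocated ("-------") ranges are dropped, real slots ("000:000") kept."""
    unit = UNIT_RE.search(text)
    if unit is None:
        raise ValueError("no 'Units are in N-byte sectors' line in mmls output")
    sector_size = int(unit.group(1))
    parts = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row is None:
            continue
        slot, start, _end, length, desc = row.groups()
        if slot == "Meta" or slot.startswith("-"):
            continue
        parts.append({"slot": slot, "desc": desc.strip(),
                      "start": int(start), "length": int(length),   # sectors
                      "byte_offset": int(start) * sector_size})     # for libtsk
    return sector_size, parts


def walk_e01(first_segment, byte_offset, out_dir=None, max_files=50):
    """Open an E01/Ex01 set with libewf (pyewf) and walk one partition with
    libtsk (pytsk3).  Returns (ewf_header_values, [(path, size), ...]) and
    copies the files into out_dir if given.  The bindings are imported here
    so parse_mmls() still works on a box without them (assumed APIs)."""
    import pyewf
    import pytsk3

    class EwfImg(pytsk3.Img_Info):
        """Reads through the libewf handle, so libtsk sees the segment set as
        one flat disk image (the same idea as ewfmount's virtual dd file)."""
        def __init__(self, handle):
            self._h = handle
            super().__init__(url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)

        def read(self, offset, size):
            self._h.seek(offset)
            return self._h.read(size)

        def get_size(self):
            return self._h.get_media_size()

    handle = pyewf.handle()
    handle.open(pyewf.glob(first_segment))   # expands E01, E02, ... segments
    headers = handle.get_header_values()      # examiner_name, case_number, ...
    fs = pytsk3.FS_Info(EwfImg(handle), offset=byte_offset)

    found, stack = [], [("/", fs.open_dir(path="/"))]
    while stack and len(found) < max_files:
        base, directory = stack.pop()
        for entry in directory:
            name = entry.info.name.name.decode("utf-8", "replace")
            if name in (".", "..") or entry.info.meta is None:
                continue
            path = base.rstrip("/") + "/" + name
            if entry.info.meta.type == pytsk3.TSK_FS_META_TYPE_DIR:
                stack.append((path, entry.as_directory()))
                continue
            size = entry.info.meta.size
            found.append((path, size))
            if out_dir is not None:
                # Names come from the evidence: never let them choose the
                # destination path.  Flatten to one sanitised file name.
                safe = re.sub(r"[^A-Za-z0-9._-]", "_", path.strip("/")) or "root"
                with open(os.path.join(out_dir, safe), "wb") as dst:
                    for off in range(0, size, 1 << 20):
                        dst.write(entry.read_random(off, min(1 << 20, size - off)))
    return headers, found
```

The offset conversion is the part that bites in practice: mmls prints start sectors, and the sleuthkit command-line tools (fls -o, for example) take that sector number as-is, whereas pytsk3.FS_Info wants a byte offset, hence the multiplication by the sector size mmls itself reports. The copy step deliberately flattens paths taken from the image into a single sanitised file name, since directory and file names inside evidence are attacker-controlled and must not be allowed to steer writes outside out_dir.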