Re: [sleuthkit-users] Attempting to use fiwalk
From: Jeff S. <jef...@gm...> - 2015-03-27 20:01:44
Thank you all for your replies.

@Alex -- I believe you are correct in that fiwalk wants one file. Fortunately, Jason Wright had a workable idea for that.

@Brian Carrier -- Using tsk_gettimes on the image does seem to run through the data. The process ran for several minutes before I stopped the program. It seems the data would be more than what would be found in a single file.

@Simson Garfinkel -- I have a few drive images that I am attempting to extract data from using Bulk Extractor. According to a presentation you had given on Bulk Extractor, I am using fiwalk to extract DFXML data and will then run identify_filenames.py in hopes of linking the data with the files.

@Jason Wright -- Thanks. Using the affuse worked, once I had the commands down correctly. Below are the commands I used for reference.

    affuse path/to/image.001 /mnt/combine
    fiwalk -X report.xml /mnt/combine/image.001.raw

Thanks again,
Jeff Scarborough

On Fri, Mar 27, 2015 at 1:58 PM, Simson Garfinkel <si...@ac...> wrote:

> With the fiwalk rewrite, it's using standard Sleuthkit image processing.
>
> However, Jeff, what are you using fiwalk for? What's your interest in DFXML?
>
> Simson
>
> > On Mar 27, 2015, at 2:07 PM, Brian Carrier <ca...@sl...> wrote:
> >
> > TSK commands should find the remaining files if you give it just the ".001" file. Not sure about fiwalk's usage.
> >
> > Jeff, if you run tsk_gettimes on the image, then does it find all of them?
> >
> > On Mar 27, 2015, at 1:27 PM, Jeff Scarborough <jef...@gm...> wrote:
> >
> >> I am a new user to SleuthKit and I am attempting to run fiwalk on an image and output a dfxml file. The image is, I believe, called a split raw since it is in the form of filename.001, filename.002, filename.003 etc. I am having an issue with the command line to output the file.
> >>
> >> The below command is the example I usually run across.
> >>
> >> fiwalk -X path/report.xml path/image.raw
> >>
> >> I need to use fiwalk with split files. I used the examples below with limited luck.
> >>
> >> fiwalk -X path/report.xml path/image.dd -- this one said it had trouble opening the file
> >>
> >> fiwalk -X path/report.xml path/image.* -- this one also has trouble
> >>
> >> The command line below seems to start the process but as far as I can see only processes the first file in the list and none of the others.
> >>
> >> fiwalk -X path/report.xml path/image.001
> >>
> >> Am I missing something in the command line that will process all of the files?
> >>
> >> I am using a virtual machine to run Linux with SleuthKit installed and the image is on a USB drive.
> >>
> >> Thanks,
> >> Jeff Scarborough
> >>
> >> _______________________________________________
> >> sleuthkit-users mailing list
> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> >> http://www.sleuthkit.org
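
Added example, not part of the original thread and not code from fiwalk or Bulk Extractor: a simplified sketch of the lookup that linking Bulk Extractor features to files depends on, mapping an image byte offset to a file through the `byte_run` elements in fiwalk's DFXML. The sample XML is constructed, and `local`, `load_runs` and `locate` are hypothetical helper names.

```python
import bisect
import xml.etree.ElementTree as ET

# Constructed sample shaped like `fiwalk -X` output; not taken from a real image.
SAMPLE_DFXML = """<dfxml xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'>
<volume offset='32256'>
<fileobject><filename>docs/report.doc</filename><byte_runs>
  <byte_run file_offset='0' fs_offset='4096' img_offset='36352' len='8192'/>
  <byte_run file_offset='8192' fs_offset='40960' img_offset='73216' len='1000'/>
</byte_runs></fileobject>
<fileobject><filename>mail/inbox.dbx</filename><byte_runs>
  <byte_run file_offset='0' fs_offset='12288' img_offset='44544' len='4096'/>
</byte_runs></fileobject>
</volume></dfxml>"""

def local(tag):
    """Strip the XML namespace so lookups work with or without one."""
    return tag.rsplit("}", 1)[-1]

def load_runs(dfxml_text):
    """Return (img_start, img_end, file_offset, filename) tuples sorted by start."""
    runs = []
    for fobj in ET.fromstring(dfxml_text).iter():
        if local(fobj.tag) != "fileobject":
            continue
        name = next((e.text for e in fobj if local(e.tag) == "filename"), None)
        for run in fobj.iter():
            a = run.attrib
            # Runs without img_offset/len have no location in the image; skip them.
            if local(run.tag) == "byte_run" and "img_offset" in a and "len" in a:
                start = int(a["img_offset"])
                runs.append((start, start + int(a["len"]),
                             int(a.get("file_offset", 0)), name))
    return sorted(runs, key=lambda r: r[:3])

def locate(runs, img_offset):
    """Map an image byte offset to (filename, offset within file), or None."""
    i = bisect.bisect_right(runs, (img_offset, float("inf"))) - 1
    if i >= 0 and runs[i][0] <= img_offset < runs[i][1]:
        start, _end, file_off, name = runs[i]
        return name, file_off + (img_offset - start)
    return None  # unallocated space, slack, or outside every recorded run

RUNS = load_runs(SAMPLE_DFXML)
```

The offsets passed to `locate` must be relative to the same single raw view that fiwalk processed (here, the affuse-mounted `.raw`), not to an individual split segment.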