Re: [sleuthkit-users] Attempting to use fiwalk
From: Simson G. <si...@ac...> - 2015-03-28 12:12:17
The problem is that the information is inside the ntfs implementation but there is no API to get it out.

> On Mar 28, 2015, at 7:23 AM, Atila <ati...@dp...> wrote:
>
> That reminds me of one more suggestion of improvement (unrelated to the current topic), but this time on Sleuthkit not Autopsy: tsk_loaddb could fill tsk_file_layout with byte_start for NTFS resident files, pointing to the appropriate position (and size, of course) inside MFT. Today, only a portion of the files (the non-resident ones) get their positions recorded in the DB.
>
> On 27-03-2015 18:32, Simson Garfinkel wrote:
>> It seems that the main reason people are running fiwalk at this point is so that they can run identify_filenames.py with bulk_extractor. However, fiwalk is a bit of a mess and it doesn't fit in well with the sleuthkit tool suite. tsk_loaddb does a good job with most of what fiwalk does, but it doesn't support plugins and it doesn't export XML.
>>
>> Options:
>>
>> 1 - Modify tsk_loaddb to output DFXML.
>> 2 - Have a Python script that takes a tsk_loaddb Sqlite3 database and outputs DFXML.
>> 3 - Modify identify_filenames.py to read the Sqlite3 database produced by tsk_loaddb.
>>
>> I think that #2 and #3 are the right options, in that order, provided that nobody is making use of the fiwalk plugins (or provided that they can migrate to something else). Does anyone on the list have a dependency on dfxml or fiwalk plug-ins?
>>
>> Simson
>>
>> There are two ways to move forward on this.
>>
>>> On Mar 27, 2015, at 4:01 PM, Jeff Scarborough <jef...@gm...> wrote:
>>>
>>> Thank you all for your reply.
>>>
>>> @Alex -- I believe you are correct in that fiwalk wants one file. Fortunately, Jason Wright had a workable idea for that.
>>>
>>> @Brian Carrier -- Using tsk_gettimes on the image does seem to run through the data. The process ran for several minutes before I stopped the program. It seems the data would be more than what would be found in a single file.
>>>
>>> @Simson Garfinkel -- I have a few drive images that I am attempting to extract data from using Bulk Extractor. According to a presentation you had given on Bulk Extractor, I am using fiwalk to extract DFXML data and will then run identify_filenames.py in hopes of linking the data with the files.
>>>
>>> @Jason Wright -- Thanks. Using affuse worked, once I had the commands down correctly. Below are the commands I used for reference.
>>>
>>> affuse path/to/image.001 /mnt/combine
>>> fiwalk -X report.xml /mnt/combine/image.001.raw
>>>
>>> Thanks again,
>>>
>>> Jeff Scarborough
>>>
>>> On Fri, Mar 27, 2015 at 1:58 PM, Simson Garfinkel <si...@ac...> wrote:
>>> With the fiwalk rewrite, it's using standard Sleuthkit image processing.
>>>
>>> However, Jeff, what are you using fiwalk for? What's your interest in DFXML?
>>>
>>> Simson
>>>
>>> > On Mar 27, 2015, at 2:07 PM, Brian Carrier <ca...@sl...> wrote:
>>> >
>>> > TSK commands should find the remaining files if you give it just the ".001" file. Not sure about fiwalk's usage.
>>> >
>>> > Jeff, if you run tsk_gettimes on the image, then does it find all of them?
>>> >
>>> > On Mar 27, 2015, at 1:27 PM, Jeff Scarborough <jef...@gm...> wrote:
>>> >
>>> >> I am a new user to SleuthKit and I am attempting to run fiwalk on an image and output a dfxml file. The image is, I believe, called a split raw since it is in the form of filename.001, filename.002, filename.003 etc. I am having an issue with the command line to output the file.
>>> >>
>>> >> The below command is the example I usually run across.
>>> >>
>>> >> fiwalk -X path/report.xml path/image.raw
>>> >>
>>> >> I need to use fiwalk with split files. I used the examples below with limited luck.
>>> >>
>>> >> fiwalk -X path/report.xml path/image.dd -- this one said it had trouble opening the file
>>> >>
>>> >> fiwalk -X path/report.xml path/image.* -- this one also has trouble
>>> >>
>>> >> The command line below seems to start the process but as far as I can see only processes the first file in the list and none of the others.
>>> >>
>>> >> fiwalk -X path/report.xml path/image.001
>>> >>
>>> >> Am I missing something in the command line that will process all of the files?
>>> >>
>>> >> I am using a virtual machine to run linux with SleuthKit installed and the image is on a USB drive.
>>> >>
>>> >> Thanks,
>>> >> Jeff Scarborough
>>> >> ------------------------------------------------------------------------------
>>> >> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
>>> >> by Intel and developed in partnership with Slashdot Media, is your hub for all
>>> >> things parallel software development, from weekly thought leadership blogs to
>>> >> news, videos, case studies, tutorials and more. Take a look and join the
>>> >> conversation now. http://goparallel.sourceforge.net/
>>> >> _______________________________________________
>>> >> sleuthkit-users mailing list
>>> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> >> http://www.sleuthkit.org
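Simson's option 2, a script that reads a tsk_loaddb SQLite database and emits DFXML, as an added example that is not code from this thread or from The Sleuth Kit: it assumes the tsk_files/tsk_file_layout column names shown in its minimal schema (meta_type 1 = regular file, 2 = directory) and builds a constructed in-memory database so it runs offline. Files with no layout rows, the resident-file gap Atila raises, come out without byte_runs rather than with invented offsets.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Minimal subset of the tsk_loaddb schema (assumed column names from the TSK SQLite layout).
SCHEMA = """
CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, name TEXT, size INTEGER,
                        meta_type INTEGER, mtime INTEGER, parent_path TEXT);
CREATE TABLE tsk_file_layout (obj_id INTEGER, byte_start INTEGER, byte_len INTEGER, sequence INTEGER);
"""
# Constructed sample rows: a non-resident file with two runs, an NTFS-resident
# file with no layout rows (the gap Atila describes), and a directory.
SAMPLE = [
    ("INSERT INTO tsk_files VALUES (?,?,?,?,?,?)", [
        (1, "pagefile.sys", 8192, 1, 1427500000, "/"),  # meta_type 1 = regular file
        (2, "boot.ini", 200, 1, 1427500001, "/"),       # resident: no layout rows
        (3, "Windows", 0, 2, 1427500002, "/")]),        # meta_type 2 = directory
    ("INSERT INTO tsk_file_layout VALUES (?,?,?,?)",
     [(1, 1048576, 4096, 0), (1, 2097152, 4096, 1)]),
]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    return conn

def db_to_dfxml(conn):
    """One <fileobject> per regular file; <byte_runs> only where the database
    recorded on-disk runs, so resident files carry none."""
    root = ET.Element("dfxml", version="1.0")
    files = conn.execute("SELECT obj_id, name, size, mtime, parent_path "
                         "FROM tsk_files WHERE meta_type = 1 ORDER BY obj_id")
    for obj_id, name, size, mtime, parent in files.fetchall():
        fo = ET.SubElement(root, "fileobject")
        ET.SubElement(fo, "filename").text = parent + name
        ET.SubElement(fo, "filesize").text = str(size)
        ET.SubElement(fo, "mtime").text = str(mtime)
        runs = conn.execute("SELECT byte_start, byte_len FROM tsk_file_layout "
                            "WHERE obj_id = ? ORDER BY sequence", (obj_id,)).fetchall()
        if runs:
            br, off = ET.SubElement(fo, "byte_runs"), 0
            for start, length in runs:  # file_offset is cumulative, img_offset absolute
                ET.SubElement(br, "byte_run", file_offset=str(off),
                              img_offset=str(start), len=str(length))
                off += length
    return root

if __name__ == "__main__":
    print(ET.tostring(db_to_dfxml(build_sample_db()), encoding="unicode"))
```

Pointing `sqlite3.connect` at a real tsk_loaddb output instead of `build_sample_db()` is the only change needed to run it against a case database, provided the column names match.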