Re: [sleuthkit-users] sleuthkit framework and scalpel
From: Eamonn S. <ea...@ya...> - 2015-05-06 17:21:35
Hi Ricky,

This looks like it was an oversight on our part in the framework. It looks like the files get added to the database but are not getting scheduled for analysis. If you are comfortable editing the C++ code, the quickest fix would be to add something along the following lines to TskCarveExtractScalpel.cpp at line 375:

    TskServices::Instance().getScheduler().schedule(Scheduler::FileAnalysis, fileId, fileId);

Of course you probably want a little extra error handling. For other examples of how this works, take a look at TskL01Extract.cpp and ZipExtractionModule.cpp.

Out of curiosity, what are you looking to accomplish that led you to the Sleuthkit framework rather than Autopsy?

Thanks.

On Wednesday, April 29, 2015 1:08 PM, "Sanchez, Ricardo" <rr...@ra...> wrote:

I have a question about scalpel and integration with the sleuthkit framework. I was able to get scalpel and sleuthkit built, and I used the sample framework and pipeline XML files to carve and do some file analysis on a test image. However, I notice that carved files aren't being processed in the file analysis phase. E.g., the carved files don't get hashed. At least they don't appear in the file_hashes table in the output database.

So my question is: do I need to do something special to make sure the carved files get added to the scheduler for processing? I'm just getting started with sleuthkit, so I apologize if this is a simple question.

Thank you,
-ricky

Ricardo Sanchez, RAND Corporation
Research Software Engineer, Information Services
n1428b
(504) 299-3448
rr...@ra...