Re: [sleuthkit-users] Fiwalk on running system
From: Rolf I. <rol...@gm...> - 2015-09-20 16:37:06
Thanks a lot to both of you! So far I tried tsk_loaddb, since it was included in the sleuthkit 4.2.0 on sourceforge. However, I will give fiwalk another try as soon as I have tried out tsk_loaddb! So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1 machine and it worked out pretty well! The sqlite DB was written to disk. The only thing I noticed (and what is a little bit weird) is that the column "md5" in tsk_files is null for every row. Do you have any idea why this is happening? (I started the cmd as Administrator for C:, so the rights should be fine ;) )

Thanks again!
--Rolf

> Sent: Friday, 18 September 2015 at 17:14
> From: "Derrick Karpo" <dk...@gm...>
> To: "Rolf Inator" <rol...@gm...>, "sleuthkit-users users" <sle...@li...>
> Subject: Re: [sleuthkit-users] Fiwalk on running system
>
> Hi Rolf.
>
> I'm not sure if Michael's suggestion works with the latest fiwalk or
> not but if it doesn't, have you looked at tsk_loaddb as an alternative
> to fiwalk? fiwalk hasn't been getting as much development lately but
> tsk_loaddb is actively developed and outputs all the results into a
> SQLite database. Something like this would work with tsk_loaddb:
>
> tsk_loaddb -d myimage.db \\.\c:
>
> Alternatively, for physical disks:
>
> wmic diskdrive list
> tsk_loaddb -d myimage.db \\.\PhysicalDrive0
>
> Derrick
>
>
> On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <scu...@gm...> wrote:
> > Does it work if you give it the volume name? fiwalk \\.\C:
> >
> > On 18 September 2015 at 14:50, Rolf Inator <rol...@gm...> wrote:
> >> Hi list,
> >>
> >> I wonder if it's possible to run fiwalk on a live system? The documentation says
> >> user@forensicbox:~$ fiwalk
> >> usage: fiwalk [options] iso-name
> >>
> >> The problem I am facing is that if I want to run fiwalk over a bitlocker encrypted dd image, I have to install Dislocker (a new driver) on my Linux system.
> >> It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.
> >>
> >> I hope that was clear :)
> >>
> >> Kind regards,
> >> Rolf
> >>
> >> ------------------------------------------------------------------------------
> >> _______________________________________________
> >> sleuthkit-users mailing list
> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> >> http://www.sleuthkit.org
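The thread leaves Rolf with a tsk_loaddb SQLite database whose tsk_files.md5 column is NULL on a system that is still running. The script below is an added example written for this page; it is not code from The Sleuth Kit or from anyone in the thread. It shows what a hashing pass over such a database has to get right: hash only allocated regular files (not directories, not deleted names), map TSK's POSIX-style parent_path back onto the live volume, and refuse to hash a file whose current size no longer matches the row, because on a running system the file may have changed since tsk_loaddb walked it. Assumptions, marked in the code as well: the column names obj_id, name, parent_path, size, meta_type and dir_flags (only md5 is confirmed on the page; the rest follow the TSK 4.x schema), the enum values meta_type 1 = regular file and dir_flags 1 = allocated, and the file names and contents, which are constructed fixtures so the script runs offline.

```python
"""Post-process a tsk_loaddb SQLite database whose tsk_files.md5 column came out NULL.

Added example for this thread; not code from The Sleuth Kit or from the posters.
Assumptions: tsk_files has columns obj_id, name, parent_path, size, meta_type,
dir_flags, md5 (md5 is on the page, the rest follow the TSK 4.x schema);
meta_type 1 = regular file, dir_flags 1 = allocated name. The volume and the
database built by build_fixture() are constructed stand-ins, not real output.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile

META_TYPE_REG = 1   # TSK_FS_META_TYPE_REG: regular file (assumed enum value)
DIR_FLAG_ALLOC = 1  # TSK_FS_NAME_FLAG_ALLOC: name entry not deleted (assumed)


def md5_of(path, chunk=1 << 20):
    """Stream a file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def missing_hashes(conn):
    """Rows a hashing pass should cover: allocated regular files with no md5 yet.
    Directories, unallocated (deleted) names and already-hashed rows are excluded."""
    return conn.execute(
        "SELECT obj_id, parent_path, name, size FROM tsk_files "
        "WHERE md5 IS NULL AND meta_type = ? AND dir_flags = ?",
        (META_TYPE_REG, DIR_FLAG_ALLOC),
    ).fetchall()


def volume_path(mount_root, parent_path, name):
    """Map TSK's POSIX-style parent_path ('/Windows/System32/') onto the live volume."""
    parts = [p for p in parent_path.split("/") if p]
    return os.path.join(mount_root, *parts, name)


def fill_hashes(conn, mount_root):
    """Hash each missing file through the live file system under mount_root.
    Returns (filled, skipped). A row is skipped when the file cannot be read or its
    current size differs from what tsk_loaddb recorded: it changed since the load,
    so a hash taken now would not describe the row."""
    filled = skipped = 0
    for obj_id, parent_path, name, size in missing_hashes(conn):
        path = volume_path(mount_root, parent_path, name)
        try:
            if os.path.getsize(path) != size:
                skipped += 1
                continue
            digest = md5_of(path)
        except OSError:
            skipped += 1
            continue
        conn.execute("UPDATE tsk_files SET md5 = ? WHERE obj_id = ?", (digest, obj_id))
        filled += 1
    conn.commit()
    return filled, skipped


def build_fixture():
    """Constructed stand-in for a live C: volume and its tsk_loaddb database."""
    root = tempfile.mkdtemp(prefix="vol_")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    with open(os.path.join(root, "Windows", "System32", "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")  # 20 bytes, matches the row below
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"hello\n")  # 6 bytes
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, name TEXT, parent_path TEXT, "
        "size INTEGER, meta_type INTEGER, dir_flags INTEGER, md5 TEXT)"
    )
    conn.executemany("INSERT INTO tsk_files VALUES (?,?,?,?,?,?,?)", [
        (1, "Windows", "/", 0, 2, 1, None),                  # directory: never hashed
        (2, "System32", "/Windows/", 0, 2, 1, None),
        (3, "hosts", "/Windows/System32/", 20, 1, 1, None),  # regular, allocated
        (4, "notes.txt", "/", 6, 1, 1, None),                # regular, allocated
        (5, "deleted.log", "/", 10, 1, 2, None),             # unallocated name: excluded
        (6, "stale.bin", "/", 99, 1, 1, None),               # in the DB, gone from disk
    ])
    conn.commit()
    return conn, root


def run_demo():
    """Build the fixture, run the hashing pass and return what happened."""
    conn, root = build_fixture()
    try:
        before = len(missing_hashes(conn))
        filled, skipped = fill_hashes(conn, root)
        rows = dict(conn.execute("SELECT obj_id, md5 FROM tsk_files").fetchall())
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, filled, skipped, rows


if __name__ == "__main__":
    before, filled, skipped, rows = run_demo()
    print(f"rows lacking md5 before: {before}; filled: {filled}; skipped: {skipped}")
    for obj_id, md5 in sorted(rows.items()):
        print(obj_id, md5)
```

Against a real database you would replace build_fixture() with sqlite3.connect("myimage.db") and pass "C:\\" as mount_root. Two caveats a practitioner should keep in mind: hashing through the running file system is weaker evidence than hashing from the raw volume that tsk_loaddb read (`\\.\c:`), and the size check only catches some changes made since the load. Before reaching for a script like this, check your build's `tsk_loaddb` usage output; recent releases list a `-h` option that calculates hash values during the load itself, which is the better answer to the NULL column if it is available.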