Re: [sleuthkit-users] Fiwalk on running system
From: Ketil F. <ke...@fr...> - 2015-09-20 18:36:41
You have to specify the -h option to calculate md5sums.
http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html

Ketil

On 20 Sep 2015 18:38, "Rolf Inator" <rol...@gm...> wrote:
> Thanks a lot to both of you! So far I tried tsk_loaddb, since it was
> included in the sleuthkit 4.2.0 on sourceforge. However, I will give fiwalk
> another try as soon as I have tried out tsk_loaddb!
>
> So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1
> machine and it worked out pretty well! The sqlite DB was written to disk;
> the only thing I noticed (and what is a little bit weird) is that the
> column "md5" in tsk_files is null for every row.
> Do you have any idea why this is happening? (I started the cmd as
> Administrator for C:, so the rights should be fine ;) ).
>
> Thanks again!
> --Rolf
>
> > Sent: Friday, 18 September 2015 at 17:14
> > From: "Derrick Karpo" <dk...@gm...>
> > To: "Rolf Inator" <rol...@gm...>, "sleuthkit-users users" <sle...@li...>
> > Subject: Re: [sleuthkit-users] Fiwalk on running system
> >
> > Hi Rolf.
> >
> > I'm not sure if Michael's suggestion works with the latest fiwalk or
> > not but if it doesn't, have you looked at tsk_loaddb as an alternative
> > to fiwalk? fiwalk hasn't been getting as much development lately but
> > tsk_loaddb is actively developed and outputs all the results into a
> > SQLite database. Something like this would work with tsk_loaddb:
> >
> > tsk_loaddb -d myimage.db \\.\c:
> >
> > Alternatively, for physical disks:
> >
> > wmic diskdrive list
> > tsk_loaddb -d myimage.db \\.\PhysicalDrive0
> >
> > Derrick
> >
> >
> > On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <scu...@gm...> wrote:
> > > Does it work if you give it the volume name? fiwalk \\.\C:
> > >
> > > On 18 September 2015 at 14:50, Rolf Inator <rol...@gm...> wrote:
> > >> Hi list,
> > >>
> > >> I wonder if it's possible to run fiwalk on a live system? The
> > >> documentation says
> > >> user@forensicbox:~$ fiwalk
> > >> usage: fiwalk [options] iso-name
> > >>
> > >> The problem I am facing is that if I want to run fiwalk over a
> > >> bitlocker encrypted dd image, I have to install Dislocker (a new driver) on
> > >> my Linux system. It would be more decent if I could just run the fiwalk
> > >> Windows executable while the suspect's system is still running.
> > >>
> > >> I hope that was clear :)
> > >>
> > >> Kind regards,
> > >> Rolf

------------------------------------------------------------------------------
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
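As an added example (not code from the thread or from the Sleuth Kit project): the symptom Rolf reports, a tsk_files table whose md5 column is NULL in every row, is what tsk_loaddb produces when it is run without -h, the option the man page Ketil links describes as calculating hash values for all files. On a live Windows system the corresponding command, typed at an Administrator prompt so the raw volume device can be opened, would be `tsk_loaddb -h -d live.db \\.\C:`. The script below checks a tsk_loaddb output database for hash coverage. It assumes the tsk_files columns name, meta_type and md5 (present in the TSK 4.x schema) and the TSK meta-type value 1 for regular files; the in-memory databases it builds, the file names and the file contents are constructed here so that the script runs offline, standing in for a run without and with -h.

```python
"""Check whether a tsk_loaddb SQLite database actually carries MD5 hashes.

Added example; not from the sleuthkit-users thread or the Sleuth Kit project.
Assumes tsk_files has the columns obj_id, name, meta_type, size and md5
(TSK 4.x schema). The sample data below is constructed, not taken from
any real volume.
"""
import hashlib
import sqlite3

# Values from TSK's TSK_FS_META_TYPE_ENUM. Only regular files carry content
# that can be hashed, so the checks below filter on meta_type.
TSK_FS_META_TYPE_REG = 1
TSK_FS_META_TYPE_DIR = 2

# Constructed sample entries standing in for files on the imaged volume.
SAMPLE_FILES = [
    ("hosts", TSK_FS_META_TYPE_REG, b"127.0.0.1 localhost\r\n"),
    ("notes.txt", TSK_FS_META_TYPE_REG, b"meeting at 10\r\n"),
    ("Windows", TSK_FS_META_TYPE_DIR, b""),
    ("pagefile.sys", TSK_FS_META_TYPE_REG, b"\x00" * 64),
]


def build_sample_db(with_hashes):
    """Build an in-memory stand-in for a tsk_loaddb database.

    with_hashes=False mimics a run without -h: the md5 column stays NULL.
    with_hashes=True mimics a run with -h: regular files get a hex MD5,
    directories keep NULL because they have no content to hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tsk_files ("
        "obj_id INTEGER PRIMARY KEY, name TEXT, meta_type INTEGER, "
        "size INTEGER, md5 TEXT)"
    )
    for obj_id, (name, meta_type, data) in enumerate(SAMPLE_FILES, start=1):
        md5 = None
        if with_hashes and meta_type == TSK_FS_META_TYPE_REG:
            md5 = hashlib.md5(data).hexdigest()
        conn.execute(
            "INSERT INTO tsk_files VALUES (?, ?, ?, ?, ?)",
            (obj_id, name, meta_type, len(data), md5),
        )
    conn.commit()
    return conn


def hash_coverage(conn):
    """Return (regular_files, hashed, unhashed) counts for tsk_files."""
    total, hashed = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(md5 IS NOT NULL), 0) "
        "FROM tsk_files WHERE meta_type = ?",
        (TSK_FS_META_TYPE_REG,),
    ).fetchone()
    return total, hashed, total - hashed


def unhashed_regular_files(conn, limit=10):
    """Names of regular files with a NULL md5: what a run without -h leaves."""
    rows = conn.execute(
        "SELECT name FROM tsk_files WHERE meta_type = ? AND md5 IS NULL "
        "ORDER BY name LIMIT ?",
        (TSK_FS_META_TYPE_REG, limit),
    )
    return [name for (name,) in rows]


def check_db(path):
    """Open a real tsk_loaddb output (e.g. live.db) and summarise hash coverage."""
    conn = sqlite3.connect(path)
    try:
        total, hashed, missing = hash_coverage(conn)
        return {
            "regular_files": total,
            "hashed": hashed,
            "unhashed": missing,
            "examples": unhashed_regular_files(conn),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for flag in (False, True):
        conn = build_sample_db(with_hashes=flag)
        label = "with -h" if flag else "without -h"
        print(label, hash_coverage(conn), unhashed_regular_files(conn))
```

Point check_db() at the database tsk_loaddb wrote; an unhashed count equal to the regular-file count is the "NULL in every row" symptom and means the run must be repeated with -h. Directories and other non-regular entries keep a NULL md5 even with -h, which is why the query filters on meta_type rather than counting NULLs across the whole table. Hashes taken from a running volume describe its state at read time; for files the operating system keeps modifying they will not match a later offline image, so record when the live run was made.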