Re: [sleuthkit-users] Fiwalk on running system
From: Rolf I. <rol...@gm...> - 2015-09-20 21:33:04
<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>This happens when you expect something else...</div>
<div>I thought the hashes were calculated automatically and didn't expect the "-h" switch to be the hash switch (I expected "help" when using "h" ^^).</div>
<div> </div>
<div>However, thanks guys, this works great on a running Windows!</div>
<div>--Rolf</div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Sunday, 20 September 2015 at 20:09<br/> <b>From:</b> "Ketil Froyn" <ke...@fr...><br/> <b>To:</b> "Rolf Inator" <rol...@gm...><br/> <b>Cc:</b> sleuthkit-users <sle...@li...>, "Derrick Karpo" <dk...@gm...><br/> <b>Subject:</b> Re: [sleuthkit-users] Fiwalk on running system</div>
<div name="quoted-content">
<p>You have to specify the -h option to calculate md5sums.</p>
<p><a href="http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html" target="_blank">http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html</a></p>
<p>Ketil</p>
<div class="gmail_quote">On 20 Sep 2015 18:38, "Rolf Inator" <<a href="rol...@gm..." target="_parent">rol...@gm...</a>> wrote:
<blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex;border-left: 1.0px rgb(204,204,204) solid;padding-left: 1.0ex;">Thanks a lot to both of you! So far I tried tsk_loaddb, since it was included in the sleuthkit 4.2.0 on sourceforge. However, I will give fiwalk another try as soon as I have tried out tsk_loaddb!<br/> <br/> So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1 machine and it worked out pretty well! The sqlite DB was written to disk - the only thing I noticed (and what is a little bit weird) is that the column "md5" in tsk_files is null for every row.<br/> Do you have any idea why this is happening? (I started the cmd as Administrator for C:, so the rights should be fine ;) ).<br/> <br/> Thanks again!<br/> --Rolf<br/> <br/> <br/> > Sent: Friday, 18 September 2015 at 17:14<br/> > From: "Derrick Karpo" <<a href="dk...@gm..." target="_parent">dk...@gm...</a>><br/> > To: "Rolf Inator" <<a href="rol...@gm..." target="_parent">rol...@gm...</a>>, "sleuthkit-users users" <<a href="sle...@li..." target="_parent">sle...@li...</a>><br/> > Subject: Re: [sleuthkit-users] Fiwalk on running system<br/> ><br/> > Hi Rolf.<br/> ><br/> > I'm not sure if Michael's suggestion works with the latest fiwalk or<br/> > not but if it doesn't, have you looked at tsk_loaddb as an alternative<br/> > to fiwalk? fiwalk hasn't been getting as much development lately but<br/> > tsk_loaddb is actively developed and outputs all the results into a<br/> > SQLite database. Something like this would work with tsk_loaddb:<br/> ><br/> > tsk_loaddb -d myimage.db \\.\c:<br/> ><br/> > Alternatively, for physical disks:<br/> ><br/> > wmic diskdrive list<br/> > tsk_loaddb -d myimage.db \\.\PhysicalDrive0<br/> ><br/> > Derrick<br/> ><br/> ><br/> > On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <<a href="scu...@gm..." target="_parent">scu...@gm...</a>> wrote:<br/> > > Does it work if you give it the volume name? fiwalk \\.\C:<br/> > ><br/> > > On 18 September 2015 at 14:50, Rolf Inator <<a href="rol...@gm..." target="_parent">rol...@gm...</a>> wrote:<br/> > >> Hi list,<br/> > >><br/> > >> I wonder if it's possible to run fiwalk on a live system? The documentation says<br/> > >> user@forensicbox:~$ fiwalk<br/> > >> usage: fiwalk [options] iso-name<br/> > >><br/> > >> The problem I am facing is that if I want to run fiwalk over a bitlocker encrypted dd image, I have to install Dislocker (a new driver) on my Linux system. It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.<br/> > >><br/> > >> I hope that was clear :)<br/> > >><br/> > >> Kind regards,<br/> > >> Rolf<br/> > >><br/> > >> ------------------------------------------------------------------------------<br/> > >> _______________________________________________<br/> > >> sleuthkit-users mailing list<br/> > >> <a href="https://lists.sourceforge.net/lists/listinfo/sleuthkit-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/sleuthkit-users</a><br/> > >> <a href="http://www.sleuthkit.org" target="_blank">http://www.sleuthkit.org</a><br/> > ><br/> ><br/> </blockquote> </div> </div> </div> </div> </div></div></body></html>
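The thread's symptom (an md5 column that is NULL in every tsk_files row because tsk_loaddb was run without -h) is easy to check before trusting a database. The following is an added example, not code from the thread or from The Sleuth Kit: it opens the SQLite database tsk_loaddb wrote (myimage.db in Derrick's command) and reports whether regular files carry hashes. The schema below is a constructed stand-in with only the columns the check needs; the dir_type value 5 for a regular file is taken from TSK's TSK_FS_NAME_TYPE enum and should be treated as an assumption if your version differs.

```python
import re
import sqlite3

# MD5 as tsk_loaddb stores it: 32 hex characters.
HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")

# Constructed stand-in for the tsk_files table that tsk_loaddb writes. The real
# table has many more columns; only the ones this check needs are modelled.
# dir_type 5 is TSK_FS_NAME_TYPE_REG (regular file) and 3 is a directory (assumed).
CONSTRUCTED_SCHEMA = """
CREATE TABLE tsk_files (
    obj_id   INTEGER PRIMARY KEY,
    name     TEXT,
    dir_type INTEGER,
    size     INTEGER,
    md5      TEXT
);
"""

def hash_coverage(conn):
    """Count regular files whose md5 is well-formed, NULL, or something else."""
    counts = {"hashed": 0, "missing": 0, "malformed": 0}
    for (md5,) in conn.execute("SELECT md5 FROM tsk_files WHERE dir_type = 5"):
        if md5 is None:
            counts["missing"] += 1
        elif HEX_MD5.match(md5.lower()):
            counts["hashed"] += 1
        else:
            counts["malformed"] += 1
    return counts

def diagnose(conn):
    """Turn the counts into the situation the analyst is actually in."""
    c = hash_coverage(conn)
    if sum(c.values()) == 0:
        return "no regular files in tsk_files"
    if c["hashed"] == 0:
        return "no hashes: tsk_loaddb was probably run without -h"
    if c["missing"] or c["malformed"]:
        return "partial hashes: check for unreadable files or an interrupted run"
    return "all regular files hashed"

def build_sample_db(rows):
    """Constructed in-memory database; rows are (name, dir_type, size, md5)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(CONSTRUCTED_SCHEMA)
    conn.executemany("INSERT INTO tsk_files(name, dir_type, size, md5) VALUES (?, ?, ?, ?)", rows)
    return conn
```

Against a real run, replace build_sample_db with sqlite3.connect("myimage.db") and call diagnose on that connection; a "no hashes" result means rerunning with -h, as Ketil pointed out.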