Re: [sleuthkit-users] Fiwalk on running system
From: Richer, M. (CIV) <mhr...@np...> - 2015-09-20 22:10:36
While folks might usually want hashes, it's an expensive operation to perform on every file on a large source. I assume that's why it's an option. I suppose -m could be for md5, -s for sha1, etc., so as not to be confused with help.

My 2 cents (likely worth as much),
Mark

On Sep 20, 2015, at 17:33, Rolf Inator <rol...@gm...> wrote:

This happens when you expect something else... I thought the hashes are automatically calculated and didn't expect the "-h" switch to be the hash switch (expected "help" when using "h" ^^). However, thanks guys, this works great on a running Windows!

--Rolf

Sent: Sunday, 20 September 2015 at 20:09
From: "Ketil Froyn" <ke...@fr...>
To: "Rolf Inator" <rol...@gm...>
Cc: sleuthkit-users <sle...@li...>, "Derrick Karpo" <dk...@gm...>
Subject: Re: [sleuthkit-users] Fiwalk on running system

You have to specify the -h option to calculate md5sums.

http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html

Ketil

On 20 Sep 2015 18:38, "Rolf Inator" <rol...@gm...> wrote:

Thanks a lot to both of you! So far I tried tsk_loaddb, since it was included in the sleuthkit 4.2.0 on sourceforge. However, I will give fiwalk another try as soon as I have tried out tsk_loaddb!

So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1 machine and it worked out pretty well! The sqlite DB was written to disk; the only thing I noticed (and what is a little bit weird) is that the column "md5" in tsk_files is null for every row. Do you have any idea why this is happening? (I started the cmd as Administrator for C:, so the rights should be fine ;) ).

Thanks again!

--Rolf

> Sent: Friday, 18 September 2015 at 17:14
> From: "Derrick Karpo" <dk...@gm...>
> To: "Rolf Inator" <rol...@gm...>, "sleuthkit-users users" <sle...@li...>
> Subject: Re: [sleuthkit-users] Fiwalk on running system
>
> Hi Rolf.
>
> I'm not sure if Michael's suggestion works with the latest fiwalk or
> not but if it doesn't, have you looked at tsk_loaddb as an alternative
> to fiwalk? fiwalk hasn't been getting as much development lately but
> tsk_loaddb is actively developed and outputs all the results into a
> SQLite database. Something like this would work with tsk_loaddb:
>
> tsk_loaddb -d myimage.db \\.\c:
>
> Alternatively, for physical disks:
>
> wmic diskdrive list
> tsk_loaddb -d myimage.db \\.\PhysicalDrive0
>
> Derrick
>
>
> On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <scu...@gm...> wrote:
> > Does it work if you give it the volume name? fiwalk \\.\C:
> >
> > On 18 September 2015 at 14:50, Rolf Inator <rol...@gm...> wrote:
> >> Hi list,
> >>
> >> I wonder if it's possible to run fiwalk on a live system? The documentation says
> >> user@forensicbox:~$ fiwalk
> >> usage: fiwalk [options] iso-name
> >>
> >> The problem I am facing is that if I want to run fiwalk over a bitlocker encrypted dd image, I have to install Dislocker (a new driver) on my Linux system. It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.
> >>
> >> I hope that was clear :)
> >>
> >> Kind regards,
> >> Rolf
> >>
> >> ------------------------------------------------------------------------------
> >> _______________________________________________
> >> sleuthkit-users mailing list
> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> >> http://www.sleuthkit.org
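As an added example (not code from this thread or from The Sleuth Kit), a Python check for the symptom Rolf ran into: a tsk_loaddb SQLite database whose tsk_files.md5 column is NULL on every row because the collection was run without -h. The tsk_files table used here is a constructed minimal stand-in for the real schema (assumption), and the recompute-and-compare step shows how a hash taken from a live, still-changing system can be verified after the fact.

```python
import hashlib
import os
import sqlite3

# Constructed stand-in for the tsk_loaddb schema (assumption): the real tsk_files
# table has many more columns; only those this check needs are modelled here.
SCHEMA = "CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, name TEXT, md5 TEXT)"

def md5_of_file(path):
    """Hash in chunks so large files on a live source never sit fully in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_sample_db(db_path, root_dir, with_hashes):
    """Mimic a tsk_loaddb run over root_dir. with_hashes=False reproduces a run
    made without -h: every row is written with md5 = NULL."""
    con = sqlite3.connect(db_path)
    con.execute("DROP TABLE IF EXISTS tsk_files")
    con.execute(SCHEMA)
    for name in sorted(os.listdir(root_dir)):
        full = os.path.join(root_dir, name)
        if os.path.isfile(full):
            digest = md5_of_file(full) if with_hashes else None
            con.execute("INSERT INTO tsk_files (name, md5) VALUES (?, ?)", (name, digest))
    con.commit()
    con.close()

def hash_coverage(db_path):
    """Return (rows, rows_with_md5). A populated table with zero hashed rows is
    the symptom from the thread: the collection was run without -h."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT COUNT(*), COUNT(md5) FROM tsk_files").fetchone()
    finally:
        con.close()

def verify_hashes(db_path, root_dir):
    """Recompute md5 for every row against the files as they are now; return the
    names whose stored hash is missing or differs (a file that changed after the
    collection on a running system shows up here)."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT name, md5 FROM tsk_files ORDER BY name").fetchall()
    finally:
        con.close()
    return [name for name, stored in rows
            if stored is None or stored != md5_of_file(os.path.join(root_dir, name))]
```

Run hash_coverage first: if it reports zero hashed rows, re-run tsk_loaddb with -h before spending time on verification.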