Re: [sleuthkit-users] Problems with Sorter
From: Brent K. <bre...@gm...> - 2006-11-18 02:41:20
Thanks for the email.
No, I'm not receiving any message about OpenSSL.
The only message returned is "incorrect file system type" reported back.
Below is the output after I put some print statements into the Perl code to
debug (the modified code is below the output).
Everything seems fine, but the $out variable is empty after execution of the
fsstat command. Here's the code that feeds $out:
my $out = `\"$SK_FSSTAT\" $IMGTYPE -o $IMGOFF $FSTYPE -t $IMG`;
What is strange is that, when I manually run the exact same command
parameters in Cygwin with "fsstat", I get back the string "ntfs", which is
what I presume sorter wants to see.
I cannot determine why $out is not being populated with "ntfs".
Any ideas?
[output of modified code]
$ sorter -d / -f ntfs -i raw /usr/local/evidence/analysis.dd
SK_DIR: /usr/local/sleuthkit-2.06/
BIN_DIR: /usr/local/sleuthkit-2.06//bin/
sk_fsstat: /usr/local/sleuthkit-2.06//bin/fsstat
IMGTYPE: -i raw
IMGOFF: 0
FSTYPE: -f ntfs
IMG: "/usr/local/evidence/analysis.dd"
command: /usr/local/sleuthkit-2.06//bin/fsstat -i raw -o 0 -f ntfs -t
"/usr/local/evidence/analysis.dd"
Command Result:
Incorrect file system type (-f ntfs)
[modified code]
else {
    print "SK_DIR: $SK_DIR\n";
    print "BIN_DIR: $BIN_DIR\n";
    print "sk_fsstat: $SK_FSSTAT\n";
    print "IMGTYPE: $IMGTYPE\n";
    print "IMGOFF: $IMGOFF\n";
    print "FSTYPE: $FSTYPE\n";
    print "IMG: $IMG\n";
    my $command = "\ $SK_FSSTAT\ $IMGTYPE -o $IMGOFF $FSTYPE -t $IMG";
    print "command: $command\n";
    my $out = `\"$SK_FSSTAT\" $IMGTYPE -o $IMGOFF $FSTYPE -t $IMG`;
    print "Command Result: $out\n";
    unless ($out =~ /^([\w\d\-]+)$/) {
        print "Incorrect file system type ($FSTYPE)\n";
        exit(1);
    }
}
On 11/17/06, Brian Carrier <ca...@sl...> wrote:
>
> Are you getting a dialog box about not being able to find the OpenSSL
> dlls? When I just did a similar test, that is what I got and then got
> the same error. The problem is that sorter clears the PATH, but Cygwin
> needs to find the OpenSSL dlls for AFFLib. The quick fix is to edit
> bin/sorter and comment out line 21 (add a #):
>
> #$ENV{PATH} = '';
>
> brian
>
>
> Brent Kidwell wrote:
> > I have a dd image of an NTFS disk. I'm using the most recent build of
> > TSK under Cygwin on a XP machine.
> >
> > When I run sorter on the dd image and specify "-f ntfs", I get back an
> > error message "Incorrect file system type (-f ntfs)".
> >
> > Running fsstat on the same dd image returns recognition that this image
> > is indeed an NTFS file system.
> >
> > Any suggestions?
> >
> > For reference, here is the complete sorter command I am running:
> >
> > >> sorter -d c:\\output -h -s -n /usr/local/nsrl/NSRLFile.txt -m "E:/"
> > -f ntfs -i raw /usr/local/images/analysis.dd
> >
> > By the way, from within Autopsy the same error is generated.
> >
> > Many thanks.
> >
> > Brent
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
>
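Added example (not part of the original thread and not Sleuth Kit code): the failure mode discussed above, where a cleared PATH leaves the captured output empty and the type check then reports a misleading error. The stand-in command (`/bin/sh` calling `cat`) simulates fsstat needing PATH to load the OpenSSL DLLs, and the names `capture` and `check_fstype` are hypothetical; it assumes a Unix-like Perl with `/bin/sh`.

```perl
#!/usr/bin/perl
# Added example: why a backtick-style capture can come back empty once PATH
# is cleared, and how to report that instead of a misleading type error.
use strict;
use warnings;

# Constructed stand-in for fsstat: prints "ntfs" only if it can locate a
# helper through PATH, the way Cygwin fsstat must locate the OpenSSL DLLs.
my @STANDIN = ('/bin/sh', '-c', 'cat /dev/null && echo ntfs');

# Run a command without an intermediate shell; return (stdout, exit code).
sub capture {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or return ('', -1);
    my $out = do { local $/; <$fh> };
    close($fh);                      # sets $? to the child's wait status
    $out = '' unless defined $out;
    chomp $out;
    return ($out, $? >> 8);
}

# Hypothetical replacement for the check in the thread: separate "tool did
# not run" from "tool ran and printed something that is not a type name".
sub check_fstype {
    my ($out, $rc) = capture(@_);
    return "fsstat failed to run (exit $rc); check PATH and DLLs"
        if $rc != 0 || $out eq '';
    return "Incorrect file system type" unless $out =~ /^([\w\-]+)$/;
    return "ok: $1";
}

{
    local $ENV{PATH} = '/bin:/usr/bin';   # PATH left usable
    print "with PATH:    ", check_fstype(@STANDIN), "\n";
}
{
    local $ENV{PATH} = '';                # same assignment as sorter line 21
    print "cleared PATH: ", check_fstype(@STANDIN), "\n";
}
```

Checking the child's exit status alongside its output is what separates an environment problem from a genuine file system type mismatch.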