sleuthkit-developers Mailing List for The Sleuth Kit (Page 13)
From: SourceForge.net <no...@so...> - 2012-04-19 15:43:59

Feature Requests item #3519549, was opened at 2012-04-19 08:43
Message generated for change (Tracker Item Submitted) made by kfairbanks
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3519549&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: API
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: kfairbanks (kfairbanks)
Assigned to: Nobody/Anonymous (nobody)
Summary: subsecond timestamp reporting

Initial Comment:
While working on the Ext4 support, I noticed that a great deal of the time printing functions eventually end up calling tsk_fs_time_to_str. As a temporary hack, I have made a tsk_fs_time_to_str_subsecs which allows me to pass in another parameter for the ext4 nano second timestamps.

So the question is, how should subsecond times be represented in TSK output? Does this require changes to the API?

[seconds].[subseconds] (Just a decimal point separating)
[seconds] | [subseconds] (An entirely new field)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3519549&group_id=55685
From: Kevin F. <kev...@ga...> - 2012-04-16 12:17:42

I have only one slight correction to what Willi has stated. The extension of his patches for full Ext4 support in TSK is actually a Naval Postgraduate School (NPS) Project. I just happen to work for JHUAPL and would be happy if others wanted to contribute.

-Kevin

On Fri, Apr 13, 2012 at 10:14 AM, Willi Ballenthin <wil...@gm...> wrote:

> Ken,
>
> I think the most promising development push is by the Johns Hopkins
> University Applied Physics Lab. About a year ago I put together a set
> of patches that bring support for the most common Ext4 structures to TSK
> (http://www.williballenthin.com/ext4/index.html). The JHUAPL is working
> to extend these patches to bring complete support. You may want to
> reach out to Dr. Kevin Fairbanks to help out with the effort.
>
> Thanks,
>
> Willi
>
>
> On 04/12/2012 01:16 AM, Ken Chiang wrote:
> > Hello,
> >
> > Is anyone working on fls recursion into subdirectories for the ext4
> > filesystem? Latest stuff I've found says that it is still in the works. I
> > am just wondering if I should pick up this task and code up something.
> > Thanks.
> > Ken
From: Willi B. <wil...@gm...> - 2012-04-13 14:14:43

Ken,

I think the most promising development push is by the Johns Hopkins University Applied Physics Lab. About a year ago I put together a set of patches that bring support for the most common Ext4 structures to TSK (http://www.williballenthin.com/ext4/index.html). The JHUAPL is working to extend these patches to bring complete support. You may want to reach out to Dr. Kevin Fairbanks to help out with the effort.

Thanks,

Willi

On 04/12/2012 01:16 AM, Ken Chiang wrote:
> Hello,
>
> Is anyone working on fls recursion into subdirectories for the ext4
> filesystem? Latest stuff I've found says that it is still in the works. I
> am just wondering if I should pick up this task and code up something.
> Thanks.
> Ken
From: Brian C. <ca...@sl...> - 2012-04-12 13:39:39

Hi Everyone.

A friendly reminder that proposals for OSDF are due by next Monday (4/16). And if you are interested in participating in a hack-a-thon, e-mail us at hac...@os.... See you in October.

2012 Sleuth Kit and Open Source Digital Forensics Conference
http://www.osdfcon.org

Call For Presentations and Workshops

The 3rd Annual Sleuth Kit and Open Source Digital Forensics Conference will be held on October 3, 2012 in Chantilly, VA and we invite you to submit a presentation (note that the conference is several months later than previous years). The conference will be attended by digital forensic investigators and developers. This event is a unique opportunity to make investigators aware of your tools, get feedback from users, meet fellow developers, and help direct the future of open source digital forensics software.

We are looking for talks on a variety of topics about using open source tools, including:

* Open, plug-in analysis framework designs and experiences
* Automated forensics
* Hard drive analysis and triage
* Analyzing application-level artifacts
* Mobile device forensics
* Cyber incident response
* Getting involved with the community
* User experiences
* Case studies

We are also looking for people who are interested in providing half- and full-day workshops on the day before the conference (October 2, 2012). The workshops should provide hands-on guidance for using or developing open source digital forensic tools.

Submission Instructions

Topics can be submitted by e-mail to sub...@os... and are due by April 16, 2012. To submit a presentation or workshop idea, e-mail the following information:

Title:
Author:
Description of presentation or workshop:
Short biography of author:
Are the authors developers or users of the tools that are discussed:
Is this targeted towards users or developers:
Duration (45-minute presentation, half-day workshop, or full-day workshop):

About the Conference

The mission of the Sleuth Kit and Open Source Digital Forensics Conference is to create a forum where developers and users of open source digital forensics software can learn and interact. One of the benefits of open source software in digital forensics is that an investigator can examine how a tool works and better testify to it. See http://www.opensourceforensics.org for more information on finding open source tools.

The first conference was held in 2010. Basis Technology has always organized the conferences and Brian Carrier (author of The Sleuth Kit) has been the conference chair. This year's conference will be held at the Westfields Marriott hotel in Chantilly, VA.
From: SourceForge.net <no...@so...> - 2012-04-12 13:21:23
Bugs item #3516866, was opened at 2012-04-11 07:50 Message generated for change (Comment added) made by carrier You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3516866&group_id=55685 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: File System Tools Group: None >Status: Closed >Resolution: Fixed Priority: 5 Private: No Submitted By: Greg (gregfreemyer) Assigned to: Nobody/Anonymous (nobody) Summary: Potential Buffer overflow found by gcc 4.7 Initial Comment: The below code adjusts the starting location of a snprintf as a string is built, but not the max. length of the string. --- sleuthkit-3.2.3.orig/tsk3/fs/ext2fs.c +++ sleuthkit-3.2.3/tsk3/fs/ext2fs.c @@ -1519,23 +1519,23 @@ ext2fs_make_acl_str(char *str, int len, int i = 0; if (perm & EXT2_PACL_PERM_READ) { - snprintf(&str[i], len - 1, "Read"); + snprintf(&str[i], len - i - 1, "Read"); i += 4; } if (perm & EXT2_PACL_PERM_WRITE) { if (i) { - snprintf(&str[i], len - 1, ", "); + snprintf(&str[i], len - i - 1, ", "); i += 2; } - snprintf(&str[i], len - 1, "Write"); + snprintf(&str[i], len - i - 1, "Write"); i += 5; } if (perm & EXT2_PACL_PERM_EXEC) { if (i) { - snprintf(&str[i], len - 1, ", "); + snprintf(&str[i], len - i - 1, ", "); i += 2; } - snprintf(&str[i], len - 1, "Execute"); + snprintf(&str[i], len - i - 1, "Execute"); i += 7; } } ---------------------------------------------------------------------- >Comment By: Brian Carrier (carrier) Date: 2012-04-12 06:21 Message: Fixed on master on github. [master 5648cc7] Fixed issue 3516866 of Ext2 sprintfs reported by gregfreemyer 1 files changed, 4 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3516866&group_id=55685 |
From: SourceForge.net <no...@so...> - 2012-04-12 13:20:24

Bugs item #3516875, was opened at 2012-04-11 08:19
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3516875&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Greg (gregfreemyer)
Assigned to: Nobody/Anonymous (nobody)
Summary: 2 more gcc 4.7 warnings

Initial Comment:
=====
fatfs.c: In function 'fatfs_fsstat':
fatfs.c:896:13: warning: array subscript is above array bounds [-Warray-bounds]
fatfs.c:896:13: warning: array subscript is above array bounds [-Warray-bounds]
fatfs.c:896:13: warning: array subscript is above array bounds [-Warray-bounds]
fatfs.c:896:13: warning: array subscript is above array bounds [-Warray-bounds]
=====

=====
ext2fs.c: In function 'ext2fs_istat':
ext2fs.c:1763:22: warning: array subscript is above array bounds [-Warray-bounds]
ext2fs.c:1763:22: warning: array subscript is above array bounds [-Warray-bounds]
ext2fs.c:1763:22: warning: array subscript is above array bounds [-Warray-bounds]
ext2fs.c:1763:22: warning: array subscript is above array bounds [-Warray-bounds]
=====

I have not evaluated the source to see if these are significant or noise.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2012-04-12 06:20

Message:
Fixed on github master:

[master 68bc824] fix for 3516875 from gregfreemeyer regarding using getu32 on some 16-bit values
2 files changed, 3 insertions(+), 3 deletions(-)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3516875&group_id=55685
From: Ken C. <kch...@gm...> - 2012-04-12 05:16:25

Hello,

Is anyone working on fls recursion into subdirectories for the ext4 filesystem? Latest stuff I've found says that it is still in the works. I am just wondering if I should pick up this task and code up something.

Thanks.
Ken
From: SourceForge.net <no...@so...> - 2012-04-11 15:19:03

Bugs item #3516875, was opened at 2012-04-11 08:19
Message generated for change (Tracker Item Submitted) made by gregfreemyer
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3516875&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Greg (gregfreemyer)
Assigned to: Nobody/Anonymous (nobody)
Summary: 2 more gcc 4.7 warnings

Initial Comment:
=====
fatfs.c: In function 'fatfs_fsstat':
fatfs.c:896:13: warning: array subscript is above array bounds [-Warray-bounds]
fatfs.c:896:13: warning: array subscript is above array bounds [-Warray-bounds]
fatfs.c:896:13: warning: array subscript is above array bounds [-Warray-bounds]
fatfs.c:896:13: warning: array subscript is above array bounds [-Warray-bounds]
=====

=====
ext2fs.c: In function 'ext2fs_istat':
ext2fs.c:1763:22: warning: array subscript is above array bounds [-Warray-bounds]
ext2fs.c:1763:22: warning: array subscript is above array bounds [-Warray-bounds]
ext2fs.c:1763:22: warning: array subscript is above array bounds [-Warray-bounds]
ext2fs.c:1763:22: warning: array subscript is above array bounds [-Warray-bounds]
=====

I have not evaluated the source to see if these are significant or noise.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3516875&group_id=55685
From: SourceForge.net <no...@so...> - 2012-04-11 14:50:57
Bugs item #3516866, was opened at 2012-04-11 07:50 Message generated for change (Tracker Item Submitted) made by gregfreemyer You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3516866&group_id=55685 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: File System Tools Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Greg (gregfreemyer) Assigned to: Nobody/Anonymous (nobody) Summary: Potential Buffer overflow found by gcc 4.7 Initial Comment: The below code adjusts the starting location of a snprintf as a string is built, but not the max. length of the string. --- sleuthkit-3.2.3.orig/tsk3/fs/ext2fs.c +++ sleuthkit-3.2.3/tsk3/fs/ext2fs.c @@ -1519,23 +1519,23 @@ ext2fs_make_acl_str(char *str, int len, int i = 0; if (perm & EXT2_PACL_PERM_READ) { - snprintf(&str[i], len - 1, "Read"); + snprintf(&str[i], len - i - 1, "Read"); i += 4; } if (perm & EXT2_PACL_PERM_WRITE) { if (i) { - snprintf(&str[i], len - 1, ", "); + snprintf(&str[i], len - i - 1, ", "); i += 2; } - snprintf(&str[i], len - 1, "Write"); + snprintf(&str[i], len - i - 1, "Write"); i += 5; } if (perm & EXT2_PACL_PERM_EXEC) { if (i) { - snprintf(&str[i], len - 1, ", "); + snprintf(&str[i], len - i - 1, ", "); i += 2; } - snprintf(&str[i], len - 1, "Execute"); + snprintf(&str[i], len - i - 1, "Execute"); i += 7; } } ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3516866&group_id=55685 |
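Review bot: In the ext2fs_make_acl_str hunk, each "i += N" after an snprintf still assumes the whole literal was written, so with a small len the next call's bound "len - i - 1" goes negative and is converted to a very large size_t while &str[i] already points past the end of the buffer; the new bound is never checked. Suggest guarding every append with a test that i is still below len, or advancing i by snprintf's return value and stopping once that value reaches the space that was left. Separately, snprintf's size argument already includes the terminating NUL, so if len is the full size of str (the visible lines do not show the caller), "len - i" is the exact remaining space and the extra "- 1" only gives up one usable byte.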
From: SourceForge.net <no...@so...> - 2012-04-10 10:07:11

Feature Requests item #2990416, was opened at 2010-04-21 06:23
Message generated for change (Comment added) made by buffertly
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2990416&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Wlet (wlet)
Assigned to: Nobody/Anonymous (nobody)
Summary: Please add XFS Support

Initial Comment:
Hi,

please add XFS support for TSK.

Thanks in advance.

wlet

----------------------------------------------------------------------

Comment By: Zsombor (buffertly)
Date: 2012-04-10 03:07

Message:
Hello,

I also ask for XFS support

regards,
Zsombor

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2990416&group_id=55685
From: SourceForge.net <no...@so...> - 2012-04-06 20:48:49

Feature Requests item #3367368, was opened at 2011-07-14 09:18
Message generated for change (Comment added) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3367368&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Other
Group: None
>Status: Closed
Priority: 5
Private: No
Submitted By: Omar Choudary (ochoudary)
Assigned to: Nobody/Anonymous (nobody)
Summary: Patch for libewf that works with sleuth kit version 3.2.2

Initial Comment:
This is an updated patch for libewf version 2 support (ID: 3154664).

This makes the alpha version of libewf work with version 3.2.2 of the sleuth kit.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2012-04-06 13:48

Message:
Checked into master branch.

[master 7dcf786] Added libewf v2 API support based on patch in issue 3367368 from ochoudary
3 files changed, 285 insertions(+), 70 deletions(-)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3367368&group_id=55685
From: Brian C. <ca...@sl...> - 2012-03-30 19:06:21

We're thinking about hosting an open source forensics hack-a-thon along with the Sleuth Kit and Open Source Digital Forensics Conference (http://www.osdfcon.org/2012). But, we want to know how many engineers we can expect to participate. E-mail hac...@os... if you would be interested (details are below).

[side note: reminder that submissions for presentations at the conference are due April 16. You don't need to submit the full presentation, just the abstract and we are interested in presentations from both users and developers]

What is a hack-a-thon?
A hack-a-thon is when a bunch of developers and non-developers get together to build something in a short amount of time, we're thinking 24 hours. Anyone comes up with an idea for a new feature or tool (i.e. it could be to make modules for the new Sleuth Kit, Autopsy, or other frameworks). Developers pick a team to join (or make their own) and everyone works to build the best solution. The winning team gets a prize. Some events give out cash, some ipads, etc. We haven't finalized that part yet. We'll provide the food and drinks for the duration.

Who is needed?
We need non-developers to come up with use cases, ideas, testing, project management, and working on a final presentation. We need developers to come up with use cases and ideas and to write code.

Why should you participate?
Developers get to learn about new tools and learn about new use cases. Non-developers get to push their ideas for tools that don't exist and get to learn more about the development process.

When would it be?
After the conference on October 4, 2012. The conference will be on October 3 and tutorials will be held on October 2.

What do we want to know?
Because the goal of the event is to develop code, having enough developers is crucial to these events and we want to know if we'll have enough. If you would be interested in participating, e-mail hac...@os....

thanks,
brian
From: Brian C. <ca...@sl...> - 2012-03-21 03:27:47

I had meant to send this e-mail out in January when I did a talk at the DC3 Cybercrime on Sleuth Kit and Autopsy, but ... it has been sitting in my Drafts mailbox since then. If I were more hip, I'd do this in a blog. While I do not have one of those right now, I do now have a twitter account to provide updates on all things TSK:

http://twitter.com/#!/sleuthkit

Topics that have relevant updates:

* The Third Sleuth Kit and Open Source Digital Forensics Conference will be held in October (instead of June). The CFP is out and submissions are due by Apr 16. We're looking for both developers and users to present. Please submit topics for presentations and plan on attending. Everyone seems to learn a bunch each year.
  http://www.osdfcon.org/2012/

* The application-level framework that was presented this past summer at the Sleuth Kit and Open Source Digital Forensics Conference is now in the public github repository. Basic development docs can be found below, but they are still being tweaked. The APIs may change a little before the official release and I'll provide more details later, but it is available for anyone to start playing with. We'll be adding more sample modules later. tsk_analyzeimg is a new command line tool that allows you to run the analysis pipelines on a disk image. For those who do not know anything about this framework, it will make it easier to build end-to-end forensics solutions. For the readers who are not developers, the framework won't do much for you yet. Sorry.
  http://www.sleuthkit.org/sleuthkit/docs/framework-docs/

* The github repository for Autopsy 3 has a keyword search capability with SOLR. It isn't complete yet, but that is what we are working on there. There is also code in there that is pulling out web artifacts and recent activity. It has a new "triage" / multi-threaded data ingest design now.
  https://github.com/sleuthkit/autopsy

* I added a bunch of links on the site to the Sleuth Kit Hadoop Framework that we mentioned at last year's conference, but never added any links to it. It was a joint project funded by the US Army Intelligence Center of Excellence (USAICoE) and performed by Basis Technology, Lightbox Technologies, and 42Six Solutions. It is a prototype system that allows you to analyze a disk image in a Hadoop cluster (i.e. the "cloud").
  http://www.sleuthkit.org/tsk_hadoop/index.php

brian
From: Brian C. <ca...@sl...> - 2012-03-06 18:10:11

We're doing it again this year, but a few months later than last year. Sorry if you receive this multiple times.

2012 Sleuth Kit and Open Source Digital Forensics Conference
http://www.osdfcon.org

Call For Presentations and Workshops

The 3rd Annual Sleuth Kit and Open Source Digital Forensics Conference will be held on October 3, 2012 in Chantilly, VA and we invite you to submit a presentation (note that the conference is several months later than previous years). The conference will be attended by digital forensic investigators and developers. This event is a unique opportunity to make investigators aware of your tools, get feedback from users, meet fellow developers, and help direct the future of open source digital forensics software.

We are looking for talks on a variety of topics about using open source tools, including:

* Open, plug-in analysis framework designs and experiences
* Automated forensics
* Hard drive analysis and triage
* Analyzing application-level artifacts
* Mobile device forensics
* Cyber incident response
* Getting involved with the community
* User experiences
* Case studies

We are also looking for people who are interested in providing half- and full-day workshops on the day before the conference (October 2, 2012). The workshops should provide hands-on guidance for using or developing open source digital forensic tools.

Submission Instructions

Topics can be submitted by e-mail to sub...@os... and are due by April 16, 2012. To submit a presentation or workshop idea, e-mail the following information:

Title:
Author:
Description of presentation or workshop:
Short biography of author:
Are the authors developers or users of the tools that are discussed:
Is this targeted towards users or developers:
Duration (45-minute presentation, half-day workshop, or full-day workshop):

About the Conference

The mission of the Sleuth Kit and Open Source Digital Forensics Conference is to create a forum where developers and users of open source digital forensics software can learn and interact. One of the benefits of open source software in digital forensics is that an investigator can examine how a tool works and better testify to it. See http://www.opensourceforensics.org for more information on finding open source tools.

The first conference was held in 2010. Basis Technology has always organized the conferences and Brian Carrier (author of The Sleuth Kit) has been the conference chair. This year's conference will be held at the Westfields Marriott hotel in Chantilly, VA.
From: SourceForge.net <no...@so...> - 2012-02-27 02:37:57

Feature Requests item #3494874, was opened at 2012-02-26 18:37
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3494874&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Auto
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: Move tsk_recover logic to library

Initial Comment:
There is a lot of logic in tsk_recover to save directories to a local directory and it could be useful to have in the library for tools that want to extract full directories.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3494874&group_id=55685
From: SourceForge.net <no...@so...> - 2012-02-27 02:36:46

Feature Requests item #3494873, was opened at 2012-02-26 18:36
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3494873&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Auto
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: Better TskAuto error handling

Initial Comment:
Background: TskAuto tries to push its way through a disk image and as a result many error messages get dropped and ignored. There is a handleNotification() method now that gets some error messages, but there isn't a clear plan / policy on how someone implementing TskAuto should use it and it isn't being consistently called. We also have no way to really stop all processing if we hit some kind of really bad system error (i.e. it may stop processing a given file system, but it will then start processing the next volume). We also blindly reset some errors right now (i.e. VsWalkCB).

My main requirements for this system are that it is possible to stop processing entirely of an image and that all error messages can be recorded and later retrieved after the processing is done.

My proposal is:

* Add a class-level Boolean value that is set to stop all processing (ignore future volumes / file systems, etc.).

* Rename handleNotification() to registerError() and make the general requirement that when this method is called, that the TSK error values and strings will be set with an error to "register". The implementation of TskAuto is free to keep track of these errors as it sees fit. I was thinking about making a default version that kept a list of the errors and the error codes that could be retrieved after the processing was done.

* Document to users who implement 'processFile()' and 'processAttribute()' that they should also send their errors to registerError() so that they have a consistent reporting mechanism.

* Instruct users who implement 'processFile()' and 'processAttribute()' that they should only be returning CONT or STOP and not use the ERROR return value (or we could change the return value to only be one of those two options). Returning ERROR implies that processFile() and such set the global error values and in this case we don't want those to be processed by the lower-level code. If processFile() encounters an error, they should record the error with registerError() and then decide to continue or stop.

Thoughts?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3494873&group_id=55685
From: SourceForge.net <no...@so...> - 2012-01-30 01:05:19

Bugs item #3481464, was opened at 2012-01-29 17:05
Message generated for change (Tracker Item Submitted) made by bensonmargulies
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3481464&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Benson Margulies (bensonmargulies)
Assigned to: Nobody/Anonymous (nobody)
Summary: errors_test.h missing from git

Initial Comment:
errors_test.cpp is there. errors_test.h is not.

g++ -DHAVE_CONFIG_H -I. -I../../tsk3 -I../.. -Wall -I/usr/local/include -g -O2 -c -o errors_test.o errors_test.cpp
errors_test.cpp:23:25: error: errors_test.h: No such file or directory
errors_test.cpp:26: error: expected constructor, destructor, or type conversion before ‘(’ token
errors_test.cpp:28: error: ‘ErrorsTest’ has not been declared
errors_test.cpp:29: error: ‘ErrorsTest’ has not been declared
errors_test.cpp:31: error: ‘ErrorsTest’ has not been declared
errors_test.cpp: In function ‘void testInitialState()’:
errors_test.cpp:35: error: ‘CPPUNIT_ASSERT’ was not declared in this scope
errors_test.cpp: At global scope:
errors_test.cpp:40: error: ‘ErrorsTest’ has not been declared
errors_test.cpp: In function ‘void testLengthChecks()’:
errors_test.cpp:50: error: ‘CPPUNIT_ASSERT’ was not declared in this scope
errors_test.cpp: At global scope:
errors_test.cpp:115: error: ‘ErrorsTest’ has not been declared
errors_test.cpp: In function ‘void testMultithreaded()’:
errors_test.cpp:125: error: ‘CPPUNIT_FAIL’ was not declared in this scope
errors_test.cpp:139: error: ‘CPPUNIT_FAIL’ was not declared in this scope
errors_test.cpp:146: error: ‘CPPUNIT_FAIL’ was not declared in this scope
errors_test.cpp:152: error: ‘CPPUNIT_FAIL’ was not declared in this scope
errors_test.cpp:167: error: ‘CPPUNIT_ASSERT’ was not declared in this scope
errors_test.cpp:175: error: ‘CPPUNIT_FAIL’ was not declared in this scope
errors_test.cpp:188: error: ‘CPPUNIT_FAIL’ was not declared in this scope
make: *** [errors_test.o] Error 1

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3481464&group_id=55685
From: SourceForge.net <no...@so...> - 2012-01-30 00:45:12

Bugs item #3481447, was opened at 2012-01-29 16:34
Message generated for change (Comment added) made by bensonmargulies
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3481447&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Benson Margulies (bensonmargulies)
Assigned to: Nobody/Anonymous (nobody)
Summary: Failing to build on OSX Lion, current XCode

Initial Comment:
bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../tsk3 -I../.. -Wall -g -O2 -D_THREAD_SAFE -pthread -I/usr/local/include -MT md5c.lo -MD -MP -MF .deps/md5c.Tpo -c -o md5c.lo md5c.c
libtool: Version mismatch error. This is libtool 2.2.10, but the
libtool: definition of this LT_INIT comes from libtool 2.2.4.
libtool: You should recreate aclocal.m4 with macros from libtool 2.2.10
libtool: and run autoconf again.
make[3]: *** [md5c.lo] Error 63
make[2]: *** [all-recursive] Error 1
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:30:25P ~/x/sleuthkit/ autoconf
aclocal.m4:14: error: this file was generated for autoconf 2.61.
You have another version of autoconf. If you want to use that,
you should regenerate the build system entirely.
aclocal.m4:14: the top level
autom4te: /opt/local/bin/gm4 failed with exit status: 63
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:30:34P ~/x/sleuthkit/ aquamacs Makefile
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:30:45P ~/x/sleuthkit/ make am-refresh
make: *** No rule to make target `am-refresh'. Stop.
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:31:16P ~/x/sleuthkit/ make am-refresh
make: *** No rule to make target `am-refresh'. Stop.
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:31:20P ~/x/sleuthkit/ make am--refresh
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:31:24P ~/x/sleuthkit/ which libtool
/usr/bin/libtool
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:34:22P ~/x/sleuthkit/ ls /opt/local/bin/libtool
ls: /opt/local/bin/libtool: No such file or directory
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:34:28P
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:34:33P ~/x/sleuthkit/

----------------------------------------------------------------------

>Comment By: Benson Margulies (bensonmargulies)
Date: 2012-01-29 16:45

Message:
The version of libtool that configure drops into the tree is 2.2.10. So it looks to me as if the current tip is not in a consistent state.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3481447&group_id=55685

From: SourceForge.net <no...@so...> - 2012-01-30 00:34:45

Bugs item #3481447, was opened at 2012-01-29 16:34
Message generated for change (Tracker Item Submitted) made by bensonmargulies
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3481447&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Benson Margulies (bensonmargulies)
Assigned to: Nobody/Anonymous (nobody)
Summary: Failing to build on OSX Lion, current XCode

Initial Comment:
bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../tsk3 -I../.. -Wall -g -O2 -D_THREAD_SAFE -pthread -I/usr/local/include -MT md5c.lo -MD -MP -MF .deps/md5c.Tpo -c -o md5c.lo md5c.c
libtool: Version mismatch error. This is libtool 2.2.10, but the
libtool: definition of this LT_INIT comes from libtool 2.2.4.
libtool: You should recreate aclocal.m4 with macros from libtool 2.2.10
libtool: and run autoconf again.
make[3]: *** [md5c.lo] Error 63
make[2]: *** [all-recursive] Error 1
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:30:25P ~/x/sleuthkit/ autoconf
aclocal.m4:14: error: this file was generated for autoconf 2.61.
You have another version of autoconf. If you want to use that,
you should regenerate the build system entirely.
aclocal.m4:14: the top level
autom4te: /opt/local/bin/gm4 failed with exit status: 63
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:30:34P ~/x/sleuthkit/ aquamacs Makefile
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:30:45P ~/x/sleuthkit/ make am-refresh
make: *** No rule to make target `am-refresh'. Stop.
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:31:16P ~/x/sleuthkit/ make am-refresh
make: *** No rule to make target `am-refresh'. Stop.
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:31:20P ~/x/sleuthkit/ make am--refresh
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:31:24P ~/x/sleuthkit/ which libtool
/usr/bin/libtool
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:34:22P ~/x/sleuthkit/ ls /opt/local/bin/libtool
ls: /opt/local/bin/libtool: No such file or directory
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:34:28P
█▓▒░benson@tinfoilhat░▒▓██▓▒░ Sun Jan 29 07:34:33P ~/x/sleuthkit/

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3481447&group_id=55685

From: SourceForge.net <no...@so...> - 2012-01-19 18:59:39

Bugs item #3476125, was opened at 2012-01-19 09:24
Message generated for change (Comment added) made by robjoyce
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3476125&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Rob (robjoyce)
Assigned to: Nobody/Anonymous (nobody)
Summary: Fix build on MinGW

Initial Comment:
The master branch of TSK (at least as of last Friday) doesn't build on MinGW. The attached patch fixes this. (It also makes the threading test compile on Windows. Haven't tested that the test actually passes, but at least it doesn't stop the build now.)

The patch is against master as of last Friday, e5794db.

----------------------------------------------------------------------

>Comment By: Rob (robjoyce)
Date: 2012-01-19 10:59

Message:
Forgot to mention: in order for the build to work in MinGW, the Java JDK needs to be in a path that doesn't have spaces (i.e., not C:\Program Files\Java\jdk...\).

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3476125&group_id=55685

From: SourceForge.net <no...@so...> - 2012-01-19 17:25:14

Bugs item #3476121, was opened at 2012-01-19 09:21
Message generated for change (Comment added) made by robjoyce
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3476121&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Image File Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Rob (robjoyce)
Assigned to: Nobody/Anonymous (nobody)
Summary: Improve globbing for multiple segments

Initial Comment:
TSK recently added the ability to specify only the .E01 file in a segmented EWF image. The attached patch allows for more than 676 .E01 segments (where .EZZ rolls over to .FAA) by using libewf's globbing function directly. It also moves the EWF segment globbing to ewf.c so that we don't test for .001 and other segment formats when examining an EWF file (and we don't test for .E01, .E02, etc. when looking at a DD image).

The patch also expands the segment globbing patterns to include .001 (rolling over from .999 to .1000 as FTK does), .01, _001, _01, .000, _000, .00, _00, .aa, .aaa, xaa (from split(1)), and .002.dmgpart (from Apple's hdiutil).

Finally, it changes img_open.c to use split by default when guessing the image type. If the user doesn't want automatic globbing for more segments, they'd need to specify TSK_IMG_TYPE_RAW_SING. I'm not sure if that's the best policy, or if auto-globbing should only be enabled if TSK_IMG_TYPE_RAW_SPLIT. But it's a start.

----------------------------------------------------------------------

>Comment By: Rob (robjoyce)
Date: 2012-01-19 09:25

Message:
(The patch is against master as of Jan 13 2012, e5794db.)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3476121&group_id=55685

From: SourceForge.net <no...@so...> - 2012-01-19 17:24:29

Bugs item #3476125, was opened at 2012-01-19 09:24
Message generated for change (Tracker Item Submitted) made by robjoyce
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3476125&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Rob (robjoyce)
Assigned to: Nobody/Anonymous (nobody)
Summary: Fix build on MinGW

Initial Comment:
The master branch of TSK (at least as of last Friday) doesn't build on MinGW. The attached patch fixes this. (It also makes the threading test compile on Windows. Haven't tested that the test actually passes, but at least it doesn't stop the build now.)

The patch is against master as of last Friday, e5794db.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3476125&group_id=55685

From: SourceForge.net <no...@so...> - 2012-01-19 17:21:51

Bugs item #3476121, was opened at 2012-01-19 09:21
Message generated for change (Tracker Item Submitted) made by robjoyce
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3476121&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Image File Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Rob (robjoyce)
Assigned to: Nobody/Anonymous (nobody)
Summary: Improve globbing for multiple segments

Initial Comment:
TSK recently added the ability to specify only the .E01 file in a segmented EWF image. The attached patch allows for more than 676 .E01 segments (where .EZZ rolls over to .FAA) by using libewf's globbing function directly. It also moves the EWF segment globbing to ewf.c so that we don't test for .001 and other segment formats when examining an EWF file (and we don't test for .E01, .E02, etc. when looking at a DD image).

The patch also expands the segment globbing patterns to include .001 (rolling over from .999 to .1000 as FTK does), .01, _001, _01, .000, _000, .00, _00, .aa, .aaa, xaa (from split(1)), and .002.dmgpart (from Apple's hdiutil).

Finally, it changes img_open.c to use split by default when guessing the image type. If the user doesn't want automatic globbing for more segments, they'd need to specify TSK_IMG_TYPE_RAW_SING. I'm not sure if that's the best policy, or if auto-globbing should only be enabled if TSK_IMG_TYPE_RAW_SPLIT. But it's a start.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3476121&group_id=55685

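
The segment naming described in the report above, as an added example in C that is not part of the attached patch, TSK or libewf. It assumes the usual EWF sequence (E01 to E99, then EAA to EZZ, FAA and onward to ZZZ) and the FTK-style raw sequence (.001 to .999, then .1000); the function names and sample file names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* EWF extension for 1-based segment n: E01..E99, EAA..EZZ, FAA..ZZZ (assumed
 * sequence). Returns 0 on success, -1 when n falls outside the scheme. */
int ewf_segment_ext(unsigned n, char out[4])
{
    unsigned k;
    if (n == 0)
        return -1;
    out[0] = 'E';
    out[3] = '\0';
    if (n <= 99) {
        out[1] = (char)('0' + n / 10);
        out[2] = (char)('0' + n % 10);
        return 0;
    }
    k = n - 100;                          /* k == 0 is EAA */
    if (k / 676 > (unsigned)('Z' - 'E'))
        return -1;                        /* past ZZZ */
    out[0] = (char)('E' + k / 676);       /* EZZ rolls over to FAA */
    out[1] = (char)('A' + (k % 676) / 26);
    out[2] = (char)('A' + k % 26);
    return 0;
}

/* Raw split extension as the report describes for FTK: 001..999, then 1000. */
int raw_segment_ext(unsigned n, char *out, size_t len)
{
    int w;
    if (n == 0)
        return -1;
    w = snprintf(out, len, "%03u", n);
    return (w > 0 && (size_t)w < len) ? 0 : -1;
}

/* Name of segment n from the first segment's name. The suffix picks the
 * scheme, so an EWF set is never probed with raw patterns or vice versa. */
int segment_name(const char *first, unsigned n, char *out, size_t len)
{
    const char *dot = strrchr(first, '.');
    char ext[16];
    int w, rc = -1;
    if (dot != NULL && strcmp(dot, ".E01") == 0)
        rc = ewf_segment_ext(n, ext);
    else if (dot != NULL && strcmp(dot, ".001") == 0)
        rc = raw_segment_ext(n, ext, sizeof ext);
    if (rc != 0)
        return -1;
    w = snprintf(out, len, "%.*s.%s", (int)(dot - first), first, ext);
    return (w > 0 && (size_t)w < len) ? 0 : -1;
}
```

A caller that enumerates an image set would request names for n = 1, 2, 3, ... and stop at the first one that does not exist on disk.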
From: SourceForge.net <no...@so...> - 2012-01-17 10:45:24

Feature Requests item #3474896, was opened at 2012-01-17 02:45
Message generated for change (Tracker Item Submitted) made by
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3474896&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: https://www.google.com/accounts ()
Assigned to: Nobody/Anonymous (nobody)
Summary: 64 bit windows support

Initial Comment:
I am trying to implement TSK on a 64-bit Windows machine. These days all machines are coming with a 64-bit OS, so are there any plans to support it?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3474896&group_id=55685

From: SourceForge.net <no...@so...> - 2012-01-03 23:03:50

Feature Requests item #3469250, was opened at 2012-01-03 15:03
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3469250&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Nobody/Anonymous (nobody)
Summary: istat to show when FAT files can't be recovered

Initial Comment:
The istat output for a FAT file that can't be recovered should have some message to that effect. It shows the recovered layout if it is possible, but seems to silently ignore the topic if it can't be recovered. Providing details on why it can't recover would be better, but I don't think that data is available in that method.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=3469250&group_id=55685