sleuthkit-developers Mailing List for The Sleuth Kit (Page 4)
From: noxdafox <nox...@gm...> - 2016-06-28 16:49:20
Greetings,

recently I've been playing around with NTFS Update Sequence Number Journals, which I find a fairly good instrument for extracting timelines from NTFS drives.

I have been writing a few parsers for it, the last one being written in C. I was thinking about porting it to sleuthkit. Do you think it would be beneficial for the library?

The idea would be to expose a visitor API (in similar fashion as for tsk_fs_dir_walk) and then a command line tool built on top of it.

More info about UsnJrnl files:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa365722%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396#

From: Wiktor S. <wik...@gm...> - 2016-06-14 11:34:36
Roberto,

I did something similar for my final year project. I can share my paper with you? Also, search mailing group for my email. I used external python framework.

Vic

On 13 Jun 2016 16:36, "Roberto Amelio" <g.r...@gm...> wrote:

> Ok, I think I got stuff to start with! Thank you both so much.
>
> Roberto
>
> On Mon, 13 Jun 2016 at 15:43 Brian Carrier <ca...@sl...> wrote:
>
>> Adding to Justin’s comment, you can start with the Python tutorial that I did last year, which focuses on a smart phone-like use case that looks for a SQLite database and parses the contents.
>>
>> http://www.autopsy.com/python-autopsy-module-tutorial-2-the-data-source-ingest-module/
>>
>> > On Jun 12, 2016, at 12:18 PM, Justin Grover <jus...@gm...> wrote:
>> >
>> > Hi Roberto,
>> >
>> > Good luck on your project! Assuming I'm understanding your task correctly, you are first going to need to target/look at a specific app or file of interest on Android that contains geodata. After you've figured out the specifics of where/how the data is stored, you will probably want to create a data source ingest module in Autopsy to extract/display your findings.
>> >
>> > Justin
>> >
>> > On Jun 11, 2016 2:18 PM, "Roberto Amelio" <g.r...@gm...> wrote:
>> > Hi,
>> >
>> > My name is Roberto and I'm doing a MSc in Cyber Security. I would like to develop a module for Autopsy as my final project. It has to be focused on mobile (Android) forensics, I am reading the documentation online getting an idea about ingest modules and what the Android Analyser Module already does.
>> >
>> > My idea is to retrieve as much information on locations as possible to be able to track where the phone has been, providing an XML file (or something like that) to plot.
>> >
>> > I would appreciate feedback about it and help to start. I hope my question is appropriate for this mailing list, I am not used to use it.
>> >
>> > Regards,
>> >
>> > Roberto

From: Roberto A. <g.r...@gm...> - 2016-06-13 15:35:58
Ok, I think I got stuff to start with! Thank you both so much.

Roberto

On Mon, 13 Jun 2016 at 15:43 Brian Carrier <ca...@sl...> wrote:

> Adding to Justin’s comment, you can start with the Python tutorial that I did last year, which focuses on a smart phone-like use case that looks for a SQLite database and parses the contents.
>
> http://www.autopsy.com/python-autopsy-module-tutorial-2-the-data-source-ingest-module/
>
> > On Jun 12, 2016, at 12:18 PM, Justin Grover <jus...@gm...> wrote:
> >
> > Hi Roberto,
> >
> > Good luck on your project! Assuming I'm understanding your task correctly, you are first going to need to target/look at a specific app or file of interest on Android that contains geodata. After you've figured out the specifics of where/how the data is stored, you will probably want to create a data source ingest module in Autopsy to extract/display your findings.
> >
> > Justin
> >
> > On Jun 11, 2016 2:18 PM, "Roberto Amelio" <g.r...@gm...> wrote:
> > Hi,
> >
> > My name is Roberto and I'm doing a MSc in Cyber Security. I would like to develop a module for Autopsy as my final project. It has to be focused on mobile (Android) forensics, I am reading the documentation online getting an idea about ingest modules and what the Android Analyser Module already does.
> >
> > My idea is to retrieve as much information on locations as possible to be able to track where the phone has been, providing an XML file (or something like that) to plot.
> >
> > I would appreciate feedback about it and help to start. I hope my question is appropriate for this mailing list, I am not used to use it.
> >
> > Regards,
> >
> > Roberto

From: Brian C. <ca...@sl...> - 2016-06-13 14:43:09
Adding to Justin’s comment, you can start with the Python tutorial that I did last year, which focuses on a smart phone-like use case that looks for a SQLite database and parses the contents.

http://www.autopsy.com/python-autopsy-module-tutorial-2-the-data-source-ingest-module/

> On Jun 12, 2016, at 12:18 PM, Justin Grover <jus...@gm...> wrote:
>
> Hi Roberto,
>
> Good luck on your project! Assuming I'm understanding your task correctly, you are first going to need to target/look at a specific app or file of interest on Android that contains geodata. After you've figured out the specifics of where/how the data is stored, you will probably want to create a data source ingest module in Autopsy to extract/display your findings.
>
> Justin
>
> On Jun 11, 2016 2:18 PM, "Roberto Amelio" <g.r...@gm...> wrote:
> Hi,
>
> My name is Roberto and I'm doing a MSc in Cyber Security. I would like to develop a module for Autopsy as my final project. It has to be focused on mobile (Android) forensics, I am reading the documentation online getting an idea about ingest modules and what the Android Analyser Module already does.
>
> My idea is to retrieve as much information on locations as possible to be able to track where the phone has been, providing an XML file (or something like that) to plot.
>
> I would appreciate feedback about it and help to start. I hope my question is appropriate for this mailing list, I am not used to use it.
>
> Regards,
>
> Roberto

From: Justin G. <jus...@gm...> - 2016-06-13 02:23:43
Yes, good plan. I imagine its full usefulness will depend on your findings, but at the very least it should serve as a good "example" for others wanting to do something similar with other apps/geodata.

Justin

On Jun 12, 2016 2:31 PM, "Roberto Amelio" <g.r...@gm...> wrote:

> Thank you! My plan was like that, is it worthy? It is my first time I contribute on a open source platform and I would like to interact with the community and doing something useful.
>
> Roberto
>
> On Sun, 12 Jun 2016 at 17:18 Justin Grover <jus...@gm...> wrote:
>
>> Hi Roberto,
>>
>> Good luck on your project! Assuming I'm understanding your task correctly, you are first going to need to target/look at a specific app or file of interest on Android that contains geodata. After you've figured out the specifics of where/how the data is stored, you will probably want to create a data source ingest module in Autopsy to extract/display your findings.
>>
>> Justin
>>
>> On Jun 11, 2016 2:18 PM, "Roberto Amelio" <g.r...@gm...> wrote:
>>
>>> Hi,
>>>
>>> My name is Roberto and I'm doing a MSc in Cyber Security. I would like to develop a module for Autopsy as my final project. It has to be focused on mobile (Android) forensics, I am reading the documentation online getting an idea about ingest modules and what the Android Analyser Module already does.
>>>
>>> My idea is to retrieve as much information on locations as possible to be able to track where the phone has been, providing an XML file (or something like that) to plot.
>>>
>>> I would appreciate feedback about it and help to start. I hope my question is appropriate for this mailing list, I am not used to use it.
>>>
>>> Regards,
>>>
>>> Roberto

From: Roberto A. <g.r...@gm...> - 2016-06-12 18:31:44
Thank you! My plan was like that, is it worthy? It is my first time I contribute on a open source platform and I would like to interact with the community and doing something useful.

Roberto

On Sun, 12 Jun 2016 at 17:18 Justin Grover <jus...@gm...> wrote:

> Hi Roberto,
>
> Good luck on your project! Assuming I'm understanding your task correctly, you are first going to need to target/look at a specific app or file of interest on Android that contains geodata. After you've figured out the specifics of where/how the data is stored, you will probably want to create a data source ingest module in Autopsy to extract/display your findings.
>
> Justin
>
> On Jun 11, 2016 2:18 PM, "Roberto Amelio" <g.r...@gm...> wrote:
>
>> Hi,
>>
>> My name is Roberto and I'm doing a MSc in Cyber Security. I would like to develop a module for Autopsy as my final project. It has to be focused on mobile (Android) forensics, I am reading the documentation online getting an idea about ingest modules and what the Android Analyser Module already does.
>>
>> My idea is to retrieve as much information on locations as possible to be able to track where the phone has been, providing an XML file (or something like that) to plot.
>>
>> I would appreciate feedback about it and help to start. I hope my question is appropriate for this mailing list, I am not used to use it.
>>
>> Regards,
>>
>> Roberto

From: Justin G. <jus...@gm...> - 2016-06-12 16:18:25
Hi Roberto,

Good luck on your project! Assuming I'm understanding your task correctly, you are first going to need to target/look at a specific app or file of interest on Android that contains geodata. After you've figured out the specifics of where/how the data is stored, you will probably want to create a data source ingest module in Autopsy to extract/display your findings.

Justin

On Jun 11, 2016 2:18 PM, "Roberto Amelio" <g.r...@gm...> wrote:

> Hi,
>
> My name is Roberto and I'm doing a MSc in Cyber Security. I would like to develop a module for Autopsy as my final project. It has to be focused on mobile (Android) forensics, I am reading the documentation online getting an idea about ingest modules and what the Android Analyser Module already does.
>
> My idea is to retrieve as much information on locations as possible to be able to track where the phone has been, providing an XML file (or something like that) to plot.
>
> I would appreciate feedback about it and help to start. I hope my question is appropriate for this mailing list, I am not used to use it.
>
> Regards,
>
> Roberto

From: Roberto A. <g.r...@gm...> - 2016-06-11 18:18:38
Hi,

My name is Roberto and I'm doing a MSc in Cyber Security. I would like to develop a module for Autopsy as my final project. It has to be focused on mobile (Android) forensics, I am reading the documentation online getting an idea about ingest modules and what the Android Analyser Module already does.

My idea is to retrieve as much information on locations as possible to be able to track where the phone has been, providing an XML file (or something like that) to plot.

I would appreciate feedback about it and help to start. I hope my question is appropriate for this mailing list, I am not used to use it.

Regards,

Roberto

From: Michael C. <scu...@gm...> - 2016-06-09 16:44:55
Hi Brian,

Just as an FYI, pytsk uses VS 9.0 since that is the only supported compiler for python 2.7. But we do not use any of the project files since python has its own build system.

https://wiki.python.org/moin/WindowsCompilers

It would be good to keep the code itself compilable under this old version which does not support later C standards.

Thanks
Michael.

On 9 Jun 2016 08:46, "Brian Carrier" <ca...@sl...> wrote:

> If you compile TSK with Visual Studio, you have to use 2010, which has become dated and is a pain to get 64-bit builds out of. We’re thinking about moving to VS 2015 (still the free version). Does this impact anyone? Anyone building from source on Windows and want it to remain in 2010?
>
> brian

From: Brian C. <ca...@sl...> - 2016-06-09 15:46:10
If you compile TSK with Visual Studio, you have to use 2010, which has become dated and is a pain to get 64-bit builds out of. We’re thinking about moving to VS 2015 (still the free version). Does this impact anyone? Anyone building from source on Windows and want it to remain in 2010?

brian

From: khoirunnisa A. <k....@ro...> - 2016-05-27 06:06:06
Hello,

I just started developing a module on Autopsy 4. I had followed the steps in https://github.com/sleuthkit/autopsy/blob/develop/BUILDING.txt and successfully compiled it on Ubuntu 12.04.5 using netbeans 8.0.2. But when running autopsy I get a NullPointerException every time a new case is created. Here's the stack trace:

    SEVERE: Error creating case a
    java.lang.NullPointerException
        at org.sleuthkit.autopsy.modules.hashdatabase.HashLookupSettingsPanel.addPropertyChangeListener(HashLookupSettingsPanel.java:109)
        at javax.swing.plaf.synth.SynthPanelUI.installListeners(SynthPanelUI.java:83)
        at javax.swing.plaf.synth.SynthPanelUI.installUI(SynthPanelUI.java:63)
        at javax.swing.JComponent.setUI(JComponent.java:666)
        at javax.swing.JPanel.setUI(JPanel.java:153)
        at javax.swing.JPanel.updateUI(JPanel.java:126)
        at javax.swing.JPanel.<init>(JPanel.java:86)
        at javax.swing.JPanel.<init>(JPanel.java:109)
        at javax.swing.JPanel.<init>(JPanel.java:117)
        at org.sleuthkit.autopsy.ingest.IngestModuleGlobalSettingsPanel.<init>(IngestModuleGlobalSettingsPanel.java:26)
        at org.sleuthkit.autopsy.modules.hashdatabase.HashLookupSettingsPanel.<init>(HashLookupSettingsPanel.java:67)
        at org.sleuthkit.autopsy.modules.hashdatabase.HashLookupModuleFactory.getGlobalSettingsPanel(HashLookupModuleFactory.java:103)
        at org.sleuthkit.autopsy.ingest.IngestModuleTemplate.getGlobalSettingsPanel(IngestModuleTemplate.java:69)
        at org.sleuthkit.autopsy.ingest.IngestJobSettingsPanel$IngestModuleModel.<init>(IngestJobSettingsPanel.java:362)
        at org.sleuthkit.autopsy.ingest.IngestJobSettingsPanel.<init>(IngestJobSettingsPanel.java:58)
        at org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel.<init>(AddImageWizardIngestConfigPanel.java:81)
        at org.sleuthkit.autopsy.casemodule.AddImageWizardIterator.getPanels(AddImageWizardIterator.java:55)
        at org.sleuthkit.autopsy.casemodule.AddImageWizardIterator.current(AddImageWizardIterator.java:104)
        at org.openide.WizardDescriptor.updateStateOpen(WizardDescriptor.java:844)
        at org.openide.WizardDescriptor.updateState(WizardDescriptor.java:822)
        at org.openide.WizardDescriptor._updateState(WizardDescriptor.java:800)
        at org.openide.WizardDescriptor.initialize(WizardDescriptor.java:475)
        at org.openide.NotifyDescriptor.getterCalled(NotifyDescriptor.java:302)
        at org.openide.DialogDescriptor.isModal(DialogDescriptor.java:322)
        at org.netbeans.core.windows.services.NbDialog.<init>(NbDialog.java:67)
        at org.netbeans.core.windows.services.DialogDisplayerImpl$1.run(DialogDisplayerImpl.java:158)
        at org.netbeans.core.windows.services.DialogDisplayerImpl$1.run(DialogDisplayerImpl.java:119)
        at org.netbeans.modules.openide.util.NbMutexEventProvider$Event.doEventAccess(NbMutexEventProvider.java:138)
        at org.netbeans.modules.openide.util.NbMutexEventProvider$Event.readAccess(NbMutexEventProvider.java:98)
        at org.netbeans.modules.openide.util.LazyMutexImplementation.readAccess(LazyMutexImplementation.java:94)
        at org.openide.util.Mutex.readAccess(Mutex.java:218)
        at org.netbeans.core.windows.services.DialogDisplayerImpl.createDialog(DialogDisplayerImpl.java:119)
        at org.netbeans.core.windows.services.DialogDisplayerImpl.createDialog(DialogDisplayerImpl.java:111)
        at org.sleuthkit.autopsy.casemodule.AddImageAction.actionPerformed(AddImageAction.java:130)
        at org.sleuthkit.autopsy.casemodule.NewCaseWizardAction$1.done(NewCaseWizardAction.java:113)
        at javax.swing.SwingWorker$5.run(SwingWorker.java:737)
        at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:832)
        at sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
        at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:842)
        at javax.swing.Timer.fireActionPerformed(Timer.java:313)
        at javax.swing.Timer$DoPostEvent.run(Timer.java:245)
        at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
        at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
        at java.awt.EventQueue.access$500(EventQueue.java:97)
        at java.awt.EventQueue$3.run(EventQueue.java:709)
        at java.awt.EventQueue$3.run(EventQueue.java:703)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:76)
        at java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
        at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:159)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
        at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
        at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

Could anyone help me with this problem? Did I miss important steps or something?

Thanks,
Khoirunnisa Afifah

From: Luís F. N. <lfc...@gm...> - 2016-03-31 22:57:48
Hi,

Sometimes tsk_loaddb takes hours to finish an image decoding and we have to wait that before starting image content processing. We have patched tsk_loaddb to commit the results for each 10k files inserted into sqlite, so we are able to process the files as soon as possible. It has increased tsk_loaddb total time only a little bit, approximately 10%.

I would like to contribute that patch as a command line option, without changing default behaviour, if you agree.

Best regards,
Luis

From: Stuart M. <st...@ap...> - 2016-01-07 05:48:31
There are two parts to getting a binary with shared libraries to work.

The first is the BUILD. For any routine you use, you must tell the linker where it is, and this step uses the -L and -l options:

    gcc -o myApp myApp.o -L/path/to/libs -lfoo

for some shared library /path/to/libs/libfoo.so

That has to work, else the linker will complain of unresolved dependencies. But that's only half the story. The build link step merely embeds the simple string 'libfoo.so' in the binary.

Now you get to RUNTIME and the link-loader has to find a file libfoo.so, but obviously does NOT use, or know anything about, the -L, -l options of the build step. The BUILD and RUN steps can be on different hosts of course.

Instead, the link-loader looks for libfoo.so according to directories in LD_LIBRARY_PATH, if set, and in standard directories like /lib, /usr/lib etc. I think there is some kind of cached list too, and ldconfig can query this list.

A useful command is ldd, it tells you all runtime dependencies, and whether the link-loader would be able to resolve them:

    $ ldd myApp

Hope this helps

Stuart

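The build/run split described in this reply, as an added example that is not part of the original message: it builds a constructed libfoo.so and myApp (the placeholder names from the reply) in a temporary directory, shows the loader failing when no search path is given, and shows LD_LIBRARY_PATH resolving it. It assumes a Linux host with a C compiler available as `cc` and with `ldd`.

```shell
#!/bin/sh
# Added example, not from the thread. libfoo.so and myApp are the placeholder
# names used in the reply; both sources are constructed here.
# Assumes Linux with `cc` and `ldd` on PATH.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# BUILD step: -L/-l tell the linker where libfoo.so is at link time only.
# The binary records just the name "libfoo.so", not the directory.
build_demo() {
    mkdir -p "$WORK/libs" || return 1
    printf 'int foo(void) { return 42; }\n' > "$WORK/foo.c"
    printf 'int foo(void);\nint main(void) { return foo() == 42 ? 0 : 1; }\n' \
        > "$WORK/myApp.c"
    cc -shared -fPIC -o "$WORK/libs/libfoo.so" "$WORK/foo.c" &&
        cc -o "$WORK/myApp" "$WORK/myApp.c" -L"$WORK/libs" -lfoo
}

# RUN step without a search path: the loader looks only in its default
# directories and cache, so this fails with "cannot open shared object file".
run_without_path() {
    ( unset LD_LIBRARY_PATH; "$WORK/myApp" )
}

# RUN step with the library directory supplied for this one process.
run_with_path() {
    LD_LIBRARY_PATH="$WORK/libs" "$WORK/myApp"
}

# Succeeds when ldd resolves libfoo.so to a file on disk.
# $1 is the LD_LIBRARY_PATH to use; an empty value means "unset".
# ldd can run code from the file it inspects, so use it only on binaries
# you built or trust.
resolves() {
    (
        if [ -n "$1" ]; then
            LD_LIBRARY_PATH=$1; export LD_LIBRARY_PATH
        else
            unset LD_LIBRARY_PATH
        fi
        ldd "$WORK/myApp" 2>/dev/null | grep -q 'libfoo\.so => /'
    )
}

# For a library installed system-wide (for example under /usr/local/lib), the
# persistent fix is to list the directory in /etc/ld.so.conf.d/ and run
# ldconfig as root; that step is not performed here.

if command -v cc >/dev/null 2>&1 && build_demo; then
    run_without_path || echo "without LD_LIBRARY_PATH: exit status $?"
    run_with_path && echo "with LD_LIBRARY_PATH: ran successfully"
    resolves "" || echo "ldd, no path: libfoo.so not resolved"
    resolves "$WORK/libs" && echo "ldd, with path: libfoo.so resolved"
fi
```
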
From: Brian C. <ca...@sl...> - 2016-01-07 02:44:18
Should be fixed.

> On Jan 6, 2016, at 8:03 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>
> Could a C programmer kindly take a look at ticket #561, it seems easy to fix.
>
> Thanks,
> Luis

From: Luís F. N. <lfc...@gm...> - 2016-01-06 13:03:38
Could a C programmer kindly take a look at ticket #561, it seems easy to fix.

Thanks,
Luis

From: Roberto M. <rma...@ch...> - 2015-11-09 20:51:15
Are you running on Linux? Do you see the folder in question when running "ldconfig -v"?

- Roberto

On Oct 22, 2015, at 4:58 PM, Efstratios Skleparis <esk...@gm...> wrote:

> Dear all,
>
> After successfully building and compiling sleuthkit library, I tried to write an introspection tool using the library.. Thing is whenever i am trying to compile the program in order to test it and I am using a function from the library API I get the following error:
>
>     error while loading shared libraries: libtsk.so.13: cannot open shared object file: No such file or directory
>
> I found though that this file exists in /usr/local/lib folder. Am i missing something? ./configure && make didn't give me any errors.. and I am including -ltsk on the makefile!
>
> My pc information: XEN hypervisor [Ubuntu 12.04 x64bit] and i am trying to investigate a guest vm running ubuntu 12.04 x32bit
>
> Thanks in advance,
> Efstratios

From: Efstratios S. <esk...@gm...> - 2015-10-22 20:59:33
Dear all,

After successfully building and compiling sleuthkit library, I tried to write an introspection tool using the library.. Thing is whenever i am trying to compile the program in order to test it and I am using a function from the library API I get the following error:

    error while loading shared libraries: libtsk.so.13: cannot open shared object file: No such file or directory

I found though that this file exists in /usr/local/lib folder. Am i missing something? ./configure && make didn't give me any errors.. and I am including -ltsk on the makefile!

My pc information: XEN hypervisor [Ubuntu 12.04 x64bit] and i am trying to investigate a guest vm running ubuntu 12.04 x32bit

Thanks in advance,
Efstratios

From: Luís F. N. <lfc...@gm...> - 2015-09-21 12:08:12
Hi,

Is it possible to add an option to SleuthkitCase.makeAddImageProcess(...) to store file layout information, like tsk_loaddb currently does? In my tests, there is no significant running time difference when using or not the -k loaddb option. I think being able to programmatically query this info is very useful.

Thank you,
Luis Nassif

From: Luís F. N. <lfc...@gm...> - 2015-09-12 15:24:10
Hi,

Could someone kindly explain why SleuthkitCase.java was changed a few months ago to explicitly acquire and release shared and exclusive locks before and after accessing SQLite? SQLite handles read/write concurrency automatically, so this logic into SleuthkitCase could be redundant and increase code complexity a lot.

I think strange the code comment that java locks perform better than sqlite "native" locks "for reasons that are not currently understood". There are references or tests were done to support this?

And finally, native SQLite locks were disabled after implementing this explicit and so sensible lock control?

Thank you very much for your attention,
Luis

From: Luís F. N. <lfc...@gm...> - 2015-09-07 15:12:47
|
Sorry for the long delay. I do not have the image with me, I will ask my colleague if trimming the image is possible...

We worked around the problem by filtering out orphans with logical size greater than 10 MB before sending them to the processing engine.

Thank you,
Luis

2015-08-13 14:13 GMT-03:00 Stefan Petrea <ste...@gm...>:

> Hi Luis,
>
> Could the NTFS image you're looking at be trimmed down and provided as
> sample input to reproduce the problem?
>
> Best Regards,
> Stefan
>
> On Thu, Aug 13, 2015 at 8:05 PM, Luís Filipe Nassif <lfc...@gm...>
> wrote:
>
>> This error has happened again with a colleague's NTFS image, using the
>> develop branch compiled about 1 month ago. Thousands of huge corrupted
>> orphans were added by loaddb, which caused our processing application (and
>> probably Autopsy too) to process the evidence indefinitely.
>>
>> Any help will be appreciated.
>>
>> Regards,
>> Luis Nassif
>>
>> 2014-09-30 21:00 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>
>>> This problem still happens with the 4.2.0 branch. If I can help with some
>>> more information, please let me know.
>>>
>>> Thanks
>>> Luis
>>>
>>> 2014-07-24 9:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>>
>>>> More information: the sum of the millions of file sizes resulted in
>>>> 1,1 petabyte, while the image has only 250 GB.
>>>>
>>>> 2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>>>
>>>>> We tested loaddb of both the released 4.1.3 version and the develop
>>>>> branch of sleuthkit on an NTFS image of a hard disk with a lot of bad
>>>>> blocks, many of them at the beginning of the disk.
>>>>>
>>>>> The 4.1.3 version found ~400.000 allocated files plus ~100.000 orphan
>>>>> files, about the same found by other forensic tools. The develop branch
>>>>> found the same ~400.000 allocated files plus ~2.500.000 orphan files! Most
>>>>> of these millions of orphans have corrupted names or the name
>>>>> OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes.
>>>>> We think the recent changes to NTFS code are causing this large number of
>>>>> corrupted orphans to be added to the case. Maybe it should be investigated
>>>>> before the final 4.2 release.
>>>>>
>>>>> Luis |
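The workaround Luis describes in this message (dropping orphans with a logical size over 10 MB before processing), together with the size symptom reported earlier in the thread, sketched as an added example that is not part of the original messages or of The Sleuth Kit. `FileEntry`, `triage` and the sample listing are hypothetical and constructed here, and 10 MB is taken as 10 × 1024 × 1024 bytes.

```python
from dataclasses import dataclass

MAX_ORPHAN_BYTES = 10 * 1024 * 1024   # 10 MB cut-off from the thread (binary MB assumed)


@dataclass(frozen=True)
class FileEntry:                      # hypothetical record, not a TSK type
    name: str
    size: int                         # logical size in bytes
    is_orphan: bool


def triage(entries, image_size):
    """Return (to_process, skipped, report) for one image's file listing."""
    to_process, skipped = [], []
    for e in entries:
        if e.is_orphan and e.size > MAX_ORPHAN_BYTES:
            skipped.append(e)         # kept for the report, never sent for processing
        else:
            to_process.append(e)      # allocated files pass regardless of size
    total = sum(e.size for e in entries)
    report = {
        "orphans": sum(e.is_orphan for e in entries),
        "skipped": len(skipped),
        "total_logical_bytes": total,
        # Logical sizes adding up to more than the image is the symptom reported
        # in the thread (1,1 petabyte on a 250 GB image); treat it as a warning.
        "sizes_exceed_image": total > image_size,
    }
    return to_process, skipped, report


# Constructed sample listing for a 250 GB image (values are illustrative only).
IMAGE_SIZE = 250 * 10**9
SAMPLE = [
    FileEntry("report.docx", 48_213, False),
    FileEntry("video.avi", 700 * 1024 * 1024, False),         # large allocated file
    FileEntry("OrphanFile-0000001", 4_294_967_296, True),     # oversized orphan
    FileEntry("OrphanFile-0000002", 0, True),
    FileEntry("OrphanFile-0000003", MAX_ORPHAN_BYTES, True),  # exactly at the limit
] + [FileEntry(f"OrphanFile-{i:07d}", 4_294_967_296, True) for i in range(100, 200)]

if __name__ == "__main__":
    keep, skipped, report = triage(SAMPLE, IMAGE_SIZE)
    print(len(keep), "entries to process;", report)
```
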
From: Luís F. N. <lfc...@gm...> - 2015-09-07 15:04:37
|
Interesting work, Stuart, thank you for sharing!

I have not had time to test your bindings yet, but I see use cases where it should be very useful, like fast previewing of data at crime scenes, or processing data as soon as the file system starts to be traversed (in some cases loaddb takes a long time...)

Thanks again for sharing your great work,
Luis

2015-08-20 12:36 GMT-03:00 Stuart Maclean <st...@ap...>:

> Hi Brian, yes my effort is just Java and C.
>
> Stuart
>
> On 08/20/2015 06:22 AM, Brian Carrier wrote:
> > Thanks Stuart. Just to be clear, the main difference between your
> > bindings and the one that ships with TSK is that the “official” one relies
> > on SQLite and JNI while yours is 100% JNI, right?
> >
> > thanks,
> > brian |
From: Stuart M. <st...@ap...> - 2015-08-20 15:40:11
|
Hi Brian, yes my effort is just Java and C.

Stuart

On 08/20/2015 06:22 AM, Brian Carrier wrote:
> Thanks Stuart. Just to be clear, the main difference between your bindings and the one that ships with TSK is that the “official” one relies on SQLite and JNI while yours is 100% JNI, right?
>
> thanks,
> brian |
From: Brian C. <ca...@sl...> - 2015-08-20 13:22:31
|
Thanks Stuart. Just to be clear, the main difference between your bindings and the one that ships with TSK is that the “official” one relies on SQLite and JNI while yours is 100% JNI, right?

thanks,
brian

> On Aug 20, 2015, at 3:12 AM, Stuart Maclean <st...@ap...> wrote:
>
> I have been working on some Java bindings to Sleuthkit for a good while,
> and have finally found time to upload to github. As of today I finished the README and converted the develop branch into master and tagged.
>
> https://github.com/uw-dims/tsk4j/
>
> Feedback welcomed.
>
> Stuart |
From: Stuart M. <st...@ap...> - 2015-08-20 07:41:02
|
I have been working on some Java bindings to Sleuthkit for a good while, and have finally found time to upload to github. As of today I finished the README and converted the develop branch into master and tagged.

https://github.com/uw-dims/tsk4j/

Feedback welcomed.

Stuart |
From: Stuart M. <st...@ap...> - 2015-08-19 06:42:26
|
I have been working on some Java bindings to Sleuthkit for a good while, and have finally found time to upload to github. Currently it's all on the 'develop' branch, as you can see from the url. Master release to follow.

https://github.com/uw-dims/tsk4j/tree/develop

Feedback welcomed.

Stuart |