sleuthkit-developers Mailing List for The Sleuth Kit (Page 36)
From: kenshin <ken...@gm...> - 2006-06-20 23:37:49
I'm interested in developing sleuthkit and I have some questions ...

Why do you want to use static executables? Why do you not use shared libraries?
Why do you use "cd dir; make" instead of "make -C dir"?
Why does "src/fstools/" have filesystems and tools to analyze? I think it is better to put filesystems in src/fs/ and tools in src/fstools/.
Why do you compile the commands file, md5, sha1? (a normal system has them)
Is anyone interested in reiserfs development?

It's all for now :)
From: Paul B. <p.j...@br...> - 2006-06-20 20:04:06
Hi everybody,

After a long while I finally got back to searchtools. While not really adding any new functionality (save for functionality now supported by the Sleuthkit), I have updated the Searchtools to work with Sleuthkit version 2.04.

The Autopsy patch may still take a while as that costs a lot more effort. But don't worry. It will come. And I will update you if it finally arrives.

Searchtools is located at: http://brainspark.nl/tools#searchtools_patch
But faster is: http://brainspark.nl/downloads/sleuthkit-2.04-searchtools-3.2.patch

If you have any questions, don't hesitate to ask. If I can I will answer and help you.

Regards,
Paul Bakker
From: Matthew M. S. <msh...@ag...> - 2006-06-20 15:34:28
To all-

Agile Risk Management is committed to advancing information security concepts, technology, and techniques. As such, we have developed Nigilant32, a freeware Windows GUI Incident Response tool based on the source code provided by Sleuthkit.

Nigilant32 is an incident response tool designed to capture as much information as possible from a running system with the smallest potential impact. Nigilant32 has been developed with Windows 2000, XP, and 2003 in mind, and should work fine with computers running one of those operating systems. Nigilant32 is beta software and may not work in all instances.

In addition, over the next three weeks we'll be releasing one article each week covering how to use Nigilant32 to perform different Incident Response tasks. The first article is "Nigilant32 For First Responders: The SnapShot". This article covers using Nigilant32 to review and save a report of the running system that includes Processes, Services, User accounts, Scheduled Tasks, Network Ports, etc.

We sincerely hope you find Nigilant32 useful, however please remember, it is beta software therefore you should exercise good judgment when using it in your IT environment.

Nigilant32, articles (as they are released), and modified Sleuthkit source code (libsleuthkit) is available at http://www.agilerm.net/publications_4.html

Warmest Regards,

Matthew M Shannon, CIFI, CISSP
Principal - Computer Forensics and Litigation Support
Agile Risk Management LLC
2202 N Westshore Blvd, Suite 200
Tampa, FL 33607
msh...@ag...
(M) 813.732.5076
(O) 1.877.AGILE13 (877.244.5313)
<http://www.agileriskmanagement.com/> www.agileriskmanagement.com
From: Brian C. <ca...@sl...> - 2006-05-31 14:12:44
I haven't tried this setup before. Can you tell if the tools are running or if they are exiting because of the setup? Try to run a command such as 'fls image.dd > foo.txt' in the exec and see if the 'foo.txt' file is created. That will tell you if the command isn't being run or if the output isn't being properly displayed.

brian

Ultan Fitzgerald wrote:
> I have chosen to do a college project that uses the sleuth kit through a
> java gui, displaying output from commands in a JText area. I can run the
> linux based commands without problem like 'dd' but the sleuthkit
> ones won't run. There is no problem running the sleuthkit commands from
> the konsole so I presumed the java runtime exec() would not be a
> problem with them, any ideas why they won't run?
> Thanks.
From: Ultan F. <ult...@gm...> - 2006-05-30 23:55:37
I have chosen to do a college project that uses the sleuth kit through a java gui, displaying output from commands in a JText area. I can run the linux based commands without problem like 'dd' but the sleuthkit ones won't run. There is no problem running the sleuthkit commands from the konsole so I presumed the java runtime exec() would not be a problem with them, any ideas why they won't run?

Thanks.
From: eric <er...@ho...> - 2006-03-09 14:23:10
I would like to offer some of my time writing documentation.

Thank you,
eric
From: Wyatt B. <wb...@cr...> - 2005-11-14 13:24:59
Support for HFS+ file systems is a feature that is being developed. There is a version that the code ships with version 2.03 at present. To use it just uncomment hfs.o, hfs_dent.o and hfs_journal.o from the Makefile in src/fstools.

The support for HFS+ is working but is undergoing some changes at present to allow faster, more efficient searching for inodes, among other changes. This code is not officially in the mainstream release of The Sleuth Kit at present. When the final changes are made to these files then we can begin the process of verifying the integrity and accuracy of the code contained therein.

I hope this was helpful. :-)

Wyatt Banks
Crucial Security
14900 Conference Center Drive
Chantilly, VA 20151
www.crucialsecurity.com

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of sle...@li...
Sent: Sunday, November 13, 2005 11:39 PM
To: sle...@li...
Subject: sleuthkit-developers digest, Vol 1 #71 - 1 msg

Today's Topics:
1. sleuthkit and HFS+ file systems (Scott Turnbull)

Message: 1
To: sle...@li...
From: Scott Turnbull <sco...@ao...>
Date: Mon, 14 Nov 2005 04:21:24 +0000
Subject: [sleuthkit-developers] sleuthkit and HFS+ file systems

Are there any plans to add support for Apple HFS+ file systems? Currently the only semi-usable tool I've come across is hfsdebug, which is neither very comprehensive nor open source.

There appears to be adequate documentation out-there; I'm thinking specifically about ADC Technical Note TN1150.

By the way, File System Forensic Analysis is a terrific resource.

Scott Turnbull
From: Scott T. <sco...@ao...> - 2005-11-14 04:21:39
Are there any plans to add support for Apple HFS+ file systems? Currently the only semi-usable tool I've come across is hfsdebug, which is neither very comprehensive nor open source.

There appears to be adequate documentation out-there; I'm thinking specifically about ADC Technical Note TN1150.

By the way, File System Forensic Analysis is a terrific resource.

Scott Turnbull
From: youcef b. <ybi...@ya...> - 2005-09-29 22:29:58
Surago,

Valid question, but Sleuthkit is meant to be a file system analysis and not an application analysis tool. Stepping over that would open a Pandora's box of tools that need to be added. So why not add a Windows event log viewer, a registry viewer, ...etc. The list is endless.

youcef

--- Surago Jones <su...@sj...> wrote:
> Not sure if this exists already somewhere else, and am not sure if it
> would be completely transportable between various operating systems but
> maybe some form of Tool that reads the /var/log/lastlog file and outputs
> the details would be handy.
>
> I am currently performing the Forensic Challenge from the Honeynet
> Project (yeah a couple years later than everyone else, but still very
> beneficial for learning the functionality available in Autopsy and The
> SleuthKit).
>
> During my analysis I have extracted the /var/log/lastlog file and have
> used the lastlog.c source provided by Thomas Roessler to output the
> details I need, however because my C skills are very rusty (and I am
> time limited) I was thinking it would be handy if someone could improve
> this source to include the ability to set the timezone to use for the
> logon times output, and/or reference a /etc/passwd file to correlate the
> user id's to a username.
>
> I haven't had much experience with other flavours of Linux (Mainly used
> the Red Hat varieties), so I don't know if such an addition to the
> SleuthKit would be a valuable addition or not, but if the lastlog file
> (or similar) is common to varying distributions and the data structure
> is similar then possibly this would be a great additional tool to
> include.
>
> As the current method of exporting the data units, changing the timezone
> then using the lastlog.c source provided by Thomas Roessler, then
> changing my timezone back is somewhat cumbersome. Obviously this is
> only a problem for me as my timezone is different to that of the
> compromised machine.
>
> Just thought this suggestion might be useful, or if this wheel has
> already been invented somewhere then can someone please point me in the
> right direction.
>
> Cheers
>
> Surago.
From: Surago J. <su...@sj...> - 2005-09-29 07:11:24
Not sure if this exists already somewhere else, and am not sure if it would be completely transportable between various operating systems but maybe some form of Tool that reads the /var/log/lastlog file and outputs the details would be handy.

I am currently performing the Forensic Challenge from the Honeynet Project (yeah a couple years later than everyone else, but still very beneficial for learning the functionality available in Autopsy and The SleuthKit).

During my analysis I have extracted the /var/log/lastlog file and have used the lastlog.c source provided by Thomas Roessler to output the details I need, however because my C skills are very rusty (and I am time limited) I was thinking it would be handy if someone could improve this source to include the ability to set the timezone to use for the logon times output, and/or reference a /etc/passwd file to correlate the user id's to a username.

I haven't had much experience with other flavours of Linux (Mainly used the Red Hat varieties), so I don't know if such an addition to the SleuthKit would be a valuable addition or not, but if the lastlog file (or similar) is common to varying distributions and the data structure is similar then possibly this would be a great additional tool to include.

As the current method of exporting the data units, changing the timezone then using the lastlog.c source provided by Thomas Roessler, then changing my timezone back is somewhat cumbersome. Obviously this is only a problem for me as my timezone is different to that of the compromised machine.

Just thought this suggestion might be useful, or if this wheel has already been invented somewhere then can someone please point me in the right direction.

Cheers

Surago.
From: Brian C. <ca...@ce...> - 2005-09-12 14:36:52
'ils -m' gives the headers for each column, although those are very minimal. Many of the fields are not used by mactime and some aren't even filled in by ils or fls. This layout is from the original TCT design and I have thought about changing it... but have never gotten around to it.

1: md5
2: name
3: device number
4: Inode number
5: Mode as a number
6: Mode as a string (the human readable version of the previous number)
7: Number of links
8: UID
9: GID
10: size
11: A-time
12: M-time
13: C-time
14: Block size
15: Number of blocks

brian

On Sep 11, 2005, at 10:34 AM, Surago Jones wrote:
> Hi,
>
> I'm just looking at the body file used by MacTime and am wondering what
> the field layout is. I have checked out the MacTime Source code,
> however my C is very rusty, and I'm not sure what some of the variables
> stand for.
>
> My guess is as follows...
>
> Example Data:
>
> '0|/usr/bin/uptime|0|17088|33133|-/-r-xr-xr-x|1|0|0|0|2836|973693553|952452206|973386197|4096|0'
>
> Column1:  0                Assigned to $tmp, so unused??
> Column2:  /usr/bin/uptime  Filename
> Column3:  0                Assigned to $tmp, so unused??
> Column4:  17088            Inode
> Column5:  33133            Assigned to $tmp, so unused??
> Column6:  -/-r-xr-xr-x     Rights for ls listings??
> Column7:  1                Assigned to $tmp, so unused??
> Column8:  0                Think this would be User Owner ID??
> Column9:  0                Think this would be Group Owner ID??
> Column10: 0                Assigned to $tmp, so unused??
> Column11: 2836             Size of file
> Column12: 973693553        A-Time
> Column13: 952452206        M-Time
> Column14: 973386197        C-Time
> Column15: 4096             Assigned to $tmp, so unused??
> Column16: 0                Assigned to $tmp, so unused??
>
> If anyone can fill me in on what the $tmp columns may represent it would
> be appreciated. Also what the correct terming of the data contained in
> Column 6 is.
>
> This info I gathered from the source code file mactime.base, I have
> looked at the fls sourcecode however I wasn't able to understand that on
> the very quick glance I had at it. :) (Was mainly looking for comments
> or descriptive variables. :) )
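The field layout from this reply, as an added example (not code from The Sleuth Kit or from the posters): a Python parser for one body line that cross-checks the numeric mode against the mode string and renders the three timestamps in a chosen UTC offset. The sample line in the question has 16 fields, one more than the 15 listed in the reply; treating the extra tenth field as `rdev` is an assumption, and the function names are this example's own.

```python
import stat
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Sample line from the question, with the mail line wrap inside the
# M-time value removed.
SAMPLE = ("0|/usr/bin/uptime|0|17088|33133|-/-r-xr-xr-x|1|0|0|0|2836|"
          "973693553|952452206|973386197|4096|0")


class BodyEntry(NamedTuple):
    md5: str
    name: str
    device: str
    inode: str      # kept as text, no arithmetic is done on it
    mode: int
    mode_str: str
    nlink: int
    uid: int
    gid: int
    rdev: str       # assumption: the field missing from the 15-item list
    size: int
    atime: int
    mtime: int
    ctime: int
    blksize: int
    blocks: int


def parse_body_line(line):
    """Parse one 16-field body line; tolerates '|' inside the file name."""
    md5, sep, rest = line.rstrip("\r\n").partition("|")
    # The 14 fields after the name are fixed, so split them off from the
    # right and leave whatever remains as the name.
    tail = rest.rsplit("|", 14)
    if not sep or len(tail) != 15:
        raise ValueError("expected 16 '|'-separated fields")
    (name, device, inode, mode, mode_str, nlink, uid, gid, rdev,
     size, atime, mtime, ctime, blksize, blocks) = tail
    return BodyEntry(md5, name, device, inode, int(mode), mode_str,
                     int(nlink), int(uid), int(gid), rdev, int(size),
                     int(atime), int(mtime), int(ctime),
                     int(blksize), int(blocks))


def mode_consistent(entry):
    """True if field 6 is the readable form of the numeric mode in field 5."""
    readable = entry.mode_str.rpartition("/")[2]  # text after the last '/'
    return stat.filemode(entry.mode) == readable


def timeline(entries, tz=timezone.utc):
    """Return sorted (time, flags, name) rows; flags mark M, A and C times."""
    rows = {}
    for e in entries:
        for pos, ts in enumerate((e.mtime, e.atime, e.ctime)):
            flags = rows.setdefault((ts, e.name), [".", ".", "."])
            flags[pos] = "mac"[pos]
    return [(datetime.fromtimestamp(ts, tz).isoformat(), "".join(f), name)
            for (ts, name), f in sorted(rows.items())]


if __name__ == "__main__":
    entry = parse_body_line(SAMPLE)
    print("mode matches mode string:", mode_consistent(entry))
    evidence_tz = timezone(timedelta(hours=-6))  # constructed offset
    for row in timeline([entry], evidence_tz):
        print("%s  %s  %s" % row)
```
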
From: Surago J. <su...@sj...> - 2005-09-11 15:40:59
I have just looked at the source code for Mac-Robber and have come to the following possibilities... :)

Column1: Something to do with MD5 value? No idea, but that is what the variable was named. :_)
Column3: Device string? Or something along those lines??
Column5: Mode??
Column7: Number of links to this file??
Column15: Block Size of device
Column16: Blocks??

So slowly getting there by reading source. :) But I'm sure it can be easily answered by the author. :)

Cheers

Surago

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Surago Jones
Sent: Monday, 12 September 2005 03:34
To: sle...@li...
Subject: [sleuthkit-developers] MacTime Body file format

Hi,

I'm just looking at the body file used by MacTime and am wondering what the field layout is. I have checked out the MacTime Source code, however my C is very rusty, and I'm not sure what some of the variables stand for.

My guess is as follows...

Example Data:

'0|/usr/bin/uptime|0|17088|33133|-/-r-xr-xr-x|1|0|0|0|2836|973693553|952452206|973386197|4096|0'

Column1:  0                Assigned to $tmp, so unused??
Column2:  /usr/bin/uptime  Filename
Column3:  0                Assigned to $tmp, so unused??
Column4:  17088            Inode
Column5:  33133            Assigned to $tmp, so unused??
Column6:  -/-r-xr-xr-x     Rights for ls listings??
Column7:  1                Assigned to $tmp, so unused??
Column8:  0                Think this would be User Owner ID??
Column9:  0                Think this would be Group Owner ID??
Column10: 0                Assigned to $tmp, so unused??
Column11: 2836             Size of file
Column12: 973693553        A-Time
Column13: 952452206        M-Time
Column14: 973386197        C-Time
Column15: 4096             Assigned to $tmp, so unused??
Column16: 0                Assigned to $tmp, so unused??

If anyone can fill me in on what the $tmp columns may represent it would be appreciated. Also what the correct terming of the data contained in Column 6 is.

This info I gathered from the source code file mactime.base, I have looked at the fls sourcecode however I wasn't able to understand that on the very quick glance I had at it. :) (Was mainly looking for comments or descriptive variables. :) )

Cheers

Surago.
From: Surago J. <su...@sj...> - 2005-09-11 15:30:48
Hi,

I'm just looking at the body file used by MacTime and am wondering what the field layout is. I have checked out the MacTime Source code, however my C is very rusty, and I'm not sure what some of the variables stand for.

My guess is as follows...

Example Data:

'0|/usr/bin/uptime|0|17088|33133|-/-r-xr-xr-x|1|0|0|0|2836|973693553|952452206|973386197|4096|0'

Column1:  0                Assigned to $tmp, so unused??
Column2:  /usr/bin/uptime  Filename
Column3:  0                Assigned to $tmp, so unused??
Column4:  17088            Inode
Column5:  33133            Assigned to $tmp, so unused??
Column6:  -/-r-xr-xr-x     Rights for ls listings??
Column7:  1                Assigned to $tmp, so unused??
Column8:  0                Think this would be User Owner ID??
Column9:  0                Think this would be Group Owner ID??
Column10: 0                Assigned to $tmp, so unused??
Column11: 2836             Size of file
Column12: 973693553        A-Time
Column13: 952452206        M-Time
Column14: 973386197        C-Time
Column15: 4096             Assigned to $tmp, so unused??
Column16: 0                Assigned to $tmp, so unused??

If anyone can fill me in on what the $tmp columns may represent it would be appreciated. Also what the correct terming of the data contained in Column 6 is.

This info I gathered from the source code file mactime.base, I have looked at the fls sourcecode however I wasn't able to understand that on the very quick glance I had at it. :) (Was mainly looking for comments or descriptive variables. :) )

Cheers

Surago.
From: <ro...@mo...> - 2005-06-16 11:38:21
Hmmmmm......

Paul,

I've installed everything from the latest cygwin on 3 windows XP machines. I've added the magic location in an environment variable, no luck so far. This morning I've tried to install 2.00, same error messages on XP. Did you install everything from cygwin or the default?

RJM.

> Hmm..
>
> Then I do have to inform you that I did all that (My testing) on a
> Windows XP machine!.. So that is not the case... I think it is more
> something of environment variables/tools missing or too much on your XP
> machine.
>
> I would like to help, but without being able to reproduce the problem,
> that is hard.
>
> Are you sure you installed the same tools within cygwin at both PC's?
>
> Paul
>
> On Thu, Jun 16, 2005 at 08:16:33AM +0000, ro...@mo... wrote:
> > Hello,
> >
> > I want to install the latest version of the sleuthkit under cygwin on windows XP. Paul
> > told me to install the latest cygwin. I've done that but keep getting the same compile
> > errors in windows XP dutch and english versions. I've installed the latest cygwin+
> > sleuthkit on a windows 2000 client. Everything works fine, but I want the latest version
> > to work under cygwin with windows XP.
> >
> > I keep getting the same following error messages on different machines with XP
> > installed;
> >
> > magic type offset invalid(numerous times) messages.
> >
> > file: could not find any magic files!
> > make[2]:***[magic.mgc] error 255
> > make[2]: leaving directory "/usr/local/sleuthkit2-.01/src/file/magic"
> > make[1]: ***[install recursive]error 1
> > make [1]: leaving directory "/usr/local/sleuthkit2-.01/src/file"
> > make:***[file] error 2
> >
> > I'm getting a little bit frustrated about it and hope that someone has the solution.
> >
> > RJM.
From: Paul B. <ba...@fo...> - 2005-05-29 22:59:58
Robert-Jan,

I just downloaded sleuthkit 2.01 to check for you. Under my cygwin with the latest install of the tools (gcc, automake, libtool, autoconf, make and such) it compiles in one run without any errors...

So I think it has to do with the version of your tools or an omission of one required tool in your cygwin install.

I hope this helps a bit..

Paul Bakker

> -----Original Message-----
> From: ro...@mo... [mailto:ro...@mo...]
> Sent: Wednesday 25 May 2005 6:02
> To: sle...@li...
> Cc: sle...@li...
> Subject: [sleuthkit-developers] compile tsk 2.01 error cygwin
>
> Hello,
>
> I want to compile the latest sleuthkit 2.01 under cygwin. But
> I keep getting error messages about magic file. Error messages:
>
> Error file could not find any magic files!
> Make 2 magic.mgc error 255?
>
> Has anyone been successful installing the latest TSK and autopsy?
>
> Thanks,
>
> RJM
From: <ro...@mo...> - 2005-05-25 10:02:07
Hello,

I want to compile the latest sleuthkit 2.01 under cygwin. But I keep getting error messages about magic file. Error messages:

Error file could not find any magic files!
Make 2 magic.mgc error 255?

Has anyone been successful installing the latest TSK and autopsy?

Thanks,

RJM
From: Marcio C. <mar...@gm...> - 2005-05-23 14:05:32
On 5/22/05, Brian Carrier <ca...@sl...> wrote:
>
> hfind uses the local 'sort' tool to sort the index file. I think the
> NSRL files are already somewhat sorted by SHA1, but not fully (although
> I'm traveling and don't have access to the full database). So, the
> SHA1 sorting does not need as many temporary files because less work
> needs to be done. The MD5 sorting may need to duplicate the entire DB
> in temp files.

The strange thing is that the /tmp has 1GB... And the oddest thing is that now it worked... :-P

Maybe I have updated sort, I'm not sure...

Thanks!

Márcio.
From: Brian C. <ca...@sl...> - 2005-05-23 03:06:42
On May 17, 2005, at 4:38 PM, Marcio Carneiro wrote:
> Hi!
>
> Has anyone had problems with sort in hfind to create the index file
> for NSRL?
>
> I can't sort the MD5 index file, but I can sort the SHA1 index file!
> The message is like:
>
> sort: write failed: /tmp/sortKYlDin: No space left on device
>
> I don't understand why it happens only with the MD5 file, that has the
> same number of lines as the SHA1 file (12421779)!

hfind uses the local 'sort' tool to sort the index file. I think the NSRL files are already somewhat sorted by SHA1, but not fully (although I'm traveling and don't have access to the full database). So, the SHA1 sorting does not need as many temporary files because less work needs to be done. The MD5 sorting may need to duplicate the entire DB in temp files.

brian
From: Matthew S. <msh...@ag...> - 2005-05-18 03:43:20
I will be out of the office from May 10, 2005 through May 18, 2005. If this request is urgent, or in regards to prospective or ongoing engagements, please contact my partner, Matthew Decker at mjd...@ag... or 1-877-244-5313.

Warmest Regards,
M. Shannon
From: Marcio C. <mar...@gm...> - 2005-05-17 21:38:08
Hi!

Has anyone had problems with sort in hfind to create the index file for NSRL?

I can't sort the MD5 index file, but I can sort the SHA1 index file! The message is like:

sort: write failed: /tmp/sortKYlDin: No space left on device

I don't understand why it happens only with the MD5 file, that has the same number of lines as the SHA1 file (12421779)!

Thanks!

Márcio.
From: Brian C. <ca...@sl...> - 2005-05-17 14:52:32
On May 17, 2005, at 8:08 AM, Jaime Chang wrote:
> On 05/17/05 00:57, Brian Carrier wrote:
>
>> Did you change the code associated with the short and long file
>> names? The crash is in the code looking for the short name and I
>> remember you wanted to get rid of them.... If you didn't then I
>> have a new version that checks a return value (which it should have
>> before) and prevents a crash.
>
> No, actually I untarred a fresh copy of the TSK 2.01 just to double check
> that this wasn't caused by the changes I made.

Hmm, try this version of src/fstools/fatfs_dent.c at: http://sleuthkit.sf.net/sleuthkit/fatfs_dent.c

Can you also send me the output of 'icat IMG.DD 2 | xxd' so that I can see the directory entry that is causing problems. Was this file deleted using Debian (or whichever distro that shows the ils vs fls issue)?

thanks,
brian
From: Jaime C. <jc...@id...> - 2005-05-17 13:09:02
On 05/17/05 00:57, Brian Carrier wrote:
> Did you change the code associated with the short and long file
> names? The crash is in the code looking for the short name and I
> remember you wanted to get rid of them.... If you didn't then I
> have a new version that checks a return value (which it should have
> before) and prevents a crash.

No, actually I untarred a fresh copy of the TSK 2.01 just to double check that this wasn't caused by the changes I made.

jimmy
From: Brian C. <ca...@sl...> - 2005-05-17 04:57:50
Did you change the code associated with the short and long file names? The crash is in the code looking for the short name and I remember you wanted to get rid of them.... If you didn't then I have a new version that checks a return value (which it should have before) and prevents a crash.

brian

On May 16, 2005, at 5:21 PM, Jaime Chang wrote:
> I was testing usbkey with one FAT16 partition that contained active
> and deleted directories and files.
>
> I run the fls command against the FAT16 partition and it segmented
> fault
>
> + r/r 73217: D3X100K.txt
> + r/r 73218: D3Y1M-E.txt
> d/d * 5: _IR004
> d/d 6: OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO OOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
> Segmentation fault (core dumped)
>
> gdb output:
>
> #0 0x08063af5 in fatfs_dent_parse_block (fatfs=0x807e048,
> buf=0x807f038 "åIR002 \020", len=512, addr=384, flags=7,
> fs_dent=0x8084068,
> action=0x8070335 <print_dent_act>, ptr=0x0) at fatfs_dent.c:464
>
> I can see that buf address has junk in it (buf=0x807f038 "åIR002 \020")