Thread: [sleuthkit-developers] Some questions
From: kenshin <ken...@gm...> - 2006-06-20 23:37:49
I'm interested in developing sleuthkit and I have some questions ...

Why do you want to use static executables?
Why do you not use shared libraries?
Why do you use "cd dir; make" instead of "make -C dir"?
Why does "src/fstools/" hold both filesystems and tools to analyze? I think it is better to put filesystems in src/fs/ and tools in src/fstools/
Why do you compile the commands file, md5, sha1? (a normal system has its own)
Is anyone interested in reiserfs development?

It's all for now :)
From: Valter S. <vsa...@se...> - 2006-06-21 00:56:31
kenshin wrote:
>
> Why do you want to use static executables?
> Why do you not use shared libraries?

For forensic and incident response purposes: with static executables we don't rely on anything that is deployed on a compromised system when performing live analysis. This is done so we get a "trusted" executable we can rely on.

> Why do you compile the commands file, md5, sha1? (a normal system has its own)

The same as above, I think. These tools are crucial to sleuthkit activity, so they get compiled in a trusted fashion ;)

have fun
/valter

--
o Valter Santos <vsantola at sectoid.com>
o INFOCON Tactical Overview: http://infocon.sectoid.com
o
o PGP Key ID: 0xE2A4B206
o Fingerprint: 99FA 3D80 4B54 BA70 7DD7 C751 47BA 49BC E2A4 B206
o
o Attack is the secret of defense; defense is the planning of an attack.
o Sun Tzu, Art of War
From: kenshin <ken...@gm...> - 2006-06-21 02:10:43
I know that we don't use untrusted executables, but normally we make a copy of the hd to another one and then we analyze this image on our computer, and I trust my computer :)

Thanks for the interest
From: Valter S. <vsa...@se...> - 2006-06-21 15:59:48
kenshin wrote:
> I know that we don't use untrusted executables, but normally we make a copy
> of the hd to another one and then we analyze this image on our computer, and
> I trust my computer :)
>

Kenshin, but this is not always the case; there are times when we need to analyze a system that couldn't be powered off, so we need trusted binaries for live analysis.

Anyway, as Brian already pointed out, compiling sleuthkit as static is optional, so your problem is solved here :-)

have fun
/valter

--
o Valter Santos <vsantola at sectoid.com>
o INFOCON Tactical Overview: http://infocon.sectoid.com
o
o PGP Key ID: 0xE2A4B206
o Fingerprint: 99FA 3D80 4B54 BA70 7DD7 C751 47BA 49BC E2A4 B206
o
o Attack is the secret of defense; defense is the planning of an attack.
o Sun Tzu, Art of War
From: Brian C. <ca...@sl...> - 2006-06-21 04:45:07
On Jun 20, 2006, at 7:37 PM, kenshin wrote:

> I'm interested in developing sleuthkit and I have some questions ...
>
> Why do you want to use static executables?
> Why do you not use shared libraries?

By default, the executables use shared libraries and are not static. There is the option for static binaries so that you can use them for live analysis and not have to rely on untrusted libraries.

> Why do you use "cd dir; make" instead of "make -C dir"?

They have the same effect, don't they? Is 'make -C dir' only in GNU or is it also in BSD make?

> Why does "src/fstools/" hold both filesystems and tools to analyze? I think
> it is better to put filesystems in src/fs/ and tools in src/fstools/

Yea, I could separate the library code from the tools one of these days.

> Why do you compile the commands file, md5, sha1? (a normal system has
> its own)
> Is anyone interested in reiserfs development?

As someone else said, it forces a consistent version of the tools to exist. Different systems have different output formats.

brian
From: kenshin <ken...@gm...> - 2006-06-21 11:38:14
I think that making a shared library with all the possible code is better than putting the same code in all files. You could make a libsleuthkit.so with ~1M of code. If you want small files, don't use -g -Wall in gcc :)

> They have the same effect, don't they? Is 'make -C dir' only in GNU
> or is it also in BSD make?

FreeBSD has the -C option in make.

Other suggestion: I think that opening stdin is better than opening a file. For example "fls < ext3fs.img" is better because you could, for example, run "bunzip2 -c ext3fs.img.bz2 | fls" or other combinations. With this you have small images, and if you have a good cpu you could scan images faster :)

Thanks for resolving my doubts
From: Michael C. <mic...@ne...> - 2006-07-06 11:42:36
On Wed, Jun 21, 2006 at 01:38:13PM +0200, kenshin wrote:
> Other suggestion: I think that opening stdin is better than opening a file.
> For example "fls < ext3fs.img" is better because you could, for example,
> run "bunzip2 -c ext3fs.img.bz2 | fls" or other combinations. With this
> you have small images, and if you have a good cpu you could scan
> images faster :)

kenshin, it's impossible for fls to use stdin since it needs to seek in the input file, which means it can't use a pipe (you could still do fls < ext3fs.img because that's not a pipe, but not the second example). Also, for normal images you certainly couldn't do bunzip2 -c ext3fs.img.bz2 | fls because the image would take a huge length of time to decompress for a single shot of fls. If you want to handle compressed images you had better use ewf, eff or sgzip formats.

Michael.
From: kenshin <ken...@gm...> - 2006-07-07 01:20:32
Thanks Michael for resolving my doubts. I made some tests with sgzip, but I don't see where the compression is between the raw image and the sgzip image. Do you know other seekable compression systems?
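Michael's point that fls must seek in its input (so a pipe cannot feed it) and kenshin's question about seekable compression, illustrated by an added Python example that is not part of this thread or of The Sleuth Kit: a toy block-indexed deflate format in the spirit of sgzip, read at random offsets over a constructed image. The block size, function names and sample image are my own assumptions; real sgzip/EWF have their own block sizes and headers.

```python
import io
import os
import zlib

# Assumed for this example: fixed block size of the toy seekable format.
BLOCK = 4096

def block_compress(image: bytes, block: int = BLOCK) -> tuple[bytes, list[int]]:
    """Deflate the image one block at a time and record where each compressed
    block starts; index has one extra entry marking the end of the last block."""
    out, index = io.BytesIO(), []
    for off in range(0, len(image), block):
        index.append(out.tell())
        out.write(zlib.compress(image[off:off + block]))
    index.append(out.tell())
    return out.getvalue(), index

def block_read(blob: bytes, index: list[int], offset: int, length: int,
               block: int = BLOCK) -> bytes:
    """Random access: image[offset:offset+length] by inflating only the blocks
    that overlap the range. This is the seek a tool like fls relies on."""
    if length <= 0 or offset // block >= len(index) - 1:
        return b""
    first, last = offset // block, (offset + length - 1) // block
    out = bytearray()
    for b in range(first, min(last, len(index) - 2) + 1):
        plain = zlib.decompress(blob[index[b]:index[b + 1]])
        start = offset - b * block if b == first else 0
        end = offset + length - b * block if b == last else len(plain)
        out += plain[start:end]
    return bytes(out)

def pipe_is_seekable() -> bool:
    """A pipe, as in 'bunzip2 -c img.bz2 | fls', cannot seek; fls would fail."""
    r, w = os.pipe()
    os.close(w)
    with os.fdopen(r, "rb") as f:
        return f.seekable()

def demo() -> dict:
    # Constructed image: ten zero blocks (compress well) plus one random block
    # (does not); an image that is mostly random data gains little from sgzip.
    zeros, noise = b"\x00" * (10 * BLOCK), os.urandom(BLOCK)
    image = zeros + noise
    blob, index = block_compress(image)
    return {
        "ratio_zeros": len(block_compress(zeros)[0]) / len(zeros),
        "ratio_noise": len(block_compress(noise)[0]) / len(noise),
        "span_ok": block_read(blob, index, 3 * BLOCK - 5, 10) == image[3 * BLOCK - 5:3 * BLOCK + 5],
        "tail_ok": block_read(blob, index, 10 * BLOCK, 2 * BLOCK) == noise,
        "pipe_seekable": pipe_is_seekable(),
    }
```

The two compression ratios show why a raw image that is already high-entropy (encrypted or compressed content, random fill) looks no smaller as sgzip: per-block deflate only wins on blocks with redundancy.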