sleuthkit-users Mailing List for The Sleuth Kit (Page 16)
Brought to you by: carrier
From: Brian C. <ca...@sl...> - 2016-07-09 14:08:35

Has anyone tried libewf-20140608.tar.gz to see if it works without TSK code changes? We tried the latest experimental a while back, but ran into some problems with that and backed off.

> On Jul 9, 2016, at 12:28 AM, Edward Diener <eld...@tr...> wrote:
>
> On 7/8/2016 11:56 PM, Brian Carrier wrote:
>> We use the 64-bit version on github, but I have an email from Joachim a while back saying to go to https://github.com/libyal/libewf/wiki for the older stable releases, which eventually directs you to this google drive: https://53efc0a7187d0baa489ee347026b8278fe4020f6.googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/
> None of those versions are compatible with the latest TSK, whether 'develop' or 'master' branch. For the reason why please see http://forum.sleuthkit.org/viewtopic.php?f=9&t=2740&sid=cc46e2042f4e0696d6e7c22ed2efc90a.
> I have been using the 64-bit version on Sleuthkit's github configured for both 32-bit and 64-bit configurations, but I believe this may be a very old libewf version.
>
> Eddie Diener
>>
>>> On Jun 24, 2016, at 3:31 PM, Edward Diener <eld...@tr...> wrote:
>>>
>>> In the instructions for building Sleuthkit from source on Windows with the VC++ compiler it says in the win32/BUILDING.txt file:
>>>
>>> "1) Download libewf-20130128 (or later). The official releases are from:
>>> http://sourceforge.net/projects/libewf/"
>>>
>>> There is no longer a libewf-20130128 release (or any other libewf release) at Sourceforge and the only releases offered after that from the libewf Github site are in Linux line ending format, come after the libewf-20130128 release, and are incompatible with the current Sleuthkit source, whether 'master' or 'develop' branch. Furthermore the libewf Github source is also incompatible with SleuthKit, as explained at http://forum.sleuthkit.org/viewtopic.php?f=9&t=2740.
>>>
>>> How can I get the libewf-20130128 release for Windows so I can build Sleuthkit from source using VC++?
>>>
>>> ------------------------------------------------------------------------------
>>> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA to explore cutting-edge tech and listen to tech luminaries present their vision of the future. This family event has something for everyone, including kids. Get more information and register today.
>>> http://sdm.link/attshape
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
From: Edward D. <eld...@tr...> - 2016-07-09 04:28:38

On 7/8/2016 11:56 PM, Brian Carrier wrote:
> We use the 64-bit version on github, but I have an email from Joachim a while back saying to go to https://github.com/libyal/libewf/wiki for the older stable releases, which eventually directs you to this google drive: https://53efc0a7187d0baa489ee347026b8278fe4020f6.googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/

None of those versions are compatible with the latest TSK, whether 'develop' or 'master' branch. For the reason why please see http://forum.sleuthkit.org/viewtopic.php?f=9&t=2740&sid=cc46e2042f4e0696d6e7c22ed2efc90a.

I have been using the 64-bit version on Sleuthkit's github configured for both 32-bit and 64-bit configurations, but I believe this may be a very old libewf version.

Eddie Diener

>> On Jun 24, 2016, at 3:31 PM, Edward Diener <eld...@tr...> wrote:
>>
>> In the instructions for building Sleuthkit from source on Windows with the VC++ compiler it says in the win32/BUILDING.txt file:
>>
>> "1) Download libewf-20130128 (or later). The official releases are from:
>> http://sourceforge.net/projects/libewf/"
>>
>> There is no longer a libewf-20130128 release (or any other libewf release) at Sourceforge and the only releases offered after that from the libewf Github site are in Linux line ending format, come after the libewf-20130128 release, and are incompatible with the current Sleuthkit source, whether 'master' or 'develop' branch. Furthermore the libewf Github source is also incompatible with SleuthKit, as explained at http://forum.sleuthkit.org/viewtopic.php?f=9&t=2740.
>>
>> How can I get the libewf-20130128 release for Windows so I can build Sleuthkit from source using VC++?
From: Brian C. <ca...@sl...> - 2016-07-09 03:57:00

We use the 64-bit version on github, but I have an email from Joachim a while back saying to go to https://github.com/libyal/libewf/wiki for the older stable releases, which eventually directs you to this google drive: https://53efc0a7187d0baa489ee347026b8278fe4020f6.googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/

> On Jun 24, 2016, at 3:31 PM, Edward Diener <eld...@tr...> wrote:
>
> In the instructions for building Sleuthkit from source on Windows with the VC++ compiler it says in the win32/BUILDING.txt file:
>
> "1) Download libewf-20130128 (or later). The official releases are from:
> http://sourceforge.net/projects/libewf/"
>
> There is no longer a libewf-20130128 release (or any other libewf release) at Sourceforge and the only releases offered after that from the libewf Github site are in Linux line ending format, come after the libewf-20130128 release, and are incompatible with the current Sleuthkit source, whether 'master' or 'develop' branch. Furthermore the libewf Github source is also incompatible with SleuthKit, as explained at http://forum.sleuthkit.org/viewtopic.php?f=9&t=2740.
>
> How can I get the libewf-20130128 release for Windows so I can build Sleuthkit from source using VC++?
From: Simson G. <si...@ac...> - 2016-06-30 01:36:30

It's pretty easy to add support for new file formats to TSK. You just add it to the img_open_table() in img_types.c, add the bitfields to TSK_IMG_TYPE_ENUM in tsk_img.h, and update img_open.c.

Try this search to see all the places that AFF is referenced: https://github.com/sleuthkit/sleuthkit/search?utf8=%E2%9C%93&q=AFF

The issue with AFF is that version 3 doesn't offer compelling features over EWF. Version 4 does, but as others have said, it isn't ready for general use yet.

Simson

> On Jun 27, 2016, at 6:02 PM, Edward Diener <eld...@tr...> wrote:
>
> On 6/27/2016 4:32 PM, Simson Garfinkel wrote:
>> I don't recommend using AFF at this point for production purposes.
>>
>> Why do you want to use it?
> I was curious whether it is integrated into TSK or not and, if so, how was it done? I actually have little use for it in the project on which I am working.
>
> Eddie Diener
>>
>> ----
>> Sent from my phone.
>>
>>> On Jun 27, 2016, at 3:16 PM, Edward Diener <eld...@tr...> wrote:
>>>
>>>> On 6/27/2016 3:08 PM, Edward Diener wrote:
>>>> Hello Eddie,
>>>>
>>>> You're correct regarding RAW files. RAW can have different extensions other than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes all of those. Single refers to a single disk image file such as someimage.dd, and split refers to a disk image file separated into multiple chunks such as someotherimage.001, someotherimage.002, someotherimage.003, ... Windows doesn't come with an included disk imager as far as I'm aware.
>>> There is a product called FTK Imager from AccessData which can create EWF image files.
>>>> RAW and .dd is pretty much considered an industry standard, regardless of the file extension actually used or the examiner's chosen platform.
>>> I will investigate these on the web.
>>>> You're also correct regarding EWF (Expert Witness Format). AFF (Advanced Forensic Format) uses AFFLIB, which can be found here: https://github.com/sshock/AFFLIBv3/releases.
>>> How do I add support for AFF to TSK if I need it? The docs don't seem to mention this.
>>>> I hope this helps!
>>> Very helpful. Thanks!
>>>> Hoyt
>>>>
>>>> On Sat, Jun 25, 2016 at 7:42 AM, Edward Diener <eldlistmailingz@...> wrote:
>>>>
>>>>> What are the disk image formats in TSK?
>>>>>
>>>>> I see mention of single and split raw images. To what do these refer? Are these files created by the Linux 'dd' command? What about on other operating systems such as Windows?
>>>>>
>>>>> I also see mention of EWF and AFF. I assume that EWF are images created by the libewf project and I can see that TSK 4.2.0 supports libewf. What is needed to support AFF and where would I find more information about it?
>>>>>
>>>>> Eddie Diener
From: Luís F. N. <lfc...@gm...> - 2016-06-29 13:34:41

Hi Mauricio,

I think you are right. The fix uses parent paths to choose the correct parent, so it will not work if the possible parents have the same path and name. I think there should be another approach for the fix, because the child paths always were ok, so tsk knows the correct parent at some point.

Luis

2016-06-24 15:10 GMT-03:00 Mauricio Lage <mau...@gm...>:
> Hi,
> I have verified the same issue with a case I am currently working on: many allocated files were put into a wrong deleted parent folder. But some of those wrong deleted parent folders have exactly the same name and path of the true parent folders. For example, there are two "Program Files" folders in the root, one allocated and one deleted, and many allocated children were put below the deleted "Program Files". So I think the current fix, that uses the parent paths to decide into which folder they will be put, will not work for some cases like mine.
>
> thanks,
>
> --
> Mauricio S. Lage
From: Hoyt H. <hoy...@gm...> - 2016-06-28 17:14:02

Simson is the man behind AFF and he has the authoritative opinion on this, together with Michael Cohen and Bradley Schatz. They're working on AFF4 currently and, based on what he said, it doesn't sound like that's ready yet. Previous versions of AFF are deprecated. Once it's ready, TSK would need to be compiled against the AFF4 library similar to the way it's done using libewf.

For what it's worth, I've been tinkering around this past month compiling TSK against the latest version of AFF4 from Github resulting in errors. You can experiment with it as well if you'd like, but I'd wait until the AFF4 guys have a stable release they're happy with.

Otherwise, here's more detailed information: http://forensicswiki.org/wiki/AFF4

...and here's AFF4 on Github (read the README.md, then find the releases): https://github.com/google/aff4

Hoyt

On Mon, Jun 27, 2016 at 5:02 PM, Edward Diener <eld...@tr...> wrote:
> On 6/27/2016 4:32 PM, Simson Garfinkel wrote:
> > I don't recommend using AFF at this point for production purposes.
> >
> > Why do you want to use it?
> I was curious whether it is integrated into TSK or not and, if so, how was it done? I actually have little use for it in the project on which I am working.
>
> Eddie Diener
> >
> > ----
> > Sent from my phone.
> >
> >> On Jun 27, 2016, at 3:16 PM, Edward Diener <eld...@tr...> wrote:
> >>
> >>> On 6/27/2016 3:08 PM, Edward Diener wrote:
> >>> Hello Eddie,
> >>>
> >>> You're correct regarding RAW files. RAW can have different extensions other than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes all of those. Single refers to a single disk image file such as someimage.dd, and split refers to a disk image file separated into multiple chunks such as someotherimage.001, someotherimage.002, someotherimage.003, ... Windows doesn't come with an included disk imager as far as I'm aware.
> >> There is a product called FTK Imager from AccessData which can create EWF image files.
> >>> RAW and .dd is pretty much considered an industry standard, regardless of the file extension actually used or the examiner's chosen platform.
> >> I will investigate these on the web.
> >>> You're also correct regarding EWF (Expert Witness Format). AFF (Advanced Forensic Format) uses AFFLIB, which can be found here: https://github.com/sshock/AFFLIBv3/releases.
> >> How do I add support for AFF to TSK if I need it? The docs don't seem to mention this.
> >>> I hope this helps!
> >> Very helpful. Thanks!
> >>> Hoyt
> >>>
> >>> On Sat, Jun 25, 2016 at 7:42 AM, Edward Diener <eldlistmailingz@...> wrote:
> >>>
> >>>> What are the disk image formats in TSK?
> >>>>
> >>>> I see mention of single and split raw images. To what do these refer? Are these files created by the Linux 'dd' command? What about on other operating systems such as Windows?
> >>>>
> >>>> I also see mention of EWF and AFF. I assume that EWF are images created by the libewf project and I can see that TSK 4.2.0 supports libewf. What is needed to support AFF and where would I find more information about it?
> >>>>
> >>>> Eddie Diener

--
Hoyt
-----------------
There are 11 kinds of people - those who think binary jokes are funny, those who don't, ...and those who don't know binary.
From: Edward D. <eld...@tr...> - 2016-06-27 22:02:58

On 6/27/2016 4:32 PM, Simson Garfinkel wrote:
> I don't recommend using AFF at this point for production purposes.
>
> Why do you want to use it?

I was curious whether it is integrated into TSK or not and, if so, how was it done? I actually have little use for it in the project on which I am working.

Eddie Diener

>
> ----
> Sent from my phone.
>
>> On Jun 27, 2016, at 3:16 PM, Edward Diener <eld...@tr...> wrote:
>>
>>> On 6/27/2016 3:08 PM, Edward Diener wrote:
>>> Hello Eddie,
>>>
>>> You're correct regarding RAW files. RAW can have different extensions other than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes all of those. Single refers to a single disk image file such as someimage.dd, and split refers to a disk image file separated into multiple chunks such as someotherimage.001, someotherimage.002, someotherimage.003, ... Windows doesn't come with an included disk imager as far as I'm aware.
>> There is a product called FTK Imager from AccessData which can create EWF image files.
>>> RAW and .dd is pretty much considered an industry standard, regardless of the file extension actually used or the examiner's chosen platform.
>> I will investigate these on the web.
>>> You're also correct regarding EWF (Expert Witness Format). AFF (Advanced Forensic Format) uses AFFLIB, which can be found here: https://github.com/sshock/AFFLIBv3/releases.
>> How do I add support for AFF to TSK if I need it? The docs don't seem to mention this.
>>> I hope this helps!
>> Very helpful. Thanks!
>>> Hoyt
>>>
>>> On Sat, Jun 25, 2016 at 7:42 AM, Edward Diener <eldlistmailingz@...> wrote:
>>>
>>>> What are the disk image formats in TSK?
>>>>
>>>> I see mention of single and split raw images. To what do these refer? Are these files created by the Linux 'dd' command? What about on other operating systems such as Windows?
>>>>
>>>> I also see mention of EWF and AFF. I assume that EWF are images created by the libewf project and I can see that TSK 4.2.0 supports libewf. What is needed to support AFF and where would I find more information about it?
>>>>
>>>> Eddie Diener
From: Edward D. <eld...@tr...> - 2016-06-27 19:17:01

On 6/27/2016 3:08 PM, Edward Diener wrote:
> Hello Eddie,
>
> You're correct regarding RAW files. RAW can have different extensions other than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes all of those. Single refers to a single disk image file such as someimage.dd, and split refers to a disk image file separated into multiple chunks such as someotherimage.001, someotherimage.002, someotherimage.003, ... Windows doesn't come with an included disk imager as far as I'm aware.

There is a product called FTK Imager from AccessData which can create EWF image files.

> RAW and .dd is pretty much considered an industry standard, regardless of the file extension actually used or the examiner's chosen platform.

I will investigate these on the web.

>
> You're also correct regarding EWF (Expert Witness Format). AFF (Advanced Forensic Format) uses AFFLIB, which can be found here: https://github.com/sshock/AFFLIBv3/releases.

How do I add support for AFF to TSK if I need it? The docs don't seem to mention this.

>
> I hope this helps!

Very helpful. Thanks!

>
> Hoyt
>
> On Sat, Jun 25, 2016 at 7:42 AM, Edward Diener <eldlistmailingz@...> wrote:
>
>> What are the disk image formats in TSK?
>>
>> I see mention of single and split raw images. To what do these refer? Are these files created by the Linux 'dd' command? What about on other operating systems such as Windows?
>>
>> I also see mention of EWF and AFF. I assume that EWF are images created by the libewf project and I can see that TSK 4.2.0 supports libewf. What is needed to support AFF and where would I find more information about it?
>>
>> Eddie Diener
From: Hoyt H. <hoy...@gm...> - 2016-06-25 19:03:57

Hello Eddie,

You're correct regarding RAW files. RAW can have different extensions other than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes all of those. Single refers to a single disk image file such as someimage.dd, and split refers to a disk image file separated into multiple chunks such as someotherimage.001, someotherimage.002, someotherimage.003, ... Windows doesn't come with an included disk imager as far as I'm aware.

RAW and .dd is pretty much considered an industry standard, regardless of the file extension actually used or the examiner's chosen platform.

You're also correct regarding EWF (Expert Witness Format). AFF (Advanced Forensic Format) uses AFFLIB, which can be found here: https://github.com/sshock/AFFLIBv3/releases.

I hope this helps!

Hoyt

On Sat, Jun 25, 2016 at 7:42 AM, Edward Diener <eld...@tr...> wrote:
> What are the disk image formats in TSK?
>
> I see mention of single and split raw images. To what do these refer? Are these files created by the Linux 'dd' command? What about on other operating systems such as Windows?
>
> I also see mention of EWF and AFF. I assume that EWF are images created by the libewf project and I can see that TSK 4.2.0 supports libewf. What is needed to support AFF and where would I find more information about it?
>
> Eddie Diener

--
Hoyt
-----------------
There are 11 kinds of people - those who think binary jokes are funny, those who don't, ...and those who don't know binary.
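Hoyt's description of single versus split raw images (someimage.dd versus someotherimage.001, .002, .003, ...) is the whole of the format: there is no header, the segments simply concatenate. The added example below, which is not code from the mailing list or from The Sleuth Kit, shows the two things a reader of split images has to get right: ordering segments by their numeric suffix rather than lexically, and mapping a logical byte offset onto the right segment so a read that straddles a segment boundary still returns contiguous bytes. Segment contents are constructed in memory with io.BytesIO in place of files; the class and function names are this example's own.

```python
"""Added example: a minimal split-raw image reader (not TSK code)."""
import io
import re
from bisect import bisect_right

_SEG_RE = re.compile(r"\.(\d{3})$")


def order_segments(names):
    """Sort split-raw file names by their numeric suffix (.001, .002, ...).

    A plain string sort would already put .009 before .010, but sorting on
    the integer guards against mixed padding; names without a three-digit
    numeric suffix are rejected rather than silently skipped.
    """
    keyed = []
    for name in names:
        match = _SEG_RE.search(name)
        if not match:
            raise ValueError(f"not a split-raw segment name: {name}")
        keyed.append((int(match.group(1)), name))
    keyed.sort()
    return [name for _, name in keyed]


class SplitRawImage:
    """Present an ordered list of segment file objects as one byte stream."""

    def __init__(self, segments):
        # segments: binary file-like objects, already in .001/.002/... order.
        self.segments = segments
        self.starts = []  # logical offset at which each segment begins
        offset = 0
        for seg in segments:
            self.starts.append(offset)
            seg.seek(0, io.SEEK_END)
            offset += seg.tell()
        self.size = offset

    def read(self, offset, length):
        """Read `length` bytes at logical `offset`, crossing segment boundaries.

        Reads past the end of the image are returned short rather than padded
        so that a caller can tell truncation apart from zero-filled data.
        """
        if offset < 0 or length < 0:
            raise ValueError("offset and length must be non-negative")
        out = bytearray()
        while length > 0 and offset < self.size:
            idx = bisect_right(self.starts, offset) - 1
            seg = self.segments[idx]
            seg.seek(offset - self.starts[idx])
            chunk = seg.read(length)  # stops at this segment's end
            if not chunk:
                break  # segment shorter than its recorded size
            out += chunk
            offset += len(chunk)
            length -= len(chunk)
        return bytes(out)


def build_demo_image():
    """Constructed sample: three segments of unequal size, the last one short,
    as happens when an imager splits at a fixed size and the media ends."""
    segments = [io.BytesIO(b"A" * 8), io.BytesIO(b"B" * 8), io.BytesIO(b"C" * 4)]
    return SplitRawImage(segments)


if __name__ == "__main__":
    img = build_demo_image()
    print(img.size)                # 20
    print(img.read(6, 6))          # b'AABBBB': crosses from segment 1 into 2
    print(img.read(14, 10))        # b'BBCCCC': short read at end of image
    print(order_segments(["img.010", "img.002", "img.001"]))
```

The same offset-to-segment mapping is what a tool needs before it can probe for a partition table or file system at a given sector offset, which is why a mis-ordered or missing segment shows up as a detection failure rather than as an obvious I/O error.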
From: Edward D. <eld...@tr...> - 2016-06-25 12:46:58

Is there any technical reason that libtsk cannot be built as a DLL, with extern "C" functionality so that it can be called from other languages? I have a client who would like to call the functionality in libtsk from Embarcadero's Delphi.

Eddie Diener
From: Edward D. <eld...@tr...> - 2016-06-25 12:42:53

What are the disk image formats in TSK?

I see mention of single and split raw images. To what do these refer? Are these files created by the Linux 'dd' command? What about on other operating systems such as Windows?

I also see mention of EWF and AFF. I assume that EWF are images created by the libewf project and I can see that TSK 4.2.0 supports libewf. What is needed to support AFF and where would I find more information about it?

Eddie Diener
From: Edward D. <eld...@tr...> - 2016-06-24 23:14:04

According to Dependency Walker the msvcp100.dll and msvcr100.dll in the SleuthKit 4.2.0 distribution are 64-bit DLLs while the TSK DLLs and EXEs are all 32-bit. Yet running any of the exes works fine. Is this a Dependency Walker problem or what?

Eddie Diener
From: Edward D. <eld...@tr...> - 2016-06-24 19:32:26

I downloaded the SleuthKit 4.2.0 binary release for Windows in .zip format from https://sourceforge.net/projects/sleuthkit/files/sleuthkit/4.2.0/sleuthkit-4.2.0-win32.zip/download. After unzipping the release I see in the bin directories the DLLs:

libewf.dll
libtsk_jni.dll
msvcp100.dll
msvcr100.dll
zlib.dll

I do not see a libtsk.dll? Is it missing?

Eddie Diener
From: Edward D. <eld...@tr...> - 2016-06-24 19:31:42

In the instructions for building Sleuthkit from source on Windows with the VC++ compiler it says in the win32/BUILDING.txt file:

"1) Download libewf-20130128 (or later). The official releases are from:
http://sourceforge.net/projects/libewf/"

There is no longer a libewf-20130128 release (or any other libewf release) at Sourceforge and the only releases offered after that from the libewf Github site are in Linux line ending format, come after the libewf-20130128 release, and are incompatible with the current Sleuthkit source, whether 'master' or 'develop' branch. Furthermore the libewf Github source is also incompatible with SleuthKit, as explained at http://forum.sleuthkit.org/viewtopic.php?f=9&t=2740.

How can I get the libewf-20130128 release for Windows so I can build Sleuthkit from source using VC++?
From: Mauricio L. <mau...@gm...> - 2016-06-24 18:10:40

Hi,

I have verified the same issue with a case I am currently working on: many allocated files were put into a wrong deleted parent folder. But some of those wrong deleted parent folders have exactly the same name and path of the true parent folders. For example, there are two "Program Files" folders in the root, one allocated and one deleted, and many allocated children were put below the deleted "Program Files". So I think the current fix, that uses the parent paths to decide into which folder they will be put, will not work for some cases like mine.

thanks,

--
Mauricio S. Lage
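Mauricio's report above, and Luís's reply to it earlier on this page, describe a resolution problem rather than a parsing one: when a deleted "Program Files" and an allocated "Program Files" both sit in the root, a lookup keyed on the parent's path alone cannot tell them apart. The added example below is a toy model of that situation, not code from the mailing list or from The Sleuth Kit, and the tie-break it applies (an allocated child belongs under the candidate with the same allocation state) is an assumption made for illustration, not a description of TSK's actual fix. What it adds beyond the thread is the check a reviewer of such output wants: the resolver reports ambiguity instead of silently choosing, and an audit function lists the files a naive first-match lookup would misparent. The DirEntry model and all metadata addresses are constructed.

```python
"""Added example: parent resolution when two directories share a path
(illustrative model, not The Sleuth Kit's implementation)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DirEntry:
    meta_addr: int      # unique metadata address; values here are constructed
    path: str           # full path including the entry's own name
    is_dir: bool
    allocated: bool     # False for a deleted entry


def parent_path_of(path: str) -> str:
    head = path.rsplit("/", 1)[0]
    return head if head else "/"


def candidates_by_path(entries: List[DirEntry], parent_path: str) -> List[DirEntry]:
    """Every directory whose full path equals parent_path, allocated or deleted."""
    return [e for e in entries if e.is_dir and e.path == parent_path]


def resolve_parent(entries: List[DirEntry], child: DirEntry) -> Tuple[Optional[DirEntry], bool]:
    """Return (chosen_parent, ambiguous).

    ambiguous is True whenever more than one directory matched the path:
    exactly the case a path-only rule cannot decide on its own.
    """
    cands = candidates_by_path(entries, parent_path_of(child.path))
    if not cands:
        return None, False
    if len(cands) == 1:
        return cands[0], False
    # Assumed tie-break: match the child's allocation state. An allocated file
    # is taken to live under the allocated copy, a deleted file under the deleted one.
    same_state = [c for c in cands if c.allocated == child.allocated]
    if len(same_state) == 1:
        return same_state[0], True
    return cands[0], True  # still undecidable by this rule; flagged for review


def audit_misparented(entries: List[DirEntry]) -> List[str]:
    """Paths of allocated files that a first-match path lookup would place under
    a deleted directory even though an allocated directory with the same path exists."""
    bad = []
    for e in entries:
        if e.is_dir or not e.allocated:
            continue
        cands = candidates_by_path(entries, parent_path_of(e.path))
        if len(cands) > 1 and not cands[0].allocated and any(c.allocated for c in cands):
            bad.append(e.path)
    return bad


def build_sample() -> List[DirEntry]:
    """Constructed listing mirroring the thread: the deleted 'Program Files'
    is enumerated before the allocated one, so first-match picks it."""
    return [
        DirEntry(9, "/Program Files", True, False),            # deleted copy
        DirEntry(5, "/Program Files", True, True),             # allocated copy
        DirEntry(7, "/Windows", True, True),
        DirEntry(20, "/Program Files/notepad.exe", False, True),
        DirEntry(21, "/Program Files/old.dll", False, False),
        DirEntry(22, "/Windows/explorer.exe", False, True),
    ]


if __name__ == "__main__":
    entries = build_sample()
    for child in entries[3:]:
        parent, ambiguous = resolve_parent(entries, child)
        print(child.path, "->", parent.meta_addr, "(ambiguous)" if ambiguous else "")
    print("misparented by naive lookup:", audit_misparented(entries))
```

The point of the `ambiguous` flag is that Luís's observation still holds: the child paths were correct, so the information to choose was available somewhere, and a resolver that cannot recover it should say so rather than produce a quietly wrong tree.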
From: Joel G. <joe...@gm...> - 2016-06-24 16:43:53

Hi Gustavo,

I think the sector size is not 512 for an iPod, but I can remember this info.

Any help?

On Fri, Jun 24, 2016 at 18:09, Gustavo Valadares <gu...@gm...> wrote:
> Hi,
>
> I've created an E01 file from an iPod device plugged in Windows 7 via USB using FTK Imager.
>
> The image is OK, I can open it in FTK Imager.
>
> But SleuthKit can't recognize the file system:
>
> "Error: Cannot determine file system type (Sector offset: 0)"
>
> Running tsk_loaddb.exe in this image, with verbose option set, I get the output listed in the attached file.
>
> I guess it's a bug.
>
> Any help?
>
> Thanks.
From: Gustavo V. <gu...@gm...> - 2016-06-24 16:04:43

C:\IPED 3.9.4\tools\tsk\x64>tsk_loaddb.exe -v "j:\Memo5053-16 Equipe RJ-01\Imagens\Item03_ItemArrecadacao03.E01"
TskAutoDb::startAddImage: Starting add image process
tsk_img_open: Type: 0 NumImg: 1 Img1: j:\Memo5053-16 Equipe RJ-01\Imagens\Item03_ItemArrecadacao03.E01
ewf_open: found 1 segment files via libewf_glob
dos_load_prim: Table Sector: 0
ewf_image_read: byte offset: 0 len: 65536
dos_load_prim_table: Testing FAT/NTFS conditions
dos_load_prim_table: MSDOS OEM name exists
bsd_load_table: Table Sector: 1
gpt_load_table: Sector: 0
gpt_open: Trying other sector sizes
gpt_open: Trying sector size: 512
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 1024
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 2048
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 4096
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 8192
gpt_load_table: Sector: 0
sun_load_table: Trying sector: 0
sun_load_table: Trying sector: 1
mac_load_table: Sector: 1
mac_load: Missing initial magic value
mac_open: Trying 4096-byte sector size instead of 512-byte
mac_load_table: Sector: 1
mac_load: 0 Starting Sector: 1 Size: 62 Type: Apple_partition_map Status: 0
findFilesInVs: Error opening volume system, trying as a file system
fsopen: Auto detection mode at offset 0
ntfs_open: invalid volume size: 0
fatxxfs_open: Invalid number of sectors per FAT (0)
exfatfs_get_fs_size_params: Invalid sector size base 2 logarithm (4096), not in range (9 - 12)
fatxxfs_open: Invalid number of sectors per FAT (0)
ext2fs_open: invalid magic
ewf_image_read: byte offset: 65536 len: 65536
ufs_open: Trying 256KB UFS2 location
ewf_image_read: byte offset: 262144 len: 65536
ufs_open: Trying UFS1 location
ufs_open: No UFS magic found
ewf_image_read: byte offset: 156160 len: 65536
ewf_image_read: byte offset: 426496 len: 65536
ewf_image_read: byte offset: 407552 len: 65536
ewf_image_read: byte offset: 561664 len: 65536
ewf_image_read: byte offset: 542720 len: 65536
ewf_image_read: byte offset: 696832 len: 65536
ewf_image_read: byte offset: 677888 len: 65536
ewf_image_read: byte offset: 832000 len: 65536
ewf_image_read: byte offset: 813056 len: 65536
ewf_image_read: byte offset: 967168 len: 65536
ewf_image_read: byte offset: 948224 len: 65536
ewf_image_read: byte offset: 1102336 len: 65536
ewf_image_read: byte offset: 1083392 len: 65536
ewf_image_read: byte offset: 1237504 len: 65536
ewf_image_read: byte offset: 1218560 len: 65536
ewf_image_read: byte offset: 1372672 len: 65536
ewf_image_read: byte offset: 1353728 len: 65536
ewf_image_read: byte offset: 1507840 len: 65536
ewf_image_read: byte offset: 1488896 len: 65536
yaffsfs_open: could not find valid spare area format
See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2 configuration
ewf_image_read: byte offset: 1024 len: 65536
iso9660_open img_info: 3194832 ftype: 2048 test: 1
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 16-byte pre-block size
fs_prepost_read: Mapped 32768 to 37648
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 24-byte pre-block size
fs_prepost_read: Mapped 32768 to 37656
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
iso9660_open: Error loading volume descriptor
Error: Cannot determine file system type (Sector offset: 0)
TskAutoDb::commitAddImage: Commiting add image process
Database stored at: j:\Memo5053-16 Equipe RJ-01\Imagens\Item03_ItemArrecadacao03.E01.db
From: Luís F. N. <lfc...@gm...> - 2016-06-17 16:11:47
|
Hi,

What timezone does tsk_loaddb use for FAT file systems? Is it possible to configure it, like the Java bindings' AddImageProcess?

Thank you,
Luis
|
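The question above turns on a property of FAT that is worth seeing in code: FAT directory entries store each timestamp as two packed 16-bit words in the local time of the machine that wrote them, with no zone recorded, so any tool that turns them into epoch seconds has to be told (or assume) a zone, and changing that assumption moves every FAT timestamp by the zone offset. The script below is an added example written for this page, not code from The Sleuth Kit or from the original message; the 32-byte 8.3 directory entry it decodes is constructed inline, and the UTC-3 zone is only a sample offset.

```python
"""FAT directory-entry timestamps and the time-zone assumption.

Added example, not TSK code.  FAT stores each timestamp as two packed 16-bit
little-endian words (date, time) in the local time of the system that wrote
them, with no zone recorded.  Converting them to epoch seconds therefore
needs an assumed zone, and changing that assumption shifts the result by the
zone offset.  The 32-byte 8.3 directory entry used here is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone


def fixed_zone(hours):
    """A fixed-offset zone, e.g. fixed_zone(-3) for UTC-3 (a sample offset)."""
    return timezone(timedelta(hours=hours))


def decode_fat_datetime(date_word, time_word, tenths=0, tz=timezone.utc):
    """Unpack a FAT date/time pair into an aware datetime in zone `tz`.
    date: bits 15-9 years since 1980, 8-5 month, 4-0 day
    time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2
    tenths: optional 0..199 hundredths-of-second byte (creation time only)."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2 + tenths // 100
    micro = (tenths % 100) * 10_000
    return datetime(year, month, day, hour, minute, second, micro, tzinfo=tz)


def fat_mtime(entry, tz=timezone.utc):
    """Last-write time of an 8.3 directory entry: time word at offset 22, date word at 24."""
    time_word, date_word = struct.unpack_from("<HH", entry, 22)
    return decode_fat_datetime(date_word, time_word, tz=tz)


def fat_mtime_epoch(entry, tz=timezone.utc):
    """Epoch seconds for the entry's write time under the assumed zone `tz`."""
    return int(fat_mtime(entry, tz).timestamp())


def build_entry(year, month, day, hour, minute, second, name=b"REPORT  TXT"):
    """Constructed 32-byte directory entry with only the name, attribute and write time set."""
    date_word = ((year - 1980) << 9) | (month << 5) | day
    time_word = (hour << 11) | (minute << 5) | (second // 2)
    entry = bytearray(32)
    entry[0:11] = name
    entry[11] = 0x20                      # ATTR_ARCHIVE
    struct.pack_into("<HH", entry, 22, time_word, date_word)
    return bytes(entry)


if __name__ == "__main__":
    e = build_entry(2016, 6, 15, 19, 34, 30)
    for tz in (timezone.utc, fixed_zone(-3)):
        # Same bytes on disk, different epoch value depending on the assumed zone.
        print(tz, fat_mtime(e, tz).isoformat(), fat_mtime_epoch(e, tz))
```

The same on-disk words decode to 19:34:30 either way; only the epoch value differs, by exactly the assumed offset (10800 seconds for UTC-3). That difference is what a timeline built from a FAT volume inherits from whichever zone the loading tool was given.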
From: Luís F. N. <lfc...@gm...> - 2016-06-15 19:34:31
|
TskAutoDb::startAddImage: Starting add image process
tsk_img_open: Type: 0 NumImg: 1 Img1: j:\AA482_2015_EQ25_IT30\imagem\aa482_2015_EQDF25_IT30\aa482_2015_EQDF25_IT30.E01
ewf_open: found 33 segment files via libewf_glob
dos_load_prim: Table Sector: 0
ewf_image_read: byte offset: 0 len: 65536
File is not a DOS partition (invalid primary magic) (Sector: 0)
bsd_load_table: Table Sector: 1
gpt_load_table: Sector: 0
gpt_open: Trying other sector sizes
gpt_open: Trying sector size: 512
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 1024
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 2048
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 4096
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 8192
gpt_load_table: Sector: 0
sun_load_table: Trying sector: 0
sun_load_table: Trying sector: 1
mac_load_table: Sector: 1
mac_load: 0 Starting Sector: 1 Size: 63 Type: Apple_partition_map Status: 3
mac_open: Trying 4096-byte sector size instead of 512-byte
mac_load_table: Sector: 1
mac_load: Missing initial magic value
findFilesInVs: Error opening volume system, trying as a file system
fsopen: Auto detection mode at offset 0
ntfs_open: Incorrect NTFS magic
fatxxfs_open: Invalid sector size (0)
exfatfs_get_fs_size_params: Invalid sector size base 2 logarithm (0), not in range (9 - 12)
fatxxfs_open: Invalid sector size (0)
ext2fs_open: invalid magic
ewf_image_read: byte offset: 65536 len: 65536
ufs_open: Trying 256KB UFS2 location
ewf_image_read: byte offset: 262144 len: 65536
ufs_open: Trying UFS1 location
ufs_open: No UFS magic found
ewf_image_read: byte offset: 156160 len: 65536
ewf_image_read: byte offset: 426496 len: 65536
ewf_image_read: byte offset: 561664 len: 65536
ewf_image_read: byte offset: 696832 len: 65536
ewf_image_read: byte offset: 832000 len: 65536
ewf_image_read: byte offset: 967168 len: 65536
ewf_image_read: byte offset: 1102336 len: 65536
ewf_image_read: byte offset: 1237504 len: 65536
ewf_image_read: byte offset: 1372672 len: 65536
ewf_image_read: byte offset: 1507840 len: 65536
ewf_image_read: byte offset: 1643008 len: 65536
ewf_image_read: byte offset: 1778176 len: 65536
ewf_image_read: byte offset: 1913344 len: 65536
ewf_image_read: byte offset: 2048512 len: 65536
ewf_image_read: byte offset: 2183680 len: 65536
ewf_image_read: byte offset: 2318848 len: 65536
ewf_image_read: byte offset: 2454016 len: 65536
ewf_image_read: byte offset: 2589184 len: 65536
ewf_image_read: byte offset: 2724352 len: 65536
ewf_image_read: byte offset: 2859520 len: 65536
ewf_image_read: byte offset: 2994688 len: 65536
ewf_image_read: byte offset: 3129856 len: 65536
ewf_image_read: byte offset: 3265024 len: 65536
ewf_image_read: byte offset: 3400192 len: 65536
ewf_image_read: byte offset: 3535360 len: 65536
ewf_image_read: byte offset: 3670528 len: 65536
ewf_image_read: byte offset: 3805696 len: 65536
ewf_image_read: byte offset: 3940864 len: 65536
ewf_image_read: byte offset: 4076032 len: 65536
ewf_image_read: byte offset: 4211200 len: 65536
ewf_image_read: byte offset: 4346368 len: 65536
ewf_image_read: byte offset: 4481536 len: 65536
ewf_image_read: byte offset: 4616704 len: 65536
ewf_image_read: byte offset: 4751872 len: 65536
ewf_image_read: byte offset: 4887040 len: 65536
ewf_image_read: byte offset: 5022208 len: 65536
ewf_image_read: byte offset: 5157376 len: 65536
ewf_image_read: byte offset: 5292544 len: 65536
ewf_image_read: byte offset: 5427712 len: 65536
ewf_image_read: byte offset: 5562880 len: 65536
ewf_image_read: byte offset: 5698048 len: 65536
ewf_image_read: byte offset: 5833216 len: 65536
ewf_image_read: byte offset: 5968384 len: 65536
ewf_image_read: byte offset: 5949440 len: 65536
ewf_image_read: byte offset: 6103552 len: 65536
ewf_image_read: byte offset: 6238720 len: 65536
ewf_image_read: byte offset: 6373888 len: 65536
ewf_image_read: byte offset: 6509056 len: 65536
ewf_image_read: byte offset: 6644224 len: 65536
ewf_image_read: byte offset: 6779392 len: 65536
ewf_image_read: byte offset: 6914560 len: 65536
ewf_image_read: byte offset: 7049728 len: 65536
ewf_image_read: byte offset: 7184896 len: 65536
ewf_image_read: byte offset: 7320064 len: 65536
ewf_image_read: byte offset: 7455232 len: 65536
ewf_image_read: byte offset: 7590400 len: 65536
ewf_image_read: byte offset: 7725568 len: 65536
ewf_image_read: byte offset: 7706624 len: 65536
ewf_image_read: byte offset: 7860736 len: 65536
ewf_image_read: byte offset: 7995904 len: 65536
ewf_image_read: byte offset: 8131072 len: 65536
ewf_image_read: byte offset: 8266240 len: 65536
ewf_image_read: byte offset: 8401408 len: 65536
ewf_image_read: byte offset: 8382464 len: 65536
ewf_image_read: byte offset: 8536576 len: 65536
ewf_image_read: byte offset: 8671744 len: 65536
ewf_image_read: byte offset: 8806912 len: 65536
ewf_image_read: byte offset: 8942080 len: 65536
ewf_image_read: byte offset: 9077248 len: 65536
ewf_image_read: byte offset: 9212416 len: 65536
ewf_image_read: byte offset: 9347584 len: 65536
ewf_image_read: byte offset: 9328640 len: 65536
ewf_image_read: byte offset: 9482752 len: 65536
ewf_image_read: byte offset: 9617920 len: 65536
ewf_image_read: byte offset: 9753088 len: 65536
ewf_image_read: byte offset: 9734144 len: 65536
ewf_image_read: byte offset: 9888256 len: 65536
ewf_image_read: byte offset: 9869312 len: 65536
ewf_image_read: byte offset: 10023424 len: 65536
ewf_image_read: byte offset: 10004480 len: 65536
ewf_image_read: byte offset: 10158592 len: 65536
ewf_image_read: byte offset: 10139648 len: 65536
ewf_image_read: byte offset: 10293760 len: 65536
ewf_image_read: byte offset: 10428928 len: 65536
ewf_image_read: byte offset: 10564096 len: 65536
ewf_image_read: byte offset: 10545152 len: 65536
ewf_image_read: byte offset: 10699264 len: 65536
ewf_image_read: byte offset: 10680320 len: 65536
yaffsfs_open: could not find valid spare area format
See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2 configuration
ewf_image_read: byte offset: 1024 len: 65536
iso9660_open img_info: 30851024 ftype: 2048 test: 1
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 16-byte pre-block size
fs_prepost_read: Mapped 32768 to 37648
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 24-byte pre-block size
fs_prepost_read: Mapped 32768 to 37656
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
iso9660_open: Error loading volume descriptor
Error: Cannot determine file system type (Sector offset: 0)
TskAutoDb::commitAddImage: Commiting add image process
Database stored at: j:\AA482_2015_EQ25_IT30\imagem\aa482_2015_EQDF25_IT30\aa482_2015_EQDF25_IT30.E01.db
|
From: Brian C. <ca...@sl...> - 2016-06-13 20:41:22
|
It is now time for the community to help decide the agenda for OSDFCon 2016. We have 22 submissions and need to pick 14. What talk do you want to see at this year's event? Vote before June 27 to let your voice be heard.

https://www.surveymonkey.com/r/SPVTQGS

OSDFCon is an annual conference that Basis Technology organizes each year, and it is focused on open source digital forensics software. The 7th annual conference will be held this year on October 26 in Herndon, VA. More details can be found at http://.osdfcon.org/.
|
From: PCF R. R. C. <ron...@dp...> - 2016-06-13 17:44:56
|
Hi Brian,

Release-4.3.0 solved this problem.

Thank you very much,

--
Ronaldo Rosenau da Costa
Perito Criminal Federal
Setor Técnico Científico (SETEC)
Departamento de Polícia Federal - Paraná
Tel: (41) 3251-7651
Voip: 4 4100-7651

On 10/06/2016 00:33, Brian Carrier wrote:
> hi Ronaldo,
>
> I think you are seeing the same bug that "SuperGod" reported (https://github.com/sleuthkit/sleuthkit/issues/651) and gave a patch for. The fix is in the release-4.3.0 branch. If you are not compiling from source, I can send you a windows binary to test it out to make sure it fixes your problems. Please let me know.
>
> thanks,
> brian
>
>> On Jun 8, 2016, at 10:17 AM, PCF Ronaldo R. Costa <ron...@dp...> wrote:
>>
>> Hi Brian,
>>
>> I am not sure, but it seems to be an exFAT or at least FAT. It doesn't look like NTFS. Curiously, there are files typical of a Mac OS or Apple Time Machine device (Fsevend, spotlight, timemachine). This device is an external drive of 2TB. I have attached some pictures of file system folders/files (I had to blur some parts, because they are sensitive).
>>
>> Dump of sector 64 is attached too.
>>
>> Thanks,
>>
>> --
>> Ronaldo Rosenau da Costa
>> Perito Criminal Federal
>> Setor Técnico Científico (SETEC)
>> Departamento de Polícia Federal - Paraná
>> Tel: (41) 3251-7651
>> Voip: 4 4100-7651
>>
>> On 07/06/2016 15:56, Brian Carrier wrote:
>>> From the verbose log, these seem to be the relevant lines:
>>>
>>> fsopen: Auto detection mode at offset 32768
>>> ntfs_open: invalid sector size: 0
>>> fatxxfs_open: Invalid sector size (0)
>>> exfatfs_get_fs_layout: Invalid root directory sector address (122880)
>>> ....
>>>
>>> So, both ExFAT and NTFS are unhappy because sector size is 0 and ExFAT is also unhappy because it doesn't like the starting root directory address. Can you tell from FTK / EnCase what the file system is? Usually NTFS has more $ files in the root folder. If you could send me the raw contents of sector 64 (or a picture of the hex dump) that would be useful too to debug this.
>>>
>>> thanks
>>> brian
>>>
>>>> On Jun 6, 2016, at 3:48 PM, PCF Ronaldo R. Costa <ron...@dp...> wrote:
>>>>
>>>> Hi,
>>>>
>>>> tsk_loaddb.exe aborted with the message below:
>>>> Error: Cannot determine file system type (Sector offset: 64, Partition
>>>> Type: NTFS / exFAT (0x07))
>>>>
>>>> I can open this image with FTK and Encase, without any problem.
>>>>
>>>> Full verbose log is attached.
>>>>
>>>> Any suggestion?
>>>>
>>>> Regards,
>>>>
>>>> --
>>>> Ronaldo Rosenau da Costa
>>>> Perito Criminal Federal
>>>> Setor Técnico Científico (SETEC)
>>>> Departamento de Polícia Federal - Paraná
>>>> Tel: (41) 3251-7651
>>>> Voip: 4 4100-7651
>>>>
>>>> <report_item0906.txt>
>>>> ------------------------------------------------------------------------------
>>>> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
>>>> patterns at an interface-level. Reveals which users, apps, and protocols are
>>>> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
>>>> J-Flow, sFlow and other flows. Make informed decisions using capacity
>>>> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
>>>> _______________________________________________
>>>> sleuthkit-users mailing list
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> http://www.sleuthkit.org
>>>
>> <dump_sector_64><file_system.jpg><file_system2.jpg>
>
>
|
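All three verbose tsk_loaddb logs in this thread (the two full logs above and the excerpt Brian quotes here) end in "Cannot determine file system type" after ntfs_open, fatxxfs_open and the exfatfs checks reject the sector at the file-system offset, and Brian's next step is to look at the raw sector. The script below is an added example written for this page, not code from The Sleuth Kit: it reads the same boot-sector fields those log messages name (bytes per sector at offset 11, the exFAT bytes-per-sector shift at offset 108, the exFAT root-directory cluster and the sector it maps to, the MBR partition type and start) and says which check a given sector would fail. The field offsets follow the published FAT, NTFS and exFAT boot-sector layouts; the root-directory test is modelled on the log line, not copied from TSK's code; and the sample sectors are constructed inline, not taken from the images discussed. To use it on a real case, read 512 bytes at the offset the log reports (here sector 64, i.e. byte 32768) and pass them to triage_fs_sector.

```python
"""Boot-sector triage for an image tsk_loaddb rejects with
"Cannot determine file system type".

Added example, not code from The Sleuth Kit.  It re-implements, in a few
lines, the kind of sanity checks the verbose log shows autodetection making
(ntfs_open / fatxxfs_open on bytes-per-sector, exfatfs_get_fs_size_params on
the bytes-per-sector shift, exfatfs_get_fs_layout on the root-directory
sector, dos_load_prim on the partition table) so a dumped sector can be read
field by field.  Offsets follow the published FAT, NTFS and exFAT layouts;
the sample sectors are constructed here.
"""
import struct

SECTOR = 512


def mbr_partitions(sector0):
    """(type, start_lba, sector_count) for each non-empty primary MBR entry,
    or [] when the 0x55AA signature is absent (TSK: 'invalid primary magic')."""
    if len(sector0) < SECTOR or bytes(sector0[510:512]) != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts


def triage_fs_sector(buf):
    """Classify one file-system boot sector.  Returns (verdict, details), where
    verdict is 'exfat', 'ntfs', 'fat' or the name of the check that failed."""
    if len(buf) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    oem = bytes(buf[3:11])
    details = {"oem": oem}

    # exFAT: OEM name 'EXFAT   ' followed by 53 zero bytes where a BPB would be.
    if oem == b"EXFAT   " and bytes(buf[11:64]) == b"\x00" * 53:
        vol_len, _fat_off, _fat_len, heap_off, clusters, root_cl = \
            struct.unpack_from("<QIIIII", buf, 72)
        shift, spc_shift = buf[108], buf[109]
        details.update(volume_length=vol_len, cluster_heap_offset=heap_off,
                       cluster_count=clusters, root_cluster=root_cl,
                       bytes_per_sector_shift=shift)
        if not 9 <= shift <= 12:                 # 512 .. 4096 bytes per sector
            return "exfat-bad-sector-shift", details
        root_sector = heap_off + (root_cl - 2) * (1 << spc_shift)
        details["root_dir_sector"] = root_sector
        if root_cl < 2 or root_cl - 2 >= clusters or root_sector >= vol_len:
            return "exfat-bad-root-dir", details
        return "exfat", details

    # FAT and NTFS both keep bytes-per-sector at offset 11; zero means no BPB here.
    bps = struct.unpack_from("<H", buf, 11)[0]
    details["bytes_per_sector"] = bps
    if bps == 0:
        return "no-bpb", details
    if oem == b"NTFS    ":
        details["total_sectors"], details["mft_cluster"] = struct.unpack_from("<QQ", buf, 40)
        return "ntfs", details
    spf = struct.unpack_from("<H", buf, 22)[0] or struct.unpack_from("<I", buf, 36)[0]
    details["sectors_per_fat"] = spf
    if spf == 0:
        return "fat-bad-sectors-per-fat", details
    return "fat", details


# --- constructed sample sectors (not from the images in the thread) --------

def build_mbr(ptype=0x07, start=64, count=1_000_000):
    s = bytearray(SECTOR)
    s[446 + 4] = ptype
    struct.pack_into("<II", s, 446 + 8, start, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def build_exfat(shift=9, spc_shift=3, heap_off=2048, clusters=1000, root_cl=4, vol_len=10_000):
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x76\x90"
    s[3:11] = b"EXFAT   "
    struct.pack_into("<QQIIIII", s, 64, 0, vol_len, 128, 64, heap_off, clusters, root_cl)
    s[108], s[109], s[110] = shift, spc_shift, 1
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def build_ntfs(total_sectors=1_000_000, mft_cluster=786_432):
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<H", s, 11, 512)
    s[13] = 8
    struct.pack_into("<QQ", s, 40, total_sectors, mft_cluster)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    print(mbr_partitions(build_mbr()))
    for sample in (build_exfat(), build_exfat(root_cl=5000), bytes(SECTOR), build_ntfs()):
        print(triage_fs_sector(sample))
```

A sector that comes back "no-bpb" with an OEM name of spaces or zeros is the pattern behind the "sector size (0)" lines in the logs; "exfat-bad-root-dir" with a plausible OEM name is the pattern behind the root-directory-address line Brian quotes, and is the case where a hex dump of the sector, rather than more auto-detection, is what settles the question.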
From: Simson G. <si...@ac...> - 2016-06-13 14:15:24
|
I think that you need more RAM. You should try a system with 16GB or 32GB.

Simson

> On Jun 13, 2016, at 9:49 AM, Vaine Barreira <vlb...@gm...> wrote:
>
> Hi Simson,
>
> I have a Dell XPS notebook, Core i7 3rd gen with 8GB RAM and a 1TB SATA HD with two partitions (Autopsy in one and the case in the other).
>
> I have 175GB of free space in the partition holding the case folder.
>
> My RAW image is 320GB.
>
> Thank you!
>
> --
> Vaine Luiz Barreira
> IT Consultant | Computer Forensics Expert | Ethical Hacker | University Professor | Speaker
> vlb...@gm... | (16) 99172-2055
> http://about.me/vlbarreira | https://www.facebook.com/vaineluizbarreira
> Portal Computação Forense: http://www.ciberforense.com.br
> Revista Segurança Cibernética: http://flip.it/GYGQY
>
>
> 2016-06-13 9:56 GMT-03:00 Simson Garfinkel <si...@ac...>:
> Hi Vaine,
>
> What is your analysis system? What CPU, and how much RAM? How much free disk space does it have? What is the size of your case file?
>
> Simson
>
>> On Jun 13, 2016, at 8:48 AM, Vaine Barreira <vlb...@gm...> wrote:
>>
>> Hello,
>>
>> I'm using version 4.0.0 of Autopsy to read a 320GB RAW image of a Windows XP system.
>>
>> The process completed successfully, and Autopsy indexed 435,000 image files.
>>
>> When I select "Images" in the menu "Views", "File Types", Autopsy stops at "Please Wait ..." and cannot display any image.
>>
>> I believe it is the large number of indexed files.
>>
>> How do I solve this? How can I view these images?
>>
>> Thank you!
>>
>> --
>> Vaine Luiz Barreira
>> IT Consultant | Computer Forensics Expert | Ethical Hacker | University Professor | Speaker
>> vlb...@gm... | (16) 99172-2055
>> http://about.me/vlbarreira | https://www.facebook.com/vaineluizbarreira
>> Portal Computação Forense: http://www.ciberforense.com.br
>> Revista Segurança Cibernética: http://flip.it/GYGQY
|
From: Vaine B. <vlb...@gm...> - 2016-06-13 13:49:43
|
Hi Simson,

I have a Dell XPS notebook, Core i7 3rd gen with 8GB RAM and a 1TB SATA HD with two partitions (Autopsy in one and the case in the other).

I have 175GB of free space in the partition holding the case folder.

My RAW image is 320GB.

Thank you!

--
Vaine Luiz Barreira
IT Consultant | Computer Forensics Expert | Ethical Hacker | University Professor | Speaker
vlb...@gm... | (16) 99172-2055
http://about.me/vlbarreira | https://www.facebook.com/vaineluizbarreira
Portal Computação Forense: http://www.ciberforense.com.br
Revista Segurança Cibernética: http://flip.it/GYGQY

2016-06-13 9:56 GMT-03:00 Simson Garfinkel <si...@ac...>:
> Hi Vaine,
>
> What is your analysis system? What CPU, and how much RAM? How much free
> disk space does it have? What is the size of your case file?
>
> Simson
>
> On Jun 13, 2016, at 8:48 AM, Vaine Barreira <vlb...@gm...> wrote:
>
> Hello,
>
> I'm using version 4.0.0 of Autopsy to read a 320GB RAW image of a
> Windows XP system.
>
> The process completed successfully, and Autopsy
> indexed 435,000 image files.
>
> When I select "Images" in the menu "Views", "File Types", Autopsy stops
> at "Please Wait ..." and cannot display any image.
>
> I believe it is the large number of indexed files.
>
> How do I solve this? How can I view these images?
>
> Thank you!
>
> --
> Vaine Luiz Barreira
> IT Consultant | Computer Forensics Expert | Ethical Hacker |
> University Professor | Speaker
> vlb...@gm... | (16) 99172-2055
> http://about.me/vlbarreira | https://www.facebook.com/vaineluizbarreira
> Portal Computação Forense: http://www.ciberforense.com.br
> Revista Segurança Cibernética: http://flip.it/GYGQY
>
>
|
From: Simson G. <si...@ac...> - 2016-06-13 12:56:30
|
Hi Vaine,

What is your analysis system? What CPU, and how much RAM? How much free disk space does it have? What is the size of your case file?

Simson

> On Jun 13, 2016, at 8:48 AM, Vaine Barreira <vlb...@gm...> wrote:
>
> Hello,
>
> I'm using version 4.0.0 of Autopsy to read a 320GB RAW image of a Windows XP system.
>
> The process completed successfully, and Autopsy indexed 435,000 image files.
>
> When I select "Images" in the menu "Views", "File Types", Autopsy stops at "Please Wait ..." and cannot display any image.
>
> I believe it is the large number of indexed files.
>
> How do I solve this? How can I view these images?
>
> Thank you!
>
> --
> Vaine Luiz Barreira
> IT Consultant | Computer Forensics Expert | Ethical Hacker | University Professor | Speaker
> vlb...@gm... | (16) 99172-2055
> http://about.me/vlbarreira | https://www.facebook.com/vaineluizbarreira
> Portal Computação Forense: http://www.ciberforense.com.br
> Revista Segurança Cibernética: http://flip.it/GYGQY
|
From: Vaine B. <vlb...@gm...> - 2016-06-13 12:48:15
|
Hello,

I'm using version 4.0.0 of Autopsy to read a 320GB RAW image of a Windows XP system.

The process completed successfully, and Autopsy indexed 435,000 image files.

When I select "Images" in the menu "Views", "File Types", Autopsy stops at "Please Wait ..." and cannot display any image.

I believe it is the large number of indexed files.

How do I solve this? How can I view these images?

Thank you!

--
Vaine Luiz Barreira
IT Consultant | Computer Forensics Expert | Ethical Hacker | University Professor | Speaker
vlb...@gm... | (16) 99172-2055
http://about.me/vlbarreira | https://www.facebook.com/vaineluizbarreira
Portal Computação Forense: http://www.ciberforense.com.br
Revista Segurança Cibernética: http://flip.it/GYGQY
|