sleuthkit-users — List to discuss Autopsy and The Sleuth Kit.

Re: [sleuthkit-users] how to map a bad block back to a file?

[Simson G. <si...@ac...>]

Sleuthkit can't do this out-of-the-box. Are you really running Sleuth  
Kit on the raw drive?

However, the combination of aimage & sleuthkit and some fancy  
software that I am working can do this pretty easily. What would you  
use it for?


On Nov 20, 2006, at 1:22 PM, Gary Funck wrote:

>
>  From time to time, we process a hard drive that has
> a series of unrecoverable errors.  We'd like a fairly
> quick check that we can run while imaging the drive
> that tells us if the bad blocks likely fall in
> allocated space (inclusive of metadata), and if so,
> which files (and/or metadata) might be affected.
> It would also be nice to know if the bad blocks
> are part of a deleted file as well, if applicable.
>
>  Given that ntfs volumes are prevalent these
> days, our primary interest is ntfs volumes, but
> hopefully the same principles might apply to
> FAT32, ext3 and other file system types as well.
>
>  Can the sleuthkit tools perform this fucntion?
> What would be the recommended sequnces of
> commands that must be run to accomplish the task?
>
>
> ---------------------------------------------------------------------- 
> ---
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to  
> share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php? 
> page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>

Re: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Examining RAID-5 with only 1 drive)

[Svein Y. W. <sv...@wi...>]

> In digital forensics, like classical forensics, it's appropriate to
> explicitly define the task but not tell the examiner the expected
> outcome.
> 
> 	- Tell me if this child porn document is on this hard drive.
> 	- Tell me if this document has a GUID that is consistent with this
> computer.
> 
> Giving an examiner a 50GB drive and saying "find something
> incriminating" is akin to putting an investigator in bedroom and
> saying "find something."  The real issue isn't digital vs. non-
> digital, but one of clearly defining the expectations of the
> investigation.

During my time in the police and when working as a forensic expert, I've had
several of those cases where the task has been clearly defined. They have
usually been variations of the theme "find this email" or "find this
document". These cases are usually fairly straightforward, although they
tend to culminate in difficult questions like "why wasn't it found?" or "how
did it get there?"

More often then not however, I find that the person that asks me to do the
investigation lacks the expertise and experience to give me a clear
assignment. This may be because they may not have the necessary computer
knowledge (typically a prosecutor, attorney or judge), because they do not
have the details of the case themselves, or simply because they do not know
exactly what to look for.

Imagine investigating the computer used by someone suspected to be involved
in a tax fraud. In such a case, one could certainly start browsing the
documents stored on the computer in the hope of finding something
interesting. But how would you know which document has value as evidence in
the specific case?  The documents of evidentiary value can only be
pinpointed if the investigator knows the specifics of the case.

I have indeed several times been asked to "find the evidence" without being
given any further clues. In these cases I took the responsibility to go back
and obtain further information about the case before starting the
investigation.

Svein

[sleuthkit-users] how to map a bad block back to a file?

[Gary F. <ga...@in...>]

 From time to time, we process a hard drive that has
a series of unrecoverable errors.  We'd like a fairly
quick check that we can run while imaging the drive
that tells us if the bad blocks likely fall in
allocated space (inclusive of metadata), and if so,
which files (and/or metadata) might be affected.
It would also be nice to know if the bad blocks
are part of a deleted file as well, if applicable.

 Given that ntfs volumes are prevalent these
days, our primary interest is ntfs volumes, but
hopefully the same principles might apply to
FAT32, ext3 and other file system types as well.

 Can the sleuthkit tools perform this fucntion?
What would be the recommended sequnces of
commands that must be run to accomplish the task?

Re: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Examining RAID-5 with only 1 drive)

[<Fra...@ps...>]

My two cents. (I don't have my glasses so forgive my unproofed response.)

This is something that I've not seen a lot of and feel this topic is 
overdue.

As was stated before getting to the disk and finding files is for most 
security professionals a no brainier.  This isn't where the problem 
exists.  It's with the legal system and how specific forensic examinations 
should be done.

There are a number of types of cases which the examiner needs to know what 
he should focus his examination on.  I feel this is imperative.  If for 
example you're given a computer and told "find something" you could be 
there for an extended amount of time spinning your wheels and hours of 
chargeable time to a case for almost very little result.

That would be the purpose of the chain of custody prior to the forensic 
examination.  With the newly imaged drive the examiner can pretty much run 
tests to determine certain criteria on the system.  As long as the 
original evidence can be used to make another image and the defense or 
prosecution can use the original evidence and methods to recreate what has 
been discovered then I personally see no reason why an examiner cannot be 
told there may be child porn on this drive.  I think what's at question 
here is not so much the what as the how.  How something was discovered. If 
you have a legal warrant and confiscate a suspects computer then that 
evidence would be use in that case for the purpose of determining if they 
can discover supporting data.

This is a good reason why this type of forensic examination is very 
expensive.  I would personally charge by the hour at $150 to $300 an hour 
fot this type of work depending on the case.  Nothing less.  (rant: I 
don't really see the necessity of a CFE type of certification because it's 
not how you use the tools it's how you've collected the data and followed 
the appropriate CoC.)  All the certification in the world isn't going to 
provide you with enough knowledge as a good auditor. - That's just my two 
cents SANS. Like the old adage, 'it's not over till the paper work is 
done".

A good example would be in a non-criminal case. An investigation into 
weather someone is cheating on a spouse. You're given a computer and told 
'find something'.  In this type of case the forensic examiner would 'need 
to know' that he's looking for any signs of a cheating spouse.

I'm not an attorney, that's just my blurred two cents.

Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist
(210) 301-6433 - (210) 887-6985



"Svein Yngvar Willassen" <sv...@wi...> 
Sent by: sle...@li...
11/20/2006 01:40 AM

To
<sle...@li...>
cc

Subject
[sleuthkit-users] What information is needed to do a digital    forensic 
analysis? (was: RE: Examining RAID-5 with only 1 drive)







> The lawyer does not want to give us too many details.  She thinks it
> will damage our impartiality.

This is interesting. In classic forensics, where the task can be 
explicitly
defined, this attitude is appropriate. For example: 

- tell me if fingerprint A and B match
- tell me if this hair comes from the same person as this blood sample

I think the opposite is the case in digital forensics. In digital 
forensics,
the task is (usually) to find the evidence, given a large heap of
information. Say for example a 50 Gb hard drive.  Since it is impossible 
for
the investigator to know in advance what kind of evidence may be on the
drive, he must imagine possible evidence items based on an assumption of
what could be on the drive. Valid assumptions can in my opinion only be 
made
if the investigator has access to all possible information about the case.

After all, you only find what you look for.

Any thoughts?

Regards,

Svein Willassen
--
Researcher
Norwegian University of Science and Technology



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share 
your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: [sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Examining RAID-5 with only 1 drive)

[Simson G. <si...@ac...>]

Hi, Svein.

I agree with your reasoning but not with your conclusion.

In digital forensics, like classical forensics, it's appropriate to  
explicitly define the task but not tell the examiner the expected  
outcome.

	- Tell me if this child porn document is on this hard drive.
	- Tell me if this document has a GUID that is consistent with this  
computer.

Giving an examiner a 50GB drive and saying "find something  
incriminating" is akin to putting an investigator in bedroom and  
saying "find something."  The real issue isn't digital vs. non- 
digital, but one of clearly defining the expectations of the  
investigation.


On Nov 20, 2006, at 2:40 AM, Svein Yngvar Willassen wrote:

>
>> The lawyer does not want to give us too many details.  She thinks it
>> will damage our impartiality.
>
> This is interesting. In classic forensics, where the task can be  
> explicitly
> defined, this attitude is appropriate. For example:
>
> - tell me if fingerprint A and B match
> - tell me if this hair comes from the same person as this blood sample
>
> I think the opposite is the case in digital forensics. In digital  
> forensics,
> the task is (usually) to find the evidence, given a large heap of
> information. Say for example a 50 Gb hard drive.  Since it is  
> impossible for
> the investigator to know in advance what kind of evidence may be on  
> the
> drive, he must imagine possible evidence items based on an  
> assumption of
> what could be on the drive. Valid assumptions can in my opinion  
> only be made
> if the investigator has access to all possible information about  
> the case.
>
> After all, you only find what you look for.
>
> Any thoughts?
>
> Regards,
>
> Svein Willassen
> --
> Researcher
> Norwegian University of Science and Technology
>
>
>
> ---------------------------------------------------------------------- 
> ---
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to  
> share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php? 
> page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>

Re: [sleuthkit-users] What information is needed to do a digital ? orensic analysis? (was: RE: Examining RAID-5 with only 1 drive)

[<an...@n-...>]

In my humble opinion - this is a common misconception about forensic =
computing.

Much of the time we are acting more like crime scene examiners and either=09=
 need to determine if anything resembling a crime has been committed OR =
find evidence relating to a particular activity. As system complexity and=
 storage capacity increase, the size of our "crime scene" also increases.=
 Thus, rather than dealing with a single room, we are more often searching=
 an area equivalent to a whole city for a small amount of evidence.

Without information from the client, our job becomes almost infinitely =
complex...

-----Original Message-----
From:  Svein Yngvar Willassen
Date:  20/11/06 7:40
To:  sle...@li...
Subj:  [sleuthkit-users] What information is needed to do a digital	=
forensic analysis? (was: RE: Examining RAID-5 with only 1 drive)


> The lawyer does not want to give us too many details.  She thinks it
> will damage our impartiality.

This is interesting. In classic forensics, where the task can be =
explicitly
defined, this attitude is appropriate. For example: 

- tell me if fingerprint A and B match
- tell me if this hair comes from the same person as this blood sample

I think the opposite is the case in digital forensics. In digital =
forensics,
the task is (usually) to find the evidence, given a large heap of
information. Say for example a 50 Gb hard drive.  Since it is impossible=
 for
the investigator to know in advance what kind of evidence may be on the
drive, he must imagine possible evidence items based on an assumption of
what could be on the drive. Valid assumptions can in my opinion only be =
made
if the investigator has access to all possible information about the case.

After all, you only find what you look for.

Any thoughts?

Regards,

Svein Willassen
--
Researcher
Norwegian University of Science and Technology



--------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share =
your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=3Djoin.php&p=3Dsourceforge&CID=3DDEV=
VDEV
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

[sleuthkit-users] What information is needed to do a digital forensic analysis? (was: RE: Examining RAID-5 with only 1 drive)

[Svein Y. W. <sv...@wi...>]

> The lawyer does not want to give us too many details.  She thinks it
> will damage our impartiality.

This is interesting. In classic forensics, where the task can be explicitly
defined, this attitude is appropriate. For example: 

- tell me if fingerprint A and B match
- tell me if this hair comes from the same person as this blood sample

I think the opposite is the case in digital forensics. In digital forensics,
the task is (usually) to find the evidence, given a large heap of
information. Say for example a 50 Gb hard drive.  Since it is impossible for
the investigator to know in advance what kind of evidence may be on the
drive, he must imagine possible evidence items based on an assumption of
what could be on the drive. Valid assumptions can in my opinion only be made
if the investigator has access to all possible information about the case.

After all, you only find what you look for.

Any thoughts?

Regards,

Svein Willassen
--
Researcher
Norwegian University of Science and Technology

Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

[Simson L. G. <si...@ac...>]

> The lawyer does not want to give us too many details.  She thinks it
> will damage our impartiality.
> What I have been told: source code files were copied from a remote
> site to the server this drive was on.
> The source code was sent to various other 3rd parties.
> The source code was deleted from the server.
>
> I have been asked: prove it or disprove it.

You can't do either, it turns out. However, you might be able to show that 
fragments of the source code are on the disk that you have.

>>
>> Honestly, I think that you're going to need to bring in somebody who
>> has more experience than you do at this sort of thing.
>>
>
> That's what my boss said, but another manager-type in my department
> assured the lawyers and law enforcement that we could do whatever they
> wanted before my boss even knew about the case or the work needed.

Ah, the real world...

Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

[DePriest, J. R. <jrd...@gm...>]

On 11/19/06, Simson Garfinkel  wrote:
>
> On Nov 19, 2006, at 6:00 PM, DePriest, Jason R. wrote:
>
> >
> > I have been told by my boss that the lawyers say the FBI found
> > evidence of file deletion on the drive.
>
> That's a weird statement. What does it mean? That files were deleted?
> That files relevant to the case were deleted?

The statement is that relevant files were deleted and that there is
evidence of this on the drive I am looking at.

The lawyer does not want to give us too many details.  She thinks it
will damage our impartiality.
What I have been told: source code files were copied from a remote
site to the server this drive was on.
The source code was sent to various other 3rd parties.
The source code was deleted from the server.

I have been asked: prove it or disprove it.

Any other questions about what the code was for or what language it
was in or where it was copied from or where it was sent to have met
with no answers.

>
> >
> > My question is this: how can such evidence be found when the file
> > system is not mountable?  If there is not a recognized file system to
> > provide the references and pointers to files and file names, how can
> > you know what was deleted and what was still a file?
>
> Depends on what the file system is. If it is FAT32, then the first
> character of filenames will be changed when they are deleted. You
> might recover directory entries even if the file system is not
> recoverable.
>
> Or do they mean that they think there has been intentional running of
> a sanitization tool?

This was not clarified.
The only person I get information from is my manager who gets
information from the lawyer.

>
> >
> > I see large sections of the disk that are just 0x00, but that is
> > normal for areas that have never been written to.
>
> It's also normal for areas that have 0x00s in them.  You will find a
> lot of them in file systems.
> >
> > Other areas have suspicious patterns such as 00 01 02 03 04 05 06 07
> > 08 09 0a 0b 0c 0d 0e 0f 00, etc.  I honestly don't know what would
> > cause that naturally.
>
> TIFF files. Data. Who knows?
>
> >
> > But since I cannot mount the drive and look at the file system
> > directly, I can only make inferences.
> >
> > I imagine the disk was inside a Windows server, so the original file
> > system was likely NTFS.
>
> Why do you imagine this?
>

This is from a company server and 95% of our servers run a Windows OS.

> >
> > Is there anyway I can force any of the sleuthkit tools to see it as
> > such and extract a real file list from it?
> >
> > Or am I completely out of luck?  I cannot search for file names,
> > only strings.
> >
> > What would be the best way to search for the MFT by strings alone?
>
> Honestly, I think that you're going to need to bring in somebody who
> has more experience than you do at this sort of thing.
>

That's what my boss said, but another manager-type in my department
assured the lawyers and law enforcement that we could do whatever they
wanted before my boss even knew about the case or the work needed.


-Jason

-- 
+ + + NO CARRIER

Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

[Simson G. <si...@ac...>]

On Nov 19, 2006, at 6:00 PM, DePriest, Jason R. wrote:

>
> I have been told by my boss that the lawyers say the FBI found
> evidence of file deletion on the drive.

That's a weird statement. What does it mean? That files were deleted?  
That files relevant to the case were deleted?

>
> My question is this: how can such evidence be found when the file
> system is not mountable?  If there is not a recognized file system to
> provide the references and pointers to files and file names, how can
> you know what was deleted and what was still a file?

Depends on what the file system is. If it is FAT32, then the first  
character of filenames will be changed when they are deleted. You  
might recover directory entries even if the file system is not  
recoverable.

Or do they mean that they think there has been intentional running of  
a sanitization tool?

>
> I see large sections of the disk that are just 0x00, but that is
> normal for areas that have never been written to.

It's also normal for areas that have 0x00s in them.  You will find a  
lot of them in file systems.
>
> Other areas have suspicious patterns such as 00 01 02 03 04 05 06 07
> 08 09 0a 0b 0c 0d 0e 0f 00, etc.  I honestly don't know what would
> cause that naturally.

TIFF files. Data. Who knows?

>
> But since I cannot mount the drive and look at the file system
> directly, I can only make inferences.
>
> I imagine the disk was inside a Windows server, so the original file
> system was likely NTFS.

Why do you imagine this?

>
> Is there anyway I can force any of the sleuthkit tools to see it as
> such and extract a real file list from it?
>
> Or am I completely out of luck?  I cannot search for file names,  
> only strings.
>
> What would be the best way to search for the MFT by strings alone?

Honestly, I think that you're going to need to bring in somebody who  
has more experience than you do at this sort of thing.

Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

[DePriest, J. R. <jrd...@gm...>]

On 11/15/06, Simson Garfinkel  wrote:
> >
> > So I am extracting strings from the partition labeled 'Hibernation'
> > and hopefully that will be good enough.
> >
> Why are you extracting from the Hibernation partition and not from
> the entire physical device?
>

Oversight.  I have extracted the entire thing.

I have been told by my boss that the lawyers say the FBI found
evidence of file deletion on the drive.

My question is this: how can such evidence be found when the file
system is not mountable?  If there is not a recognized file system to
provide the references and pointers to files and file names, how can
you know what was deleted and what was still a file?

I see large sections of the disk that are just 0x00, but that is
normal for areas that have never been written to.

Other areas have suspicious patterns such as 00 01 02 03 04 05 06 07
08 09 0a 0b 0c 0d 0e 0f 00, etc.  I honestly don't know what would
cause that naturally.

But since I cannot mount the drive and look at the file system
directly, I can only make inferences.

I imagine the disk was inside a Windows server, so the original file
system was likely NTFS.

Is there anyway I can force any of the sleuthkit tools to see it as
such and extract a real file list from it?

Or am I completely out of luck?  I cannot search for file names, only strings.

What would be the best way to search for the MFT by strings alone?

-Jason

-- 
+ + + NO CARRIER

Re: [sleuthkit-users] Problems with Sorter

[Brent K. <bre...@gm...>]

Thanks for the email.

No, I'm not receiving any message about OpenSSL.

The only message returned is "incorrect file system type" reported back.

Below is the output after I put some print statements into the Perl code to
debug (the modified code is below the output).

Everything seems fine, but the $out variable is empty after execution of the
fsstat command.  Here's the code that feeds $out:

my $out = `\"$SK_FSSTAT\" $IMGTYPE -o $IMGOFF $FSTYPE -t $IMG`;

What is strange is that, when I manually run the exact same command
parameters in Cygwin with "fsstat", I get back the string "ntfs", which is
what I presume sorter wants to see.

I cannot determine why $out is not being populated with "ntfs".

Any ideas?

[output of modified code]

$ sorter -d / -f ntfs -i raw /usr/local/evidence/analysis.dd
SK_DIR:  /usr/local/sleuthkit-2.06/
BIN_DIR:  /usr/local/sleuthkit-2.06//bin/
sk_fsstat: /usr/local/sleuthkit- 2.06//bin/fsstat
IMGTYPE:  -i raw
IMGOFF:  0
FSTYPE:  -f ntfs
IMG:   "/usr/local/evidence/analysis.dd"
command:   /usr/local/sleuthkit-2.06//bin/fsstat -i raw -o 0 -f ntfs -t
"/usr/local/evidence/analysis.dd"
Command Result:
Incorrect file system type (-f ntfs)

[modified code]

else {
        print "SK_DIR:  $SK_DIR\n";
        print "BIN_DIR:  $BIN_DIR\n";
        print "sk_fsstat: $SK_FSSTAT\n";
        print "IMGTYPE:  $IMGTYPE\n";
        print "IMGOFF:  $IMGOFF\n";
        print "FSTYPE:  $FSTYPE\n";
        print "IMG:  $IMG\n";
        my $command = "\ $SK_FSSTAT\ $IMGTYPE -o $IMGOFF $FSTYPE -t $IMG";
        print "command:  $command\n";
    my $out = `\"$SK_FSSTAT\" $IMGTYPE -o $IMGOFF $FSTYPE -t $IMG`;
    print "Command Result: $out\n";
    unless ($out =~ /^([\w\d\-]+)$/) {
        print "Incorrect file system type ($FSTYPE)\n";
        exit(1);
    }
    }

On 11/17/06, Brian Carrier <ca...@sl...> wrote:
>
> Are you getting a dialog box about not being able to find the OpenSSL
> dlls?  When I just did a similar test, that is what I got and then got
> the same error.  The problem is that sorter clears the PATH, but Cygwin
> needs to find the OpenSSL dlls for AFFLib.  The quick fix is to edit
> bin/sorter and comment out line 21 (add a #):
>
> #$ENV{PATH} = '';
>
> brian
>
>
> Brent Kidwell wrote:
> > I have a dd image of an NTFS disk.  I'm using the most recent build of
> > TSK under Cygwin on a XP machine.
> >
> > When I run sorter on the dd image and specify "-f ntfs", I get back an
> > error message "Incorrect file system type (-f ntfs)".
> >
> > Running fsstat on the same dd image returns recognition that this image
> > is indeed an NTFS file system.
> >
> > Any suggestions?
> >
> > For reference, here is the complete sorter command I am running:
> >
> >  >> sorter -d c:\\output -h -s -n /usr/local/nsrl/NSRLFile.txt -m "E:/"
> > -f ntfs -i raw /usr/local/images/analysis.dd
> >
> > By the way, from within Autopsy the same error is generated.
> >
> > Many thanks.
> >
> > Brent
> >
> >
> > ------------------------------------------------------------------------
> >
> >
> -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share
> your
> > opinions on IT & business topics through brief surveys - and earn cash
> >
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
>

Re: [sleuthkit-users] Problems with Sorter

[Simson L. G. <si...@ac...>]

Since the only OpenSSL function that AFF currently uses are MD5 and SHA-1, 
should I just embed my own implementations  of those?

----- Original Message ----- 
From: "Brian Carrier" <ca...@sl...>
To: "Brent Kidwell" <bre...@gm...>
Cc: <sle...@li...>
Sent: Friday, November 17, 2006 5:00 PM
Subject: Re: [sleuthkit-users] Problems with Sorter


> Are you getting a dialog box about not being able to find the OpenSSL
> dlls?  When I just did a similar test, that is what I got and then got
> the same error.  The problem is that sorter clears the PATH, but Cygwin
> needs to find the OpenSSL dlls for AFFLib.  The quick fix is to edit
> bin/sorter and comment out line 21 (add a #):
>
> #$ENV{PATH} = '';
>
> brian
>
>
> Brent Kidwell wrote:
>> I have a dd image of an NTFS disk.  I'm using the most recent build of
>> TSK under Cygwin on a XP machine.
>>
>> When I run sorter on the dd image and specify "-f ntfs", I get back an
>> error message "Incorrect file system type (-f ntfs)".
>>
>> Running fsstat on the same dd image returns recognition that this image
>> is indeed an NTFS file system.
>>
>> Any suggestions?
>>
>> For reference, here is the complete sorter command I am running:
>>
>>  >> sorter -d c:\\output -h -s -n /usr/local/nsrl/NSRLFile.txt -m "E:/"
>> -f ntfs -i raw /usr/local/images/analysis.dd
>>
>> By the way, from within Autopsy the same error is generated.
>>
>> Many thanks.
>>
>> Brent
>>
>>
>> ------------------------------------------------------------------------
>>
>> -------------------------------------------------------------------------
>> Take Surveys. Earn Cash. Influence the Future of IT
>> Join SourceForge.net's Techsay panel and you'll get the chance to share 
>> your
>> opinions on IT & business topics through brief surveys - and earn cash
>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share 
> your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
> 

Re: [sleuthkit-users] sleuthkit-users Digest, Vol 6, Issue 6

[Melissa R. <mel...@ve...>]

I have a manual if you want it email me 

-----Original Message-----
From: sle...@li...
[mailto:sle...@li...] On Behalf Of
sle...@li...
Sent: Friday, November 17, 2006 3:22 PM
To: sle...@li...
Subject: sleuthkit-users Digest, Vol 6, Issue 6

Send sleuthkit-users mailing list submissions to
	sle...@li...

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
or, via email, send a message with subject or body 'help' to
	sle...@li...

You can reach the person managing the list at
	sle...@li...

When replying, please edit your Subject line so it is more specific than
"Re: Contents of sleuthkit-users digest..."


Today's Topics:

   1. Problems with Sorter (Brent Kidwell)
   2. How to set up the sleuth kit in Linux (=?gb2312?B?zfUg7M8=?=)
   3. Re: How to set up the sleuth kit in Linux (Henrik Kramsh?j)


----------------------------------------------------------------------

Message: 1
Date: Thu, 16 Nov 2006 15:54:33 -0600
From: "Brent Kidwell" <bre...@gm...>
Subject: [sleuthkit-users] Problems with Sorter
To: sle...@li...
Message-ID:
	<87c...@ma...>
Content-Type: text/plain; charset="iso-8859-1"

I have a dd image of an NTFS disk.  I'm using the most recent build of TSK
under Cygwin on a XP machine.

When I run sorter on the dd image and specify "-f ntfs", I get back an error
message "Incorrect file system type (-f ntfs)".

Running fsstat on the same dd image returns recognition that this image is
indeed an NTFS file system.

Any suggestions?

For reference, here is the complete sorter command I am running:

>> sorter -d c:\\output -h -s -n /usr/local/nsrl/NSRLFile.txt -m "E:/" 
>> -f
ntfs -i raw /usr/local/images/analysis.dd

By the way, from within Autopsy the same error is generated.

Many thanks.

Brent
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://sourceforge.net/mailarchive/forum.php?forum=sleuthkit-users/attachmen
ts/20061116/e158f59d/attachment.html 

------------------------------

Message: 2
Date: Fri, 17 Nov 2006 21:33:15 +0800
From: =?gb2312?B?zfUg7M8=?= <por...@ho...>
Subject: [sleuthkit-users] How to set up the sleuth kit in Linux
To: sle...@li...
Message-ID: <BAY...@ph...>
Content-Type: text/plain; charset=gb2312; format=flowed

I know nothing about Linux, but I need to use the sleuth kit and the
autopsy. So I want to know the steps to install these tools in Linux.Thank
you!

_________________________________________________________________
???????????????????????????? MSN Messenger:  http://messenger.msn.com/cn  




------------------------------

Message: 3
Date: Fri, 17 Nov 2006 14:53:01 +0100
From: Henrik Kramsh?j <hl...@kr...>
Subject: Re: [sleuthkit-users] How to set up the sleuth kit in Linux
To: sle...@li...
Message-ID: <91E...@kr...>
Content-Type: text/plain; charset=UTF-8; delsp=yes; format=flowed


On 17/11/2006, at 14.33, ? ? wrote:

> I know nothing about Linux, but I need to use the sleuth kit and the 
> autopsy. So I want to know the steps to install these tools in 
> Linux.Thank you!

I would recommend downloading a boot CD with Linux that has autopsy
preinstalled. You wont get the latest, but you will get an idea of the tools
great potential.

Something like Auditor Security Collection which can be found at:
http://www.remote-exploit.org/index.php/Auditor

They also produce a boot CD called BackTrack, but this one it more bleeding
edge and still has some rough edges.

Using a boot CD you dont need to waiste time doing a lot of downloading,
installing, selecting packages, compiling - but can go right to running nice
applications like autopsy and TASK.

I have used boot CD's on multiple occasion with people without any forensic
and linux skills. Went pretty OK and we played around using stuff like
Honeynet Project Scan of the Month challenges.

You need USB key for data or install the boot CD on a partition if you want
to keep data from "session to session".

Best regards

Henrik

--
Henrik Lund Kramsh?j, cand.scient, CISSP Follower of the Great Way of Unix
e-mail: hl...@se..., tlf: 2026 6000
www.security6.net - IPv6, sikkerhed, netv?rk                       
Overhold netikketten!
http://e-learning.security6.net - gratis kursusmateriale       http:// 
usenet.dk/netikette/






------------------------------

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's
Techsay panel and you'll get the chance to share your opinions on IT &
business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

------------------------------

_______________________________________________
sleuthkit-users mailing list
sle...@li...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users


End of sleuthkit-users Digest, Vol 6, Issue 6
*********************************************

Re: [sleuthkit-users] Problems with Sorter

[Brian C. <ca...@sl...>]

Are you getting a dialog box about not being able to find the OpenSSL 
dlls?  When I just did a similar test, that is what I got and then got 
the same error.  The problem is that sorter clears the PATH, but Cygwin 
needs to find the OpenSSL dlls for AFFLib.  The quick fix is to edit 
bin/sorter and comment out line 21 (add a #):

#$ENV{PATH} = '';

brian


Brent Kidwell wrote:
> I have a dd image of an NTFS disk.  I'm using the most recent build of 
> TSK under Cygwin on a XP machine.
> 
> When I run sorter on the dd image and specify "-f ntfs", I get back an 
> error message "Incorrect file system type (-f ntfs)".
> 
> Running fsstat on the same dd image returns recognition that this image 
> is indeed an NTFS file system.
> 
> Any suggestions?
> 
> For reference, here is the complete sorter command I am running:
> 
>  >> sorter -d c:\\output -h -s -n /usr/local/nsrl/NSRLFile.txt -m "E:/" 
> -f ntfs -i raw /usr/local/images/analysis.dd
> 
> By the way, from within Autopsy the same error is generated.
> 
> Many thanks.
> 
> Brent
> 
> 
> ------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

Re: [sleuthkit-users] How to set up the sleuth kit in Linux

[<hl...@kr...>]

On 17/11/2006, at 14.33, =E7=8E=8B =E7=85=9C wrote:

> I know nothing about Linux, but I need to use the sleuth kit and =20
> the autopsy. So I want to know the steps to install these tools in =20
> Linux.Thank you!

I would recommend downloading a boot CD with Linux that has
autopsy preinstalled. You wont get the latest, but you will get an idea
of the tools great potential.

Something like Auditor Security Collection which can be found at:
http://www.remote-exploit.org/index.php/Auditor

They also produce a boot CD called BackTrack, but this one it more =20
bleeding edge
and still has some rough edges.

Using a boot CD you dont need to waiste time doing a lot of downloading,
installing, selecting packages, compiling - but can go right to =20
running nice
applications like autopsy and TASK.

I have used boot CD's on multiple occasion with people without
any forensic and linux skills. Went pretty OK and we played around
using stuff like Honeynet Project Scan of the Month challenges.

You need USB key for data or install the boot CD on a partition
if you want to keep data from "session to session".

Best regards

Henrik

--
Henrik Lund Kramsh=C3=B8j, cand.scient, CISSP Follower of the Great Way =
of =20
Unix
e-mail: hl...@se..., tlf: 2026 6000
www.security6.net - IPv6, sikkerhed, netv=C3=A6rk                      =20=

Overhold netikketten!
http://e-learning.security6.net - gratis kursusmateriale       http://=20=

usenet.dk/netikette/

[sleuthkit-users] How to set up the sleuth kit in Linux

[<por...@ho...>]

I know nothing about Linux, but I need to use the sleuth kit and the 
autopsy. So I want to know the steps to install these tools in Linux.Thank 
you!

_________________________________________________________________
与联机的朋友进行交流，请使用 MSN Messenger:  http://messenger.msn.com/cn  

[sleuthkit-users] Problems with Sorter

[Brent K. <bre...@gm...>]

I have a dd image of an NTFS disk.  I'm using the most recent build of TSK
under Cygwin on a XP machine.

When I run sorter on the dd image and specify "-f ntfs", I get back an error
message "Incorrect file system type (-f ntfs)".

Running fsstat on the same dd image returns recognition that this image is
indeed an NTFS file system.

Any suggestions?

For reference, here is the complete sorter command I am running:

>> sorter -d c:\\output -h -s -n /usr/local/nsrl/NSRLFile.txt -m "E:/" -f
ntfs -i raw /usr/local/images/analysis.dd

By the way, from within Autopsy the same error is generated.

Many thanks.

Brent

Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

[Simson G. <si...@ac...>]

>
> So I am extracting strings from the partition labeled 'Hibernation'
> and hopefully that will be good enough.
>
Why are you extracting from the Hibernation partition and not from  
the entire physical device?

Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

[DePriest, J. R. <jrd...@gm...>]

The SCSI drive produces this output:
A70067@ebizsrvb /sleuthkit/sleuthkit/bin
$ ./img_stat -i raw -v /dev/sdd
img_open: Type: raw   NumImg: 1  Img1: /dev/sdd
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw

Size in bytes: 18209320960
A70067@ebizsrvb /sleuthkit/sleuthkit/bin
$ ./mmls -t dos -i raw -v /dev/sdd
img_open: Type: raw   NumImg: 1  Img1: /dev/sdd
dos_load_prim: Table Sector: 0
raw_read_random: byte offset: 0 len: 512
load_pri:0:0    Start: 0   Size: 0  Type: 0
load_pri:0:1    Start: 0   Size: 0  Type: 0
load_pri:0:2    Start: 63   Size: 16002  Type: 18
load_pri:0:3    Start: 0   Size: 0  Type: 0
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:02   0000000063   0000016064   0000016002   Hibernation (0x12)
03:  -----   0000016065   0035565079   0035549015   Unallocated
A70067@ebizsrvb /sleuthkit/sleuthkit/bin

dls and ils produce identical errors:
img_open: Type: raw   NumImg: 1  Img1: /dev/sdd
fsopen: Auto detection mode at offset 0
raw_read_random: byte offset: 0 len: 512
raw_read_random: byte offset: 0 len: 512
raw_read_random: byte offset: 1024 len: 1024
raw_read_random: byte offset: 65536 len: 1536
raw_read_random: byte offset: 262144 len: 1536
raw_read_random: byte offset: 8192 len: 1536
iso9660_open img_info: 268566976 ftype: 112 test: 1
raw_read_random: byte offset: 32768 len: 7
get_vol_desc Bad volume descriptor:                              Magic
number is not CD001Cannot determine file system type

So I am extracting strings from the partition labeled 'Hibernation'
and hopefully that will be good enough.

Any other ideas?

-Jason

-- 
+ + + NO CARRIER

Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

[DePriest, J. R. <jrd...@gm...>]

The RAID drive is a SCSI drive pulled from a Compaq server (it's
product number has a -002 at the end, not sure what that means) and I
do not have a piece of write-blocking hardware for SCSI.

I've ordered it to be overnighted, so hopefully tomorrow I can start
providing some information about what shows up on the drive.

In the mean-time, I am examining a more common IDE drive that was also
sent.  I already have an IDE write-blocker.

-Jason

-- 
+ + + NO CARRIER

Re: [sleuthkit-users] Re LVM drives

[Mark W. J. <ma...@gm...>]

On 11/12/06, computer-cop <dep...@fc...> wrote:
> any one have experience using Autopsy on a LVM Drive

computer-cop,

I haven't had to use Autopsy to analyze an LVM drive, yet.  But, I do
have lots of experience with LVM in general.  I've done much work in
recovering bad LVM sets.

Specifically, what are you having trouble with?  Hopefully, I can help.

MJ

[sleuthkit-users] Re LVM drives

[computer-cop <dep...@fc...>]

any one have experience using Autopsy on a LVM Drive 



Det Shlomo Koenig CFE SCERS CFCE EnCE CISSP CEH MCP LPI NETWORK+, SECURITY+, A +   CCCI CCFT
Rockland County Sheriff Dept Computer Crimes Task Force
USSS Ny Electronic Crimes Task Force Member
Tel 845-638-5415
Fax 845-578-4025

Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

[DePriest, J. R. <jrd...@gm...>]

> Neat idea, but don't know if the court would go for yoyr cryptanalysis. ...
>  And one would need to show that not other interpretation was possible...
> >
> >Just depends on how hard you're willing to work for it and whether or
> >not you can convince a court that the information really is there.
> >
> >Or maybe I'm being daft.
> >
> >- Colby

Two other parties have forensic images of the hard disk drive so
anything I do they can recreate and hopefully have the same results.
I am keeping detailed notes which is why I am not starting until
Monday.  The work day is almost over here (20 more minutes), so I
don't want to be in the middle of something and skip any
documentation.  I need plenty of time to keep track of what I am
doing.

I will happily post what my luck is.

I actually have the FedEx box at my desk and I've signed the Chain of
Custody form so it is in my possession until I'm done with it.

It is very tempting to rip it open and dive in, but I have so far
resisted the urge.

-Jason

--

Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

[Simson L. Garfinkel's T. 7. <si...@ac...>]

>I also pointed out in a private e-mail that perhaps you could get  
>information
>off of the parity drive if you already knew the text you were looking  
>for
>and approached the problem from the angle of retrieving a key  
>(missing info)
>when you already have the known text (keyword(s)) and the crypt text
>(parity info) available.


Neat idea, but don't know if the court would go for yoyr cryptanalysis. ... 
 And one would need to show that not other interpretation was possible...
>
>Just depends on how hard you're willing to work for it and whether or
>not you can convince a court that the information really is there.
>
>Or maybe I'm being daft.
>
>- Colby
>