sleuthkit-users Mailing List for The Sleuth Kit (Page 169)
Brought to you by: carrier
From: John T. H. <joh...@gm...> - 2006-04-06 16:28:44

Is anyone on this list aware of an open source indexing search engine? I'm
looking for something along the lines of dtSearch (which is what FTK's
indexed search is derived from) that I can use to generate an index of case
files, and then perform string queries at a much faster pace than if each
query has to read through the entirety of the evidence files.

Thanks.

--
John T. Hoffoss
From: Mario de F. D. <ma...@ca...> - 2006-04-06 08:38:49

Hi everyone!

I'm new in this list and a n00b using forensics tools and making forensics
analysis. I hope that I learn a lot in this list!

My question is: I have a deleted file whose inode had been reallocated, but
with the istat command I only obtain the following information:

Inode Times:
Accessed:       Tue Mar 21 00:00:15 2006
File Modified:  Mon Mar 20 12:08:04 2006
Inode Modified: Mon Mar 20 12:08:04 2006

In other unallocated inodes I have the following information:

Inode Times:
Accessed:       Wed Feb  8 00:00:15 2006
File Modified:  Thu Feb 16 18:41:37 2006
Inode Modified: Thu Feb 16 18:41:37 2006
Deleted:        Thu Feb 16 18:41:37 2006

How can I obtain the "deleted" info in the first inode?

Thank you and sorry for my "bad english"
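The two istat listings in the message above differ only in the "Deleted:" line. The following Python is an added example written for this page, not Sleuth Kit code: it builds two constructed ext2/ext3 inodes carrying the timestamps from the post, parses the on-disk fields istat reads (i_atime, i_ctime, i_mtime, i_dtime) together with the group's inode bitmap, and renders the time section the way istat does, emitting "Deleted:" only when i_dtime is non-zero. That is the mechanism behind the missing line: ext2/ext3 keep a single i_dtime per inode, set when the inode is freed and zeroed again when the inode is handed to a new file, so once an inode has been reallocated the earlier deletion time is no longer present in the inode itself. The inode numbers (12 and 13), the bitmap and the sizes are constructed; times are rendered in UTC so the output is stable.

```python
import calendar
import struct
import time

INODE_SIZE = 128  # classic ext2/ext3 on-disk inode
# Leading fields of the on-disk inode, little-endian: i_mode, i_uid, i_size,
# i_atime, i_ctime, i_mtime, i_dtime, i_gid, i_links_count.
HEAD_FMT = "<HHIIIIIHH"


def utc(y, mo, d, h, mi, s):
    """Epoch seconds for a UTC timestamp (constructed sample times below)."""
    return calendar.timegm((y, mo, d, h, mi, s, 0, 0, 0))


def build_inode(mode, size, atime, ctime, mtime, dtime, links):
    """Constructed inode: only the leading fields are filled, enough for the time section."""
    raw = bytearray(INODE_SIZE)
    struct.pack_into(HEAD_FMT, raw, 0, mode, 0, size, atime, ctime, mtime, dtime, 0, links)
    return bytes(raw)


def parse_inode(raw):
    mode, _uid, size, atime, ctime, mtime, dtime, _gid, links = struct.unpack_from(HEAD_FMT, raw, 0)
    return {"mode": mode, "size": size, "atime": atime, "ctime": ctime,
            "mtime": mtime, "dtime": dtime, "links": links}


def is_allocated(inode_bitmap, inode_num):
    """ext2 inode bitmap: bit (n-1) of the group's bitmap, LSB first; inode numbers start at 1."""
    idx = inode_num - 1
    return bool((inode_bitmap[idx // 8] >> (idx % 8)) & 1)


def ctime_str(ts):
    return time.asctime(time.gmtime(ts))


def istat_report(inode_num, raw, inode_bitmap):
    """Render the istat fields the post shows. 'Deleted:' is printed only when i_dtime is
    non-zero, which is why a reallocated inode shows no deletion time."""
    ino = parse_inode(raw)
    lines = [f"inode: {inode_num}",
             "Allocated" if is_allocated(inode_bitmap, inode_num) else "Not Allocated",
             f"size: {ino['size']}", f"num of links: {ino['links']}", "",
             "Inode Times:",
             f"Accessed:\t{ctime_str(ino['atime'])}",
             f"File Modified:\t{ctime_str(ino['mtime'])}",
             f"Inode Modified:\t{ctime_str(ino['ctime'])}"]
    if ino["dtime"]:
        lines.append(f"Deleted:\t{ctime_str(ino['dtime'])}")
    return lines


# Constructed group inode bitmap: inode 12 allocated (bit 11 set), inode 13 free.
BITMAP = bytes([0x00, 0x08]) + bytes(30)

# Inode 12: freed earlier, then given to a new file; i_dtime was cleared on reallocation.
REUSED = build_inode(0o100644, 4096, utc(2006, 3, 21, 0, 0, 15),
                     utc(2006, 3, 20, 12, 8, 4), utc(2006, 3, 20, 12, 8, 4), 0, 1)
# Inode 13: freed and still unallocated; i_dtime records the deletion.
FREED = build_inode(0o100644, 0, utc(2006, 2, 8, 0, 0, 15),
                    utc(2006, 2, 16, 18, 41, 37), utc(2006, 2, 16, 18, 41, 37),
                    utc(2006, 2, 16, 18, 41, 37), 0)

if __name__ == "__main__":
    for num, raw in ((12, REUSED), (13, FREED)):
        print("\n".join(istat_report(num, raw, BITMAP)), end="\n\n")
```

Running the block prints the reallocated inode as "Allocated" with three timestamps and the freed inode as "Not Allocated" with the fourth "Deleted:" line, the same shape as the two listings in the post.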
From: <gim...@we...> - 2006-03-29 14:38:14

On Tue, 28 Mar 2006 16:00:22 -0500
Carlton Foster <c.a...@la...> wrote:

> mmls -V
> The Sleuthkit ver 2.01
>
> mmls -t dos -i raw <host>.img
> mmls: Invalid extended partition table magic in sector 18201645
>
> file <host>.img
> <host>.img: x86 boot sector
>
> fdisk -lu <host>.img
> You must set cylinders.
> You can do this from the extra functions menu.
> Warning: ignoring extra data in partition table 5
> Warning: ignoring extra data in partition table 5
> Warning: ignoring extra data in partition table 5
> Warning: invalid flag 0xffffd366 of partition table 5 will be
> corrected by w(rite)
>
> Disk <host>.img: 0 MB, 0 bytes
> 255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
> Units = sectors of 1 * 512 = 512 bytes
>
> Device Boot Start End Blocks Id System
> 54_21.img1 * 63 18201644 9100791 7 HPFS/NTFS
> Partition 1 has different physical/logical endings:
> phys=(1023, 254, 63) logical=(1132, 254, 63)
> 54_21.img2 18201645 58605119 20201737+ f W95 Ext'd (LBA)
> Partition 2 has different physical/logical beginnings (non-Linux?):
> phys=(1023, 0, 1) logical=(1133, 0, 1)
> Partition 2 has different physical/logical endings:
> phys=(1023, 254, 63) logical=(3647, 254, 63)
> 54_21.img5 ? 1358216596 4227304473 1434543939 6b Unknown
> You must set cylinders.

What would be the result of setting the logical geometry to (1023, 254, 63)
for partition 1? Something you might try out.
From: Carlton F. <c.a...@la...> - 2006-03-28 21:01:00
mmls -V
The Sleuthkit ver 2.01
mmls -t dos -i raw <host>.img
mmls: Invalid extended partition table magic in sector 18201645
file <host>.img
<host>.img: x86 boot sector
fdisk -lu <host>.img
You must set cylinders.
You can do this from the extra functions menu.
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: invalid flag 0xffffd366 of partition table 5 will be
corrected by w(rite)
Disk <host>.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
54_21.img1 * 63 18201644 9100791 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(1132, 254, 63)
54_21.img2 18201645 58605119 20201737+ f W95 Ext'd (LBA)
Partition 2 has different physical/logical beginnings (non-Linux?):
phys=(1023, 0, 1) logical=(1133, 0, 1)
Partition 2 has different physical/logical endings:
phys=(1023, 254, 63) logical=(3647, 254, 63)
54_21.img5 ? 1358216596 4227304473 1434543939 6b Unknown
You must set cylinders.
You can do this from the extra functions menu.
At 2:29 PM +0100 3/28/06, Angus Marshall wrote:
>The physical/logical issue sounds fairly typical of a lot of disks that I've
>examined.
>
>Could you post the results from sleuthkit's "mmls -t dos -i raw
><imagefile>" here ?
>
>We might be able to give some more specific help.
>
>On Tue Mar 28 14:00 , gim...@we... sent:
>
>>On Mon, 27 Mar 2006 10:14:23 -0500
>>Carlton Foster <c.a...@LA...> wrote:
>>
>>> I was asked to create an image of a system a couple of weeks ago but
>>> told not to investigate it. I used dcfldd over netcat on a crossover
>>> cable to image the system. I created MD5's of the source and image,
>>> and both matched.
>>>
>>> I did a physical image, not logical.
>>>
>>> Today, I have been asked to investigate the image. However, the
>>> partition table appears bad.
>>>
>>> I am getting warnings from fdisk saying Partition 1 has different
>>> logical/physical endings. Then Partition 2 has different beginnings
>>> and endings. I can't figure out how to get the logical images
>>> extracted, and we no longer have access to the source system.
>>>
>>> Can anyone provide any help?
>>> --
>>
>>Try out this one: http://www.cgsecurity.org/wiki/TestDisk
>>
>>From the summary:
>>
>>"If you have missing partitions or a completely empty Partition Table,
>>TestDisk can search for partitions and create a new Table or even a new
>>MBR if necessary."
>>
>>regards
>>
>>
>
>
>
--
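The "Invalid extended partition table magic" error from mmls and the "different physical/logical endings" warnings from fdisk in the output above both come from the DOS partition table layout. The following Python is an added example written for this page, not Sleuth Kit or fdisk code. It builds a constructed sparse image whose MBR carries the two entries from the posted fdisk output (NTFS at 63..18201644, extended at 18201645..58605119, 255 heads and 63 sectors per track), places at the start of the extended partition an EBR whose 0x55AA signature has been zeroed, walks the extended chain the way mmls -t dos does and reports the failing sector, and recomputes each entry's logical CHS ending from its LBA ending. That last step shows why fdisk warns on a healthy disk as well: the 3-byte CHS field holds only 10 cylinder bits, so any ending beyond cylinder 1023 is stored as 1023 while the LBA fields stay exact. The damaged EBR and the sparse image are constructed; the sector numbers and geometry are taken from the post.

```python
import struct

SECTOR = 512
HEADS, SPT = 255, 63                 # geometry fdisk reported for the posted image
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # DOS extended-partition type codes
MAGIC = b"\x55\xAA"

def lba_to_chs(lba):
    """Logical CHS of an LBA under HEADS/SPT geometry (sector numbers start at 1)."""
    cyl, rem = divmod(lba, HEADS * SPT)
    head, sec = divmod(rem, SPT)
    return cyl, head, sec + 1

def chs_pack(cyl, head, sec):
    """3-byte CHS field: 8 head bits, 6 sector bits, 10 cylinder bits, so 1023 is the cap."""
    cyl = min(cyl, 1023)
    return bytes([head, ((cyl >> 8) << 6) | (sec & 0x3F), cyl & 0xFF])

def chs_unpack(raw):
    return ((raw[1] >> 6) << 8) | raw[2], raw[0], raw[1] & 0x3F

def make_entry(boot, ptype, start, count):
    """16-byte table entry whose CHS fields are derived from its LBA fields."""
    return (bytes([boot]) + chs_pack(*lba_to_chs(start)) + bytes([ptype])
            + chs_pack(*lba_to_chs(start + count - 1)) + struct.pack("<II", start, count))

def make_table(entries, magic=MAGIC):
    sec = bytearray(SECTOR)
    for i, e in enumerate(entries):
        sec[446 + 16 * i:462 + 16 * i] = e
    sec[510:512] = magic
    return bytes(sec)

def parse_entries(sec):
    """The four 16-byte entries at offset 446; empty (type 0) slots are skipped."""
    out = []
    for i in range(4):
        raw = sec[446 + 16 * i:462 + 16 * i]
        if raw[4] == 0:
            continue
        start, count = struct.unpack("<II", raw[8:16])
        out.append({"boot": raw[0], "type": raw[4], "start": start, "count": count,
                    "chs_end_stored": chs_unpack(raw[5:8])})
    return out

def walk_dos_table(read_sector):
    """Read the MBR, then follow each extended entry's EBR chain (what mmls -t dos does).
    A bad EBR signature ends that chain with an error but keeps everything found so far."""
    parts, errors = [], []
    mbr = read_sector(0)
    if mbr is None or mbr[510:512] != MAGIC:
        return parts, ["Invalid MBR magic in sector 0"]
    for e in parse_entries(mbr):
        parts.append(dict(e, table="primary"))
        if e["type"] not in EXTENDED_TYPES:
            continue
        ext_base = cur = e["start"]
        while True:
            ebr = read_sector(cur)
            if ebr is None or ebr[510:512] != MAGIC:
                errors.append(f"Invalid extended partition table magic in sector {cur}")
                break
            es = parse_entries(ebr)
            if not es:
                break
            # entry 0: the logical volume, relative to this EBR; entry 1: next EBR, relative to ext_base
            parts.append(dict(es[0], start=cur + es[0]["start"], table="logical"))
            if len(es) < 2 or es[1]["type"] not in EXTENDED_TYPES:
                break
            cur = ext_base + es[1]["start"]
    return parts, errors

def geometry_warnings(parts):
    """fdisk's 'different physical/logical endings' test: stored CHS end vs CHS from the LBA end."""
    warns = []
    for p in parts:
        logical = lba_to_chs(p["start"] + p["count"] - 1)
        if logical != p["chs_end_stored"]:
            warns.append((p["start"], p["chs_end_stored"], logical))
    return warns

# Constructed sparse image: the two MBR entries from the posted fdisk output, plus an EBR at the
# start of the extended partition whose 0x55AA signature has been zeroed (what mmls reported).
P1_START, P1_END = 63, 18201644
P2_START, P2_END = 18201645, 58605119
IMAGE = {
    0: make_table([make_entry(0x80, 0x07, P1_START, P1_END - P1_START + 1),
                   make_entry(0x00, 0x0F, P2_START, P2_END - P2_START + 1)]),
    P2_START: make_table([make_entry(0x00, 0x07, 63, 4096)], magic=b"\x00\x00"),
}

def analyse(read_sector=IMAGE.get):
    parts, errors = walk_dos_table(read_sector)
    return parts, errors, geometry_warnings(parts)

if __name__ == "__main__":
    parts, errors, warns = analyse()
    for p in parts:
        print(f"{p['table']:8} type 0x{p['type']:02x} start {p['start']:>9} sectors {p['count']:>9}")
    print(*errors, *(f"entry at {s}: stored CHS end {st} != logical {lg}" for s, st, lg in warns), sep="\n")
```

The walk reproduces the posted situation: the two primary entries are recovered intact, the chain stops at sector 18201645 with the same error text mmls printed, and both entries trigger the CHS warning because their logical endings (1132 and 3647 cylinders) exceed what the CHS field can hold. For an examiner the useful consequence is that the primary entries' LBA start and length are unaffected by either problem, so the NTFS volume at sector 63 can still be located from the MBR even when the extended chain cannot be followed.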
From: Angus M. <an...@n-...> - 2006-03-28 13:16:07

The physical/logical issue sounds fairly typical of a lot of disks that I've
examined.

Could you post the results from sleuthkit's "mmls -t dos -i raw
<imagefile>" here ?

We might be able to give some more specific help.

On Tue Mar 28 14:00 , gim...@we... sent:
>On Mon, 27 Mar 2006 10:14:23 -0500
>Carlton Foster <c.a...@LA...> wrote:
>
>> I was asked to create an image of a system a couple of weeks ago but
>> told not to investigate it. I used dcfldd over netcat on a crossover
>> cable to image the system. I created MD5's of the source and image,
>> and both matched.
>>
>> I did a physical image, not logical.
>>
>> Today, I have been asked to investigate the image. However, the
>> partition table appears bad.
>>
>> I am getting warnings from fdisk saying Partition 1 has different
>> logical/physical endings. Then Partition 2 has different beginnings
>> and endings. I can't figure out how to get the logical images
>> extracted, and we no longer have access to the source system.
>>
>> Can anyone provide any help?
>> --
>
>Try out this one: http://www.cgsecurity.org/wiki/TestDisk
>
>From the summary:
>
>"If you have missing partitions or a completely empty Partition Table,
>TestDisk can search for partitions and create a new Table or even a new
>MBR if necessary."
>
>regards
From: <gim...@we...> - 2006-03-28 13:00:46

On Mon, 27 Mar 2006 10:14:23 -0500
Carlton Foster <c.a...@LA...> wrote:

> I was asked to create an image of a system a couple of weeks ago but
> told not to investigate it. I used dcfldd over netcat on a crossover
> cable to image the system. I created MD5's of the source and image,
> and both matched.
>
> I did a physical image, not logical.
>
> Today, I have been asked to investigate the image. However, the
> partition table appears bad.
>
> I am getting warnings from fdisk saying Partition 1 has different
> logical/physical endings. Then Partition 2 has different beginnings
> and endings. I can't figure out how to get the logical images
> extracted, and we no longer have access to the source system.
>
> Can anyone provide any help?
> --

Try out this one: http://www.cgsecurity.org/wiki/TestDisk

From the summary:

"If you have missing partitions or a completely empty Partition Table,
TestDisk can search for partitions and create a new Table or even a new
MBR if necessary."

regards
From: Carlton F. <c.a...@LA...> - 2006-03-27 15:14:34

I was asked to create an image of a system a couple of weeks ago but
told not to investigate it. I used dcfldd over netcat on a crossover
cable to image the system. I created MD5's of the source and image,
and both matched.

I did a physical image, not logical.

Today, I have been asked to investigate the image. However, the
partition table appears bad.

I am getting warnings from fdisk saying Partition 1 has different
logical/physical endings. Then Partition 2 has different beginnings
and endings. I can't figure out how to get the logical images
extracted, and we no longer have access to the source system.

Can anyone provide any help?
--
From: DePriest, J. R. <jrd...@gm...> - 2006-03-23 22:52:50

On the laptop I used to use for investigations, I used Firefox. On the
server, I was using IE. That is likely why I had no issues in the past.

I have installed Firefox on the server and will see if my problems go away.

On 3/22/06, DePriest, Jason R. <> wrote:
> I may have found my problem.
>
> After lots of experimenting with shutting down services and moving
> files to different drives, it looks like it was the web browser after
> all.
>
> I have no idea why, but it does "something" every hour that kicks off
> a new set of apps to extract the strings. Maybe if the page being
> displayed doesn't change for an hour, it automatically refreshes it or
> something.
>
> I just closed IE after the extraction started. It has been 1 hour and
> 10 minutes, and I still only have one set of processes and one file of
> extracted strings.
>
> -Jason
>
> On 3/17/06, DePriest, Jason R. <> wrote:
> > It is still creating new files every hour.
> > I will give the details of the environment so you can understand what
> > is going on.
> >
> > I have a Windows 2003 Server with Service Pack 1. This server has two
> > external hard disk drives connected via a FireWire PCI card. One of
> > them is about two years old; it is a Maxtor OneTouch with 300 GB of
> > space. The other is a relatively new La Cie drive with 1 TB of space.
> > I used to do all of my investigations on my laptop with the 300 GB
> > drive. As hard disk drives have gotten larger, I found myself having
> > to leave my laptop cable-locked to my desk overnight and over weekends
> > just to work with the gigantic images.
> > The server was an attempt to let things run as long as they needed to
> > without keeping me from doing other things.
> >
> > The server runs Cygwin which is what I compiled sleuthkit and
> > configured autopsy under. I have to make a slight change to the
> > autopsy launcher to include some paths in the environment, but other
> > than that, I get no errors or problems. I was using the same set up
> > on my laptop for the last two years.
> >
> > I disabled Diskeeper, set exceptions in the anti-virus software for
> > all directories involved, and turned off the ISS server sensor.
> >
> > Every hour after I start a scan, it kicks off new processes (while
> > keeping the old ones running) and starts writing to a new file (while
> > still writing to the old one, as well).
> >
> > I have tried linking to the image as a raw disk image with three
> > volume images, and as a single large partition image.
> >
> > Both lead to the same problem.
> >
> > I am open to suggestions, as I did not have this problem when I was
> > using my laptop as the investigation platform. My laptop is running
> > Windows XP Professional with SP1 and I used a PCMCIA FireWire card.
> > Other than that, the setups are similar. If anything I have more junk
> > software installed on my laptop than I do on the server.
> >
> > On 3/16/06, DePriest, Jason R. <> wrote:
> > > The browser shouldn't be refreshing on its own.
> > >
> > > The hard disk drive image and the sleuthkit evidence locker are on an
> > > external hard disk drive connected via firewire. Is it possible that
> > > there is a latency issue?
> > >
> > > I ask that because the drive is connected to a Windows 2003 Server,
> > > and the server has Diskeeper on it, and Diskeeper was set with its
> > > 'Set it and forget settings' and was trying to defrag the drive at the
> > > same time I was extracting strings.
> > >
> > > The once an hour time frame would fit with Diskeeper being the culprit
> > > as it tries to run approximately every hour.
> > >
> > > The external drive is low on disk space, so I am moving my disk image
> > > files from a 300 GB external drive to a 1 TB external drive and I will
> > > hopefully try the extraction again tomorrow after disabling Diskeeper.
> > >
> > > -Jason
> > >
> > > On 3/16/06, Brian Carrier <> wrote:
> > > > That is strange. It looks like they are starting every hour. Is your
> > > > web browser refreshing somehow and starting a new process. Every time
> > > > the page loads the extraction will start again (kind of like how
> > > > refreshing a web page can cause your credit card to be charged twice).
> > > >
> > > > brian
> > > >
> > > > DePriest, Jason R. wrote:
> > > > > While I am not getting the error with Caseman.pm, I am still having
> > > > > strange issues. It continues to spawn multiple sets of perl, dls, and
> > > > > srch_strings. And it continues to create multiple output files.
> > > > > The extraction I started yesterday is still running and here is what
> > > > > the running programs and file system look like.
> > > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > > A70067@ebizsrvb ~
> > > > > $ ps -s
> > > > > PID TTY STIME COMMAND
> > > > > 300 0 16:56:56 /usr/bin/rxvt
> > > > > 2452 1 16:56:57 /usr/bin/bash
> > > > > 3680 1 17:02:52 /usr/bin/perl
> > > > > 6128 1 17:03:55 /usr/bin/perl
> > > > > 4648 1 17:03:56 /usr/bin/sh
> > > > > 3756 1 17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 4484 1 17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 4772 1 18:03:58 /usr/bin/perl
> > > > > 3064 1 18:04:04 /usr/bin/sh
> > > > > 3304 1 18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 3860 1 18:04:07 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 4844 1 19:04:03 /usr/bin/perl
> > > > > 6036 1 19:04:06 /usr/bin/sh
> > > > > 664 1 19:04:07 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 4984 1 19:04:08 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 5000 1 20:04:08 /usr/bin/perl
> > > > > 2344 1 20:04:16 /usr/bin/sh
> > > > > 5840 1 20:04:17 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 5272 1 20:04:18 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 5548 1 21:04:16 /usr/bin/perl
> > > > > 5480 1 21:04:27 /usr/bin/sh
> > > > > 4656 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 660 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 6136 1 22:04:22 /usr/bin/perl
> > > > > 824 1 22:04:27 /usr/bin/sh
> > > > > 3720 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 1904 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 2360 1 23:04:27 /usr/bin/perl
> > > > > 1484 1 23:04:30 /usr/bin/sh
> > > > > 1296 1 23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 5980 1 23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 5668 1 00:04:28 /usr/bin/perl
> > > > > 420 1 00:04:32 /usr/bin/sh
> > > > > 4572 1 00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 4904 1 00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 4124 1 01:04:29 /usr/bin/perl
> > > > > 4820 1 01:04:35 /usr/bin/sh
> > > > > 3416 1 01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 5924 1 01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 6112 1 02:04:30 /usr/bin/perl
> > > > > 4360 1 02:04:33 /usr/bin/sh
> > > > > 5908 1 02:04:34 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 4796 1 02:04:35 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 5788 1 03:04:32 /usr/bin/perl
> > > > > 6072 1 03:04:34 /usr/bin/sh
> > > > > 4288 1 03:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 5776 1 03:04:36 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 1412 1 04:04:33 /usr/bin/perl
> > > > > 3244 1 04:04:34 /usr/bin/sh
> > > > > 5440 1 04:04:37 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 5208 1 04:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 5536 1 05:04:34 /usr/bin/perl
> > > > > 4512 1 05:04:38 /usr/bin/sh
> > > > > 5180 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 3256 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 5996 1 06:04:37 /usr/bin/perl
> > > > > 4528 1 06:04:38 /usr/bin/sh
> > > > > 4540 1 06:04:40 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 5604 1 06:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 1924 1 07:04:38 /usr/bin/perl
> > > > > 4472 1 07:04:41 /usr/bin/sh
> > > > > 3984 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 5052 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 5828 1 08:04:40 /usr/bin/perl
> > > > > 228 1 08:04:43 /usr/bin/sh
> > > > > 5756 1 08:04:44 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 4160 1 08:04:45 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 5820 1 09:04:42 /usr/bin/perl
> > > > > 2748 1 09:04:43 /usr/bin/sh
> > > > > 5912 1 09:04:45 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 3900 1 09:04:46 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 5560 2 10:00:33 /usr/bin/rxvt
> > > > > 4188 3 10:00:38 /usr/bin/bash
> > > > > 4208 1 10:04:46 /usr/bin/perl
> > > > > 6108 1 10:04:48 /usr/bin/sh
> > > > > 4448 1 10:04:50 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > > 3652 1 10:04:51 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > > 4548 3 10:05:20 /usr/bin/ps
> > > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > > F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output>dir
> > > > > Volume in drive F is Store01
> > > > > Volume Serial Number is E8EA-BBB0
> > > > >
> > > > > Directory of F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output
> > > > >
> > > > > 03/16/2006 10:04 AM <DIR> .
> > > > > 03/16/2006 10:04 AM <DIR> ..
> > > > > 03/15/2006 06:04 PM 1,273,554,944 hdd.raw-0-0-ntfs-1.asc
> > > > > 03/16/2006 03:04 AM 294,304,768 hdd.raw-0-0-ntfs-10.asc
> > > > > 03/16/2006 04:04 AM 228,928,512 hdd.raw-0-0-ntfs-11.asc
> > > > > 03/16/2006 05:04 AM 159,662,080 hdd.raw-0-0-ntfs-12.asc
> > > > > 03/16/2006 06:04 AM 114,588,672 hdd.raw-0-0-ntfs-13.asc
> > > > > 03/16/2006 07:04 AM 1,130,283,008 hdd.raw-0-0-ntfs-14.asc
> > > > > 03/16/2006 08:04 AM 59,233,280 hdd.raw-0-0-ntfs-15.asc
> > > > > 03/16/2006 09:04 AM 9,054,208 hdd.raw-0-0-ntfs-16.asc
> > > > > 03/16/2006 10:04 AM 18,432 hdd.raw-0-0-ntfs-17.asc
> > > > > 03/15/2006 07:04 PM 952,222,720 hdd.raw-0-0-ntfs-2.asc
> > > > > 03/15/2006 08:04 PM 651,894,784 hdd.raw-0-0-ntfs-3.asc
> > > > > 03/15/2006 09:04 PM 10,184,050,688 hdd.raw-0-0-ntfs-4.asc
> > > > > 03/15/2006 10:04 PM 425,999,360 hdd.raw-0-0-ntfs-5.asc
> > > > > 03/15/2006 11:04 PM 393,921,536 hdd.raw-0-0-ntfs-6.asc
> > > > > 03/16/2006 12:04 AM 374,238,208 hdd.raw-0-0-ntfs-7.asc
> > > > > 03/16/2006 01:04 AM 345,949,184 hdd.raw-0-0-ntfs-8.asc
> > > > > 03/16/2006 02:04 AM 323,683,328 hdd.raw-0-0-ntfs-9.asc
> > > > > 03/15/2006 05:03 PM 2,038,089,728 hdd.raw-0-0-ntfs.asc
> > > > > 18 File(s) 18,959,677,440 bytes
> > > > > 2 Dir(s) 71,763,845,120 bytes free
> > > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > >
> > > > > Is this normal, expected behavior?
> > > > >
> > > > > -Jason
From: DePriest, J. R. <jrd...@gm...> - 2006-03-22 22:13:45

I may have found my problem.

After lots of experimenting with shutting down services and moving
files to different drives, it looks like it was the web browser after
all.

I have no idea why, but it does "something" every hour that kicks off
a new set of apps to extract the strings. Maybe if the page being
displayed doesn't change for an hour, it automatically refreshes it or
something.

I just closed IE after the extraction started. It has been 1 hour and
10 minutes, and I still only have one set of processes and one file of
extracted strings.

-Jason

On 3/17/06, DePriest, Jason R. <> wrote:
> It is still creating new files every hour.
> I will give the details of the environment so you can understand what
> is going on.
>
> I have a Windows 2003 Server with Service Pack 1. This server has two
> external hard disk drives connected via a FireWire PCI card. One of
> them is about two years old; it is a Maxtor OneTouch with 300 GB of
> space. The other is a relatively new La Cie drive with 1 TB of space.
> I used to do all of my investigations on my laptop with the 300 GB
> drive. As hard disk drives have gotten larger, I found myself having
> to leave my laptop cable-locked to my desk overnight and over weekends
> just to work with the gigantic images.
> The server was an attempt to let things run as long as they needed to
> without keeping me from doing other things.
>
> The server runs Cygwin which is what I compiled sleuthkit and
> configured autopsy under. I have to make a slight change to the
> autopsy launcher to include some paths in the environment, but other
> than that, I get no errors or problems. I was using the same set up
> on my laptop for the last two years.
>
> I disabled Diskeeper, set exceptions in the anti-virus software for
> all directories involved, and turned off the ISS server sensor.
>
> Every hour after I start a scan, it kicks off new processes (while
> keeping the old ones running) and starts writing to a new file (while
> still writing to the old one, as well).
>
> I have tried linking to the image as a raw disk image with three
> volume images, and as a single large partition image.
>
> Both lead to the same problem.
>
> I am open to suggestions, as I did not have this problem when I was
> using my laptop as the investigation platform. My laptop is running
> Windows XP Professional with SP1 and I used a PCMCIA FireWire card.
> Other than that, the setups are similar. If anything I have more junk
> software installed on my laptop than I do on the server.
>
> On 3/16/06, DePriest, Jason R. <> wrote:
> > The browser shouldn't be refreshing on its own.
> >
> > The hard disk drive image and the sleuthkit evidence locker are on an
> > external hard disk drive connected via firewire. Is it possible that
> > there is a latency issue?
> >
> > I ask that because the drive is connected to a Windows 2003 Server,
> > and the server has Diskeeper on it, and Diskeeper was set with its
> > 'Set it and forget settings' and was trying to defrag the drive at the
> > same time I was extracting strings.
> >
> > The once an hour time frame would fit with Diskeeper being the culprit
> > as it tries to run approximately every hour.
> >
> > The external drive is low on disk space, so I am moving my disk image
> > files from a 300 GB external drive to a 1 TB external drive and I will
> > hopefully try the extraction again tomorrow after disabling Diskeeper.
> >
> > -Jason
> >
> > On 3/16/06, Brian Carrier <> wrote:
> > > That is strange. It looks like they are starting every hour. Is your
> > > web browser refreshing somehow and starting a new process. Every time
> > > the page loads the extraction will start again (kind of like how
> > > refreshing a web page can cause your credit card to be charged twice).
> > >
> > > brian
> > >
> > > DePriest, Jason R. wrote:
> > > > While I am not getting the error with Caseman.pm, I am still having
> > > > strange issues. It continues to spawn multiple sets of perl, dls, and
> > > > srch_strings. And it continues to create multiple output files.
> > > > The extraction I started yesterday is still running and here is what
> > > > the running programs and file system look like.
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > A70067@ebizsrvb ~
> > > > $ ps -s
> > > > PID TTY STIME COMMAND
> > > > 300 0 16:56:56 /usr/bin/rxvt
> > > > 2452 1 16:56:57 /usr/bin/bash
> > > > 3680 1 17:02:52 /usr/bin/perl
> > > > 6128 1 17:03:55 /usr/bin/perl
> > > > 4648 1 17:03:56 /usr/bin/sh
> > > > 3756 1 17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4484 1 17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 4772 1 18:03:58 /usr/bin/perl
> > > > 3064 1 18:04:04 /usr/bin/sh
> > > > 3304 1 18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 3860 1 18:04:07 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 4844 1 19:04:03 /usr/bin/perl
> > > > 6036 1 19:04:06 /usr/bin/sh
> > > > 664 1 19:04:07 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4984 1 19:04:08 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5000 1 20:04:08 /usr/bin/perl
> > > > 2344 1 20:04:16 /usr/bin/sh
> > > > 5840 1 20:04:17 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5272 1 20:04:18 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5548 1 21:04:16 /usr/bin/perl
> > > > 5480 1 21:04:27 /usr/bin/sh
> > > > 4656 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 660 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 6136 1 22:04:22 /usr/bin/perl
> > > > 824 1 22:04:27 /usr/bin/sh
> > > > 3720 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 1904 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 2360 1 23:04:27 /usr/bin/perl
> > > > 1484 1 23:04:30 /usr/bin/sh
> > > > 1296 1 23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5980 1 23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5668 1 00:04:28 /usr/bin/perl
> > > > 420 1 00:04:32 /usr/bin/sh
> > > > 4572 1 00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4904 1 00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 4124 1 01:04:29 /usr/bin/perl
> > > > 4820 1 01:04:35 /usr/bin/sh
> > > > 3416 1 01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5924 1 01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 6112 1 02:04:30 /usr/bin/perl
> > > > 4360 1 02:04:33 /usr/bin/sh
> > > > 5908 1 02:04:34 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4796 1 02:04:35 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5788 1 03:04:32 /usr/bin/perl
> > > > 6072 1 03:04:34 /usr/bin/sh
> > > > 4288 1 03:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5776 1 03:04:36 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 1412 1 04:04:33 /usr/bin/perl
> > > > 3244 1 04:04:34 /usr/bin/sh
> > > > 5440 1 04:04:37 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5208 1 04:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5536 1 05:04:34 /usr/bin/perl
> > > > 4512 1 05:04:38 /usr/bin/sh
> > > > 5180 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 3256 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5996 1 06:04:37 /usr/bin/perl
> > > > 4528 1 06:04:38 /usr/bin/sh
> > > > 4540 1 06:04:40 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5604 1 06:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 1924 1 07:04:38 /usr/bin/perl
> > > > 4472 1 07:04:41 /usr/bin/sh
> > > > 3984 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 5052 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5828 1 08:04:40 /usr/bin/perl
> > > > 228 1 08:04:43 /usr/bin/sh
> > > > 5756 1 08:04:44 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 4160 1 08:04:45 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5820 1 09:04:42 /usr/bin/perl
> > > > 2748 1 09:04:43 /usr/bin/sh
> > > > 5912 1 09:04:45 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 3900 1 09:04:46 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 5560 2 10:00:33 /usr/bin/rxvt
> > > > 4188 3 10:00:38 /usr/bin/bash
> > > > 4208 1 10:04:46 /usr/bin/perl
> > > > 6108 1 10:04:48 /usr/bin/sh
> > > > 4448 1 10:04:50 /sleuthkit/sleuthkit-2.03/bin/dls
> > > > 3652 1 10:04:51 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > > 4548 3 10:05:20 /usr/bin/ps
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output>dir
> > > > Volume in drive F is Store01
> > > > Volume Serial Number is E8EA-BBB0
> > > >
> > > > Directory of F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output
> > > >
> > > > 03/16/2006 10:04 AM <DIR> .
> > > > 03/16/2006 10:04 AM <DIR> ..
> > > > 03/15/2006 06:04 PM 1,273,554,944 hdd.raw-0-0-ntfs-1.asc
> > > > 03/16/2006 03:04 AM 294,304,768 hdd.raw-0-0-ntfs-10.asc
> > > > 03/16/2006 04:04 AM 228,928,512 hdd.raw-0-0-ntfs-11.asc
> > > > 03/16/2006 05:04 AM 159,662,080 hdd.raw-0-0-ntfs-12.asc
> > > > 03/16/2006 06:04 AM 114,588,672 hdd.raw-0-0-ntfs-13.asc
> > > > 03/16/2006 07:04 AM 1,130,283,008 hdd.raw-0-0-ntfs-14.asc
> > > > 03/16/2006 08:04 AM 59,233,280 hdd.raw-0-0-ntfs-15.asc
> > > > 03/16/2006 09:04 AM 9,054,208 hdd.raw-0-0-ntfs-16.asc
> > > > 03/16/2006 10:04 AM 18,432 hdd.raw-0-0-ntfs-17.asc
> > > > 03/15/2006 07:04 PM 952,222,720 hdd.raw-0-0-ntfs-2.asc
> > > > 03/15/2006 08:04 PM 651,894,784 hdd.raw-0-0-ntfs-3.asc
> > > > 03/15/2006 09:04 PM 10,184,050,688 hdd.raw-0-0-ntfs-4.asc
> > > > 03/15/2006 10:04 PM 425,999,360 hdd.raw-0-0-ntfs-5.asc
> > > > 03/15/2006 11:04 PM 393,921,536 hdd.raw-0-0-ntfs-6.asc
> > > > 03/16/2006 12:04 AM 374,238,208 hdd.raw-0-0-ntfs-7.asc
> > > > 03/16/2006 01:04 AM 345,949,184 hdd.raw-0-0-ntfs-8.asc
> > > > 03/16/2006 02:04 AM 323,683,328 hdd.raw-0-0-ntfs-9.asc
> > > > 03/15/2006 05:03 PM 2,038,089,728 hdd.raw-0-0-ntfs.asc
> > > > 18 File(s) 18,959,677,440 bytes
> > > > 2 Dir(s) 71,763,845,120 bytes free
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > >
> > > > Is this normal, expected behavior?
> > > >
> > > > -Jason
|
From: DePriest, J. R. <jrd...@gm...> - 2006-03-17 23:17:00
|
It is still creating new files every hour. I will give the details of the environment so you can understand what is going on.

I have a Windows 2003 Server with Service Pack 1. This server has two external hard disk drives connected via a FireWire PCI card. One of them is about two years old; it is a Maxtor OneTouch with 300 GB of space. The other is a relatively new La Cie drive with 1 TB of space.

I used to do all of my investigations on my laptop with the 300 GB drive. As hard disk drives have gotten larger, I found myself having to leave my laptop cable-locked to my desk overnight and over weekends just to work with the gigantic images. The server was an attempt to let things run as long as they needed to without keeping me from doing other things.

The server runs Cygwin, which is what I compiled sleuthkit and configured autopsy under. I have to make a slight change to the autopsy launcher to include some paths in the environment, but other than that, I get no errors or problems. I was using the same set up on my laptop for the last two years.

I disabled Diskeeper, set exceptions in the anti-virus software for all directories involved, and turned off the ISS server sensor.

Every hour after I start a scan, it kicks off new processes (while keeping the old ones running) and starts writing to a new file (while still writing to the old one, as well). I have tried linking to the image as a raw disk image with three volume images, and as a single large partition image. Both lead to the same problem.

I am open to suggestions, as I did not have this problem when I was using my laptop as the investigation platform. My laptop is running Windows XP Professional with SP1 and I used a PCMCIA FireWire card. Other than that, the setups are similar. If anything I have more junk software installed on my laptop than I do on the server.

On 3/16/06, DePriest, Jason R. <> wrote:
> The browser shouldn't be refreshing on its own.
>
> The hard disk drive image and the sleuthkit evidence locker are on an
> external hard disk drive connected via firewire. Is it possible that
> there is a latency issue?
>
> I ask that because the drive is connected to a Windows 2003 Server,
> and the server has Diskeeper on it, and Diskeeper was set with its
> 'Set it and forget settings' and was trying to defrag the drive at the
> same time I was extracting strings.
>
> The once an hour time frame would fit with Diskeeper being the culprit
> as it tries to run approximately every hour.
>
> The external drive is low on disk space, so I am moving my disk image
> files from a 300 GB external drive to a 1 TB external drive and I will
> hopefully try the extraction again tomorrow after disabling Diskeeper.
>
> -Jason
>
> On 3/16/06, Brian Carrier <> wrote:
> > That is strange. It looks like they are starting every hour. Is your
> > web browser refreshing somehow and starting a new process? Every time
> > the page loads the extraction will start again (kind of like how
> > refreshing a web page can cause your credit card to be charged twice).
> >
> > brian
> >
> > DePriest, Jason R. wrote:
> > > While I am not getting the error with Caseman.pm, I am still having
> > > strange issues. It continues to spawn multiple sets of perl, dls, and
> > > srch_strings. And it continues to create multiple output files.
> > > The extraction I started yesterday is still running and here is what
> > > the running programs and file system look like.
> > > [...]
> > >
> > > Is this normal, expected behavior?
> > >
> > > -Jason
|
|
From: DePriest, J. R. <jrd...@gm...> - 2006-03-16 23:13:15
|
The browser shouldn't be refreshing on its own.

The hard disk drive image and the sleuthkit evidence locker are on an external hard disk drive connected via firewire. Is it possible that there is a latency issue?

I ask that because the drive is connected to a Windows 2003 Server, and the server has Diskeeper on it, and Diskeeper was set with its 'Set it and forget settings' and was trying to defrag the drive at the same time I was extracting strings.

The once an hour time frame would fit with Diskeeper being the culprit as it tries to run approximately every hour.

The external drive is low on disk space, so I am moving my disk image files from a 300 GB external drive to a 1 TB external drive and I will hopefully try the extraction again tomorrow after disabling Diskeeper.

-Jason

On 3/16/06, Brian Carrier <> wrote:
> That is strange. It looks like they are starting every hour. Is your
> web browser refreshing somehow and starting a new process? Every time
> the page loads the extraction will start again (kind of like how
> refreshing a web page can cause your credit card to be charged twice).
>
> brian
>
> DePriest, Jason R. wrote:
> > While I am not getting the error with Caseman.pm, I am still having
> > strange issues. It continues to spawn multiple sets of perl, dls, and
> > srch_strings. And it continues to create multiple output files.
> > The extraction I started yesterday is still running and here is what
> > the running programs and file system look like.
> > [...]
> >
> > Is this normal, expected behavior?
> >
> > -Jason
|
|
From: Brian C. <ca...@sl...> - 2006-03-16 22:51:22
|
That is strange. It looks like they are starting every hour. Is your web browser refreshing somehow and starting a new process? Every time the page loads the extraction will start again (kind of like how refreshing a web page can cause your credit card to be charged twice).

brian

DePriest, Jason R. wrote:
> While I am not getting the error with Caseman.pm, I am still having
> strange issues. It continues to spawn multiple sets of perl, dls, and
> srch_strings. And it continues to create multiple output files.
> The extraction I started yesterday is still running and here is what
> the running programs and file system look like.
> [...]
>
> Is this normal, expected behavior?
>
> -Jason
|
|
From: DePriest, J. R. <jrd...@gm...> - 2006-03-16 16:08:31
|
While I am not getting the error with Caseman.pm, I am still having
strange issues. It continues to spawn multiple sets of perl, dls, and
srch_strings. And it continues to create multiple output files.
The extraction I started yesterday is still running and here is what
the running programs and file system look like.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A70067@ebizsrvb ~
$ ps -s
PID TTY STIME COMMAND
300 0 16:56:56 /usr/bin/rxvt
2452 1 16:56:57 /usr/bin/bash
3680 1 17:02:52 /usr/bin/perl
6128 1 17:03:55 /usr/bin/perl
4648 1 17:03:56 /usr/bin/sh
3756 1 17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
4484 1 17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4772 1 18:03:58 /usr/bin/perl
3064 1 18:04:04 /usr/bin/sh
3304 1 18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
3860 1 18:04:07 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4844 1 19:04:03 /usr/bin/perl
6036 1 19:04:06 /usr/bin/sh
664 1 19:04:07 /sleuthkit/sleuthkit-2.03/bin/dls
4984 1 19:04:08 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5000 1 20:04:08 /usr/bin/perl
2344 1 20:04:16 /usr/bin/sh
5840 1 20:04:17 /sleuthkit/sleuthkit-2.03/bin/dls
5272 1 20:04:18 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5548 1 21:04:16 /usr/bin/perl
5480 1 21:04:27 /usr/bin/sh
4656 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
660 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
6136 1 22:04:22 /usr/bin/perl
824 1 22:04:27 /usr/bin/sh
3720 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
1904 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
2360 1 23:04:27 /usr/bin/perl
1484 1 23:04:30 /usr/bin/sh
1296 1 23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
5980 1 23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5668 1 00:04:28 /usr/bin/perl
420 1 00:04:32 /usr/bin/sh
4572 1 00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
4904 1 00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4124 1 01:04:29 /usr/bin/perl
4820 1 01:04:35 /usr/bin/sh
3416 1 01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
5924 1 01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
6112 1 02:04:30 /usr/bin/perl
4360 1 02:04:33 /usr/bin/sh
5908 1 02:04:34 /sleuthkit/sleuthkit-2.03/bin/dls
4796 1 02:04:35 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5788 1 03:04:32 /usr/bin/perl
6072 1 03:04:34 /usr/bin/sh
4288 1 03:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
5776 1 03:04:36 /sleuthkit/sleuthkit-2.03/bin/srch_strings
1412 1 04:04:33 /usr/bin/perl
3244 1 04:04:34 /usr/bin/sh
5440 1 04:04:37 /sleuthkit/sleuthkit-2.03/bin/dls
5208 1 04:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5536 1 05:04:34 /usr/bin/perl
4512 1 05:04:38 /usr/bin/sh
5180 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
3256 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/dls
5996 1 06:04:37 /usr/bin/perl
4528 1 06:04:38 /usr/bin/sh
4540 1 06:04:40 /sleuthkit/sleuthkit-2.03/bin/dls
5604 1 06:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
1924 1 07:04:38 /usr/bin/perl
4472 1 07:04:41 /usr/bin/sh
3984 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/dls
5052 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5828 1 08:04:40 /usr/bin/perl
228 1 08:04:43 /usr/bin/sh
5756 1 08:04:44 /sleuthkit/sleuthkit-2.03/bin/dls
4160 1 08:04:45 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5820 1 09:04:42 /usr/bin/perl
2748 1 09:04:43 /usr/bin/sh
5912 1 09:04:45 /sleuthkit/sleuthkit-2.03/bin/dls
3900 1 09:04:46 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5560 2 10:00:33 /usr/bin/rxvt
4188 3 10:00:38 /usr/bin/bash
4208 1 10:04:46 /usr/bin/perl
6108 1 10:04:48 /usr/bin/sh
4448 1 10:04:50 /sleuthkit/sleuthkit-2.03/bin/dls
3652 1 10:04:51 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4548 3 10:05:20 /usr/bin/ps
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output>dir
Volume in drive F is Store01
Volume Serial Number is E8EA-BBB0
Directory of F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output
03/16/2006 10:04 AM <DIR> .
03/16/2006 10:04 AM <DIR> ..
03/15/2006 06:04 PM 1,273,554,944 hdd.raw-0-0-ntfs-1.asc
03/16/2006 03:04 AM 294,304,768 hdd.raw-0-0-ntfs-10.asc
03/16/2006 04:04 AM 228,928,512 hdd.raw-0-0-ntfs-11.asc
03/16/2006 05:04 AM 159,662,080 hdd.raw-0-0-ntfs-12.asc
03/16/2006 06:04 AM 114,588,672 hdd.raw-0-0-ntfs-13.asc
03/16/2006 07:04 AM 1,130,283,008 hdd.raw-0-0-ntfs-14.asc
03/16/2006 08:04 AM 59,233,280 hdd.raw-0-0-ntfs-15.asc
03/16/2006 09:04 AM 9,054,208 hdd.raw-0-0-ntfs-16.asc
03/16/2006 10:04 AM 18,432 hdd.raw-0-0-ntfs-17.asc
03/15/2006 07:04 PM 952,222,720 hdd.raw-0-0-ntfs-2.asc
03/15/2006 08:04 PM 651,894,784 hdd.raw-0-0-ntfs-3.asc
03/15/2006 09:04 PM 10,184,050,688 hdd.raw-0-0-ntfs-4.asc
03/15/2006 10:04 PM 425,999,360 hdd.raw-0-0-ntfs-5.asc
03/15/2006 11:04 PM 393,921,536 hdd.raw-0-0-ntfs-6.asc
03/16/2006 12:04 AM 374,238,208 hdd.raw-0-0-ntfs-7.asc
03/16/2006 01:04 AM 345,949,184 hdd.raw-0-0-ntfs-8.asc
03/16/2006 02:04 AM 323,683,328 hdd.raw-0-0-ntfs-9.asc
03/15/2006 05:03 PM 2,038,089,728 hdd.raw-0-0-ntfs.asc
18 File(s) 18,959,677,440 bytes
2 Dir(s) 71,763,845,120 bytes free
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Is this normal, expected behavior?
-Jason
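The hourly cadence in the ps listing above can be checked mechanically rather than by eye. The Perl script below is an added example, not code from the thread or from The Sleuth Kit; it embeds an excerpt of the ps -s output posted above as its sample input, and its subroutine names are its own.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from The Sleuth Kit. It parses
# the columns of the "ps -s" listing above (PID TTY STIME COMMAND), measures
# the gaps between successive start times of each command and reports the most
# common gap, so a periodic re-spawn like the hourly one in the thread shows
# up as a number instead of having to be read off by eye. STIME has no date,
# so a start time earlier than the previous line's is taken as midnight
# rollover. The sample below is an excerpt of the posted listing.
use strict;
use warnings;

my $listing = <<'END';
PID TTY STIME COMMAND
300 0 16:56:56 /usr/bin/rxvt
2452 1 16:56:57 /usr/bin/bash
3680 1 17:02:52 /usr/bin/perl
6128 1 17:03:55 /usr/bin/perl
3756 1 17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
4772 1 18:03:58 /usr/bin/perl
3304 1 18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
4844 1 19:04:03 /usr/bin/perl
664 1 19:04:07 /sleuthkit/sleuthkit-2.03/bin/dls
5000 1 20:04:08 /usr/bin/perl
5840 1 20:04:17 /sleuthkit/sleuthkit-2.03/bin/dls
5548 1 21:04:16 /usr/bin/perl
4656 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
6136 1 22:04:22 /usr/bin/perl
1904 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
2360 1 23:04:27 /usr/bin/perl
1296 1 23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
5668 1 00:04:28 /usr/bin/perl
4572 1 00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
4124 1 01:04:29 /usr/bin/perl
3416 1 01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
4548 3 10:05:20 /usr/bin/ps
END

# Returns { command => [ gap1, gap2, ... ] } with gaps in seconds, taken in
# the order the processes appear in the listing (ps -s lists them by start time).
sub start_gaps {
    my ($text) = @_;
    my (%starts, $prev);
    my $day = 0;
    for my $line (split /\n/, $text) {
        my (undef, undef, $stime, $cmd) = split ' ', $line, 4;
        next unless defined $stime && $stime =~ /^(\d\d):(\d\d):(\d\d)$/;
        my $t = $1 * 3600 + $2 * 60 + $3;
        $day++ if defined $prev && $t < $prev;   # clock went backwards: next day
        $prev = $t;
        push @{ $starts{$cmd} }, $day * 86400 + $t;
    }
    my %gaps;
    for my $cmd (keys %starts) {
        my @t = @{ $starts{$cmd} };
        $gaps{$cmd} = [ map { $t[$_] - $t[$_ - 1] } 1 .. $#t ];
    }
    return \%gaps;
}

# Rounds each gap to the nearest $bucket seconds and returns the most common
# value, how many gaps fell into it, and the total number of gaps.
sub dominant_gap {
    my ($gaps, $bucket) = @_;
    return () unless @$gaps;
    my %count;
    $count{ $bucket * int($_ / $bucket + 0.5) }++ for @$gaps;
    my ($best) = sort { $count{$b} <=> $count{$a} || $a <=> $b } keys %count;
    return ($best, $count{$best}, scalar @$gaps);
}

my $gaps = start_gaps($listing);
for my $cmd (sort keys %$gaps) {
    my ($period, $hits, $total) = dominant_gap($gaps->{$cmd}, 60) or next;
    printf "%-45s %2d starts: %d of %d gaps are about %d s\n",
        $cmd, $total + 1, $hits, $total, $period;
}
```

Commands seen only once (rxvt, bash, ps in the excerpt) have no gaps and are skipped; a command whose dominant gap covers nearly all of its gaps is the one being re-spawned on a schedule.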
|
|
From: Brian C. <ca...@sl...> - 2006-03-16 04:20:25
|
Yea, those should be DATADIR. Those are the only two instances of
that. I just fixed that.
thanks,
brian
On Mar 15, 2006, at 6:08 PM, DePriest, Jason R. wrote:
> Forgot to mention: I have replaced both DATA_DIR instances with
> DATADIR and I am doing the extraction again. It may take a few hours
> for me to get to a section that generated the errors, so I probably
> won't post a pass / fail message until tomorrow.
>
> On 3/15/06, DePriest, Jason R. <> wrote:
>> It is in there with the underscore twice.
>>
>> A70067@ebizsrvb /sleuthkit/autopsy/lib
>> $ grep -n 'DATA_DIR' Caseman.pm
>> 3752: . "$::DATA_DIR/"
>> 3976: . "$::DATA_DIR/"
>> A70067@ebizsrvb /sleuthkit/autopsy/lib
>> $ grep -n 'DATADIR' Caseman.pm
>> 484: print CASE_CONFIG "data $::DATADIR\n";
>> 1724: unless (mkdir "$::host_dir" . "$::DATADIR", $::MKDIR_MASK) {
>> 1727: Print::print_err("Error making $::host_dir" . "$::DATADIR");
>> 1732: rmdir "$::host_dir" . "$::DATADIR";
>> 1741: rmdir "$::host_dir" . "$::DATADIR";
>> 1751: rmdir "$::host_dir" . "$::DATADIR";
>> 3746: my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
>> 3755: $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
>> 3843: my $fname_rel = "$::DATADIR/${base_name}-$ftype.uni";
>> 3849: . "$::DATADIR/"
>> 3852: $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.uni";
>> 3970: my $fname_rel = "$::DATADIR/${base_name}-$ftype.unalloc";
>> 3979: $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.unalloc"
>>
>> On 3/15/06, Paul Bakker <> wrote:
>>> 3752 . "$::DATA_DIR/"
>>> ? In the other lines I see $DATADIR without the _
>>> Is this a typo from your side? Or is this actually present in the file.
>>> (I don't have the files present now, so I can't check)
>>>
>>> But all other elements in that statement are already used in
>>> lines 3746 and 3747, so I think it might lie with that.
>>>
>>> Paul Bakker
>>>
>>>
>>>
>>> DePriest, Jason R. wrote:
>>>
>>>> I am trying to extract the strings from an image of an NTFS hard
>>>> disk drive.
>>>>
>>>> Periodically, autopsy gives this error:
>>>> Use of uninitialized value in concatenation (.) or string at
>>>> /sleuthkit/autopsy/lib//Caseman.pm line 3751.
>>>>
>>>> It continues running, but spawns a new perl, dls, and srch_strings
>>>> process. Occasionally, it will start a new output file, too. It will
>>>> write data to both output files.
>>>>
>>>> Looking at that line in Caseman.pm, I am not sure what I could
>>>> change to fix it.
>>>>
>>>> The section of code looks like this:
>>>> 3743 my $base_name = $Caseman::vol2sname{$vol};
>>>> 3744
>>>> 3745 if ($ascii == 1) {
>>>> 3746 my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
>>>> 3747 my $fname = "$::host_dir" . "$fname_rel";
>>>> 3748
>>>> 3749 if (-e "$fname") {
>>>> 3750 my $i = 1;
>>>> 3751 $i++ while (-e "$::host_dir"
>>>> 3752 . "$::DATA_DIR/"
>>>> 3753 . "${base_name}-$ftype-$i.asc");
>>>> 3754
>>>> 3755 $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
>>>> 3756 $fname = "$::host_dir" . "$fname_rel";
>>>> 3757 }
>>>> 3758
>>>> 3759 print
>>>> 3760 "Extracting ASCII strings from <tt>$Caseman::vol2sname{$vol}</tt><br>\n";
>>>> 3761
>>>> 3762 Print::log_host_inv(
>>>> 3763 "$Caseman::vol2sname{$vol}: Saving ASCII strings to
>>>> $fname_rel");
>>>> 3764
>>>> 3765 local *OUT;
>>>>
>>>> -Jason
>>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid$1720&dat=121642
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>
|
|
From: DePriest, J. R. <jrd...@gm...> - 2006-03-15 23:08:10
|
Forgot to mention: I have replaced both DATA_DIR instances with
DATADIR and I am doing the extraction again. I may take a few hours
for me to get to a section that generated the errors, so I probably
won't post a pass / fail message until tomorrow.
On 3/15/06, DePriest, Jason R. <> wrote:
> It is in there with the underscore twice.
>
> A70067@ebizsrvb /sleuthkit/autopsy/lib
> $ grep -n 'DATA_DIR' Caseman.pm
> 3752: . "$::DATA_DIR/"
> 3976: . "$::DATA_DIR/"
> A70067@ebizsrvb /sleuthkit/autopsy/lib
> $ grep -n 'DATADIR' Caseman.pm
> 484: print CASE_CONFIG "data $::DATADIR\n";
> 1724: unless (mkdir "$::host_dir" . "$::DATADIR", $::MKDIR_MASK) {
> 1727: Print::print_err("Error making $::host_dir" . "$::DATADIR");
> 1732: rmdir "$::host_dir" . "$::DATADIR";
> 1741: rmdir "$::host_dir" . "$::DATADIR";
> 1751: rmdir "$::host_dir" . "$::DATADIR";
> 3746: my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
> 3755: $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
> 3843: my $fname_rel = "$::DATADIR/${base_name}-$ftype.uni";
> 3849: . "$::DATADIR/"
> 3852: $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.uni";
> 3970: my $fname_rel = "$::DATADIR/${base_name}-$ftype.unalloc";
> 3979: $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.unalloc"
>
> On 3/15/06, Paul Bakker <> wrote:
> > 3752 . "$::DATA_DIR/"
> > ? In the other lines I see $DATADIR without the _
> > Is this a typo from your side? Or is this actually present in the file.
> > (I don't have the files present now, so I can't check)
> >
> > But all other elements in that statement are already used in lines 3746
> > and 3747, so I think it might lie with that.
> >
> > Paul Bakker
> >
> >
> >
> > DePriest, Jason R. wrote:
> >
> > >I am trying to extract the strings from an image of an NTFS hard disk
> > >drive.
> > >
> > >Periodically, autopsy gives this error:
> > >Use of uninitialized value in concatenation (.) or string at
> > >/sleuthkit/autopsy/lib//Caseman.pm line 3751.
> > >
> > >It continues running, but spawns a new perl, dls, and srch_strings
> > >process. Occasionally, it will start a new output file, too. It will
> > >write data to both output files.
> > >
> > >Looking at that line in Caseman.pm, I am not sure what I could change
> > >to fix it.
> > >
> > >The section of code looks like this:
> > >3743 my $base_name = $Caseman::vol2sname{$vol};
> > >3744
> > >3745 if ($ascii == 1) {
> > >3746 my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
> > >3747 my $fname = "$::host_dir" . "$fname_rel";
> > >3748
> > >3749 if (-e "$fname") {
> > >3750 my $i = 1;
> > >3751 $i++ while (-e "$::host_dir"
> > >3752 . "$::DATA_DIR/"
> > >3753 . "${base_name}-$ftype-$i.asc");
> > >3754
> > >3755 $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
> > >3756 $fname = "$::host_dir" . "$fname_rel";
> > >3757 }
> > >3758
> > >3759 print
> > >3760 "Extracting ASCII strings from <tt>$Caseman::vol2sname{$vol}</tt><br>\n";
> > >3761
> > >3762 Print::log_host_inv(
> > >3763 "$Caseman::vol2sname{$vol}: Saving ASCII strings to
> > >$fname_rel");
> > >3764
> > >3765 local *OUT;
> > >
> > >-Jason
>
|
|
From: DePriest, J. R. <jrd...@gm...> - 2006-03-15 23:00:53
|
It is in there with the underscore twice.
A70067@ebizsrvb /sleuthkit/autopsy/lib
$ grep -n 'DATA_DIR' Caseman.pm
3752: . "$::DATA_DIR/"
3976: . "$::DATA_DIR/"
A70067@ebizsrvb /sleuthkit/autopsy/lib
$ grep -n 'DATADIR' Caseman.pm
484: print CASE_CONFIG "data $::DATADIR\n";
1724: unless (mkdir "$::host_dir" . "$::DATADIR", $::MKDIR_MASK) {
1727: Print::print_err("Error making $::host_dir" . "$::DATADIR");
1732: rmdir "$::host_dir" . "$::DATADIR";
1741: rmdir "$::host_dir" . "$::DATADIR";
1751: rmdir "$::host_dir" . "$::DATADIR";
3746: my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
3755: $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
3843: my $fname_rel = "$::DATADIR/${base_name}-$ftype.uni";
3849: . "$::DATADIR/"
3852: $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.uni";
3970: my $fname_rel = "$::DATADIR/${base_name}-$ftype.unalloc";
3979: $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.unalloc"
On 3/15/06, Paul Bakker <> wrote:
> 3752 . "$::DATA_DIR/"
> ? In the other lines I see $DATADIR without the _
> Is this a typo from your side? Or is this actually present in the file.
> (I don't have the files present now, so I can't check)
>
> But all other elements in that statement are already used in lines 3746
> and 3747, so I think it might lie with that.
>
> Paul Bakker
>
>
>
> DePriest, Jason R. wrote:
>
> >I am trying to extract the strings from an image of an NTFS hard disk
> >drive.
> >
> >Periodically, autopsy gives this error:
> >Use of uninitialized value in concatenation (.) or string at
> >/sleuthkit/autopsy/lib//Caseman.pm line 3751.
> >
> >It continues running, but spawns a new perl, dls, and srch_strings
> >process. Occasionally, it will start a new output file, too. It will
> >write data to both output files.
> >
> >Looking at that line in Caseman.pm, I am not sure what I could change
> >to fix it.
> >
> >The section of code looks like this:
> >3743 my $base_name = $Caseman::vol2sname{$vol};
> >3744
> >3745 if ($ascii == 1) {
> >3746 my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
> >3747 my $fname = "$::host_dir" . "$fname_rel";
> >3748
> >3749 if (-e "$fname") {
> >3750 my $i = 1;
> >3751 $i++ while (-e "$::host_dir"
> >3752 . "$::DATA_DIR/"
> >3753 . "${base_name}-$ftype-$i.asc");
> >3754
> >3755 $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
> >3756 $fname = "$::host_dir" . "$fname_rel";
> >3757 }
> >3758
> >3759 print
> >3760 "Extracting ASCII strings from <tt>$Caseman::vol2sname{$vol}</tt><br>\n";
> >3761
> >3762 Print::log_host_inv(
> >3763 "$Caseman::vol2sname{$vol}: Saving ASCII strings to
> >$fname_rel");
> >3764
> >3765 local *OUT;
> >
> >-Jason
|
|
From: Paul B. <p.j...@br...> - 2006-03-15 22:54:21
|
3752 . "$::DATA_DIR/"
? In the other lines I see $DATADIR without the _
Is this a typo from your side? Or is this actually present in the file. (I don't have the files present now, so I can't check)
But all other elements in that statement are already used in lines 3746 and 3747, so I think it might lie with that.
Paul Bakker
DePriest, Jason R. wrote:
>I am trying to extract the strings from an image of an NTFS hard disk drive.
>
>Periodically, autopsy gives this error:
>Use of uninitialized value in concatenation (.) or string at
>/sleuthkit/autopsy/lib//Caseman.pm line 3751.
>
>It continues running, but spawns a new perl, dls, and srch_strings
>process. Occasionally, it will start a new output file, too. It will
>write data to both output files.
>
>Looking at that line in Caseman.pm, I am not sure what I could change to fix it.
>
>The section of code looks like this:
>3743 my $base_name = $Caseman::vol2sname{$vol};
>3744
>3745 if ($ascii == 1) {
>3746 my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
>3747 my $fname = "$::host_dir" . "$fname_rel";
>3748
>3749 if (-e "$fname") {
>3750 my $i = 1;
>3751 $i++ while (-e "$::host_dir"
>3752 . "$::DATA_DIR/"
>3753 . "${base_name}-$ftype-$i.asc");
>3754
>3755 $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
>3756 $fname = "$::host_dir" . "$fname_rel";
>3757 }
>3758
>3759 print
>3760 "Extracting ASCII strings from <tt>$Caseman::vol2sname{$vol}</tt><br>\n";
>3761
>3762 Print::log_host_inv(
>3763 "$Caseman::vol2sname{$vol}: Saving ASCII strings to
>$fname_rel");
>3764
>3765 local *OUT;
>
>-Jason
|
|
From: DePriest, J. R. <jrd...@gm...> - 2006-03-15 22:48:07
|
I am trying to extract the strings from an image of an NTFS hard disk drive.
Periodically, autopsy gives this error:
Use of uninitialized value in concatenation (.) or string at
/sleuthkit/autopsy/lib//Caseman.pm line 3751.
It continues running, but spawns a new perl, dls, and srch_strings
process. Occasionally, it will start a new output file, too. It will
write data to both output files.
Looking at that line in Caseman.pm, I am not sure what I could change to fix it.
The section of code looks like this:
3743 my $base_name = $Caseman::vol2sname{$vol};
3744
3745 if ($ascii == 1) {
3746 my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
3747 my $fname = "$::host_dir" . "$fname_rel";
3748
3749 if (-e "$fname") {
3750 my $i = 1;
3751 $i++ while (-e "$::host_dir"
3752 . "$::DATA_DIR/"
3753 . "${base_name}-$ftype-$i.asc");
3754
3755 $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
3756 $fname = "$::host_dir" . "$fname_rel";
3757 }
3758
3759 print
3760 "Extracting ASCII strings from <tt>$Caseman::vol2sname{$vol}</tt><br>\n";
3761
3762 Print::log_host_inv(
3763 "$Caseman::vol2sname{$vol}: Saving ASCII strings to
$fname_rel");
3764
3765 local *OUT;
-Jason
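The $::DATA_DIR / $::DATADIR mix-up in the snippet above, reproduced as an added Perl example (not Autopsy's code): it runs the loop as posted beside the corrected one in a scratch directory so the difference in the chosen file name is visible. That $::host_dir ends in a slash, that $::DATADIR is 'output', and the file names used are assumptions constructed here.

```perl
#!/usr/bin/perl
# Added example, not Autopsy's code: reproduces the effect of the
# $::DATA_DIR / $::DATADIR mix-up from Caseman.pm lines 3746-3756 in a
# scratch directory, then runs the corrected loop beside it.
# Assumptions (constructed here, not taken from Autopsy): $::host_dir ends
# with a slash and $::DATADIR is 'output'.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

our $host_dir;            # $::host_dir in the snippet
our $DATADIR = 'output';  # $::DATADIR in the snippet

# Mirrors lines 3746-3756 as posted.  $::DATA_DIR is never assigned, so
# under `use warnings` the concatenation emits "Use of uninitialized value
# ... in concatenation (.) or string", and the path tested becomes
# "$::host_dir/vol-ftype-1.asc", which is outside the data directory and
# never exists.  The loop therefore stops at $i = 1 every time, so an
# existing "-1.asc" output is reused.  `use strict` cannot catch this: a
# fully qualified name such as $::DATA_DIR is a legal package variable.
# Here the name appears once, so Perl also prints its compile-time
# "used only once: possible typo" warning; in Caseman.pm it appeared twice
# (lines 3752 and 3976 in the grep output), which silences that check.
sub next_name_buggy {
    my ($base_name, $ftype) = @_;
    my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
    if (-e "$::host_dir" . "$fname_rel") {
        my $i = 1;
        $i++ while (-e "$::host_dir"
                       . "$::DATA_DIR/"
                       . "${base_name}-$ftype-$i.asc");
        $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
    }
    return $fname_rel;
}

# The fix Brian describes: every path component comes from $::DATADIR, so
# the existence test looks in the directory the file will be written to.
sub next_name_fixed {
    my ($base_name, $ftype) = @_;
    my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
    if (-e "$::host_dir" . "$fname_rel") {
        my $i = 1;
        $i++ while (-e "$::host_dir"
                       . "$::DATADIR/"
                       . "${base_name}-$ftype-$i.asc");
        $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
    }
    return $fname_rel;
}

# Scratch host directory holding a first output and an existing "-1" output:
# the situation in which the loop is supposed to move on to "-2".
$host_dir = tempdir(CLEANUP => 1) . '/';
make_path("$host_dir$DATADIR");
for my $f ('vol1-ascii.asc', 'vol1-ascii-1.asc') {
    open my $fh, '>', "$host_dir$DATADIR/$f" or die "open $f: $!";
    close $fh;
}

# Collect run-time warnings so the message Autopsy printed is shown below.
my @warnings;
local $SIG{__WARN__} = sub { push @warnings, $_[0] };

my $buggy = next_name_buggy('vol1', 'ascii');
my $fixed = next_name_fixed('vol1', 'ascii');

print "buggy: $buggy\n";   # the name the unfixed loop settles on
print "fixed: $fixed\n";   # the first free name in the data directory
print "warnings raised by the buggy loop: ", scalar(@warnings), "\n";
print "  $_" for @warnings;
```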
|
|
From: eric <er...@ho...> - 2006-03-09 15:47:49
|
Yes, for the first. I was trying to analyze a live Windows 98 system, but could not add c:\ ...I got the picture now thanks.
Brian Carrier wrote:
> On Mar 9, 2006, at 8:37 AM, eric wrote:
>
>> Thanks Brian, ok so I have another Q. I can't connect a windows 98
>> machine while it is booted with windows 98 and analyze from my autopsy
>> server can I?
>
> I'm not quite clear on what you are asking. Are you trying to analyze a
> live Windows 98 system (i.e. run Autopsy / TSK on Windows 98) or are
> you trying to use a web browser on a Windows 98 computer to connect to
> another computer that is running autopsy? If it is the first, then it
> can't currently be done. If it is the second, then you should be able to.
>
> brian
|
|
From: Brian C. <ca...@sl...> - 2006-03-09 15:29:51
|
On Mar 9, 2006, at 8:37 AM, eric wrote:
> Thanks Brian, ok so I have another Q. I can't connect a windows 98
> machine while it is booted with windows 98 and analyze from my autopsy
> server can I?
I'm not quite clear on what you are asking. Are you trying to analyze a
live Windows 98 system (i.e. run Autopsy / TSK on Windows 98) or are
you trying to use a web browser on a Windows 98 computer to connect to
another computer that is running autopsy? If it is the first, then it
can't currently be done. If it is the second, then you should be able to.
brian
|
|
From: eric <er...@ho...> - 2006-03-09 13:37:39
|
Thanks Brian, ok so I have another Q. I can't connect a windows 98
machine while it is booted with windows 98 and analyze from my autopsy
server can I?
thanks again,
eric
Brian Carrier wrote:
> The IP address you give on the command line corresponds to the computer
> that you are connecting from (not the computer autopsy is running on).
> It works as a filter to allow only one computer to connect.
>
> brian
>
> On Mar 8, 2006, at 1:13 PM, eric wrote:
>> hmmm, I am using debian, I turned off firestarter and ran nmap on
>> 10.0.0.2 and port 8888 was not filtered and showed as open
>>
>> I feel strongly that it is the way I have it setup ...I'm thinking I
>> need to give permission to some directory on my machine, but I am not
>> sure what directory or what permissions...
>>
>> Thanks again,
>> eric
>>
>> Detective David Vitkus wrote:
>>> eric wrote:
>>>> Hi, I'll cut to the chase:
>>>>
>>>> I'm trying to get autopsy to act as a server so I use the command:
>>>>
>>>> ./autopsy -p 8888 10.0.0.2
>>>>
>>>> and then go to another computer on the same network open a browser and
>>>> type in the autopsy url ...I get access denied you have been logged
>>>>
>>>> I am using newest firefox as the browser on the client computer
>>>>
>>>> I have installed sleuth kit and autopsy on my home drive ...what would I
>>>> need to do to allow access to the autopsy url?
>>>>
>>>> I am just fooling around with the program right now, so I am not too
>>>> worried about security at this point in time.
>>>>
>>>> Thanks for your time,
>>>> eric
>>>
>>> Eric,
>>> Check the firewall settings on your Autopsy / Sleuthkit machine. Some
>>> Linux distros (I'm assuming you're using it) install a firewall by
>>> default. It may be blocking your port.
>>>
>>> Good luck
|
|
From: Brian C. <ca...@sl...> - 2006-03-08 18:58:25
|
The IP address you give on the command line corresponds to the computer
that you are connecting from (not the computer autopsy is running on).
It works as a filter to allow only one computer to connect.
brian
On Mar 8, 2006, at 1:13 PM, eric wrote:
> hmmm, I am using debian, I turned off firestarter and ran nmap on
> 10.0.0.2 and port 8888 was not filtered and showed as open
>
> I feel strongly that it is the way I have it setup ...I'm thinking I
> need to give permission to some directory on my machine, but I am not
> sure what directory or what permissions...
>
> Thanks again,
> eric
>
> Detective David Vitkus wrote:
>> eric wrote:
>>> Hi, I'll cut to the chase:
>>>
>>> I'm trying to get autopsy to act as a server so I use the command:
>>>
>>> ./autopsy -p 8888 10.0.0.2
>>>
>>> and then go to another computer on the same network open a browser and
>>> type in the autopsy url ...I get access denied you have been logged
>>>
>>> I am using newest firefox as the browser on the client computer
>>>
>>> I have installed sleuth kit and autopsy on my home drive ...what would I
>>> need to do to allow access to the autopsy url?
>>>
>>> I am just fooling around with the program right now, so I am not too
>>> worried about security at this point in time.
>>>
>>> Thanks for your time,
>>> eric
>>
>> Eric,
>> Check the firewall settings on your Autopsy / Sleuthkit machine. Some
>> Linux distros (I'm assuming you're using it) install a firewall by
>> default. It may be blocking your port.
>>
>> Good luck
|
|
From: eric <er...@ho...> - 2006-03-08 18:14:33
|
hmmm, I am using debian, I turned off firestarter and ran nmap on
10.0.0.2 and port 8888 was not filtered and showed as open
I feel strongly that it is the way I have it setup ...I'm thinking I
need to give permission to some directory on my machine, but I am not
sure what directory or what permissions...
Thanks again,
eric
Detective David Vitkus wrote:
> eric wrote:
>> Hi, I'll cut to the chase:
>>
>> I'm trying to get autopsy to act as a server so I use the command:
>>
>> ./autopsy -p 8888 10.0.0.2
>>
>> and then go to another computer on the same network open a browser and
>> type in the autopsy url ...I get access denied you have been logged
>>
>> I am using newest firefox as the browser on the client computer
>>
>> I have installed sleuth kit and autopsy on my home drive ...what would I
>> need to do to allow access to the autopsy url?
>>
>> I am just fooling around with the program right now, so I am not too
>> worried about security at this point in time.
>>
>> Thanks for your time,
>> eric
>
> Eric,
> Check the firewall settings on your Autopsy / Sleuthkit machine. Some
> Linux distros (I'm assuming you're using it) install a firewall by
> default. It may be blocking your port.
>
> Good luck
|
|
From: eric <er...@ho...> - 2006-03-08 17:29:39
|
Hi, I'll cut to the chase:
I'm trying to get autopsy to act as a server so I use the command:
./autopsy -p 8888 10.0.0.2
and then go to another computer on the same network open a browser and
type in the autopsy url ...I get access denied you have been logged
I am using newest firefox as the browser on the client computer
I have installed sleuth kit and autopsy on my home drive ...what would I
need to do to allow access to the autopsy url?
I am just fooling around with the program right now, so I am not too
worried about security at this point in time.
Thanks for your time,
eric
|
|
From: <Hol...@ar...> - 2006-03-08 08:57:52
|
> I am trying to install TSK under Suse 10. It uses cc1, and I get an
> unrecognized command -c error when it tries to run cc1, then error 2 on no-perl
> and another command.
>
> Any Help?
>
> Thanks Bill
Bill,
I compiled it with no problems under Suse Linux 10.0 OSS Release.
Can you provide me some version numbers of your rpm packages?
cu
Holgi
|