sleuthkit-users Mailing List for The Sleuth Kit (Page 171)
From: Nelson G. Mejias-D. <nel...@ne...> - 2006-02-24 18:00:52

Hi Everyone,

I'm new to this list and I have a question about ifind and indirect blocks in ext2, using sleuthkit 2.03. When I use the 'ifind' tool and give an indirect block as an argument, to find its inode number, I get an "Inode not found" message. I want to know if the tool is working correctly or if this indicates a bug. I did searches in Google and this mailing list but I haven't found an answer for this.

Here is the output of the command line call:

[root@rush bin]# ./ifind -d 4361910 /dev/hda2
Inode not found
Inode not found

where '4361910' is an indirect block number. I took this number from the output of the 'istat' command shown below.

------------ start of command output ------------
[root@rush bin]# ./istat /dev/hda2 2180294
inode: 2180294
Allocated
Group: 133
Generation Id: 2672944929
uid / gid: 0 / 0
mode: -rw-r--r--
size: 613857
num of links: 1

Inode Times:
Accessed:       Wed Jan 18 14:00:47 2006
File Modified:  Wed Jan 18 14:00:47 2006
Inode Modified: Wed Jan 18 14:00:47 2006

Direct Blocks:
4361893 4361894 4361895 4361896 4361897 4361898 4361899 4361900
4361901 4361902 4361903 4361904 4361911 4361914 4361915 4361916
4361917 4361918 4361919 4361920 4361921 4361922 4361923 4361924
4361925 4361926 4361927 4361928 4361929 4361930 4361931 4361932
4361933 4361934 4361937 4361938 4361939 4361940 4361941 4361942
4361943 4361944 4362303 4362304 4362305 4362306 4362307 4362308
4362309 4362310 4362311 4362312 4362313 4362314 4362315 4362316
4362317 4362318 4362319 4362320 4362321 4362322 4362323 4362324
4362325 4362326 4362407 4362408 4362409 4362410 4362411 4362412
4362413 4362414 4362415 4362416 4362417 4362418 4362419 4362425
4362426 4362427 4362428 4362429 4362430 4362431 4362432 4362433
4362434 4362435 4362436 4362437 4362438 4362459 4362460 4362461
4362462 4362463 4362464 4362465 4362466 4362467 4362468 4362472
4362491 4362492 4362493 4362494 4362495 4362496 4362497 4362498
4362499 4362500 4362501 4362502 4362503 4362504 4362505 4362506
4362507 4362508 4362509 4362510 4362511 4362512 4362513 4362514
4362515 4362516 4362517 4362518 4362519 4362521 4362522 4362523
4362524 4362525 4362526 4362527 4362528 4362529 4362530 4362531
4362532 4362533 4362534 4362535 4362536 4362537

Indirect Blocks:
4361910
------------ end of command output ------------

Thanks for your help,
Nelson

--
Nelson G. Mejias-Diaz
Director of Software Development
Netxar Technologies Inc.
phone: (787) 765-0058 ext 2009
email: nel...@ne...
website: www.netxar.com
--
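An added example (not code from the thread or from The Sleuth Kit) that models the ext2 block accounting behind the istat output above: it assumes the classic ext2 inode layout (12 direct pointers, then one single-, double- and triple-indirect pointer, 4-byte pointers) and the 4096-byte block size implied by the listing, where a 613857-byte file shows 150 content blocks plus one indirect block. It also classifies a block number from istat output as content or pointer metadata, which is the check to run before concluding that a block ifind cannot map is unowned; the sample istat excerpt and its block numbers are constructed.

```python
"""Account for the data and indirect blocks of an ext2 file and classify a
block number taken from istat output.

Added example; not code from the original post or from The Sleuth Kit.
Assumes the classic ext2 inode layout (12 direct pointers, then single-,
double- and triple-indirect pointers of 4 bytes each) and a 4096-byte block.
"""
import math
import re

DIRECT_PTRS = 12
PTR_SIZE = 4

# Constructed istat-style excerpt for a hypothetical 57344-byte file
# (14 blocks: 12 direct, 2 more reached through one single-indirect block).
SAMPLE_ISTAT = """\
inode: 4242
Allocated
size: 57344
num of links: 1

Direct Blocks:
500100 500101 500102 500103 500104 500105 500106 500107
500108 500109 500110 500111 500113 500114

Indirect Blocks:
500112
"""


def ext2_block_layout(file_size, block_size=4096):
    """Return (content_blocks, {level: indirect blocks}) for a non-sparse file."""
    ppb = block_size // PTR_SIZE                 # pointers per indirect block
    content = math.ceil(file_size / block_size)
    remaining = max(0, content - DIRECT_PTRS)
    levels = {}
    # single indirect: one pointer block addresses up to ppb content blocks
    take = min(remaining, ppb)
    levels["single"] = 1 if take else 0
    remaining -= take
    # double indirect: one top-level block plus one second-level block per ppb
    take = min(remaining, ppb * ppb)
    levels["double"] = 1 + math.ceil(take / ppb) if take else 0
    remaining -= take
    # triple indirect: top block, second-level blocks, third-level blocks
    take = min(remaining, ppb ** 3)
    levels["triple"] = (1 + math.ceil(take / (ppb * ppb)) + math.ceil(take / ppb)) if take else 0
    remaining -= take
    if remaining:
        raise ValueError("file exceeds what ext2 can address at this block size")
    return content, levels


def parse_istat_blocks(text):
    """Pull (size, direct_blocks, indirect_blocks) out of ext2 istat output."""
    size = int(re.search(r"^size:\s*(\d+)", text, re.M).group(1))

    def section(name):
        m = re.search(rf"^{name} Blocks:\n((?:[\d ]+\n?)*)", text, re.M)
        return [int(b) for b in m.group(1).split()] if m else []

    return size, section("Direct"), section("Indirect")


def istat_consistent(text, block_size=4096):
    """Check that the block counts istat lists agree with the ext2 layout model."""
    size, direct, indirect = parse_istat_blocks(text)
    content, levels = ext2_block_layout(size, block_size)
    return len(direct) == content and len(indirect) == sum(levels.values())


def classify_block(block, text):
    """Tell whether a block number from istat holds file content or pointers."""
    _, direct, indirect = parse_istat_blocks(text)
    if block in indirect:
        return "indirect"   # metadata: holds block pointers, not file content
    if block in direct:
        return "content"
    return "unowned"


if __name__ == "__main__":
    # The thread's file: 613857 bytes -> 150 content blocks + 1 single-indirect block
    print(ext2_block_layout(613857))
    print(istat_consistent(SAMPLE_ISTAT), classify_block(500112, SAMPLE_ISTAT))
```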
From: Brooks, P. <pre...@tw...> - 2006-02-24 15:07:49

Hey All,

I need some help trying to get sleuthkit to read an image pulled from a (reportedly) FreeBSD system. The image was taken using dd of /dev/hda1. Attempts to point autopsy at the image file using ufs, freebsd, and openbsd, all fail reporting that the image is not those filesystem types. After reading volume 12 of the informer, I decided to try ripping the 4.2BSD image out:

mmls output of the resulting image file:

/usr/local/sleuthkit/bin/mmls -t bsd hda1.img
BSD Disk Label
Sector: 1
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000062   0000000063   Unallocated
01:  01      0000000063   0000262206   0000262144   Swap (0x01)
02:  02      0000000063   0019535039   0019534977   Unused (0x00)
03:  00      0000262207   0019535039   0019272833   4.2BSD (0x07)

Using the following dd command:

dd if=hda1.img bs=512 of=freebsd.dd skip=262207 count=19272833

however, the resulting freebsd.dd image has the same failures as the previous. I have looked for any other references to the 4.2BSD but haven't found anything in particular about it. Am I missing something? Any help will be greatly appreciated.

Prentis Brooks
Enterprise Security Technical Manager
office: 704-731-3408
AIM: TWCPaladin
email: pre...@tw...
From: Patrick F. <for...@ch...> - 2006-02-23 09:43:35

Brian Carrier wrote:
> I've had something to this effect in mind for a while. My initial
> solution would be to print two lines for each file in the 'ils' output,
> which defines the body file before the timeline is made. One line would
> be for STANDARD_INFO and the other would be for FILE_NAME. It's doable,
> but I was concerned that it would cause great confusion because there
> would be two m-times, two a-times, and two c-times for each file. It
> would need to be an option for special cases like you experienced.

Definitely an option. My approach to make the output less confusing was to prepend the file names of $FILE_NAME mac-times with a "*" which at least made the output readable to me.

Body example:

0|C:/WINDOWS/system.ini|0|12260-128-3|33279|-/-rwxrwxrwx|1|48|0|0|231|1140016226|1084793695|1140016169|4096|0
0|*C:/WINDOWS/system.ini|0|12260-128-3|33279|-/-rwxrwxrwx|1|48|0|0|231|1084751905|998575105|998575105|4096|0

timeline (sorry if linewrapping makes this unclear)

Thu Aug 23 2001 15:58:25   231 m.c -/-rwxrwxrwx 48 0 12260-128-3 *C:/WINDOWS/system.ini
Mon May 17 2004 01:58:25   231 .a. -/-rwxrwxrwx 48 0 12260-128-3 *C:/WINDOWS/system.ini
Mon May 17 2004 13:34:55   231 m.. -/-rwxrwxrwx 48 0 12260-128-3 C:/WINDOWS/system.ini
Wed Feb 15 2006 16:09:29   231 ..c -/-rwxrwxrwx 48 0 12260-128-3 C:/WINDOWS/system.ini
Wed Feb 15 2006 16:10:26   231 .a. -/-rwxrwxrwx 48 0 12260-128-3 C:/WINDOWS/system.ini

Cheers,
/Patrick
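An added example (not code from the thread or from The Sleuth Kit) that turns body-file lines like the two above into a mactime-style timeline and pairs each MFT entry's $STANDARD_INFORMATION and $FILE_NAME records, using the poster's "*" prefix convention. It assumes the 16-field TSK 2.x body format of the quoted lines (md5|path|dev|inode|mode_val|mode_str|nlink|uid|gid|rdev|size|atime|mtime|ctime|blksize|blocks); times are rendered in UTC, so the hours differ from the poster's local-time output, and the SI-predates-FN check is a constructed indicator, not a TSK feature.

```python
"""Build a mactime-style timeline from TSK 2.x body-file lines and pair the
$STANDARD_INFORMATION (SI) and $FILE_NAME (FN) entries per MFT record.

Added example, not code from the original thread or from The Sleuth Kit.
Assumes the 16-field body format quoted in the thread and the poster's
convention of prefixing $FILE_NAME paths with "*". Times are shown in UTC.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the two body lines from the thread (SI entry, then FN entry).
SAMPLE_BODY = """\
0|C:/WINDOWS/system.ini|0|12260-128-3|33279|-/-rwxrwxrwx|1|48|0|0|231|1140016226|1084793695|1140016169|4096|0
0|*C:/WINDOWS/system.ini|0|12260-128-3|33279|-/-rwxrwxrwx|1|48|0|0|231|1084751905|998575105|998575105|4096|0
"""

FN_PREFIX = "*"


def parse_body_line(line):
    """Split one body line into the fields the timeline needs."""
    f = line.rstrip("\n").split("|")
    if len(f) != 16:
        raise ValueError(f"expected 16 fields, got {len(f)}: {line!r}")
    path = f[1]
    return {
        "path": path,
        "is_fn": path.startswith(FN_PREFIX),
        "inode": f[3],
        "mode": f[5],
        "uid": f[7],
        "gid": f[8],
        "size": f[10],
        "atime": int(f[11]),
        "mtime": int(f[12]),
        "ctime": int(f[13]),
    }


def parse_body(body_text):
    return [parse_body_line(ln) for ln in body_text.splitlines() if ln.strip()]


def build_timeline(body_text):
    """Return timeline rows ordered by time; same-second m/a/c events of one
    entry are merged into a single 'mac' flag field, as mactime does."""
    events = defaultdict(set)  # (ts, inode, path) -> flags seen at that second
    meta = {}                  # (inode, path) -> parsed entry
    for e in parse_body(body_text):
        meta[(e["inode"], e["path"])] = e
        for flag in "mac":
            ts = e[flag + "time"]
            if ts > 0:         # body files use 0 for "no timestamp"
                events[(ts, e["inode"], e["path"])].add(flag)
    rows = []
    for ts, inode, path in sorted(events):
        e = meta[(inode, path)]
        flags = "".join(c if c in events[(ts, inode, path)] else "." for c in "mac")
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        rows.append(f"{when} {e['size']:>7} {flags} {e['mode']} {e['uid']} {e['gid']} {inode} {path}")
    return rows


def pair_entries(body_text):
    """Group SI and FN entries by MFT entry (the body file's 'inode' field)."""
    pairs = defaultdict(dict)
    for e in parse_body(body_text):
        pairs[e["inode"]]["fn" if e["is_fn"] else "si"] = e
    return pairs


def si_predates_fn(body_text):
    """Return MFT entries whose earliest SI time is older than the earliest FN
    time. FN times are written by the kernel on create/rename and are rarely
    touched by user-level tools, so SI times older than them are a common
    indicator that the SI times were altered after the fact."""
    hits = []
    for inode, p in pair_entries(body_text).items():
        if "si" in p and "fn" in p:
            si_min = min(p["si"][k] for k in ("atime", "mtime", "ctime"))
            fn_min = min(p["fn"][k] for k in ("atime", "mtime", "ctime"))
            if si_min < fn_min:
                hits.append(inode)
    return hits


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_BODY):
        print(row)
    print("entries with SI times older than FN times:", si_predates_fn(SAMPLE_BODY))
```

For the sample, the SI times all fall after the FN times, so the check returns nothing; the rows come out in the same order as the poster's timeline, with UTC hours.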
From: Brian C. <ca...@sl...> - 2006-02-23 04:08:41

On Feb 22, 2006, at 3:11 AM, Patrick Forsberg wrote:
> Hi there.
>
> I have a question (and possibly a feature request for fls)
>
> I've been analyzing a couple of NTFS file systems where the MFT
> MAC-times haven't been enough to get a good timeline, whereas
> looking at the $FILE_NAME MAC-times have. Unfortunately I cannot find
> a way of generating a timeline for $FILE_NAME attributes so I had to
> write a rather slow script using istat on every MFT entry. Is there
> another way or possibly a chance of getting added functionality to
> sleuthkit.

I've had something to this effect in mind for a while. My initial solution would be to print two lines for each file in the 'ils' output, which defines the body file before the timeline is made. One line would be for STANDARD_INFO and the other would be for FILE_NAME. It's doable, but I was concerned that it would cause great confusion because there would be two m-times, two a-times, and two c-times for each file. It would need to be an option for special cases like you experienced.

brian
From: Brian C. <ca...@sl...> - 2006-02-23 03:01:14

On Feb 21, 2006, at 2:12 PM, "" <gim...@we...> <gim...@we...> wrote:
> Hi,
>
> I want to create a timeline of activities with Autopsy.
> I have built a new case, loaded up my image and opened the page "File
> Activity Timelines", then clicked on "Create Data File", OK, and then
> got this error message:
>
> No images were given for analysis. At least one must be selected.
>
> What could be wrong?
> Perhaps anything is bad with my image file?
> It is a dd dump with 4 Partitions.
> I added Partition 4 to the case and it was the partition I chose to make
> a timeline of.

Was partition 4 added as a specific file system (i.e. can you go into the file analysis mode of Autopsy and view the directory listing?)? Only file systems are shown in the timeline view. If it was added as raw or swap then it will not be shown in the timeline view.

brian
From: Patrick F. <fo...@ch...> - 2006-02-22 08:11:45

Hi there.

I have a question (and possibly a feature request for fls).

I've been analyzing a couple of NTFS file systems where the MFT MAC-times haven't been enough to get a good timeline, whereas looking at the $FILE_NAME MAC-times have. Unfortunately I cannot find a way of generating a timeline for $FILE_NAME attributes so I had to write a rather slow script using istat on every MFT entry. Is there another way or possibly a chance of getting added functionality to sleuthkit?

Below is the istat output from istat on a malware component that is hard to track through the usual fls timeline.

istat -f ntfs -o 63 -i raw PhysDrive.img 112501

MFT Entry Header Values:
Entry: 112501        Sequence: 16
$LogFile Sequence Number: 24867996464
Allocated File
Links: 1

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 260
Original times:
Created:       Sat Feb 11 22:16:02 2006
File Modified: Thu Jan 19 13:16:50 2006
MFT Modified:  Tue Feb 14 22:31:39 2006
Accessed:      Tue Feb 14 22:31:39 2006

$FILE_NAME Attribute Values:
Flags: Archive
Name: malware.exe
Parent MFT Entry: 9291 	Sequence: 9291
Allocated Size: 0   	Actual Size: 0
Original times:
Created:       Sat Feb 11 22:16:02 2006
File Modified: Sat Feb 11 22:16:02 2006
MFT Modified:  Sat Feb 11 22:16:02 2006
Accessed:      Sat Feb 11 22:16:02 2006

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 90
Type: $DATA (128-3)   Name: $Data   Non-Resident   size: 596295
8839705 8839706 8839707 8839708 8839709 8839710 8839711 8839712
<DELETED BLOCK LIST>

Of all the times available for this particular entry only $STANDARD_INFORMATION - File Modified, MFT Modified and Accessed are reported in a fls timeline.

By comparing my network logs with the times for $STANDARD_INFORMATION - Created and $FILE_NAME - Created, File Modified, MFT Modified and Accessed I can deduce that the file was put on the system on Sat Feb 11 22:16:02 2006. But the MFT was for some reason modified on Tue Feb 14 22:31:39 2006.

Either the malware itself modifies MFTs to thwart timeline analysis or some system tool is doing it, but the usual analysis of C-time is more or less worthless for this system and I have to resort to my "hack" of generating a timeline with the help of istat.

/Patrick
From: Brian C. <ca...@sl...> - 2006-02-22 04:45:36

On Feb 21, 2006, at 2:38 PM, Barry J. Grundy wrote:
> On Tue, 2006-02-21 at 20:07 +0100, gim...@we... wrote:
>
>> how can I delete an image file from a case?
>> On the page "Select a volume to analyze or add a new image file.", I
>> only have the option to analyze, add image file, close host but not any
>> option to delete an image file.
>
> I'm not sure that there is an option within autopsy to "delete" an
> image file. Brian would have to comment on this, but I imagine it has
> something to do with maintaining case integrity.

There is not an option. It is kind of messy to keep everything in sync (strings, unallocated space, timelines, body files etc.). It's doable, but has not been a high priority (which I am in the process of enumerating as I write this).

brian
From: Barry J. G. <bg...@im...> - 2006-02-21 19:38:37

On Tue, 2006-02-21 at 20:07 +0100, gim...@we... wrote:
> how can I delete an image file from a case?
> On the page "Select a volume to analyze or add a new image file.", I
> only have the option to analyze, add image file, close host but not any
> option to delete an image file.

I'm not sure that there is an option within autopsy to "delete" an image file. Brian would have to comment on this, but I imagine it has something to do with maintaining case integrity.

If you are testing and playing with the software, you could "remove" the image by deleting the link (or mv/cp'd) image from ./CASENAME/HOSTNAME/images/ and then editing the host config file ./CASENAME/HOSTNAME/images/host.aut (The above paths are within your evidence locker).

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
From: <gim...@we...> - 2006-02-21 19:07:14

Hi,

I want to create a timeline of activities with Autopsy. I have built a new case, loaded up my image and opened the page "File Activity Timelines", then clicked on "Create Data File", OK, and then got this error message:

No images were given for analysis. At least one must be selected.

What could be wrong? Perhaps anything is bad with my image file? It is a dd dump with 4 Partitions. I added Partition 4 to the case and it was the partition I chose to make a timeline of.

regards
From: <gim...@we...> - 2006-02-21 19:01:45

Hi,

how can I delete an image file from a case? On the page "Select a volume to analyze or add a new image file.", I only have the option to analyze, add image file, close host but not any option to delete an image file. How can this be done with Autopsy?

regards
From: Brian C. <ca...@sl...> - 2006-02-20 23:43:36

On Feb 20, 2006, at 10:15 AM, gim...@we... wrote:
> On Thu, 16 Feb 2006 11:15:13 -0600
> "DePriest, Jason R." <jrd...@fi...> wrote:
>
>> I restored the file using Sleuthkit which the log says ran this:
>> icat -f ntfs -o 0 -i raw
>> '/sleuthkit-evidence/deadsystem/HOST/images/image.raw' 6754-128-3
>>
>> With 6754-128-3 being the MFT information.
>
> Thanks for the hint, used it to build a shell script (ils + icat)!
>
> But what's the reason for Autopsy not providing a function to
> automatically restore a large amount of files?

Time.... :) And it wasn't really intended as a mass recovery tool.

brian
From: <gim...@we...> - 2006-02-20 20:38:07

On Sun, 19 Feb 2006 20:05:38 -0500 Brian Carrier <ca...@sl...> wrote:
> There is also a script named recoup by Dave Henkewick that can
> recreate the directory structure (I've never used it though):
>
> http://www.sleuthkit.org/sleuthkit/download.php
>
> brian

First I wrote a little shell script. This works so far. But now, when executing the sleuthkit perl script whose link is given above, I get this error:

"main::list() called too early to check prototype at recoup.pl line 33."

line 33:
list($FLS_inode);

some lines above:
my $FLS_inode="222";

I configured the parameters in the head of the script and verified inode number 222 using fls. This seems to be okay.

Any suggestions?
From: <gim...@we...> - 2006-02-20 15:15:54

On Thu, 16 Feb 2006 11:15:13 -0600 "DePriest, Jason R." <jrd...@fi...> wrote:
> I restored the file using Sleuthkit which the log says ran this:
> icat -f ntfs -o 0 -i raw
> '/sleuthkit-evidence/deadsystem/HOST/images/image.raw' 6754-128-3
>
> With 6754-128-3 being the MFT information.

Thanks for the hint, used it to build a shell script (ils + icat)!

But what's the reason for Autopsy not providing a function to automatically restore a large amount of files? Or is there any option I overlooked?

regards
From: Brian C. <ca...@sl...> - 2006-02-20 01:06:19

There is also a script named recoup by Dave Henkewick that can recreate the directory structure (I've never used it though):

http://www.sleuthkit.org/sleuthkit/download.php

brian

On Feb 19, 2006, at 7:06 PM, SecMan wrote:
> I generally restore by exporting a file then I can rename it to a more
> manageable name.
>
> -----Original Message-----
> From: sle...@li...
> [mailto:sle...@li...]On Behalf Of
> sle...@li...
> Sent: Thursday, February 16, 2006 11:29 PM
> To: sle...@li...
> Subject: sleuthkit-users digest, Vol 1 #394 - 1 msg
>
>
> Send sleuthkit-users mailing list submissions to
> sle...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> or, via email, send a message with subject or body 'help' to
> sle...@li...
>
> You can reach the person managing the list at
> sle...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sleuthkit-users digest..."
>
>
> Today's Topics:
>
> 1. Restoring files (gim...@we...)
>
> --__--__--
>
> Message: 1
> Date: Thu, 16 Feb 2006 17:42:07 +0100
> From: gim...@we...
> To: sle...@li...
> Subject: [sleuthkit-users] Restoring files
>
> Hi,
>
> how can I make Autopsy restore found files to any medium?
> I did only find the option to list and sort found files but
> no way to select them all to restore.
>
> Any suggestions?
>
> regards
>
>
> --__--__--
>
> _______________________________________________
> sleuthkit-users mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>
>
> End of sleuthkit-users Digest
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through
> log files for problems? Stop! Download the new AJAX search engine that
> makes searching your log files as easy as surfing the web. DOWNLOAD
> SPLUNK!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
From: SecMan <se...@ta...> - 2006-02-20 00:07:58

I generally restore by exporting a file then I can rename it to a more manageable name.

-----Original Message-----
From: sle...@li... [mailto:sle...@li...]On Behalf Of sle...@li...
Sent: Thursday, February 16, 2006 11:29 PM
To: sle...@li...
Subject: sleuthkit-users digest, Vol 1 #394 - 1 msg

Send sleuthkit-users mailing list submissions to
sle...@li...

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
or, via email, send a message with subject or body 'help' to
sle...@li...

You can reach the person managing the list at
sle...@li...

When replying, please edit your Subject line so it is more specific than "Re: Contents of sleuthkit-users digest..."

Today's Topics:

1. Restoring files (gim...@we...)

--__--__--

Message: 1
Date: Thu, 16 Feb 2006 17:42:07 +0100
From: gim...@we...
To: sle...@li...
Subject: [sleuthkit-users] Restoring files

Hi,

how can I make Autopsy restore found files to any medium? I did only find the option to list and sort found files but no way to select them all to restore.

Any suggestions?

regards

--__--__--

_______________________________________________
sleuthkit-users mailing list
sle...@li...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users

End of sleuthkit-users Digest
From: <gim...@we...> - 2006-02-16 16:42:12

Hi,

how can I make Autopsy restore found files to any medium? I did only find the option to list and sort found files but no way to select them all to restore.

Any suggestions?

regards
From: farmer d. <far...@ya...> - 2006-02-09 04:44:05

Hi Stu,

> Basically, I cannot seem to get "sleuthkit"
> installed on my system.

The Sleuth Kit doesn't get installed on a system, unless you use a pre-compiled package from someone else. A while back I used to build RPMs when I used RH Linux for The Sleuth Kit so that the executables would be copied to '/usr/local/bin', the man pages to their respective directories, etc.

> read
> the INSTALL.txt and then typed "make".

The key in that file you read is:

"All tools will be compiled into the 'bin' directory. All manual pages are located in the 'man' directory. To always have access to the manual pages, add the directory to your MANPATH environment variable. If you would like the binaries to be placed in a common directory, such as /usr/local/bin, then it must be done manually."

So the file holds the key. You must do it manually. You could symlink them or copy or move them to where you like. Be careful to not overwrite existing binaries.

cheers!

farmerdude
http://www.farmerdude.com/

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
From: Barry J. G. <bg...@im...> - 2006-02-08 18:25:17

On Wed, 2006-02-08 at 16:16 +0000, Stuart Bird wrote:
> I then tried "man sleuthkit" and got a "not found". I tried a couple of
> commands on a test dd image. Each time command not found. I tried
> "whereis sleuthkit" and again nothing found.

Hi Stuart.

The "man sleuthkit" won't work because sleuthkit is the collection of tools, not the command. When you untarred sleuthkit, and typed "make", you ended up with a number of directories in that current directory. One of those is ./bin and another is ./man

./sleuthkit-2.xx/bin
./sleuthkit-2.xx/man/man1 (for command usage)

(note that the "./" indicates "from the current directory".)

In order to use the programs, you have to either call the program with the explicit path, copy them to a directory that is in your $PATH (/usr, /usr/bin/ ...) or add their current directory to your $PATH. I usually choose to leave them where they are and either call them explicitly or use symlinks. So, to use fsstat, I would type:

timmy Exercises # ~/tools/sleuthkit-2.03/bin/fsstat practical.floppy.dd

...to run fsstat on a floppy image in the "Exercises" directory. Note that I had to give the full path to the tool.

Again, if you want to run the man page for a given tool, change to the ./sleuthkit-2.xx/man/man1 directory and look at the man page using:

timmy man1 # man ./fsstat.1

Note again that the ./ indicates that the file "fsstat.1" is located in the current directory.

Do a little search on "$PATH" and "$MANPATH" to learn more about why you either need to edit these paths or move/copy/link the files elsewhere. Remember, Linux does not look in your current directory by default (like DOS) for a command.

HTH a little...

Also, note that "whereis" normally uses hard coded paths, so it most likely won't find TSK tools unless they are moved/copied/linked to standard "program" locations for Linux. You could use "locate", but would have to run "updatedb" first.

Barry

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
From: J B <je...@ad...> - 2006-02-08 16:31:49

Sleuthkit make simply compiles the tools for your system, doesn't copy them to /bin or /usr/local or anything like that. The executables (many small programs) are to be found in the /bin dir inside where you extracted the tarball. Copy them to wherever you like. I'm not sure about man pages.. you might have to add a path to your environment variables for those, or maybe copy them to wherever other mans are. I don't know that much about configuring man.

-Jessop
From: Stuart B. <e_t...@ya...> - 2006-02-08 16:15:22

Hi

I am new to both Sleuthkit and this list so would like to say hello to all. I am a serving law enforcement officer working in a busy UK HTCU. I have been in post for just over three years, but have been involved with computers for over fifteen years. I am a slightly "better than noob" linux user and find myself using it more and more in my current role. Anyway, that's me.

Unfortunately I have a problem that I cannot resolve so find myself asking for help on my first visit. I hope this is the right place for this sort of question.

Basically, I cannot seem to get "sleuthkit" installed on my system. I am running Zenwalk (slackware based) on a 2.6.14.4 kernel. I downloaded the sleuthkit tarball to my home "dir", "untarred" it, read the INSTALL.txt and then typed "make". Lots of text went whizzing by and the prompt returned with no obvious errors. I have gcc installed and all that. I then tried "man sleuthkit" and got a "not found". I tried a couple of commands on a test dd image. Each time command not found. I tried "whereis sleuthkit" and again nothing found. I tried installing again, this time from the "/usr" folder and the same thing happened.

Could anyone please tell me where I am going wrong. I suspect it is something simple but I just can't see it.

Many thanks

Stu

___________________________________________________________
To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com
From: J B <je...@ad...> - 2006-02-07 18:10:46

----- Original Message -----
From: "Mark" <ma...@ti...>
Newsgroups: alt.comp.linux
Sent: Friday, February 03, 2006 4:37 PM
Subject: Re: can I simulate a physical raid using image files (loop device)?

> On Thu, 02 Feb 2006 14:02:00 -0500, J wrote:
>
>> if you can mount a disk image (dd, iso) using a loopx device file, can
>> you access several of them with linux software raid tools?
>
> Why not just try?
>
> I got curious too and gave it a shot, and seems to work...
>
> #dd if=/dev/zero of=disk1 bs=1k count=102400
> #dd if=/dev/zero of=disk2 bs=1k count=102400
> #losetup /dev/loop0 disk1
> #losetup /dev/loop1 disk2
> #mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/loop0 /dev/loop1
> #mkfs.ext3 /dev/md0
> #mount /dev/md0 /mnt
> # df -h /mnt
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/md0               97M  4.1M   88M   5% /mnt
> 0# cat /proc/mdstat
> Personalities : [raid1]
> md0 : active raid1 loop1[1] loop0[0]
>       102336 blocks [2/2] [UU]
>
> Rgds,
> Mark.
>
>> I'd like to simulate raid by creating 3 or 4 100MB files, mounting them
>> as a raid volume and formatting them.
>>
>> Curious,
>>
>> Jessop
From: J B <je...@ad...> - 2006-02-02 18:50:05

I like to imagine that you should be able to link a device file to an image file, and do what you want with it. What happened to "everything in unix is a file!". oh well - one day.
From: farmer d. <far...@ya...> - 2006-02-02 05:11:01

Jessop and Dave,

RAID acquisitions and analysis are a different beast than stand alone systems. Identifying, acquiring, and analyzing RAIDs require a bit of knowledge, a bit of skill, and a bit of space.

I've been quite successful in identifying, acquiring, and analyzing RAID arrays using Linux and associated components and programs. This is something covered in advanced training courses in detail - either my own or ASR Data's. I've used both the SMART Linux Boot CD and THE FARMER'S BOOT CD for this. SMART for Linux, the program, has a nice graphical RAID Reconstructor utility to assist those who don't know the RAID schematics for the system they're looking to analyze.

I would recommend acquiring every disk individually, a physical image. Acquiring only the RAID array may leave a lot of data behind. I would make certain whatever tool you use to acquire doesn't activate the RAID array.

While you're there, at the system, get ALL the information you need before leaving. RAID level, stripe size, parity, etc. THIS is the information you will NEED to build your software RAID array. Hardware RAID systems typically include this in the tools available at boot time. Software RAID systems contain this information in the RAID superblock. I dissected the superblock for my advanced training class and found it to provide the needed information for reconstruction later. Note that this superblock has grown from the 2.4 kernel to the 2.6 kernel.

I don't know if this helps or not, but I hope it does. You can use Linux to acquire and analyze RAID arrays. Physical disk images are what you want. If you use mdadm you don't need a RAIDTAB file, and I would strongly recommend *not* defining '/etc/raidtab'.

regards,

farmerdude

--- Dave Gilbert <all...@ya...> wrote:

> Jessop,
>
> The way you're describing your image operation (imaging each disk
> individually) will likely not work. I've tried it in the wild and it
> just doesn't work (unless you're prepared to manually piece together
> the data, depending on the RAID config, BTW, I've tried that too with
> varying levels of success...not fun). I haven't done much acquisition
> lately, but I believe the best way to go about it is to boot the to be
> imaged system with a Linux distro packaged for acquisition, such as
> Helix or perhaps Farmerdude's CD. Essentially what's needed is an
> acquisition of the RAID as a device, i.e., grabbing an image of the
> data spanned across the drives in one image, 2nd i.e., as if the RAID
> is just a big drive. Obviously, speed of success will be dependent on
> whether or not your particular Linux boot CD distro has the a suitable
> RAID driver and can 'see' the RAID. You can force the issue by manually
> adding a device and installing drivers. I've seen this done, but
> couldn't begin to accurately describe the process in detail. The
> bottom line is a need to image the 'RAID', not the drives. I hope this
> can get you started.
>
> Dave Gilbert
>
> --- J B <je...@ad...> wrote:
>
> > Suppose you have a raid of 8 9GIG disks.
> > You have imaged each disk using dd so that you have
> > diskimg0 ... diskimg7
> >
> > What's the best way to mount this group of images in software so
> > that you can then operate on it using TSK? I assume it involves
> > mounting a loopback device..
> >
> > it's seems like you'd want to use /dev/loopX in raiddev per disk
> >
> > but I'm not sure that:
> > mount -ro /evidence/diskimg0 /whocareswhere -t whatevertype -o
> > loop=/dev/loop0, blocksize= (CHUNKSIZE?)
> > would be appropriate. Seems like you're mounting the image
> > unnecessarily leaving the mounted stub at /whocareswhere when all
> > you really want is to tie loop0 to the image...
> >
> > raiddev /dev/md0
> > raid-level linear
> > nr-raid-disks 2
> > chunk-size 32
> > persistent-superblock 1
> > device /dev/loop0
> > raid-disk 0
> > device /dev/loop1
> > raid-disk 1
> >
> >
> > Just curious,
> >
> > -Jessop
From: Dave G. <all...@ya...> - 2006-02-02 01:08:03
Jessop,

The way you're describing your image operation (imaging each disk individually) will likely not work. I've tried it in the wild and it just doesn't work (unless you're prepared to manually piece together the data, depending on the RAID config, BTW, I've tried that too with varying levels of success...not fun). I haven't done much acquisition lately, but I believe the best way to go about it is to boot the to-be-imaged system with a Linux distro packaged for acquisition, such as Helix or perhaps Farmerdude's CD.

Essentially what's needed is an acquisition of the RAID as a device, i.e., grabbing an image of the data spanned across the drives in one image, 2nd i.e., as if the RAID is just a big drive. Obviously, speed of success will be dependent on whether or not your particular Linux boot CD distro has a suitable RAID driver and can 'see' the RAID. You can force the issue by manually adding a device and installing drivers. I've seen this done, but couldn't begin to accurately describe the process in detail. The bottom line is a need to image the 'RAID', not the drives. I hope this can get you started.

Dave Gilbert

--- J B <je...@ad...> wrote:

> Suppose you have a raid of 8 9GIG disks. You have imaged each disk using dd so that you have diskimg0 ... diskimg7
>
> What's the best way to mount this group of images in software so that you can then operate on it using TSK? I assume it involves mounting a loopback device..
>
> It seems like you'd want to use /dev/loopX in raiddev per disk
>
> but I'm not sure that:
> mount -ro /evidence/diskimg0 /whocareswhere -t whatevertype -o loop=/dev/loop0, blocksize= (CHUNKSIZE?)
> would be appropriate. Seems like you're mounting the image unnecessarily, leaving the mounted stub at /whocareswhere when all you really want is to tie loop0 to the image...
>
> raiddev /dev/md0
> raid-level linear
> nr-raid-disks 2
> chunk-size 32
> persistent-superblock 1
> device /dev/loop0
> raid-disk 0
> device /dev/loop1
> raid-disk 1
>
> Just curious,
>
> -Jessop
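Dave's point that per-disk images only help if you reassemble the striping by hand, and Jessop's raidtab layout, as an added example that is not code from the thread: a Python script that rebuilds one volume image from per-member dd images for the two layouts the raidtab names (linear, and RAID-0 with a fixed chunk size), so TSK tools such as mmls can read the result. It assumes equal-size members listed in array order and no md superblock or controller metadata inside the images; the file names and the helper names are hypothetical, and on a current system the same layout can be assembled read-only with losetup -r and mdadm --build instead.

```python
"""Rebuild one volume image from per-member dd images of a software RAID."""
import io
import sys

def _size(f):
    f.seek(0, io.SEEK_END)
    return f.tell()

def reassemble(members, level, out, chunk_kib=32):
    """Stream the logical volume of seekable member files (array order) to out.

    'linear' concatenates the members; '0' interleaves chunks round-robin, so
    logical chunk i is chunk i // n of member i % n (raidtab 'chunk-size' is
    in KiB). Assumes equal-size members and no md superblock or controller
    metadata inside the images; a trailing partial chunk is dropped, as md
    itself only exposes whole chunks. Returns the number of bytes written.
    """
    chunk, n, written = chunk_kib * 1024, len(members), 0
    if level == "linear":
        for m in members:
            m.seek(0)
            for block in iter(lambda: m.read(1 << 20), b""):
                written += out.write(block)
        return written
    if level != "0":
        raise ValueError("unsupported raid-level %r" % level)
    per_member = min(_size(m) for m in members) // chunk
    for i in range(per_member * n):
        m = members[i % n]
        m.seek((i // n) * chunk)
        written += out.write(m.read(chunk))
    return written

def reassemble_bytes(members, level, chunk_kib=32):
    """In-memory wrapper over reassemble() for small images or tests."""
    out = io.BytesIO()
    reassemble([io.BytesIO(m) for m in members], level, out, chunk_kib)
    return out.getvalue()

def chunk_origin(offset, n_members, chunk_kib=32):
    """Map a RAID-0 logical byte offset to (member index, offset inside it)."""
    chunk = chunk_kib * 1024
    stripe, inside = divmod(offset, chunk)
    return stripe % n_members, (stripe // n_members) * chunk + inside

# usage: raid_reassemble.py linear|0 CHUNK_KIB OUT.dd IMG0 IMG1 ...  (hypothetical names)
if __name__ == "__main__":
    level, chunk_kib, out_path, paths = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4:]
    with open(out_path, "wb") as out:
        print(reassemble([open(p, "rb") for p in paths], level, out, chunk_kib), "bytes written")
```

Validate the result before trusting it: a partition table that mmls can read, or a filesystem that fsstat recognises, is the check that the chunk size and disk order were right.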
From: farmer d. <far...@ya...> - 2006-02-01 01:48:15
Yes, I figured as much (to some degree, at least). Essentially a Metadata Assistant program for Linux? What I mentioned in my reply was that on my CD exists a tool to pull such metadata from PDF documents. On the next release this support will expand to include DOC files as well.

Timestamps are already available via The Sleuth Kit, SMART for Linux, etc. Make certain you use a program/tool designed for reading date/time stamps. I.e., most typically *not* a Linux system command (because going through VFS the program is happy to report a time ... but it may not be the right time ... due to structure of VFS).

regards,

farmerdude

--- sr...@nm... wrote:

> hi,
> thanks for replying.
> i mean i want a tool that can give me the
> 1) history of the file (when the file is created, modified, printed, edited, anything that is useful)
> 2) time analysis (i want the tool to display the time it is created, modified, printed, edited, anything that is useful)
>
> i mean i need the complete history of the file.
>
> please let me know as soon as possible.
>
> thanks again for replying.