sleuthkit-users Mailing List for The Sleuth Kit (Page 175)
From: Chuck <chu...@gm...> - 2005-09-30 12:48:45
On 9/29/05, Paulo Renato Silva <pau...@gm...> wrote:
> I've used helix in some projects and I've had good results with it. But the
> sleuthkit is a little outdated in Helix CD. The Helix CD contains sleuthkit
> v. 1.73 and the v. 2.02 was released in July 8, 2005. However, I think
> that Helix is a good choice.

I think the Helix "CD Contents" web page for Helix is just a little out of
date. The changelog lists the most recent, stable Helix (Helix 1.6:
28.July.2005) as having Autopsy 2.05 and Sleuthkit 2.02 (the most recent
versions). The changelog also lists Helix 1.7 as coming out 1.Oct.2005
(tomorrow), but I am not sure if that is a definite date or the planned
release. The download page says 1.7 is only 5% done and I don't see any
mention of it on the Helix forums, so I would guess the release date will
slip.

Chuck
From: Priscilla O. <pri...@ya...> - 2005-09-30 01:31:27
Thanks for all the recommendations. I will try the Helix CD. It sounds
great. I had liked the sound of the Penguin one because of all the network
utilities in addition to forensics utilities, but the Helix one has that
too. Hooray. :-)

I did finally find the sleuthkit tools when booted from the Penguin CD, by
the way. (They were in /usr/bin/ but I missed them because I was looking
for them to be in a folder called sleuthkit or something of that sort.)

Learning some cool stuff! Thanks.

Priscilla Oppenheimer

--- Paulo Renato Silva <pau...@gm...> wrote:
> I've used helix in some projects and I've had good results with it. But the
> sleuthkit is a little outdated in Helix CD. The Helix CD contains sleuthkit
> v. 1.73 and the v. 2.02 was released in July 8, 2005. However, I think that
> Helix is a good choice.
>
> Paulo Renato Silva
>
> On 9/29/05, Chuck <chu...@gm...> wrote:
> > The Penguin Sleuth Kit (which has really nothing to do with Brian's
> > sleuthkit) hasn't been updated in quite a while (over 2 years now) and
> > I'm not sure if the plain Knoppix CD has sleuthkit/autopsy. I'd
> > recommend using the Helix CD available at:
> >
> > http://www.e-fense.com/helix/
> >
> > I've had very good luck with it and it is updated frequently. Have fun.
> >
> > Chuck
> >
> > On 9/29/05, Priscilla Oppenheimer <pri...@ya...> wrote:
> > > Does anyone use The Penguin Sleuth Kit Linux bootable CD? The list of
> > > included software here:
> > >
> > > http://luge.cc.emory.edu/psl.html
> > >
> > > says that The Sleuthkit (www.sleuthkit.org) is included with the boot
> > > CD. It's not!? Or am I misunderstanding how to find it?
> > >
> > > I downloaded the iso image from the site. I got the file called
> > > penguinsleuth-07-05-2003.iso and burned it to CD. It boots fine. I
> > > don't have any problems running other tools, such as Ethereal, but
> > > sleuthkit tools aren't there.
> > >
> > > I also tried a plain vanilla Knoppix Linux bootable CD and can't find
> > > The Sleuthkit with that either, although it's supposedly on that too,
> > > so I suspect that the problem may be user error.
> > >
> > > I opened a root shell, so it's not that I'm not root. I think it's
> > > something else.
> > >
> > > Please help.
> > >
> > > Thanks.
> > > __________________
> > >
> > > Priscilla Oppenheimer
> > > Adjunct Faculty
> > > Southern Oregon University
> > > http://www.priscilla.com
> > >
> > > _______________________________________________
> > > sleuthkit-users mailing list
> > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > > http://www.sleuthkit.org
>
> --
> ------------------------------------------
> Paulo Renato S. Silva
> ICQ: 12395936
> Skype: paulorenato_silva
> ------------------------------------------

Priscilla Oppenheimer
Adjunct Faculty
Southern Oregon University
www.priscilla.com
From: Ty B. <teb...@gm...> - 2005-09-29 23:45:52
On 9/29/05, Slade E. Griffin <sl...@ss...> wrote:
> Brian et al,
>
> I would be interested in hearing some comments on the writeup and
> presentation contained here. Any thoughts?
> http://www.metasploit.com/projects/antiforensics/
> Thanks in advance for those who participate.
>
> Slade E. Griffin, GCIH GCFA

Between the concepts presented at
http://www.metasploit.com/projects/antiforensics/ and the always evolving
"Art of Defiling" materials from the Grugq (latest? slides here:
http://blackhat.com/presentations/bh-usa-05/bh-us-05-grugq.pdf) there could
be some serious improvement done in the investigative process. Both of
these presentations feature points that exploit the forensics investigation
process and/or the examiner. The specific holes in forensic software can be
fixed and hopefully they will be soon, but the "exploits" for the
investigative process, etc. need more thought.

Some of the mentioned exploits of the process aren't practical to fix. For
example, both of the above presentations mention exhausting the typical
resources (mostly time, which in turn equals money) available to the
examiner. I'm not sure this has a practical fix; I mean, if more resources
could be allocated to the process they would be, but we don't have time to
chase down every bit on all the evidence because it is suspected that
anti-forensics measures were taken in the attack/case.

I'd like to write up some ideas on possible solutions to "exploits" in this
process and more ideas to improve robustness of the systems/network arch.
(to give examiners more potential evidence via the network or host-based
measures). Thoughts anyone?

Thanks,
Ty E. Bodell, CCE
From: Paulo R. S. <pau...@gm...> - 2005-09-29 21:41:54
I've used helix in some projects and I've had good results with it. But the
sleuthkit is a little outdated in Helix CD. The Helix CD contains sleuthkit
v. 1.73 and the v. 2.02 was released in July 8, 2005. However, I think that
Helix is a good choice.

Paulo Renato Silva

On 9/29/05, Chuck <chu...@gm...> wrote:
> The Penguin Sleuth Kit (which has really nothing to do with Brian's
> sleuthkit) hasn't been updated in quite a while (over 2 years now) and
> I'm not sure if the plain Knoppix CD has sleuthkit/autopsy. I'd
> recommend using the Helix CD available at:
>
> http://www.e-fense.com/helix/
>
> I've had very good luck with it and it is updated frequently. Have fun.
>
> Chuck
>
> On 9/29/05, Priscilla Oppenheimer <pri...@ya...> wrote:
> > Does anyone use The Penguin Sleuth Kit Linux bootable CD? The list of
> > included software here:
> >
> > http://luge.cc.emory.edu/psl.html
> >
> > says that The Sleuthkit (www.sleuthkit.org) is included with the boot
> > CD. It's not!? Or am I misunderstanding how to find it?
> >
> > I downloaded the iso image from the site. I got the file called
> > penguinsleuth-07-05-2003.iso and burned it to CD. It boots fine. I
> > don't have any problems running other tools, such as Ethereal, but
> > sleuthkit tools aren't there.
> >
> > I also tried a plain vanilla Knoppix Linux bootable CD and can't find
> > The Sleuthkit with that either, although it's supposedly on that too,
> > so I suspect that the problem may be user error.
> >
> > I opened a root shell, so it's not that I'm not root. I think it's
> > something else.
> >
> > Please help.
> >
> > Thanks.
> > __________________
> >
> > Priscilla Oppenheimer
> > Adjunct Faculty
> > Southern Oregon University
> > http://www.priscilla.com

--
------------------------------------------
Paulo Renato S. Silva
ICQ: 12395936
Skype: paulorenato_silva
------------------------------------------
From: Chuck <chu...@gm...> - 2005-09-29 20:54:26
The Penguin Sleuth Kit (which has really nothing to do with Brian's
sleuthkit) hasn't been updated in quite a while (over 2 years now) and I'm
not sure if the plain Knoppix CD has sleuthkit/autopsy. I'd recommend using
the Helix CD available at:

http://www.e-fense.com/helix/

I've had very good luck with it and it is updated frequently. Have fun.

Chuck

On 9/29/05, Priscilla Oppenheimer <pri...@ya...> wrote:
> Does anyone use The Penguin Sleuth Kit Linux bootable CD? The list of
> included software here:
>
> http://luge.cc.emory.edu/psl.html
>
> says that The Sleuthkit (www.sleuthkit.org) is included with the boot CD.
> It's not!? Or am I misunderstanding how to find it?
>
> I downloaded the iso image from the site. I got the file called
> penguinsleuth-07-05-2003.iso and burned it to CD. It boots fine. I don't
> have any problems running other tools, such as Ethereal, but sleuthkit
> tools aren't there.
>
> I also tried a plain vanilla Knoppix Linux bootable CD and can't find The
> Sleuthkit with that either, although it's supposedly on that too, so I
> suspect that the problem may be user error.
>
> I opened a root shell, so it's not that I'm not root. I think it's
> something else.
>
> Please help.
>
> Thanks.
> __________________
>
> Priscilla Oppenheimer
> Adjunct Faculty
> Southern Oregon University
> http://www.priscilla.com
From: Priscilla O. <pri...@ya...> - 2005-09-29 20:47:26
Does anyone use The Penguin Sleuth Kit Linux bootable CD? The list of
included software here:

http://luge.cc.emory.edu/psl.html

says that The Sleuthkit (www.sleuthkit.org) is included with the boot CD.
It's not!? Or am I misunderstanding how to find it?

I downloaded the iso image from the site. I got the file called
penguinsleuth-07-05-2003.iso and burned it to CD. It boots fine. I don't
have any problems running other tools, such as Ethereal, but sleuthkit
tools aren't there.

I also tried a plain vanilla Knoppix Linux bootable CD and can't find The
Sleuthkit with that either, although it's supposedly on that too, so I
suspect that the problem may be user error.

I opened a root shell, so it's not that I'm not root. I think it's
something else.

Please help.

Thanks.
__________________

Priscilla Oppenheimer
Adjunct Faculty
Southern Oregon University
http://www.priscilla.com
From: Angus M. <an...@n-...> - 2005-09-29 15:56:20
Thanks Dennis - that does exactly what I need, and it even seems to work on
AOL8.

On Thu Sep 29 5:59 , 'OFD Land Schreiber, Dennis' <DSc...@of...> sent:
> Hi,
>
> try PFC-Viewer (http://members.aol.com/pfcviewer/)
>
> Dennis
>
> > -----Original Message-----
> > From: Angus Marshall [an...@n-...]
> > Sent: Wednesday, September 28, 2005 10:32 PM
> > To: sle...@li...
> > Subject: [sleuthkit-users] AOL .pfc files
> >
> > Not strictly a sleuthkit question, but definitely one for sleuthkit
> > users ;-)
> >
> > Does anyone know of something which can decode AOL .PFC files
> > (originating on Windows) on a *nix platform? Alternatively, does anyone
> > know where I might be able to find some info. on the file structure?
From: Angus M. <an...@n-...> - 2005-09-29 15:55:40
FAT32 does not record the access time - only the access date. All you know
is that the files were accessed at SOME time on that date.

On Thu Sep 29 16:26 , Geert VAN ACKER <gee...@pa...> sent:
> Dear list,
>
> after creating a timeline with sleuthkit, I get app 700 files with the
> same date-time stamp. It's on a FAT32 volume and all the files have an
> "a" (accessed) timestamp. Most of the files belong to a game, and a few
> system files (dll's, vga driver, ...) are in between it.
>
> The timestamp is Fri Jul 29 2005 00:00:00; after the 700 files, the next
> entry is Fri Jul 29 2005 19:35:46 and from there the files have
> timestamps which are more "logic", I mean they have 1 or 2 second
> intervals.
>
> Could it be a backup or antivirus prog that accessed all these files?
> 700 in one second just seems a lot.
>
> Does anyone have a better explanation?
>
> Thanks in advance,
>
> Geert VAN ACKER
From: Chuck <chu...@gm...> - 2005-09-29 15:54:44
On 9/29/05, Geert VAN ACKER <gee...@pa...> wrote:
> after creating a timeline with sleuthkit, I get app 700 files with the
> same date-time stamp. It's on a FAT32 volume and all the files have an
> "a" (accessed) timestamp. Most of the files belong to a game, and a few
> system files (dll's, vga driver, ...) are in between it.
>
> The timestamp is Fri Jul 29 2005 00:00:00; after the 700 files, the next
> entry is Fri Jul 29 2005 19:35:46 and from there the files have
> timestamps which are more "logic", I mean they have 1 or 2 second
> intervals.

I believe FAT only stores the date of last access, not the time, so
sleuthkit just puts them all at midnight.

Chuck
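The point Angus and Chuck make can be seen directly in the on-disk structure. The following is an added Python example (not code from the posts or from The Sleuth Kit): it decodes the three timestamps of a FAT directory entry, whose last-access field is a 2-byte date with no time, and counts timeline rows that are 'a'-only at 00:00:00. The directory entry and the timeline rows are constructed sample data, not taken from the poster's volume.

```python
import struct
from datetime import date, datetime, time

# Offsets inside a 32-byte FAT directory entry (FAT12/16/32 share the layout):
CTIME_OFF = 0x0E   # creation time, 2-second resolution
CDATE_OFF = 0x10   # creation date
ADATE_OFF = 0x12   # last access DATE only: FAT has no access-time field
WTIME_OFF = 0x16   # last write time
WDATE_OFF = 0x18   # last write date


def fat_date(raw):
    """Unpack a packed FAT date: bits 15-9 year-1980, 8-5 month, 4-0 day."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)


def fat_time(raw):
    """Unpack a packed FAT time: bits 15-11 hour, 10-5 minute, 4-0 sec/2."""
    return time(raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)


def pack_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def pack_time(t):
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)


def decode_timestamps(entry):
    """Return created/accessed/written datetimes for one directory entry.

    The access value is built from a date alone, so it always lands on
    00:00:00, which is exactly what a timeline shows for FAT 'a' entries.
    """
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    ctime, cdate, adate = struct.unpack_from("<HHH", entry, CTIME_OFF)
    wtime, wdate = struct.unpack_from("<HH", entry, WTIME_OFF)
    return {
        "created": datetime.combine(fat_date(cdate), fat_time(ctime)),
        "accessed": datetime.combine(fat_date(adate), time(0, 0, 0)),
        "written": datetime.combine(fat_date(wdate), fat_time(wtime)),
    }


def build_entry(name, created, accessed, written):
    """Construct a directory entry (sample data, not read from a real disk)."""
    entry = bytearray(32)
    entry[0:11] = name.ljust(11, b" ")          # 8.3 name, space padded
    entry[11] = 0x20                             # ATTR_ARCHIVE
    struct.pack_into("<HHH", entry, CTIME_OFF,
                     pack_time(created.time()), pack_date(created.date()),
                     pack_date(accessed))        # date only, no time word
    struct.pack_into("<HH", entry, WTIME_OFF,
                     pack_time(written.time()), pack_date(written.date()))
    return bytes(entry)


def midnight_access_entries(rows):
    """Count timeline rows whose only flag is 'a' and whose time is 00:00:00.

    rows: (datetime, macb) pairs as one would pull from a mactime listing.
    On FAT these are not 'touched at midnight' events but date-only access
    stamps collapsed onto 00:00:00, so they must not be read as one burst.
    """
    return sum(1 for ts, flags in rows
               if flags.strip(".") == "a" and ts.time() == time(0, 0, 0))


# Constructed sample: a game file written 2005-07-29 19:35:46 and read at
# some unknown time the same day.
SAMPLE = build_entry(b"GAME    DAT",
                     datetime(2005, 7, 29, 19, 35, 46),
                     date(2005, 7, 29),
                     datetime(2005, 7, 29, 19, 35, 46))

# Constructed timeline rows (timestamp, macb flags) like a mactime listing.
SAMPLE_ROWS = [
    (datetime(2005, 7, 29, 0, 0, 0), ".a.."),
    (datetime(2005, 7, 29, 0, 0, 0), ".a.."),
    (datetime(2005, 7, 29, 19, 35, 46), "m..."),
]

if __name__ == "__main__":
    for kind, value in decode_timestamps(SAMPLE).items():
        print(f"{kind:9s} {value}")
    print("date-only access rows:", midnight_access_entries(SAMPLE_ROWS))
```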
From: Slade E. G. <sl...@ss...> - 2005-09-29 15:53:03
Brian et al,

I would be interested in hearing some comments on the writeup and
presentation contained here. Any thoughts?
http://www.metasploit.com/projects/antiforensics/
Thanks in advance for those who participate.

Slade E. Griffin, GCIH GCFA
From: Geert V. A. <gee...@pa...> - 2005-09-29 15:26:17
Dear list,

after creating a timeline with sleuthkit, I get app 700 files with the same
date-time stamp. It's on a FAT32 volume and all the files have an "a"
(accessed) timestamp. Most of the files belong to a game, and a few system
files (dll's, vga driver, ...) are in between it.

The timestamp is Fri Jul 29 2005 00:00:00; after the 700 files, the next
entry is Fri Jul 29 2005 19:35:46 and from there the files have timestamps
which are more "logic", I mean they have 1 or 2 second intervals.

Could it be a backup or antivirus prog that accessed all these files? 700
in one second just seems a lot.

Does anyone have a better explanation?

Thanks in advance,

Geert VAN ACKER
From: OFD L. S. D. <DSc...@of...> - 2005-09-29 05:05:17
Hi,

try PFC-Viewer (http://members.aol.com/pfcviewer/)

Dennis

> -----Original Message-----
> From: Angus Marshall [mailto:an...@n-...]
> Sent: Wednesday, September 28, 2005 10:32 PM
> To: sle...@li...
> Subject: [sleuthkit-users] AOL .pfc files
>
> Not strictly a sleuthkit question, but definitely one for sleuthkit
> users ;-)
>
> Does anyone know of something which can decode AOL .PFC files (originating
> on Windows) on a *nix platform? Alternatively, does anyone know where I
> might be able to find some info. on the file structure?
From: Angus M. <an...@n-...> - 2005-09-28 20:26:31
Not strictly a sleuthkit question, but definitely one for sleuthkit users ;-)

Does anyone know of something which can decode AOL .PFC files (originating
on Windows) on a *nix platform? Alternatively, does anyone know where I
might be able to find some info. on the file structure?
From: Brian C. <ca...@sl...> - 2005-09-27 15:05:05
It looks like the block that used to hold the other block pointers has been
reused. You can sometimes make some assumptions about where the data was,
but Solaris fragments the files quite a bit so that they are spread around
the file system. For example, the indirect block is in block 60,018,960
while the last direct block was 1,566,824 (in your system). Solaris
frequently puts the blocks after the first 12 direct blocks in a different
cylinder group. So, I'm afraid that you could be out of luck since the
usual carving tools won't help.

brian

On Sep 26, 2005, at 11:14 AM, Monserrat Ramirez wrote:
> Hello everyone!
>
> I'm a new user of the Sleuth Kit and I don't know if I'm doing something
> wrong... I lost an entire FS (the super block was damaged... the backup
> copies either) but I only want to recover one file; by now I know that
> the inode that this file uses is 182584, but when I ran the icat command
> with the verbose option, the output is as follows:
>
> inodes 12393472 root ino 2 cyl groups 2128 blocks 104587230
> fs_read_block: read block 1525976 offs 1562599424 len 8192 (inode block)
> fs_read_block: read block 1525720 offs 1562337280 len 8192 (cylinder block)
> fs_read_block: read block 1566736 offs 1604337664 len 8192 (data block)
> fs_read_block: read block 1566744 offs 1604345856 len 8192 (data block)
> fs_read_block: read block 1566752 offs 1604354048 len 8192 (data block)
> fs_read_block: read block 1566760 offs 1604362240 len 8192 (data block)
> fs_read_block: read block 1566768 offs 1604370432 len 8192 (data block)
> fs_read_block: read block 1566776 offs 1604378624 len 8192 (data block)
> fs_read_block: read block 1566784 offs 1604386816 len 8192 (data block)
> fs_read_block: read block 1566792 offs 1604395008 len 8192 (data block)
> fs_read_block: read block 1566800 offs 1604403200 len 8192 (data block)
> fs_read_block: read block 1566808 offs 1604411392 len 8192 (data block)
> fs_read_block: read block 1566816 offs 1604419584 len 8192 (data block)
> fs_read_block: read block 1566824 offs 1604427776 len 8192 (data block)
> ffs_file_walk_indir: level 1 block 60018960
> fs_read_block: read block 60018960 offs 61459415040 len 8192 (disk address block)
> fs_read_block: read block 26886951 offs 27532237824 len 8192 (data block)
> Invalid address in indirect list (too large): 965017603
>
> My guess is that I have troubles with the reference to the indirect
> blocks... in fact, in the output file the output from the direct blocks
> is consistent with the info I'm expecting but the indirect blocks aren't.
>
> Any help? I'm running the Sleuth kit in a Solaris 8 environment...
> believe me, any help will be appreciated.
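What can still be salvaged from a trace like the one above is the part reached through the 12 direct pointers, which icat read cleanly before the indirect block failed validation. The following is an added Python example (not code from the post or from The Sleuth Kit) that parses the quoted `icat -v` lines, reproduces the "too large" pointer check against the block count on the first line, merges the direct-block reads into contiguous byte runs, and prints dd commands for them; the image path is a placeholder and the trace text is copied from the post as sample input.

```python
import re

# Sample input: the icat -v trace quoted in the post (TSK 2.x on UFS).
ICAT_LOG = """\
inodes 12393472 root ino 2 cyl groups 2128 blocks 104587230
fs_read_block: read block 1525976 offs 1562599424 len 8192 (inode block)
fs_read_block: read block 1525720 offs 1562337280 len 8192 (cylinder block)
fs_read_block: read block 1566736 offs 1604337664 len 8192 (data block)
fs_read_block: read block 1566744 offs 1604345856 len 8192 (data block)
fs_read_block: read block 1566752 offs 1604354048 len 8192 (data block)
fs_read_block: read block 1566760 offs 1604362240 len 8192 (data block)
fs_read_block: read block 1566768 offs 1604370432 len 8192 (data block)
fs_read_block: read block 1566776 offs 1604378624 len 8192 (data block)
fs_read_block: read block 1566784 offs 1604386816 len 8192 (data block)
fs_read_block: read block 1566792 offs 1604395008 len 8192 (data block)
fs_read_block: read block 1566800 offs 1604403200 len 8192 (data block)
fs_read_block: read block 1566808 offs 1604411392 len 8192 (data block)
fs_read_block: read block 1566816 offs 1604419584 len 8192 (data block)
fs_read_block: read block 1566824 offs 1604427776 len 8192 (data block)
ffs_file_walk_indir: level 1 block 60018960
fs_read_block: read block 60018960 offs 61459415040 len 8192 (disk address block)
fs_read_block: read block 26886951 offs 27532237824 len 8192 (data block)
Invalid address in indirect list (too large): 965017603
"""

GEOM_RE = re.compile(r"^inodes \d+ root ino \d+ cyl groups \d+ blocks (\d+)$")
READ_RE = re.compile(r"^fs_read_block: read block (\d+) offs (\d+) len (\d+) \((.+)\)$")
INDIR_RE = re.compile(r"^ffs_file_walk_indir: level \d+ block \d+$")
BAD_RE = re.compile(r"^Invalid address in indirect list \(too large\): (\d+)$")


def parse_icat_verbose(log):
    """Split the trace into geometry, direct reads, indirect reads and
    the pointer values icat rejected."""
    info = {"blocks": None, "direct": [], "indirect": [], "rejected": []}
    walking_indirect = False
    for line in log.splitlines():
        if m := GEOM_RE.match(line):
            info["blocks"] = int(m.group(1))
        elif INDIR_RE.match(line):
            walking_indirect = True      # later reads came via pointer blocks
        elif m := BAD_RE.match(line):
            info["rejected"].append(int(m.group(1)))
        elif (m := READ_RE.match(line)) and m.group(4) == "data block":
            rec = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
            info["indirect" if walking_indirect else "direct"].append(rec)
    return info


def pointer_too_large(addr, total_blocks):
    """The sanity check behind 'Invalid address in indirect list (too large)':
    a pointer past the end of the file system cannot be a data block."""
    return addr >= total_blocks


def carve_runs(reads):
    """Merge byte-contiguous (block, offset, length) reads into (offset, length) runs."""
    runs = []
    for _blk, offs, length in reads:
        if runs and runs[-1][0] + runs[-1][1] == offs:
            runs[-1] = (runs[-1][0], runs[-1][1] + length)
        else:
            runs.append((offs, length))
    return runs


def dd_commands(runs, image="IMAGE_PATH", out="part%d.bin"):
    """dd invocations for each run (image path is a placeholder)."""
    cmds = []
    for i, (offs, length) in enumerate(runs):
        bs = 8192 if offs % 8192 == 0 and length % 8192 == 0 else 1
        cmds.append(f"dd if={image} of={out % i} bs={bs} "
                    f"skip={offs // bs} count={length // bs}")
    return cmds


def recovery_summary(log):
    info = parse_icat_verbose(log)
    return {
        "direct_bytes": sum(r[2] for r in info["direct"]),
        "direct_runs": carve_runs(info["direct"]),
        "indirect_reads": len(info["indirect"]),
        "too_large": [a for a in info["rejected"]
                      if pointer_too_large(a, info["blocks"])],
    }


if __name__ == "__main__":
    summary = recovery_summary(ICAT_LOG)
    print(summary)
    for cmd in dd_commands(summary["direct_runs"]):
        print(cmd)
```

The summary shows 98304 bytes (12 direct blocks of 8192) in one contiguous run, one indirect-reached block, and the single rejected pointer; everything past the first 96 KiB of the file depends on the reused indirect block and is what Brian says the usual carving tools will not bring back.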
From: Monserrat R. <mrg...@ya...> - 2005-09-26 16:14:51
Hello everyone!

I'm a new user of the Sleuth Kit and I don't know if I'm doing something
wrong... I lost an entire FS (the super block was damaged... the backup
copies either) but I only want to recover one file; by now I know that the
inode that this file uses is 182584, but when I ran the icat command with
the verbose option, the output is as follows:

inodes 12393472 root ino 2 cyl groups 2128 blocks 104587230
fs_read_block: read block 1525976 offs 1562599424 len 8192 (inode block)
fs_read_block: read block 1525720 offs 1562337280 len 8192 (cylinder block)
fs_read_block: read block 1566736 offs 1604337664 len 8192 (data block)
fs_read_block: read block 1566744 offs 1604345856 len 8192 (data block)
fs_read_block: read block 1566752 offs 1604354048 len 8192 (data block)
fs_read_block: read block 1566760 offs 1604362240 len 8192 (data block)
fs_read_block: read block 1566768 offs 1604370432 len 8192 (data block)
fs_read_block: read block 1566776 offs 1604378624 len 8192 (data block)
fs_read_block: read block 1566784 offs 1604386816 len 8192 (data block)
fs_read_block: read block 1566792 offs 1604395008 len 8192 (data block)
fs_read_block: read block 1566800 offs 1604403200 len 8192 (data block)
fs_read_block: read block 1566808 offs 1604411392 len 8192 (data block)
fs_read_block: read block 1566816 offs 1604419584 len 8192 (data block)
fs_read_block: read block 1566824 offs 1604427776 len 8192 (data block)
ffs_file_walk_indir: level 1 block 60018960
fs_read_block: read block 60018960 offs 61459415040 len 8192 (disk address block)
fs_read_block: read block 26886951 offs 27532237824 len 8192 (data block)
Invalid address in indirect list (too large): 965017603

My guess is that I have troubles with the reference to the indirect
blocks... in fact, in the output file the output from the direct blocks is
consistent with the info I'm expecting but the indirect blocks aren't.

Any help? I'm running the Sleuth kit in a Solaris 8 environment... believe
me, any help will be appreciated.

Thanks in advance,

Monserrat.
From: youcef b. <ybi...@ya...> - 2005-09-22 22:07:48
Hi,

I need to have your feedback on your experience of using TSK following a
forensic methodology. I have found some limitations but this could be just
my little exposure to the tool. I am currently using Eoghan Casey's
methodology and trying to follow it using TSK. In brief the steps of such
methodology are:

- Preparation (we can ignore it)
- Listing: fully supported in TSK via fls
- Recovery:
  o Unallocated space (supported via dls)
  o Slack space (supported via dls -s)
  o Deleted files (manually but not fully automated)
- Filtering (manually but not automated)
- Process identification/classification (supported via sorter)

The problem encountered is that the recovery of deleted files cannot be
accomplished automatically. There is no TSK command that will recursively
parse the image and dump all the deleted files. The same thing could be
said for filtering: the fact that we need to recover the content first of
both allocated and unallocated files to be able to create an MD5 hash of
the image media means that the filtering is exposed to the same limitation.

I know that some of you may say that sorter will accomplish both tasks:
recovering deleted files, hashing them, applying the filtering and dumping
their content. But the problem with sorter is its versatility. I wish I
could use a switch to instruct it to do one thing at a time. The problem I
am having, at least methodology wise, is that sorter breaks the boundaries
of a structured methodology (like the one I am trying to follow) by merging
several steps into one action.

My question is:

- Is it possible to accomplish the above missing, in my understanding,
  steps using TSK (i.e. recursively recover deleted files and filtering)
  as separate tasks?
- What sort of methodology are you using when doing forensics using
  TSK/autopsy?

My approach to the subject is purely academic, as I am trying to adopt it
for educational purposes. I know that in real life some of you guys may
burn all the steps and don't care about strict methodology.

Any feedback or code examples that do the trick are all welcomed.
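One way to keep the recovery step and the filtering step separate, as the methodology asks, is to drive the existing TSK tools from a small script: list with fls, pull each deleted entry with icat, then hash-filter the results. The following is an added Python example, not code from the post, from Eoghan Casey's book or from TSK; the fls output is a constructed sample in the `fls -r -p` style, the image name, file-system type string and output directory are placeholders, and the known-hash set is constructed inline.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample of 'fls -r -p' output: "*" marks a deleted entry and
# "(realloc)" a deleted name whose metadata address has since been reused,
# so its content may belong to whatever file owns that address now.
FLS_SAMPLE = """\
d/d 11:\tlost+found
r/r 12:\tnotes.txt
r/r * 27:\tsecret.txt
-/r * 30:\ttmp/cache.bin
r/r * 31(realloc):\ttmp/old.log
"""

FLS_RE = re.compile(
    r"^(?P<ftype>[-a-z])/(?P<mtype>[-a-z])\s+(?P<del>\*\s+)?"
    r"(?P<addr>[0-9-]+)(?P<realloc>\(realloc\))?:\s*(?P<name>.*)$")


@dataclass
class FlsEntry:
    addr: str       # metadata address as printed (NTFS uses 12-128-1 style)
    name: str
    deleted: bool
    realloc: bool


def parse_fls(output):
    """Listing step: turn fls lines into structured entries."""
    entries = []
    for line in output.splitlines():
        m = FLS_RE.match(line)
        if not m:
            continue                     # not a directory entry line
        entries.append(FlsEntry(m["addr"], m["name"],
                                m["del"] is not None,
                                m["realloc"] is not None))
    return entries


def deleted_entries(output):
    """Recovery step, part 1: every deleted entry that fls can still name."""
    return [e for e in parse_fls(output) if e.deleted]


def icat_commands(entries, image, fstype, outdir, offset=None):
    """Recovery step, part 2: one icat call per deleted entry.

    The output name keeps the metadata address so that two deleted names
    pointing at one address do not overwrite each other. fstype and offset
    are whatever the local TSK build accepts for -f and -o (placeholders here).
    """
    off = f" -o {offset}" if offset is not None else ""
    cmds = []
    for e in entries:
        safe = e.name.replace("/", "_")
        cmds.append(f"icat -f {fstype}{off} {image} {e.addr} "
                    f"> {outdir}/{e.addr}_{safe}")
    return cmds


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def unknown_files(recovered, known_md5):
    """Filtering step: keep only recovered content whose MD5 is not in the
    known-file set. recovered maps output name -> bytes."""
    return sorted(name for name, data in recovered.items()
                  if md5_hex(data) not in known_md5)


if __name__ == "__main__":
    ents = deleted_entries(FLS_SAMPLE)
    for cmd in icat_commands(ents, "IMAGE_PATH", "FSTYPE", "recovered"):
        print(cmd)
    # Constructed recovered content and a constructed known-hash set.
    sample = {"27_secret.txt": b"unknown content", "30_tmp_cache.bin": b"known"}
    print(unknown_files(sample, {md5_hex(b"known")}))
```

Run the printed icat lines with a shell, then feed the resulting files to `unknown_files` with a hash set built from your known-good collection; realloc entries are worth checking against the current owner of the address before trusting their content.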
From: youcef b. <ybi...@ya...> - 2005-09-22 21:41:29
Thanks for the clarification. I was using the last sector instead of total
sectors; that's why I needed to add 1.

regards
youcef

--- Brian Carrier <ca...@sl...> wrote:
> On Sep 21, 2005, at 4:57 PM, youcef bichbiche wrote:
>
> > Hi Brian,
> >
> > > how many sectors do you get if you image the device?
> >
> > this is the output of the dd command:
> >
> > 252840+0 records in
> > 252840+0 records out
> > 129454080 bytes (129 MB) copied, 144.047 seconds, 899 kB/s
>
> That is fewer than expected based on the mmls and fsstat output.
>
> > Brian I was following your wonderful book for the FAT analysis and I
> > stumbled on page 225 when you gave a formula on how to determine if
> > there are unused sectors.
> >
> > the formula says:
> > (total sectors - address of cluster 2) / (number of clusters per cluster)
> >
> > my understanding is that the formula should be:
> >
> > (total sectors - address of cluster 2)+1 / (number of clusters per cluster)
> >
> > Am I correct or is it just one of my late night reading syndrome.
>
> nope, the formula in the book is correct. Consider a very small example
> where there are 9 sectors (0 to 8) and cluster 2 starts in sector 2 (i.e.
> 2 sectors before data area and 7 in the data area). Let each cluster be 2
> sectors:
>
> (9 - 2) / 2 = 3.5
>
> There is a remainder, which means there is an unused sector (sector 8 in
> this case).
>
> brian
From: Brian C. <ca...@sl...> - 2005-09-22 06:30:13
On Sep 21, 2005, at 4:57 PM, youcef bichbiche wrote:

> Hi Brian,
>
>> how many sectors do you get if you image the device?
>>
> this is the output of the dd command:
>
> 252840+0 records in
> 252840+0 records out
> 129454080 bytes (129 MB) copied, 144.047 seconds, 899 kB/s

That is fewer than expected based on the mmls and fsstat output.

> Brian I was following your wonderful book for the FAT
> analysis and I stumbled on page 225 when you gave a
> formula on how to determine if there are unused
> sectors.
>
> the formula says:
> (total sectors - address of cluster 2) / (number of
> clusters per cluster)
>
> my understanding is that the formula should be:
>
> (total sectors - address of cluster 2)+1 / (number of
> clusters per cluster)
>
> Am I correct or is it just one of my late night
> reading syndrome.

nope, the formula in the book is correct. Consider a very small example where there are 9 sectors (0 to 8) and cluster 2 starts in sector 2 (i.e. 2 sectors before data area and 7 in the data area). Let each cluster be 2 sectors:

(9 - 2) / 2 = 3.5

There is a remainder, which means there is an unused sector (sector 8 in this case).

brian
From: youcef b. <ybi...@ya...> - 2005-09-21 21:58:03
Hi Brian,

> how many sectors do you get if you image the device?

this is the output of the dd command:

252840+0 records in
252840+0 records out
129454080 bytes (129 MB) copied, 144.047 seconds, 899 kB/s

Brian I was following your wonderful book for the FAT analysis and I stumbled on page 225 when you gave a formula on how to determine if there are unused sectors.

the formula says:
(total sectors - address of cluster 2) / (number of clusters per cluster)

my understanding is that the formula should be:

(total sectors - address of cluster 2)+1 / (number of clusters per cluster)

Am I correct or is it just one of my late night reading syndrome.

regards
youcef

--- Brian Carrier <ca...@sl...> wrote:

> > - what puzzles me about the mmls output is that adding
> > all the sectors (1+31+252896) will give me a size
> > around 126M and not 128M.
>
> It depends on if you divide by 1000 or 1024 to get KB and MB and the
> partition may not occupy the full disk. I don't think all storage
> devices are exactly the size they say they are. how many sectors do
> you get if you image the device?
>
> > - The other puzzling thing is the fsstat output. the
> > FAT table is 247 sectors and therefore capable of
> > holding 31616 entries (128 * 247), whereas the cluster
> > range is 2-63093. This means that we have a lot of
> > clusters which cannot be referenced via the FAT table.
>
> Eamonn is correct, each FAT entry in FAT16 is 2 bytes, not 4 bytes so
> there are 256 entries per sector.
>
> brian
From: Brian C. <ca...@sl...> - 2005-09-21 14:47:27
> - what puzzles me about the mmls output is that adding
> all the sectors (1+31+252896) will give me a size
> around 126M and not 128M.

It depends on if you divide by 1000 or 1024 to get KB and MB and the partition may not occupy the full disk. I don't think all storage devices are exactly the size they say they are. how many sectors do you get if you image the device?

> - The other puzzling thing is the fsstat output. the
> FAT table is 247 sectors and therefore capable of
> holding 31616 entries (128 * 247), whereas the cluster
> range is 2-63093. This means that we have a lot of
> clusters which cannot be referenced via the FAT table.

Eamonn is correct, each FAT entry in FAT16 is 2 bytes, not 4 bytes so there are 256 entries per sector.

brian
From: Eamonn S. <ea...@ya...> - 2005-09-21 14:05:54
Wrt your question about the number of clusters... your calculation is based on 4 bytes being used per cluster. This is a FAT16 file system so only 2 bytes will be used per cluster. I believe the correct calculation is number of FAT sectors * bytes per sector / number of bytes per cluster i.e. (247 * 512) / 2 = 63232.

HTH
Eamonn

--- youcef bichbiche <ybi...@ya...> wrote:

> Hi,
>
> I have a 128 MB USB flash disk which I imaged using the dd tool.
>
> the mmls command on the image is giving me this output:
>
>      Slot    Start        End          Length       Description
> 00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000001   0000000031   0000000031   Unallocated
> 02:  00:00   0000000032   0000252927   0000252896   DOS FAT16 (0x06)
>
> the fsstat is giving me this output:
>
> File System Type: FAT16
>
> OEM Name: MSDOS5.0
> Volume ID: 0x1c52e261
> Volume Label (Boot Sector): NO NAME
> Volume Label (Root Directory): FORENSIC
> File System Type Label: FAT16
>
> Sectors before file system: 32
>
> File System Layout (in sectors)
> Total Range: 0 - 252895
> * Reserved: 0 - 0
> ** Boot Sector: 0
> * FAT 0: 1 - 247
> * FAT 1: 248 - 494
> * Data Area: 495 - 252895
> ** Root Directory: 495 - 526
> ** Cluster Area: 527 - 252894
> ** Non-clustered: 252895 - 252895
>
> --------------------------------------------------------------------------------
> METADATA INFORMATION
> Range: 2 - 4037890
> Root Directory: 2
>
> --------------------------------------------------------------------------------
> CONTENT INFORMATION
> Sector Size: 512
> Cluster Size: 2048
> Total Cluster Range: 2 - 63093
>
> - what puzzles me about the mmls output is that adding
> all the sectors (1+31+252896) will give me a size
> around 126M and not 128M.
>
> - The other puzzling thing is the fsstat output. the
> FAT table is 247 sectors and therefore capable of
> holding 31616 entries (128 * 247), whereas the cluster
> range is 2-63093. This means that we have a lot of
> clusters which cannot be referenced via the FAT table.
>
> can anyone shed a light on this please
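As an added example (my code, not from the thread and not part of TSK), the following redoes the arithmetic from Brian's and Eamonn's replies above using the mmls, fsstat and dd numbers youcef posted: Eamonn's FAT16 capacity check with 2-byte entries, the book formula Brian quotes for the non-clustered sectors after the last cluster (also run on his 9-sector toy volume), how many sectors the dd image falls short of the partition mmls describes, and the same volume size in MB versus MiB, which is the 1000-vs-1024 point Brian raises.

```python
"""Added example (my code, not from the thread or from TSK): sanity checks on
the FAT16 layout reported by mmls/fsstat, using the numbers posted above."""

SECTOR = 512

# Values copied from the mmls / fsstat / dd output in the thread.
PART_START, PART_LEN = 32, 252896   # mmls slot 02: DOS FAT16 (0x06)
FS_TOTAL_SECTORS = 252896           # fsstat: Total Range 0 - 252895
FAT_SECTORS = 247                   # fsstat: FAT 0 spans sectors 1 - 247
CLUSTER2_ADDR = 527                 # fsstat: Cluster Area starts at 527
CLUSTER_SIZE = 2048                 # fsstat: Cluster Size
IMAGE_SECTORS = 252840              # dd: 252840+0 records out


def fat_entries(fat_sectors, bytes_per_entry, sector_size=SECTOR):
    """Entries one FAT copy can hold (FAT16: 2 bytes each, FAT32: 4)."""
    return fat_sectors * sector_size // bytes_per_entry


def cluster_layout(total_sectors, cluster2_addr, cluster_size, sector_size=SECTOR):
    """Book formula: (total sectors - address of cluster 2) / sectors per cluster.
    The quotient is the cluster count; a non-zero remainder is the number of
    sectors at the end of the volume that belong to no cluster ("Non-clustered").
    Returns (cluster count, last cluster number, leftover sectors, first unused sector)."""
    sectors_per_cluster = cluster_size // sector_size
    count, leftover = divmod(total_sectors - cluster2_addr, sectors_per_cluster)
    last_cluster = 2 + count - 1                       # numbering starts at cluster 2
    first_unused = total_sectors - leftover if leftover else None
    return count, last_cluster, leftover, first_unused


def fat16_can_address(fat_sectors, last_cluster):
    """True if a FAT16 table of this size has an entry for every cluster number."""
    return fat_entries(fat_sectors, 2) > last_cluster


def sectors_missing_from_image(image_sectors, part_start, part_len):
    """How many sectors of the mmls partition the dd image does not contain."""
    return max(0, part_start + part_len - image_sectors)


def size_in_mb(sectors, base=1000, sector_size=SECTOR):
    """Size in MB (base 1000) or MiB (base 1024) from a sector count."""
    return sectors * sector_size / base ** 2


if __name__ == "__main__":
    count, last, leftover, unused = cluster_layout(FS_TOTAL_SECTORS, CLUSTER2_ADDR, CLUSTER_SIZE)
    print(f"clusters 2 - {last} ({count} clusters), non-clustered sectors: {leftover}, first unused: {unused}")
    print("FAT16 entries per table:", fat_entries(FAT_SECTORS, 2),
          "(a 4-byte assumption would give", fat_entries(FAT_SECTORS, 4), ")")
    print("table addresses every cluster:", fat16_can_address(FAT_SECTORS, last))
    print("sectors missing from dd image:",
          sectors_missing_from_image(IMAGE_SECTORS, PART_START, PART_LEN))
    disk = PART_START + PART_LEN
    print(f"disk: {size_in_mb(disk):.1f} MB / {size_in_mb(disk, 1024):.1f} MiB")
    print("Brian's toy volume:", cluster_layout(9, 2, 2 * SECTOR))
```

`cluster_layout` reproduces fsstat's "Total Cluster Range: 2 - 63093" and "Non-clustered: 252895 - 252895" from the raw numbers, and `sectors_missing_from_image` makes Brian's "fewer than expected" observation concrete: the image stops 88 sectors before the partition end that mmls reports, so the last sectors of the volume were not captured.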
From: youcef b. <ybi...@ya...> - 2005-09-20 20:52:54
Hi,

I have a 128 MB USB flash disk which I imaged using the dd tool.

the mmls command on the image is giving me this output:

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000031   0000000031   Unallocated
02:  00:00   0000000032   0000252927   0000252896   DOS FAT16 (0x06)

the fsstat is giving me this output:

File System Type: FAT16

OEM Name: MSDOS5.0
Volume ID: 0x1c52e261
Volume Label (Boot Sector): NO NAME
Volume Label (Root Directory): FORENSIC
File System Type Label: FAT16

Sectors before file system: 32

File System Layout (in sectors)
Total Range: 0 - 252895
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 247
* FAT 1: 248 - 494
* Data Area: 495 - 252895
** Root Directory: 495 - 526
** Cluster Area: 527 - 252894
** Non-clustered: 252895 - 252895

--------------------------------------------------------------------------------
METADATA INFORMATION
Range: 2 - 4037890
Root Directory: 2

--------------------------------------------------------------------------------
CONTENT INFORMATION
Sector Size: 512
Cluster Size: 2048
Total Cluster Range: 2 - 63093

- what puzzles me about the mmls output is that adding all the sectors (1+31+252896) will give me a size around 126M and not 128M.

- The other puzzling thing is the fsstat output. the FAT table is 247 sectors and therefore capable of holding 31616 entries (128 * 247), whereas the cluster range is 2-63093. This means that we have a lot of clusters which cannot be referenced via the FAT table.

can anyone shed a light on this please
From: <fu...@gm...> - 2005-09-19 08:06:19
Dear list,

I wrote a small tool for doing time-intensive sleuthkit/autopsy tasks in one turn and also time scheduled. It's at the moment more in the testing phase, so I would like to ask if you can test the application in test cases.

The tool can do:
- Extract unallocated
- Extract ASCII and Unicode strings from both allocated and unallocated
- Sort file types
- Sort images

You can get it on http://www.netmon.ch/allin1.html

Any feedback would be appreciated.

Thank you and regards
Fuerst
From: Brian C. <ca...@sl...> - 2005-09-16 15:47:42
All other programs compiled though? I haven't had any problems with TSK on Tiger. A more detailed error report from 'file' compiling is needed.

brian

On Sep 15, 2005, at 6:30 PM, Priscilla Oppenheimer wrote:

> Hello TSK gurus,
>
> This is my first post, so let me know if I don't follow protocol.
>
> I'll be using The Sleuth Kit in a forensics class I'll be teaching at Southern Oregon University.
>
> Any ideas why the TSK file tool didn't install on Mac OS X, Tiger, 10.4.2?
>
> I'd like to use the sorter cmd, actually, but it says this when I try to run it:
>
> Missing Sleuth Kit file executable:
> /Applications/sleuthkit/sleuthkit-2.02//bin/file
>
> The check-install also says that file tool is indeed missing.
>
> I just ran a generic make after downloading version 2.02 of The Sleuth Kit. I didn't watch for any errors, so don't know what's going on.
>
> Any suggestions for what went wrong, how to troubleshoot this, or workarounds?
>
> Thank-you.
>
> Priscilla Oppenheimer