sleuthkit-users Mailing List for The Sleuth Kit (Page 181)
From: Pradeep M <pra...@gm...> - 2005-04-25 10:15:16

Hi,

Is it possible to recover data from a corrupted floppy using sleuthkit and autopsy? I tried using the tool, but first of all it's not possible to mount the floppy itself. I want to know whether it is possible to recover data from a corrupted floppy using this tool, and if it's not possible, then which tool should be used. Pls help.

Pradeep
From: youcef b. <ybi...@ya...> - 2005-04-21 23:19:37

> Where can I find these apps? Are there any linux based apps that can do
> this? Is there one app that can understand the structure of many different
> application files?

QuickView Plus does a good job of recognising and viewing several applications' formats. It's also a preferred way of viewing the MS Office suite, especially if you are paranoid about viruses.

regards
youcef
From: Barry J. G. <bg...@im...> - 2005-04-21 17:11:15

On Thu, 2005-04-21 at 08:56 -0700, Brian Starr wrote:
> Are there any tools that can recover fat32 fragmented files from unallocated
> disk space, outside of what foremost and the sorter can do?

Brian,

This is difficult at best. Consider what you are asking. If a file is deleted, or otherwise "unlinked" from its directory entry (in the case of a FAT system), then the ability of the recovery tool to "follow" the file fragments is severely hampered. The file allocation table holds pointers that describe a particular file's cluster location(s). While (IIRC) the starting cluster is normally not zeroed from the dir entry, the remaining clusters *are* (talking about FAT here). This makes recovery of fragmented files difficult, *especially* if there are unallocated clusters from other (deleted) files intermixed with the one you are looking for. In that case, even having the starting cluster and the size of the file does not help. There's no way for the recovery tool to "follow the bread crumbs" around the remnants of other deleted files.

Tools like "dls" can help with this, but in most cases only when the fragmented deleted file clusters are surrounded by *allocated* file clusters, in which case "icat -r" is easier anyway (assuming the inode/dir entry info is still there...).

I'm sure this does not help you much, but hopefully you can see why it's more difficult than it appears. If my explanation is "clear as mud", then just ignore the whole thing... ;-)

Barry

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
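The mechanism Barry describes above can be made concrete with a toy model. The following is an added example, not Sleuth Kit code and not from anyone on the thread: a small in-memory FAT12 layout (the 32-byte directory entry format and the 12-bit end-of-chain marker are the real ones; the cluster size, cluster numbers, file names and payloads are constructed). It writes one contiguous and one fragmented file, "unlinks" them the way FAT does (name byte set to 0xE5, FAT chain zeroed, data left in place) and then shows what a recovery tool has left to work with: the start cluster and size survive, the chain does not, and a contiguous-read guess succeeds for the contiguous file but pulls in another deleted file's cluster for the fragmented one.

```python
# Added example (not Sleuth Kit code): a toy FAT12 model showing what an
# "unlink" leaves behind and why a fragmented deleted file cannot be followed.
import struct

CLUSTER_SIZE = 512             # constructed layout: 512-byte clusters
NUM_CLUSTERS = 64              # clusters tracked by the toy FAT
EOC = 0xFFF                    # FAT12 end-of-chain marker
DIR_FMT = "<11sBBBHHHHHHHI"    # real 32-byte FAT directory entry layout


def make_dir_entry(name, first_cluster, size):
    """Build a 32-byte directory entry: 8.3 name, attribute byte, zeroed
    timestamps, first cluster (high/low words) and file size."""
    raw = name.encode("ascii").ljust(11)[:11]
    return struct.pack(DIR_FMT, raw, 0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_dir_entry(entry):
    """Return (deleted, first_cluster, size). A deleted entry keeps its start
    cluster and size; only the first name byte is overwritten with 0xE5."""
    f = struct.unpack(DIR_FMT, entry)
    return f[0][0] == 0xE5, (f[7] << 16) | f[10], f[11]


class ToyFat12:
    def __init__(self):
        self.fat = [0] * NUM_CLUSTERS            # 0 = free / chain unknown
        self.fat[0], self.fat[1] = 0xFF8, EOC    # reserved entries
        self.data = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        self.dir = {}                            # name -> raw 32-byte entry

    def write_file(self, name, payload, clusters):
        """Place payload in the given clusters and chain them in the FAT."""
        chunks = [payload[i:i + CLUSTER_SIZE] for i in range(0, len(payload), CLUSTER_SIZE)]
        assert len(chunks) == len(clusters), "one cluster per chunk"
        for i, (c, chunk) in enumerate(zip(clusters, chunks)):
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
            self.fat[c] = clusters[i + 1] if i + 1 < len(clusters) else EOC
        self.dir[name] = make_dir_entry(name, clusters[0], len(payload))

    def delete(self, name):
        """FAT unlink: mark the entry 0xE5 and zero the cluster chain.
        Data clusters are left untouched (that is what carving relies on)."""
        _, c, _ = parse_dir_entry(self.dir[name])
        while 2 <= c < 0xFF8:
            nxt = self.fat[c]
            self.fat[c] = 0
            c = nxt
        entry = bytearray(self.dir[name])
        entry[0] = 0xE5
        self.dir[name] = bytes(entry)

    def follow_chain(self, name):
        """Read a file by walking its FAT chain (what a normal file read does).
        Once the chain is zeroed this stops after the first cluster."""
        _, c, size = parse_dir_entry(self.dir[name])
        out = bytearray()
        while 2 <= c < 0xFF8:
            out += self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
            c = self.fat[c]
        return bytes(out[:size])

    def recover_contiguous(self, name):
        """Best effort for a deleted file: assume the clusters following the
        surviving start cluster belong to it and read `size` bytes."""
        _, start, size = parse_dir_entry(self.dir[name])
        off = start * CLUSTER_SIZE
        return bytes(self.data[off:off + size])


def demo():
    fs = ToyFat12()
    contiguous = b"A" * 1024                 # 2 clusters, back to back
    fragmented = b"B" * 512 + b"C" * 512     # 2 clusters, split around another file
    fs.write_file("CONTIG  TXT", contiguous, [2, 3])
    fs.write_file("FRAG    TXT", fragmented, [4, 6])
    fs.write_file("OTHER   TXT", b"X" * 512, [5])     # sits between FRAG's clusters
    for name in ("CONTIG  TXT", "FRAG    TXT", "OTHER   TXT"):
        fs.delete(name)
    deleted, start, size = parse_dir_entry(fs.dir["FRAG    TXT"])
    return {
        "frag_entry": (deleted, start, size),                   # start and size survive
        "chain_after_delete": fs.follow_chain("FRAG    TXT"),   # only the first cluster
        "contig_ok": fs.recover_contiguous("CONTIG  TXT") == contiguous,
        "frag_recovered": fs.recover_contiguous("FRAG    TXT"), # B bytes, then OTHER's X bytes
        "frag_ok": fs.recover_contiguous("FRAG    TXT") == fragmented,
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately stops at what the FAT metadata can tell you; which cluster really follows cluster 4 is exactly the information the unlink destroyed, so anything beyond the contiguous guess has to come from the content itself (signatures, internal structure), which is the carving approach discussed elsewhere in this thread.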
From: Brian S. <Br...@Pe...> - 2005-04-21 15:56:51

One other question:

Are there any tools that can recover fat32 fragmented files from unallocated disk space, outside of what foremost and the sorter can do?

Thanks,
Brian

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Thursday, April 21, 2005 7:01 AM
To: Brian Starr
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Opening Application Files
From: Brian S. <Br...@Pe...> - 2005-04-21 15:52:17

Thanks for all of your help, Brian. I have a follow up question (see below):

> > 6) If data files are recovered, is the only way to view their content
> > through the application that is associated with them? For example,
> > must a Microsoft Money data file be viewed with the MS Money
> > application in order to see the content? I know when a hex editor is
> > used, it is impossible to see what is in the file. I have had success
> > with getting text from a file with a hex editor, however, with
> > database apps I have no such luck. Is there some kind of tool that
> > allows me to see the tables of a db, or do I need to open it in the
> > application that is associated with it?
>
> If you want more than just strings, you will need an app that
> understands the structure of the application file (just like you need a
> tool that can understand the structure of a specific file system to
> view a file system image file).

Where can I find these apps? Are there any linux based apps that can do this? Is there one app that can understand the structure of many different application files?

Thanks,
Brian

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Thursday, April 21, 2005 7:01 AM
To: Brian Starr
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Opening Application Files
From: Brian C. <ca...@sl...> - 2005-04-21 14:01:16

On Apr 20, 2005, at 5:54 PM, Brian Starr wrote:
> Hi everyone,
>
> I am new to the forensic world using TSK and other tools, and any help
> is GREATLY appreciated! I know I have a lot of questions, so any help
> is received with gladness:
>
> Foremost (I know this is not a foremost forum, so hopefully some of
> you can help me.)
>
> I have recovered several different file types from fat32 unallocated
> disk space (dls file) using foremost. I have some questions:
>
> 1) Why does foremost make many of the file sizes the max file size as
> specified in the foremost.conf file? In other words, is there a way
> to compress them down. For example, I retrieved about 1000 .doc files
> (MS Office), but because of the max file size, the total disk space is
> showing as 2 gigs, which cannot be the case.

If it doesn't find the footer value (or if the application type doesn't have a footer value), it goes until the maximum length.

> 2) Of the .doc files retrieved, half will not open in MS Word. Why
> is that? I understand that other office application data files have
> the same file headers. Is this because I do not have the right
> application to open them, or because the files are corrupted? If
> corrupted, is there any way to recover it, or view the content,
> outside of viewing the strings with a hex editor?

foremost only looks for a basic signature value, which could be 2 or 4 bytes long. Random data is bound to eventually have the same value in that location so you will get false positives.

> 3) None of the database files recovered with foremost open in the
> application associated with them, whereas half of word/excel files
> open. Why is that? Are db files just more difficult to recover?

Could just be a more common signature value or because database files tend to be larger and more fragmented so you are not recovering the full file. foremost recovers only files that are not fragmented.

> Sorter
>
> 4) When I run the sorter, I have the same file types in the 'data'
> and 'documents' directories (for instance, there will be .doc files in
> both directories).

What is the file type reported for those in the data directory? 'file' puts things in 'data' if it doesn't know the type.

> In addition, many common file types are labeled as unknown (for
> instance, a .pst file - MS Outlook). Is this because I do not have the
> NIST NSRL database installed?

It has nothing to do with NSRL. I thought pst was in the rules though. If you send me the unknown file I can add more rules to the next release (this goes for anyone who finds lots of stuff in unknown. I haven't updated the rules in a while).

> 5) Does the sorter pull files from unallocated as well as allocated
> disk space?

It pulls stuff from unallocated space IF there is a metadata structure (i.e. inode / MFT entry etc.) that points to the data. It does not do carving like foremost does.

> Other Questions
>
> 6) If data files are recovered, is the only way to view their content
> through the application that is associated with them? For example,
> must a Microsoft Money data file be viewed with the MS Money
> application in order to see the content? I know when a hex editor is
> used, it is impossible to see what is in the file. I have had success
> with getting text from a file with a hex editor, however, with
> database apps I have no such luck. Is there some kind of tool that
> allows me to see the tables of a db, or do I need to open it in the
> application that is associated with it?

If you want more than just strings, you will need an app that understands the structure of the application file (just like you need a tool that can understand the structure of a specific file system to view a file system image file).

> 7) How could I view the content of .dat files? Is there a specific
> tool, or do I view the strings with a hex editor?

'.dat' is a generic extension. You really need to base it on what 'file' (or similar) tool tells you about the file type.

brian
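Two of Brian Carrier's points above (a header hit with no footer runs to the configured maximum length, and a short signature will eventually match random data) can be reproduced with a few lines. The following is an added example, not foremost's code and not from anyone on the thread: a minimal header/footer carver run over a constructed in-memory buffer. The eight-byte OLE2 magic is the real compound-document header used by .doc and .xls files; the footer string, the maximum size and the buffer layout are constructed for the demonstration.

```python
# Added example (not foremost's code): a minimal header/footer carver over a
# constructed buffer, showing why carved files run to the maximum size when no
# footer is found and why short signatures produce false positives.
import random

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # real compound-document header (.doc/.xls)
FOOTER = b"<<constructed-footer>>"                  # constructed; .doc has no fixed footer
MAX_SIZE = 64 * 1024                                # plays the role of a max size in foremost.conf


def carve(buf, header, footer, max_size):
    """Return [(offset, data)] for every header hit. The carved file ends right
    after the footer if one appears within max_size bytes of the header;
    otherwise it is cut at max_size (or at the end of the buffer)."""
    hits = []
    pos = buf.find(header)
    while pos != -1:
        limit = min(len(buf), pos + max_size)
        end = limit
        if footer:
            fpos = buf.find(footer, pos + len(header), limit)
            if fpos != -1:
                end = fpos + len(footer)
        hits.append((pos, bytes(buf[pos:end])))
        pos = buf.find(header, pos + len(header))
    return hits


def count_false_positives(noise, signature):
    """How many times a signature occurs in data that contains no real file."""
    return len(carve(noise, signature, None, 1))


def demo():
    rng = random.Random(20050421)             # fixed seed: the run is reproducible
    noise = lambda n: rng.getrandbits(8 * n).to_bytes(n, "little")
    complete = OLE2_MAGIC + b"body of a document that was written to the end" + FOOTER
    truncated = OLE2_MAGIC + b"body of a document whose footer was never written"
    # Constructed "unallocated space": noise around one complete and one
    # footer-less document, with plenty of noise after the second one.
    image = noise(4096) + complete + noise(4096) + truncated + noise(2 * MAX_SIZE)
    hits = carve(image, OLE2_MAGIC, FOOTER, MAX_SIZE)
    random_run = noise(1024 * 1024)           # 1 MiB of random bytes, no files at all
    return {
        "hits": len(hits),
        "first_is_exact": hits[0][1] == complete,     # footer found: exact file
        "second_len": len(hits[1][1]),                # no footer: exactly MAX_SIZE bytes
        "fp_2byte": count_false_positives(random_run, OLE2_MAGIC[:2]),
        "fp_8byte": count_false_positives(random_run, OLE2_MAGIC),
    }


if __name__ == "__main__":
    print(demo())
```

The two-byte signature typically fires several times per megabyte of random data, while the full eight-byte magic fires not at all; that difference is the whole reason the length of the signature in a carving rule matters, and it is also why a carved object that is exactly the configured maximum size should be treated as "no footer found" rather than as a file of that length.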
From: Brian S. <Br...@Pe...> - 2005-04-20 22:55:20

Hi everyone,

I am new to the forensic world using TSK and other tools, and any help is GREATLY appreciated! I know I have a lot of questions, so any help is received with gladness:

Foremost (I know this is not a foremost forum, so hopefully some of you can help me.)

I have recovered several different file types from fat32 unallocated disk space (dls file) using foremost. I have some questions:

1) Why does foremost make many of the file sizes the max file size as specified in the foremost.conf file? In other words, is there a way to compress them down. For example, I retrieved about 1000 .doc files (MS Office), but because of the max file size, the total disk space is showing as 2 gigs, which cannot be the case.

2) Of the .doc files retrieved, half will not open in MS Word. Why is that? I understand that other office application data files have the same file headers. Is this because I do not have the right application to open them, or because the files are corrupted? If corrupted, is there any way to recover it, or view the content, outside of viewing the strings with a hex editor?

3) None of the database files recovered with foremost open in the application associated with them, whereas half of word/excel files open. Why is that? Are db files just more difficult to recover?

Sorter

4) When I run the sorter, I have the same file types in the 'data' and 'documents' directories (for instance, there will be .doc files in both directories). In addition, many common file types are labeled as unknown (for instance, a .pst file - MS Outlook). Is this because I do not have the NIST NSRL database installed?

5) Does the sorter pull files from unallocated as well as allocated disk space?

Other Questions

6) If data files are recovered, is the only way to view their content through the application that is associated with them? For example, must a Microsoft Money data file be viewed with the MS Money application in order to see the content? I know when a hex editor is used, it is impossible to see what is in the file. I have had success with getting text from a file with a hex editor, however, with database apps I have no such luck. Is there some kind of tool that allows me to see the tables of a db, or do I need to open it in the application that is associated with it?

7) How could I view the content of .dat files? Is there a specific tool, or do I view the strings with a hex editor?

Again, any help is mucho appreciated! Thanks.

Brian
From: Brian C. <ca...@sl...> - 2005-04-20 18:53:34

So, there seems to be an issue with Autopsy making an empty host configuration file after adding a new image file or strings file etc. I added some checks to the last version to help fix or detect it, but they were not enough. If this happens, there should be a copy of the original config file in the host directory. You can copy that to 'host.aut' and try the process again.

brian
From: Surago J. <su...@sj...> - 2005-04-18 06:40:32

Hi,

I have configured a new case with Autopsy v2.05, and have added an image of a HDD which contained a single NTFS volume as C:\

At this stage everything worked fine; from within the Host Manager I selected details for the NTFS partition contained within the volume image. Then I selected to extract the strings from the image, where I received the following errors in the autopsy command line window...

Keep this process running and use <ctrl-c> to exit
Use of uninitialized value in string eq at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 831.
Use of uninitialized value in string eq at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 831.
Use of uninitialized value in string eq at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 831.
Use of uninitialized value in string eq at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 831.
Use of uninitialized value in concatenation (.) or string at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 866.
Use of uninitialized value in concatenation (.) or string at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 866.
Use of uninitialized value in concatenation (.) or string at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 866.
Use of uninitialized value in concatenation (.) or string at /forensics/thesis/tools/autopsy-2.05/lib//Args.pm line 866.
Missing image name and/or address
usage: /forensics/thesis/tools/sleuthkit-2.01/bin/dcat [-ahsvVw] [-f fstype] [-i imgtype] [-o imgoffset] [-u usize] image [images] unit_addr [num]

An error was also displayed in the browser window, however I do not have a copy of that error as I tried to re-open the case, and unfortunately the volume for this host is no longer available...

Here are the listings from the host exec log for the host...

Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/img_stat' -t "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/mmstat' -i raw "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/mmls' -i raw -t dos -r "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/fsstat' -o 63 -i raw -t "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:34 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/mmls' -t dos -r "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:51 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/img_stat' -t "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 03:44:51 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dls' -f raw -e "/forensicsbig/stickhdd/hdb.img" | '/forensics/thesis/tools/sleuthkit-2.01/bin/md5'
Mon Apr 18 04:14:46 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/fsstat' -o 63 -i raw -f ntfs "/forensicsbig/stickhdd/hdb.img"
Mon Apr 18 04:14:47 2005: /bin/ln -s '/forensicsbig/stickhdd/hdb.img' '/forensics/thesis/ev.locker/StickBeetle/homepc/images/hdb.img'
Mon Apr 18 12:28:12 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dcat' -f ntfs -s -o 63 -i raw '/forensics/thesis/ev.locker/StickBeetle/homepc/images/hdb.img'
Mon Apr 18 12:28:17 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dls' -e -f ntfs -o 63 -i raw '/forensics/thesis/ev.locker/StickBeetle/homepc/images/hdb.img' | '/forensics/thesis/tools/sleuthkit-2.01/bin/srch_strings' -a -t d > '/forensics/thesis/ev.locker/StickBeetle/homepc/output/hdb.img-63-78140159-ntfs.asc'
Mon Apr 18 16:08:58 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/md5' /forensics/thesis/ev.locker/StickBeetle/homepc/output/hdb.img-63-78140159-ntfs.asc
Mon Apr 18 16:10:12 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dls' -e -f ntfs -o 63 -i raw '/forensics/thesis/ev.locker/StickBeetle/homepc/images/hdb.img' | '/forensics/thesis/tools/sleuthkit-2.01/bin/srch_strings' -a -t d -e l > '/forensics/thesis/ev.locker/StickBeetle/homepc/output/hdb.img-63-78140159-ntfs.uni'
Mon Apr 18 18:43:36 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/md5' /forensics/thesis/ev.locker/StickBeetle/homepc/output/hdb.img-63-78140159-ntfs.uni
Mon Apr 18 18:43:46 2005: '/forensics/thesis/tools/sleuthkit-2.01/bin/dcat' -f -s -o -i

And here is the host log...

Mon Apr 18 03:43:39 2005: Host homepc added to case StickBeetle
Mon Apr 18 03:43:47 2005: Host homepc opened by Ants
Mon Apr 18 04:14:47 2005: Sym Linking image /forensicsbig/stickhdd/hdb.img into StickBeetle:homepc
Mon Apr 18 04:14:47 2005: Image added: image img1 raw images/hdb.img
Mon Apr 18 04:14:47 2005: Volume added: disk vol1 img1 dos
Mon Apr 18 04:14:47 2005: Volume added: part vol2 img1 63 78140159 ntfs C:
Mon Apr 18 16:08:58 2005: Volume added: strings vol3 vol2 output/hdb.img-63-78140159-ntfs.asc
Mon Apr 18 18:43:36 2005: Volume added: unistrings vol1 vol2 output/hdb.img-63-78140159-ntfs.uni
Mon Apr 18 18:45:10 2005: Host homepc opened by Ants
Mon Apr 18 18:45:33 2005: Host homepc opened by Ants

As you can see I have done very little with this host. At this stage I haven't tried to re-add the image to the host, as I wanted to check to see if there were any comments/ideas on this list first.

Also, one possible suggestion for a future version might be to include a timing function on the search for ascii and Unicode strings on an image, as on this 40gb drive it took a considerable amount of time, and it would be useful to have a reference for future purposes.

Any thoughts/ideas would be much appreciated.

Cheers
Surago.
From: Gary P. <pa...@mi...> - 2005-04-12 15:04:17

Hello All,

The DFRWS paper submission system is now on-line. You can access the system in one of two ways:

1 - Go to http://www.dfrws.org and scroll down to Submissions in the Call For Papers (CFP). The link is posted there.
2 - Go directly to http://www.cs.uno.edu/WIMPE/forms/authpaper_reg.html . (It may be a good idea to check the submission criteria listed in the CFP first.)

We look forward to reviewing your work and seeing you in August for some serious "forensic" fun in the Big Easy.

Gary
From: Brian C. <ca...@sl...> - 2005-04-08 21:19:36

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New versions of both tools are available. Both have minor bug fixes from the new 2.00 TSK features. There is one bug that impacts split image users, so everyone should upgrade TSK. Autopsy also has a new feature that shows the thumbnail of a picture when it is selected in File Mode (patch by Guy Voncken).

TSK 2.01
MD5: e84ed011e7b999abc08174e239ecb474
http://www.sleuthkit.org/sleuthkit/

Autopsy 2.05
MD5: adfbb31ce665cc8efdbf8711bbd97483
http://www.sleuthkit.org/autopsy/

brian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCVvVcOK1gLsdFTIsRAmewAJ0UoZQxiB3fjpZbtYABe2lk0a/BUwCfYlKF
Mf1zcz/vdWWEQWUgR/H5lAI=
=HePw
-----END PGP SIGNATURE-----
From: Barry J. G. <bg...@im...> - 2005-04-07 17:12:15

On Thu, 2005-04-07 at 09:43 -0700, Brian Starr wrote:
> How can I view a file header/footer? Thanks so much in advance!

Use a hex editor. On the command line you can use:

xxd filename | head
xxd filename | tail

Look at several files of the same type to see the header/footer pattern.

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
From: Brian S. <Br...@Pe...> - 2005-04-07 16:43:16

Hi everyone,

Does anyone have a more comprehensive list of file headers/footers for the foremost.conf file? In particular, I am looking for and need to locate a Microsoft Money file (.mny). If not, is there a way to obtain it by looking at the file header/footer myself? How can I view a file header/footer?

Thanks so much in advance!

Brian
From: Barry J. G. <bg...@im...> - 2005-04-07 13:26:29

On Thu, 2005-04-07 at 17:59 +0530, Pradeep M wrote:
> My problem is I don't understand the file format of the image.

I'm not completely sure I understand your question. The "file format" of an image to be used with TSK/Autopsy is a "raw" image. In other words, the floppy was acquired with something like dd.

> When I created files in a floppy and deleted it, I am
> not able to recover it using autopsy. Autopsy could not recognise the
> file format. Can anyone help to solve this problem?

Could you give more info about the specific errors you encountered? When you created files in the floppy, then deleted them, did you then dd the floppy and load that image (result of the dd)?

What happens when you simply run "fsstat" on the image (assuming you created one)? See if TSK recognizes the image. Like this:

# /path/to/sleuthkit-2.00/bin/fsstat /path/to/image

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
From: Brian C. <ca...@sl...> - 2005-04-07 13:19:20
|
If you 'dd' the floppy, you should import it into Autopsy as a volume (there is typically no partition table on floppies). Autopsy should then detect it as FAT12.

brian

On Apr 7, 2005, at 7:29 AM, Pradeep M wrote:
> I am new to Linux and I have been assigned a task of recovering data from a floppy. I am also new to Autopsy. Actually when I went through the Honeynet site I saw similar exercises. In one of the scans they had a challenge of recovering files from a floppy. They gave some image.zip (http://www.honeynet.org/scans/scan24/image.zip) which contains an image and we have to recover deleted files from it. What I did was I used the same image and recovered deleted files by using autopsy. My problem is I don't understand the file format of the image.
> When I created files in a floppy and deleted it, I am not able to recover it using autopsy. Autopsy could not recognise the file format. Can anyone help to solve this problem? |
From: Pradeep M <pra...@gm...> - 2005-04-07 12:29:57
|
I am new to Linux and I have been assigned a task of recovering data from a floppy. I am also new to Autopsy. Actually when I went through the Honeynet site I saw similar exercises. In one of the scans they had a challenge of recovering files from a floppy. They gave some image.zip (http://www.honeynet.org/scans/scan24/image.zip) which contains an image and we have to recover deleted files from it. What I did was I used the same image and recovered deleted files by using autopsy. My problem is I don't understand the file format of the image.

When I created files in a floppy and deleted it, I am not able to recover it using autopsy. Autopsy could not recognise the file format. Can anyone help to solve this problem?

Pradeep |
From: Brian S. <Br...@Pe...> - 2005-04-06 15:45:19
|
Thanks - I am up and rolling now. I appreciate your help!

-----Original Message-----
From: Barry J. Grundy [mailto:bg...@im...]
Sent: Tuesday, April 05, 2005 12:38 PM
To: sle...@li...
Cc: Sleuthkit List
Subject: Re: [sleuthkit-users] TSK Installation Issues

On Tue, 2005-04-05 at 11:54 -0700, Brian Starr wrote:
> After it finished I attempted to use fls, and it said the tool is not found.
> What am I doing wrong?

/home/brian/sleuthkit-2.00/bin is not in your path, so when you try and execute fls, you get a not found error. Unlike DOS/Win, Linux only looks in your path, not in the current directory. You have to be explicit. The commands are located in the sleuthkit-2.00/bin directory. Change into that dir and use "./" in front of the command to execute from the current dir: "./fls -o xxxxx..etc", or use the full path to the command: "~brian/sleuthkit-2.00/bin/fls -o xxx..etc". You could also just move all the bins to a directory in your path, but I prefer to leave them where they are.

> Is it possible to recover a deleted file created
> from within a previous operating system.
<snip>
> A simple yes or no will really help.

Possible, yes. Trivial, no.

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/ |
From: Brian C. <ca...@sl...> - 2005-04-06 03:52:03
|
On Apr 5, 2005, at 1:54 PM, Brian Starr wrote:
> Hi everyone,
>
> I have installed Red Hat 9.0. I am a little unsure as to how I get Sleuth Kit on my hard disk now. Here is what I have done:
>
> Downloaded the source code from your website. Extracted the archived contents to my /home/brian directory. There is now a folder called Sleuthkit-2.00. I opened up the terminal window and logged in as root. I then went to the directory /home/brian/sleuthkit-2.00 and typed 'make'. After it finished I attempted to use fls, and it said the tool is not found. What am I doing wrong? I am obviously not a linux guru.

As Barry said, edit your path or just go into the bin directory in TSK and use './fls'.

> Also, one other question. Is it possible to recover a deleted file created from within a previous operating system. For example, let's say I created a Microsoft Excel file using Windows 98. Then, I decided to format my entire hard disk and install Windows ME. I now have the image of the hard disk with the Windows ME operating system on it. Assuming the new operating system has not written to any of the sectors the Excel file is stored in, is it possible to restore the Excel file to its .xls format, or can we only view the strings from that file (keyword search through unallocated space)? A simple yes or no will really help.

The files may still be there if they have not been overwritten, but TSK will not find them. You need a carving tool, such as foremost (http://foremost.sf.net).

brian |
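Why foremost can find what TSK cannot, as an added example (not the thread's code and not foremost's): TSK recovers files through file system metadata, and the Windows ME format wrote new metadata that no longer references the old Excel file, so fls and icat have nothing to follow. A carver ignores metadata and scans raw bytes for header/footer pairs. The block below implements that scan with two real signatures, JPEG (header and footer) and the OLE2 compound document container that .xls and .doc files of that era use (header only); the image it runs over is constructed. It also handles the two failure modes a practitioner meets: a file whose footer was overwritten (cut at the maximum size and flagged) and false-positive headers in the middle of sectors (the sector_aligned switch, the idea behind what foremost calls quick mode, keeps only headers on a sector boundary).

```python
"""Signature carving over a raw image, the technique Brian points to
(foremost) for files whose metadata is gone.  Added example, not code from
the thread or from foremost; the image below is constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Signature:
    ext: str
    header: bytes
    footer: Optional[bytes]        # None for formats without a fixed trailer
    max_size: int                  # bytes to take when no footer is found


@dataclass
class Carved:
    ext: str
    offset: int                    # byte offset of the header in the image
    data: bytes
    footer_found: Optional[bool]   # None when the signature has no footer


def carve(image: bytes, sig: Signature, sector_aligned: bool = False,
          sector: int = 512) -> List[Carved]:
    """Cut out every header..footer span (or header..max_size when the footer
    is absent).  Scanning resumes after each carved span, so a file that
    contains its own magic is not reported twice; the cost is that a real
    file starting inside a header-only span of max_size bytes is missed.
    sector_aligned=True accepts only headers on a sector boundary, which
    trims false positives but misses files whose header is not aligned."""
    found, pos = [], 0
    while (start := image.find(sig.header, pos)) >= 0:
        if sector_aligned and start % sector:
            pos = start + 1
            continue
        limit = min(len(image), start + sig.max_size)
        end, hit = limit, None
        if sig.footer is not None:
            f = image.find(sig.footer, start + len(sig.header), limit)
            hit = f >= 0
            if hit:
                end = f + len(sig.footer)
        found.append(Carved(sig.ext, start, image[start:end], hit))
        pos = end
    return found


# Real, well-known signatures: JPEG (header/footer) and the OLE2 compound
# document container used by .xls/.doc (header only, so size-limited).
JPG = Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 1000)
OLE = Signature("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None, 400)


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler with three planted files, the
    last a JPEG whose footer was overwritten.  Bodies are filler, not real
    JPEG/OLE2 content; only the signatures are genuine."""
    filler = bytes(range(256)) * 4                      # 1024 bytes, no magic
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 100 + b"\xff\xd9"
    ole = OLE.header + b"\x22" * 300
    broken_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x33" * 50
    return filler + jpeg + filler[:500] + ole + filler + broken_jpeg


if __name__ == "__main__":
    img = build_sample_image()
    for sig in (JPG, OLE):
        for c in carve(img, sig):
            print(f"{c.ext} at {c.offset}: {len(c.data)} bytes, footer={c.footer_found}")
```

In practice you run this over the output of dls (unallocated space only) rather than the whole image, which shrinks the search and removes the false positives that live inside allocated files; the header-only OLE2 result will carry trailing junk up to max_size, so expect to trim it in Excel rather than get a byte-exact file back.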
From: Barry J. G. <bg...@im...> - 2005-04-06 03:40:44
|
On Tue, 2005-04-05 at 11:54 -0700, Brian Starr wrote:
> After it finished I attempted to use fls, and it said the tool is not found.
> What am I doing wrong?

/home/brian/sleuthkit-2.00/bin is not in your path, so when you try and execute fls, you get a not found error. Unlike DOS/Win, Linux only looks in your path, not in the current directory. You have to be explicit. The commands are located in the sleuthkit-2.00/bin directory. Change into that dir and use "./" in front of the command to execute from the current dir: "./fls -o xxxxx..etc", or use the full path to the command: "~brian/sleuthkit-2.00/bin/fls -o xxx..etc". You could also just move all the bins to a directory in your path, but I prefer to leave them where they are.

> Is it possible to recover a deleted file created
> from within a previous operating system.
<snip>
> A simple yes or no will really help.

Possible, yes. Trivial, no.

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/ |
From: Brian C. <ca...@sl...> - 2005-04-06 03:38:40
|
On Apr 4, 2005, at 6:59 AM, Christian Buchter wrote:
> I was wondering if there is any way to compile a list of sources which will produce an acceptable .img file? I have software that can attain this easily (ghosting software) but so far I have just used a distro of Knoppix to boot off and then dd from one machine to another. But the file format is F32 and it needs to be repartitioned, etc... And I was just curious if there's an easier, non-command line way of accomplishing this goal.

There are a couple of GUIs to dd. AIR and Grab are two examples (although I have used neither).

brian |
From: Brian S. <Br...@Pe...> - 2005-04-05 18:54:19
|
Hi everyone,

I have installed Red Hat 9.0. I am a little unsure as to how I get Sleuth Kit on my hard disk now. Here is what I have done:

Downloaded the source code from your website. Extracted the archived contents to my /home/brian directory. There is now a folder called Sleuthkit-2.00. I opened up the terminal window and logged in as root. I then went to the directory /home/brian/sleuthkit-2.00 and typed 'make'. After it finished I attempted to use fls, and it said the tool is not found. What am I doing wrong? I am obviously not a linux guru.

Also, one other question. Is it possible to recover a deleted file created from within a previous operating system? For example, let's say I created a Microsoft Excel file using Windows 98. Then, I decided to format my entire hard disk and install Windows ME. I now have the image of the hard disk with the Windows ME operating system on it. Assuming the new operating system has not written to any of the sectors the Excel file is stored in, is it possible to restore the Excel file to its .xls format, or can we only view the strings from that file (keyword search through unallocated space)? A simple yes or no will really help.

Thanks so much!

Brian

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Thursday, March 24, 2005 7:00 PM
To: Brian Starr
Subject: Re: [sleuthkit-users] dls

On Mar 24, 2005, at 5:13 PM, Brian Starr wrote:
> Thanks, Brian. I guess the dls file does not have a number. I guess I need to figure out how to get from a byte offset to the exact location in the image. I just ordered your book. Does it go into all of this??

No. The book is more general and not specific about Linux or TSK. How did you make the file? What did you type? Or, where did you get it from?

> Anyways, I have another issue. I am using the Penguin Sleuth Kit Bootable CD. When running the sorter on my image (using the command line), I get the following error:

The error is because the people who made the CD compiled TSK in one location and then moved it to a different one on the CD. I have nothing to do with the people who make the CD, they just have similar names.

brian |
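Brian's earlier question, how to get from a byte offset in the dls output to the exact location in the image, is not answered in the quoted exchange. As an added example (not TSK code), here is the arithmetic that dls and dcalc rely on: dls writes the unallocated data units of a file system back to back in ascending address order, so a byte offset in its output (the number `grep -b` or `strings -t d` reports against the dls file) selects the n-th unallocated unit, and the remainder is the position inside that unit. Mapping that unit back to its original address, then adding the partition offset given with -o, yields the byte in the image. The allocation map below is constructed; in practice it comes from the file system itself, which is what dcalc reads for you at data-unit granularity.

```python
"""Map a byte offset in a `dls` extract (unallocated units only) back to the
block and byte in the original image, the arithmetic behind TSK's dcalc.
Added example, not TSK code; the allocation map is constructed."""
from bisect import bisect_left
from typing import List, Tuple

BLOCK = 4096   # data unit size: take it from fsstat, do not assume it

# Constructed allocation state of a 16-block file system (True = allocated).
# dls would write blocks 2,3,5,8,9,10,13,15 back to back, in that order.
ALLOCATED = [True, True, False, False, True, False, True, True,
             False, False, False, True, True, False, True, False]


def unallocated_units(allocated: List[bool]) -> List[int]:
    """Block numbers in the order dls copies them out."""
    return [n for n, alloc in enumerate(allocated) if not alloc]


def dls_to_image(dls_offset: int, allocated: List[bool], block: int = BLOCK,
                 fs_offset_sectors: int = 0, sector: int = 512) -> Tuple[int, int]:
    """For a byte offset reported against the dls output (e.g. by `grep -b`
    or `strings -t d`) return (original block, absolute byte offset in the
    image).  fs_offset_sectors is the -o value given to dls/fsstat."""
    units = unallocated_units(allocated)
    unit, intra = divmod(dls_offset, block)
    if unit >= len(units):
        raise ValueError("offset is past the end of the dls output")
    orig = units[unit]
    return orig, fs_offset_sectors * sector + orig * block + intra


def image_to_dls(block_num: int, allocated: List[bool]) -> int:
    """Inverse: which dls unit holds an original block, or -1 when the block
    is allocated and therefore never appeared in the dls output."""
    units = unallocated_units(allocated)
    i = bisect_left(units, block_num)
    return i if i < len(units) and units[i] == block_num else -1


if __name__ == "__main__":
    hit = 3 * BLOCK + 100          # e.g. the offset grep -b printed for a keyword
    blk, abs_off = dls_to_image(hit, ALLOCATED, fs_offset_sectors=63)
    print(f"dls byte {hit} -> block {blk}, image byte {abs_off}")
```

Once you have the original block number, `dcat` (or `dd` with the right skip) on the image shows the surrounding unit, and `ifind` can tell you whether any metadata structure still points at it.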
From: Bradley B <br...@de...> - 2005-04-04 18:01:20
|
I put the new Caseman.pm file in the lib directory of autopsy and now I can add the image and it works fine.

- Bradley Bitzkowski

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Brian Carrier
Sent: Monday, April 04, 2005 10:57 AM
To: Bradley B
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Error Adding Disk Image To Host in Autopsy - TSK 2.00, Autopsy 2.04

On Apr 4, 2005, at 5:35 AM, Bradley B wrote:
> Hello, I created a case in Autopsy and added a host. I then attempted to add a Disk Image (eg. dd if=/dev/hda, not /dev/hda1) as now is possible in Autopsy. It is a disk image of a machine running DOS with a FAT16 partition.
> The output of mmls is as follows:
...
> In Autopsy I get the message:
> Testing partitions
> Linking image(s) into evidence locker
> Image file added with ID img1
> Missing Volume System Type
...
> When restarting Autopsy I cannot access the image, it does not seem to show up in the image chooser.

Did autopsy show any errors before the missing volume system type error? Did it say that it could not determine the volume system type or did you initially choose volume instead of disk? I can't find a way that the type would be missing, so I'm not sure if there is some other path that I missed. Anyway, I changed the code a little to make sure that the type is determined in case there is a situation that I missed. Replace the lib/Caseman.pm file with the one at the below URL and try again. If you haven't added anything to the host, you are probably best off to delete the host directory in the case directory of the evidence locker and add it again.

http://sleuthkit.sourceforge.net/autopsy/Caseman.pm

thanks,
brian |
From: Brian C. <ca...@sl...> - 2005-04-04 14:57:55
|
On Apr 4, 2005, at 5:35 AM, Bradley B wrote:
> Hello, I created a case in Autopsy and added a host. I then attempted to add a Disk Image (eg. dd if=/dev/hda, not /dev/hda1) as now is possible in Autopsy. It is a disk image of a machine running DOS with a FAT16 partition.
> The output of mmls is as follows:
...
> In Autopsy I get the message:
> Testing partitions
> Linking image(s) into evidence locker
> Image file added with ID img1
> Missing Volume System Type
...
> When restarting Autopsy I cannot access the image, it does not seem to show up in the image chooser.

Did autopsy show any errors before the missing volume system type error? Did it say that it could not determine the volume system type or did you initially choose volume instead of disk? I can't find a way that the type would be missing, so I'm not sure if there is some other path that I missed. Anyway, I changed the code a little to make sure that the type is determined in case there is a situation that I missed. Replace the lib/Caseman.pm file with the one at the below URL and try again. If you haven't added anything to the host, you are probably best off to delete the host directory in the case directory of the evidence locker and add it again.

http://sleuthkit.sourceforge.net/autopsy/Caseman.pm

thanks,
brian |
From: Christian B. <cbu...@e-...> - 2005-04-04 11:56:48
|
I was wondering if there is any way to compile a list of sources which will produce an acceptable .img file? I have software that can attain this easily (ghosting software) but so far I have just used a distro of Knoppix to boot off and then dd from one machine to another. But the file format is F32 and it needs to be repartitioned, etc... And I was just curious if there's an easier, non-command line way of accomplishing this goal.

Thanks in advance,

Christian |
From: Bradley B <br...@de...> - 2005-04-04 10:35:40
|
Hello, I created a case in Autopsy and added a host. I then attempted to add a Disk Image (eg. dd if=/dev/hda, not /dev/hda1) as now is possible in Autopsy. It is a disk image of a machine running DOS with a FAT16 partition.

The output of mmls is as follows:

$ /usr/local/sleuthkit/bin/mmls -r "/usr/local/images/c.img"
DOS Partition Table
Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000100799   0000100737   DOS FAT16 (0x06)

In Autopsy I get the message:

Testing partitions
Linking image(s) into evidence locker
Image file added with ID img1
Missing Volume System Type

The output of the command using fsstat is:

$ '/usr/local/sleuthkit/bin/fsstat' -o 63 -i raw -f fat16 "/usr/local/images/c.img"
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

OEM Name: MSDOS5.0
Volume ID: 0x2e471cd7
Volume Label (Boot Sector): MSDOS622
Volume Label (Root Directory):
File System Type Label: FAT16

Sectors before file system: 63

File System Layout (in sectors)
Total Range: 0 - 100736
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 99
* FAT 1: 100 - 198
* Data Area: 199 - 100736
** Root Directory: 199 - 230
** Cluster Area: 231 - 100734
** Non-clustered: 100735 - 100736

METADATA INFORMATION
--------------------------------------------
Range: 2 - 1608066
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 2048
Total Cluster Range: 2 - 25127

FAT CONTENTS (in sectors)
--------------------------------------------
231-310 (80) -> EOF
311-386 (76) -> EOF
387-518 (132) -> EOF
... More data follows
-END

When restarting Autopsy I cannot access the image, it does not seem to show up in the image chooser.

- Bradley Bitzkowski |
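The two detection steps that run through this thread, mmls reading the DOS partition table to find the volume that starts at sector 63 and fsstat classifying the file system at that offset (and, for the floppy question earlier in the thread, skipping the partition table and treating sector 0 itself as the volume), as an added Python example that is not TSK code. Both images are constructed. The disk image reuses the geometry from the fsstat output above, so the parser reproduces its layout figures from the BPB alone: FATs at sectors 1-99 and 100-198, root directory from 199, cluster area from 231, clusters 2-25127; the floppy is a standard 1.44 MB FAT12 layout. parse_mbr on the floppy image returns no entries, because a FAT boot sector carries the same 0x55AA signature as an MBR but no partition table, which is the practical reason a dd of a floppy is imported as a volume rather than a disk. The jump-opcode check in looks_like_fat_boot_sector is an assumption for the example, not a rule; when you know which you have, say so, as Autopsy's disk/volume choice asks you to.

```python
"""Walk a raw image as mmls and fsstat do: read the DOS partition table when
there is one, then classify the FAT volume at a sector offset.  Added example,
not TSK code; both images are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512


@dataclass
class Partition:
    slot: int
    ptype: int
    start: int      # first sector (LBA)
    length: int     # sectors


@dataclass
class FatInfo:
    fs_type: str
    sectors_per_cluster: int
    total_sectors: int
    fat_start: int        # sector numbers are relative to the volume
    root_dir_start: int
    data_start: int       # first sector of the cluster area
    cluster_count: int    # data clusters, numbered from 2


def parse_mbr(image: bytes) -> List[Partition]:
    """Primary entries with a non-zero type.  A FAT boot sector carries the
    same 0x55AA signature, so a floppy image passes the check and simply
    yields no entries: that is why it has to be imported as a volume."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature in sector 0")
    parts = []
    for slot in range(4):
        entry = image[446 + 16 * slot: 462 + 16 * slot]
        if entry[4]:
            start, length = struct.unpack_from("<II", entry, 8)
            parts.append(Partition(slot, entry[4], start, length))
    return parts


def looks_like_fat_boot_sector(sector0: bytes) -> bool:
    """Heuristic (an assumption, not a rule): a jump opcode at byte 0 plus a
    plausible BPB means 'volume, not disk'."""
    bps, spc = struct.unpack_from("<HB", sector0, 11)
    return (sector0[0] in (0xEB, 0xE9) and bps in (512, 1024, 2048, 4096)
            and spc in (1, 2, 4, 8, 16, 32, 64, 128))


def parse_fat(image: bytes, offset_sectors: int = 0) -> FatInfo:
    """Decode the BPB at `offset_sectors` and classify by cluster count
    (Microsoft's rule: < 4085 FAT12, < 65525 FAT16, otherwise FAT32)."""
    bs = image[offset_sectors * SECTOR: offset_sectors * SECTOR + SECTOR]
    if bs[510:512] != b"\x55\xaa":
        raise ValueError(f"no boot signature at sector {offset_sectors}")
    bps, spc, reserved, nfats, root_ents, tot16, _media, spf16 = \
        struct.unpack_from("<HBHBHHBH", bs, 11)
    total = tot16 or struct.unpack_from("<I", bs, 32)[0]     # 32-bit count if > 65535
    spf = spf16 or struct.unpack_from("<I", bs, 36)[0]       # FAT32 keeps it here
    root_sectors = (root_ents * 32 + bps - 1) // bps
    root_start = reserved + nfats * spf
    data_start = root_start + root_sectors
    clusters = (total - data_start) // spc
    fs_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return FatInfo(fs_type, spc, total, reserved, root_start, data_start, clusters)


def build_boot_sector(spc, reserved, nfats, root_ents, total, spf) -> bytes:
    """Constructed FAT boot sector with just enough BPB for parse_fat."""
    bs = bytearray(SECTOR)
    bs[0:11] = b"\xeb\x3c\x90MSDOS5.0"
    tot16 = total if total < 0x10000 else 0
    struct.pack_into("<HBHBHHBH", bs, 11, SECTOR, spc, reserved, nfats, root_ents, tot16, 0xF8, spf)
    struct.pack_into("<I", bs, 32, 0 if tot16 else total)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def build_floppy_image() -> bytes:
    """1.44 MB floppy: FAT12 boot sector at sector 0, no partition table."""
    return build_boot_sector(1, 1, 2, 224, 2880, 9) + bytes(SECTOR * 2879)


def build_disk_image() -> bytes:
    """MBR with one FAT16 (0x06) entry at sector 63, using the geometry from
    the fsstat output above (100737 sectors, 4 per cluster, 99 per FAT, 512
    root entries).  Truncated after the volume's boot sector on purpose."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\x33\xc0"          # xor ax,ax: boot code, not a BPB jump
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x06, b"\0\0\0", 63, 100737)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 62) + build_boot_sector(4, 1, 2, 512, 100737, 99)


def describe(image: bytes, as_volume: Optional[bool] = None) -> List[str]:
    """One line per FAT volume found.  as_volume=None applies the heuristic;
    pass True/False explicitly, as Autopsy's volume/disk choice does."""
    if as_volume is None:
        as_volume = looks_like_fat_boot_sector(image[:SECTOR])
    if as_volume:
        fi = parse_fat(image)
        return [f"volume at sector 0: {fi.fs_type}, clusters 2-{fi.cluster_count + 1}"]
    lines = []
    for p in parse_mbr(image):
        fi = parse_fat(image, p.start)
        lines.append(f"slot {p.slot}: 0x{p.ptype:02x} at {p.start} ({p.length} sectors): "
                     f"{fi.fs_type}, clusters 2-{fi.cluster_count + 1}, data area from {fi.data_start}")
    return lines
```

The -o 63 that fsstat needs is exactly the partition start parse_mbr returns; every sector number fsstat prints after that is relative to the volume, which is why the FAT shows up at 1-99 and not at 64-162.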