sleuthkit-users Mailing List for The Sleuth Kit (Page 3)
Brought to you by:
carrier
From: MBR <mb...@ar...> - 2019-03-30 08:36:54

Are you sure it's Google Groups that's ending? I thought it was Google Plus that's ending, not Google Groups.

Mark Rosenthal

On 3/28/19 5:49 AM, Stephen Pearson wrote:
> Brian,
>
> Google groups will end soon. I would be happy to help where I can.
>
> V/r
>
> Stephen
>
> *From:* Brian Carrier <ca...@sl...>
> *Sent:* Wednesday, March 27, 2019 10:58 PM
> *To:* sleuthkit-users <sle...@li...>
> *Subject:* [sleuthkit-users] Forum Moderators
>
> Hello,
>
> As many may know, forum.sleuthkit.org <http://forum.sleuthkit.org> has
> not really been working for a while. I'd like to do a test and setup
> a Q&A forum on Google Groups. It's kind of like Stack Overflow and
> allows people to submit answers to questions and vote on them so that
> the best answer is at the top.
>
> But, I need help. I am terrible at checking forums and would like some
> volunteers who can serve as moderators on the group to make sure new
> members are not sending SPAM and things are kept orderly.
>
> If you'd like to help out with that, let me know and I'll set you up.
>
> thanks,
>
> brian
>
> HTCI offers Training Software and Consultation. See all of our latest
> tools at http://www.gohtci.com , training.gohtci.com ,
> dart.gohtci.com, and maplink.gohtci.com High Tech Crime Institute is a
> Verified Service Disabled Veteran Owned Small Business. We are of the
> Troops and still serving the Troops CONFIDENTIALITY NOTICE: This
> message contains confidential information and is intended only for
> this email's recipient. If you are not the named addressee, you should
> not disseminate, distribute or copy this e-mail. Please notify
> tec...@go... immediately by e-mail if you have received this
> e-mail by mistake, delete this e-mail from your system. E-mail
> transmission cannot be guaranteed to be secure or error-free as
> information could be intercepted, corrupted, lost, destroyed, arrive
> late or incomplete or contain viruses. High Tech Crime Institute Inc
> therefore does not accept liability for any errors or omissions in the
> contents of this message, which arise as a result of e-mail
> transmission. If verification is required please request a hard-copy
> version. High Tech Crime Institute Group Inc., 695 Alderman Road Palm
> Harbor, FL 34683
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

From: <yve...@fc...> - 2019-03-28 15:33:40

Hi everyone,

Here are 2 commands I ran with their result. Can anyone tell me why there is such a difference?

The first command:

    $ fls -f hfs -i ewf -o 256 -r -F image.e01 | wc -l
    591608

and the second one:

    $ ils -f hfs -i ewf -e -o 256 image.e01 | wc -l
    2217

Here is the result of the command fsstat:

    $ fsstat -o 256 image.e01
    FILE SYSTEM INFORMATION
    --------------------------------------------
    File System Type: HFS+
    File System Version: HFS+
    Volume Name: Macintosh HD
    Volume Identifier: 840630f0c37165bc
    Last Mounted By: Mac OS X, Journaled
    Volume Unmounted Properly
    Mount Count: 42789665
    Creation Date: 2018-03-24 05:55:41 (CET)
    Last Written Date: 2018-10-08 13:56:01 (CEST)
    Last Backup Date: 0000-00-00 00:00:00 (UTC)
    Last Checked Date: 2018-03-24 13:55:41 (CET)
    Journal Info Block: 7447

    METADATA INFORMATION
    --------------------------------------------
    Range: 2 - 2250393
    Bootable Folder ID: 1293853 [/System/Library/CoreServices]
    Startup App ID: 1764666 [/System/Library/CoreServices/boot.efi]
    Startup Open Folder ID: 0
    Mac OS 8/9 Blessed System Folder ID: 0
    Mac OS X Blessed System Folder ID: 1293853 [/System/Library/CoreServices]
    Number of files: 591603
    Number of folders: 138787

    CONTENT INFORMATION
    --------------------------------------------
    Block Range: 0 - 243980743
    Allocation Block Size: 4096
    Number of Free Blocks: 226403853

Thanks in advance!

Yves

From: Stephen P. <st...@go...> - 2019-03-28 14:22:51

Brian,

Google groups will end soon. I would be happy to help where I can.

V/r
Stephen

From: Brian Carrier <ca...@sl...>
Sent: Wednesday, March 27, 2019 10:58 PM
To: sleuthkit-users <sle...@li...>
Subject: [sleuthkit-users] Forum Moderators

Hello,

As many may know, forum.sleuthkit.org<http://forum.sleuthkit.org> has not really been working for a while. I'd like to do a test and setup a Q&A forum on Google Groups. It's kind of like Stack Overflow and allows people to submit answers to questions and vote on them so that the best answer is at the top.

But, I need help. I am terrible at checking forums and would like some volunteers who can serve as moderators on the group to make sure new members are not sending SPAM and things are kept orderly.

If you'd like to help out with that, let me know and I'll set you up.

thanks,
brian

From: Stephen P. <st...@go...> - 2019-03-28 12:37:31

Got it 😊

V/r
Stephen

From: Daniel Oliveira <dan...@gm...>
Sent: Thursday, March 28, 2019 8:21 AM
To: Stephen Pearson <st...@go...>
Cc: Patrick Rary - Mazal.biz <in...@ma...>; Brian Carrier <ca...@sl...>; sleuthkit-users <sle...@li...>
Subject: Re: [sleuthkit-users] Forum Moderators

Hi, Stephen,

That's Discord. Discourse is another tool.

From: Stephen P. <st...@go...> - 2019-03-28 12:29:53

My son uses discourse to game and says it is a good tool.

V/r
Stephen

From: Daniel Oliveira <dan...@gm...>
Sent: Thursday, March 28, 2019 8:11 AM
To: Patrick Rary - Mazal.biz <in...@ma...>
Cc: Brian Carrier <ca...@sl...>; sleuthkit-users <sle...@li...>
Subject: Re: [sleuthkit-users] Forum Moderators

Hey Brian,

I'm up for helping moderate the forum, take a look at https://www.discourse.org/ it's really good.

From: Daniel O. <dan...@gm...> - 2019-03-28 12:20:58

Hi, Stephen,

That's Discord. Discourse is another tool.

On Thu, 28 Mar 2019 at 09:14, Stephen Pearson <st...@go...> wrote:

> My son uses discourse to game and says it is a good tool.
>
> V/r
>
> Stephen

--
Daniel Oliveira

From: Daniel O. <dan...@gm...> - 2019-03-28 12:11:48

Hey Brian,

I'm up for helping moderate the forum, take a look at https://www.discourse.org/ it's really good.

On Thu, 28 Mar 2019 at 06:33, Patrick Rary - Mazal.biz <in...@ma...> wrote:

> Hi,
>
> If you need technical help on installing and maintaining a forum on your
> hosting, I’d like to help (much better than messy google groups)
>
> Have a nice day,
> Patrick Rary

--
Daniel Oliveira

From: Patrick R. - Mazal.b. <in...@ma...> - 2019-03-28 09:32:16

Hi,

If you need technical help on installing and maintaining a forum on your hosting, I’d like to help (much better than messy google groups)

Have a nice day,
Patrick Rary

> On 28 March 2019 at 08:45, Søren Berggreen <shb...@gm...> wrote:
>
> Sure, I'd like to help.
>
> Best regards
> Soren Berggreen

From: Søren B. <shb...@gm...> - 2019-03-28 07:45:44

Sure, I'd like to help.

Best regards
Soren Berggreen

On Thu, Mar 28, 2019 at 4:24 AM Brian Carrier <ca...@sl...> wrote:

> Hello,
>
> As many may know, forum.sleuthkit.org has not really been working for a
> while. I'd like to do a test and setup a Q&A forum on Google Groups. It's
> kind of like Stack Overflow and allows people to submit answers to
> questions and vote on them so that the best answer is at the top.
>
> But, I need help. I am terrible at checking forums and would like some
> volunteers who can serve as moderators on the group to make sure new
> members are not sending SPAM and things are kept orderly.
>
> If you'd like to help out with that, let me know and I'll set you up.
>
> thanks,
> brian

From: Brian C. <ca...@sl...> - 2019-03-28 03:22:12

Hello,

As many may know, forum.sleuthkit.org has not really been working for a while. I'd like to do a test and setup a Q&A forum on Google Groups. It's kind of like Stack Overflow and allows people to submit answers to questions and vote on them so that the best answer is at the top.

But, I need help. I am terrible at checking forums and would like some volunteers who can serve as moderators on the group to make sure new members are not sending SPAM and things are kept orderly.

If you'd like to help out with that, let me know and I'll set you up.

thanks,
brian

From: Heret, K. M. <kh...@hs...> - 2019-03-25 15:19:28

Hello,

I can not register to the Forum, because the captcha is down:

    reCAPTCHA V1 IS SHUTDOWN

please fix this.

From: Luís F. N. <lfc...@gm...> - 2019-03-23 17:59:41

Actually it is not a fall back mechanism, it is a mimetype refinement strategy.

On Sat, 23 Mar 2019 at 14:57, Luís Filipe Nassif <lfc...@gm...> wrote:

> Hi Brian,
>
> If you do not fill Metadata.RESOURCE_NAME_KEY, only content will be used.
> But I do not recommend that, because there are many mimetypes detected
> based only on filename/extension.
>
> This logic is in MimeTypes class, unfortunately it is final. Will talk to
> Tika colleagues to see if we can make that configurable, so filename would
> be used only when there is no signature registered for the mimetype.
>
> Regards,
> Luis

From: Luís F. N. <lfc...@gm...> - 2019-03-23 17:57:40
|
Hi Brian,

If you do not fill Metadata.RESOURCE_NAME_KEY, only content will be used. But I do not recommend that, because there are many mimetypes detected based only on filename/extension. This logic is in MimeTypes class, unfortunately it is final. Will talk to Tika colleagues to see if we can make that configurable, so filename would be used only when there is no signature registered for the mimetype.

Regards,
Luis

On Fri, Mar 22, 2019 at 15:55, Brian Carrier <ca...@sl...> wrote:

> Do you know a way to turn off falling back to the extension? I don't see
> anything obvious in the docs.
|
From: Brian C. <ca...@sl...> - 2019-03-22 18:55:27
|
Do you know a way to turn off falling back to the extension? I don't see anything obvious in the docs.

On Thu, Mar 21, 2019 at 11:46 PM Luís Filipe Nassif <lfc...@gm...> wrote:

> Default Tika behaviour is to detect mimetypes based on known signatures or
> structures (looking inside zip and ole containers). If no known
> signature/structure is found, Tika falls back to name/file extension
> detection.
>
> Hope this helps,
>
> Regards,
> Luis Nassif
|
From: Luís F. N. <lfc...@gm...> - 2019-03-22 03:46:29
|
Default Tika behaviour is to detect mimetypes based on known signatures or structures (looking inside zip and ole containers). If no known signature/structure is found, Tika falls back to name/file extension detection.

Hope this helps,

Regards,
Luis Nassif

On Thu, Mar 21, 2019 at 11:48, Brian Carrier <ca...@sl...> wrote:

> Interesting. The MIME type is what is throwing it off. Our algorithm will
> only flag items that do not have a known type because videos and such can
> be big and random.
>
> We use Apache Tika for file type detection and we recently observed a file
> that had an incorrect type applied and Tika seemed to have made the
> decision based on the file extension. I wonder if that happened here too.
> We'll try to recreate this.
>
> In the meantime, can you rename the file to something like ".dat" and see
> if you get the same results.
|
From: Brian C. <ca...@sl...> - 2019-03-21 14:47:36
|
Interesting. The MIME type is what is throwing it off. Our algorithm will only flag items that do not have a known type because videos and such can be big and random.

We use Apache Tika for file type detection and we recently observed a file that had an incorrect type applied and Tika seemed to have made the decision based on the file extension. I wonder if that happened here too. We'll try to recreate this.

In the meantime, can you rename the file to something like ".dat" and see if you get the same results.

On Thu, Mar 21, 2019 at 7:15 AM Søren Berggreen <shb...@gm...> wrote:

> Hi
>
> 1) It says application/x-msdownload.
>
> 3) I tried with lower settings, but still no luck.
>
> Best regards
> Soren Berggreen
|
From: Søren B. <shb...@gm...> - 2019-03-21 11:15:50
|
Hi

1) It says application/x-msdownload.

3) I tried with lower settings, but still no luck.

Best regards
Soren Berggreen

On Thu, Mar 21, 2019 at 4:04 AM Brian Carrier <ca...@sl...> wrote:

> Hi Soren,
>
> 1) If you navigate to the file in Autopsy, select it, and go to the File
> Metadata tab, then what MIME type does it say the file is? I'd assume
> application/octet-stream.
>
> 2) The default behavior for the extension mismatch module is to only focus
> on hidden pictures, videos, executables, etc. So, if the encrypted volume
> had a type of application/octet-stream, then it is not surprising that it
> wasn't flagged. The module is flagging known content types (such as JPEG)
> that have been renamed.
>
> 3) The Encryption Detection module does have a setting about entropy
> levels. I believe the default value is 7.5. If you change it to 7.0 and
> re-run ingest then does it find the file?
>
> thanks,
> brian
|
From: Brian C. <ca...@sl...> - 2019-03-21 03:04:39
|
Hi Soren,

1) If you navigate to the file in Autopsy, select it, and go to the File Metadata tab, then what MIME type does it say the file is? I'd assume application/octet-stream.

2) The default behavior for the extension mismatch module is to only focus on hidden pictures, videos, executables, etc. So, if the encrypted volume had a type of application/octet-stream, then it is not surprising that it wasn't flagged. The module is flagging known content types (such as JPEG) that have been renamed.

3) The Encryption Detection module does have a setting about entropy levels. I believe the default value is 7.5. If you change it to 7.0 and re-run ingest then does it find the file?

thanks,
brian

On Wed, Mar 20, 2019 at 5:48 AM Søren Berggreen <shb...@gm...> wrote:

> Hi.
>
> I've got this issue that I haven't been able to solve:
>
> Autopsy 4.10.0 on Windows 10 Pro
>
> Problem:
> A known encrypted file is not flagged when running the Encryption
> Detection Module.
>
> Secondary problem:
> The encrypted file is saved as a .dll file, but is not flagged when
> running the Extension Mismatch Detector Module.
>
> Pre:
> An encrypted container was created using Veracrypt. The size of the
> container was set to 100MB. Hash sha512, encryption serpent, filesystem
> NTFS. The container was named "VBoxClient-64bit.dll" and was placed in
> folder "C:\Program Files\Oracle\VirtualBox\x86".
>
> The forensic image on where the container is located, was also tested
> using X-Ways and EnCase, and both tools flag the container as encrypted.
>
> Best regards
> Soren Berggreen
|
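Added example (not code from Autopsy, Tika or anyone in this thread): a small Python model of the interaction discussed in the messages above, where signature-then-extension type detection gives a high-entropy file named ".dll" a known type, so an entropy check that only scores files of unknown type skips it. The lookup tables, function names and the "name_only_high_entropy" cross-check are assumptions made for illustration; 7.5 is the default threshold mentioned in the thread, and the sample data is constructed.

```python
import hashlib
import math
import os
from collections import Counter

UNKNOWN = "application/octet-stream"
# Constructed lookup tables for this example; not Tika's registry.
SIGNATURES = [(b"MZ", "application/x-msdownload"),
              (b"\xff\xd8\xff", "image/jpeg")]
EXTENSIONS = {".dll": "application/x-msdownload", ".jpg": "image/jpeg"}


def detect_mime(data, name=None):
    """Return (mime, basis): signature match first, then file-name fallback."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime, "signature"
    if name:
        ext = os.path.splitext(name)[1].lower()
        if ext in EXTENSIONS:
            return EXTENSIONS[ext], "extension"
    return UNKNOWN, "none"


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total)
                for n in Counter(data).values())


def triage(data, name, min_entropy=7.5, use_name=True):
    """Score one file the way the thread describes, plus one cross-check."""
    mime, basis = detect_mime(data, name if use_name else None)
    entropy = shannon_entropy(data)
    high = entropy >= min_entropy
    return {
        "mime": mime,
        "basis": basis,
        "entropy": round(entropy, 3),
        # Gate from the thread: only files without a known type are scored.
        "encryption_suspect": high and mime == UNKNOWN,
        # Assumed extra check (not an Autopsy feature): the type rests on the
        # name alone, yet the content looks random.
        "name_only_high_entropy": high and basis == "extension",
    }


def constructed_samples():
    """Constructed inputs: pseudo-random bytes and a mostly-zero 'MZ' file."""
    random_like = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                           for i in range(2048))  # 64 KiB
    pe_like = b"MZ" + bytes(4094)
    return random_like, pe_like


if __name__ == "__main__":
    container, real_dll = constructed_samples()
    cases = [
        ("VBoxClient-64bit.dll", container, True),   # name consulted
        ("VBoxClient-64bit.dll", container, False),  # content only
        ("VBoxClient-64bit.dat", container, True),   # renamed, as suggested
        ("real.dll", real_dll, True),                # genuine signature
    ]
    for name, data, use_name in cases:
        print(name, use_name, triage(data, name, use_name=use_name))
```

Only the first case is missed by the unknown-type gate; the same bytes are flagged once the name is ignored or the extension is changed to one with no registered type.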
From: Richard C. <rco...@ba...> - 2019-03-20 13:58:47
|
Is it at all possible to share the file (or a similar one that you make that recreates the issue) with us here at Basis Technology so that we can look into this?

V/R,

Richard Cordovano
Autopsy Team Lead
Director of Engineering - Cyber Forensics, Basis Technology

On Wed, Mar 20, 2019 at 5:48 AM Søren Berggreen <shb...@gm...> wrote:

> Hi.
>
> I've got this issue that I haven't been able to solve:
>
> Autopsy 4.10.0 on Windows 10 Pro
>
> Problem:
> A known encrypted file is not flagged when running the Encryption
> Detection Module.
>
> Secondary problem:
> The encrypted file is saved as a .dll file, but is not flagged when
> running the Extension Mismatch Detector Module.
>
> Pre:
> An encrypted container was created using Veracrypt. The size of the
> container was set to 100MB. Hash sha512, encryption serpent, filesystem
> NTFS. The container was named "VBoxClient-64bit.dll" and was placed in
> folder "C:\Program Files\Oracle\VirtualBox\x86".
>
> The forensic image on where the container is located, was also tested
> using X-Ways and EnCase, and both tools flag the container as encrypted.
>
> Best regards
> Soren Berggreen
|
From: Nanni B. <dig...@gm...> - 2019-03-20 11:54:15
|
I tried and in my test image file (EWF format) it found two TrueCrypt volumes as encrypted suspects.

On Wed, Mar 20, 2019 at 10:48, Søren Berggreen <shb...@gm...> wrote:

> Hi.
>
> I've got this issue that I haven't been able to solve:
>
> Autopsy 4.10.0 on Windows 10 Pro
>
> Problem:
> A known encrypted file is not flagged when running the Encryption
> Detection Module.
>
> Secondary problem:
> The encrypted file is saved as a .dll file, but is not flagged when
> running the Extension Mismatch Detector Module.
>
> Pre:
> An encrypted container was created using Veracrypt. The size of the
> container was set to 100MB. Hash sha512, encryption serpent, filesystem
> NTFS. The container was named "VBoxClient-64bit.dll" and was placed in
> folder "C:\Program Files\Oracle\VirtualBox\x86".
>
> The forensic image on where the container is located, was also tested
> using X-Ways and EnCase, and both tools flag the container as encrypted.
>
> Best regards
> Soren Berggreen

--
Dott. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net
|
From: Søren B. <shb...@gm...> - 2019-03-20 09:47:54
|
Hi.

I've got this issue that I haven't been able to solve:

Autopsy 4.10.0 on Windows 10 Pro

Problem:
A known encrypted file is not flagged when running the Encryption Detection Module.

Secondary problem:
The encrypted file is saved as a .dll file, but is not flagged when running the Extension Mismatch Detector Module.

Pre:
An encrypted container was created using Veracrypt. The size of the container was set to 100MB. Hash sha512, encryption serpent, filesystem NTFS. The container was named "VBoxClient-64bit.dll" and was placed in folder "C:\Program Files\Oracle\VirtualBox\x86".

The forensic image on where the container is located, was also tested using X-Ways and EnCase, and both tools flag the container as encrypted.

Best regards
Soren Berggreen
|
From: John L. <slo...@gm...> - 2019-03-14 18:25:15
|
If you compile this version of TSK you can achieve support for APFS:

https://github.com/blackbagtech/sleuthkit-APFS

AFAIK, the APFS support has not been merged with the TSK main development branch.

From: Michael Godfrey
Sent: Thursday, March 14, 2019 11:04
To: sle...@li...
Subject: [sleuthkit-users] TSK - APFS and Snapshots

I know that BlackLight incorporates TSK in its framework, and BlackLight is able to process APFS Snapshots in either Windows or macOS versions of BlackLight.

Does TSK now parse APFS and APFS snapshots in either macOS or Windows versions?
|
From: Michael G. <mgo...@gm...> - 2019-03-14 18:03:24
|
I know that BlackLight incorporates TSK in its framework, and BlackLight is able to process APFS Snapshots in either Windows or macOS versions of BlackLight. Does TSK now parse APFS and APFS snapshots in either macOS or Windows versions? |
From: Brian C. <ca...@sl...> - 2019-03-08 16:19:54
|
A request at OSDFCon was to get the communications data exported from Autopsy so that it could be imported into I2. We don't have I2. Can any I2 users reach out to me so that we can get some assistance? First question is what format we should export? ANX (XML)? thanks, brian |
From: Joseph H. <hyl...@is...> - 2019-02-04 04:31:14
|
Hello fellow sleuths!

I just finished my final report for my last digital forensics class. I am slated to graduate in June from Edmonds Community College with my degree in Cyber Defence and Digital Forensics. I mainly used Autopsy, RegRipper, and Log2Timeline for my final project. It worked well except for these issues:

1. I could not display image thumbnails. At all. Every time I would try, Autopsy would throw the following error:

   java.lang.NoClassDefFoundError: Could not initialize class org.sleuthkit.autopsy.coreutils.ImageUtils
       at org.sleuthkit.autopsy.corecomponents.ThumbnailViewChildren.isSupported(ThumbnailViewChildren.java:224)
   [rest of output cut]

2. The same thing would happen when I would try to generate a report when I had bookmarked images.

3. I had trouble extracting certain files, most notably HTML documents and mail messages. When I would try, I would get the familiar "Save File" window, but the "file type" would just change to HTML or whatever the file type was and the file wouldn't save. I could extract other files, e.g., registry files, with no problem.

Because of these issues, I had to use the ancient version of FTK that we were provided with to get those files. I checked and libboost is installed. I am running Autopsy version 4.9.1 on Caine 10.

Any help would be appreciated.

--
"Far better it is to dare mighty things, to win glorious triumphs, even though checkered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, because they live in the gray twilight that knows neither victory nor defeat." -- Theodore Roosevelt, "The Strenuous Life."
|