sleuthkit-users Mailing List for The Sleuth Kit (Page 202)
From: Eagle I. S. Inc. <in...@ea...> - 2003-08-20 15:31:49
Brian,

>> I don't know how useful it would be though
>> because The Sleuth Kit doesn't automatically do file recovery.

Think about:

1. Many times we (investigators) get called by attorneys and clients to look at their computers, or the computers belonging to their clients. In the civil litigation world, the money is doled out slowly and carefully. Telling someone that it will take 10 hours to get all deleted images, at $150 per hour, is not appetizing. Especially since you have to issue the caveat that we may or may not find what they want. Being able to print off pages of preview thumbnails of deleted messages would allow an investigator to simply import his partition image, run sorter with the Deleted Only flag, and let the software run. Then print off the pages of graphic file previews and take those to the client. Total investigator hands-on time invested? Probably 2 hours, or $300, tops. Sorter does the work. If the preview thumbnails show some derogatory content, then the customer is much more comfortable spending more money to retrieve or restore those graphic files with timelines etc.

2. SMART has an option to only list deleted files (all files, not just graphic image files), and then export the graphic files if you like.

3. Encase (as it has been described to me) offers exactly what I describe in scenario 1.

Also, having a list of deleted files in text format, by name, would be useful....something like

DELETED: c\Documents And Settings\Microsoft Word\Iloveyour***.doc
DELETED: c\Roxio\Music Files\SongIBurnedForMyLover.mp3

Just an idea....

>> I was actually considering making an option to take the deleted files
>> out of 'sorter' because I have found they clutter the whole thing
>> up more than they help.

Well, I just ran it on an NTFS image. I checked some of the files that the preview showed as deleted (maybe 5 or 6 files) and they were, in fact, deleted files. I figured since they were marked as deleted in the browser, it wouldn't be a big deal to separate them in sorter (I am not a coder, just an assumer). I'll go back and see if I can find any that are marked deleted that are not correct.

For the preview, I *think* it would be safe enough to have something that would show files that APPEARED to be deleted, and then have further analysis to prove if in fact they were deleted. Maybe two separate output folders? I see the option as a "whet your appetite" option for clients, and others.

Niall.
Eagle Investigative Services, Inc.

-----Original Message-----
From: sle...@li... On Behalf Of Brian Carrier
Sent: Wednesday, August 20, 2003 9:58 AM
To: in...@ea...; sle...@li...
Subject: Re: [sleuthkit-users] Feature request

On 19 Aug 2003 23:52 PDT you wrote:
> It'd be really nice if the sorter would allow you to choose
> only deleted files when searching for images.
>
> It'd also be very useful since many times, as an investigator
> I'm only interested in deleted files.
>
> Is there a way to modify sorter on the fly to accomplish this?

I guess I could add that. I don't know how useful it would be though because The Sleuth Kit doesn't automatically do file recovery. For a FAT deleted file, it will find the first sector (which should work for running 'file' on it), but I'm not sure about other file systems and such. Even if it found the header with FAT, the full file will only be recovered if it is done by hand.

I was actually considering making an option to take the deleted files out of 'sorter' because I have found they clutter the whole thing up more than they help. I was just running it on a Linux system and it had hundreds of deleted file entries and almost none of them were correct.

In what scenarios do you think it will be useful?

brian

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

From: Brian C. <ca...@sl...> - 2003-08-20 14:05:50
On 19 Aug 2003 23:52 PDT you wrote:
> It'd be really nice if the sorter would allow you to choose
> only deleted files when searching for images.
>
> It'd also be very useful since many times, as an investigator
> I'm only interested in deleted files.
>
> Is there a way to modify sorter on the fly to accomplish this?

I guess I could add that. I don't know how useful it would be though because The Sleuth Kit doesn't automatically do file recovery. For a FAT deleted file, it will find the first sector (which should work for running 'file' on it), but I'm not sure about other file systems and such. Even if it found the header with FAT, the full file will only be recovered if it is done by hand.

I was actually considering making an option to take the deleted files out of 'sorter' because I have found they clutter the whole thing up more than they help. I was just running it on a Linux system and it had hundreds of deleted file entries and almost none of them were correct.

In what scenarios do you think it will be useful?

brian

From: Eagle I. S. Inc. <in...@ea...> - 2003-08-20 06:48:02
It'd be really nice if the sorter would allow you to choose only deleted files when searching for images.

It'd also be very useful since many times, as an investigator I'm only interested in deleted files.

Is there a way to modify sorter on the fly to accomplish this?

TIA
Niall.

From: Brian C. <ca...@sl...> - 2003-08-18 20:39:19
On 18 Aug 2003 13:27 PDT you wrote:
> Perl version is 5.8.

I would suggest using 5.6 if you have it on your system (/usr/bin/perl5.6 sometimes). You can change it by editing the first line in 'autopsy'. I'm going to look into how to fix the 5.8 problems.

thanks,
brian

From: Eagle I. S. Inc. <in...@ea...> - 2003-08-18 20:27:24
Brian,

Perl version is 5.8. The exact message came after I hit OK to add the host, and it said (as far as I can remember) "The image is not a valid ntfs file system."

Thanks
Niall.

-----Original Message-----
From: sle...@li... On Behalf Of Brian Carrier
Sent: Monday, August 18, 2003 4:20 PM
To: in...@ea...; do...@es...; sle...@li...
Subject: RE: [sleuthkit-users] NTFS problems.

On 18 Aug 2003 13:16 PDT you wrote:
> Brian,
>
> I had the file named simply imghdf1 with no extension.
>
> When I renamed it to imghdf1.dd it worked fine.
>
> I did not test with imghdf1.img or any other extensions.

Hmmm, I can import an image with that name:

Linking /users/bcarrier/imghdf1 to /users/bcarrier//ev_lock//debug/test//images/imghdf1
Image: /users/bcarrier//imghdf1 added to config file as images/imghdf1

What version of Perl are you using? You can do 'perl -v' to find out.

What was the exact error message that you got?

thanks,
brian

From: Brian C. <ca...@sl...> - 2003-08-18 20:21:27
On 18 Aug 2003 13:16 PDT you wrote:
> Brian,
>
> I had the file named simply imghdf1 with no extension.
>
> When I renamed it to imghdf1.dd it worked fine.
>
> I did not test with imghdf1.img or any other extensions.

Hmmm, I can import an image with that name:

Linking /users/bcarrier/imghdf1 to /users/bcarrier//ev_lock//debug/test//images/imghdf1
Image: /users/bcarrier//imghdf1 added to config file as images/imghdf1

What version of Perl are you using? You can do 'perl -v' to find out.

What was the exact error message that you got?

thanks,
brian

From: Eagle I. S. Inc. <in...@ea...> - 2003-08-18 20:11:06
Brian,

I had the file named simply imghdf1 with no extension.

When I renamed it to imghdf1.dd it worked fine.

I did not test with imghdf1.img or any other extensions.

Regards,
Niall.

-----Original Message-----
From: sle...@li... On Behalf Of Brian Carrier
Sent: Monday, August 18, 2003 4:06 PM
To: in...@ea...; do...@es...; sle...@li...
Subject: RE: [sleuthkit-users] NTFS problems.

On 18 Aug 2003 12:54 PDT you wrote:
> I revisited this thread after having tried unsuccessfully to add
> a NTFS image host to Sleuthkit.
>
> The resulting image file, which Autopsy uses, MUST have a ".dd"
> extension. Without that, it won't recognize the file system as
> being NTFS. At least, that was my finding.
>
> In my case, I simply renamed the file to image.dd and it symlinked just
> fine.

It shouldn't behave that way. I just added a file called fat-test.img and it was fine:

Linking /users/bcarrier/fat-test.img to /users/bcarrier/ev_lock/debug/test/images/fat-test.img
Image: /users/bcarrier/fat-test.img added to config file as images/fat-test.img

There are two things that I can suggest. I have noticed that when I upgraded my Perl to 5.8 that the output of some of the commands was not being displayed in Autopsy. For example, the file listing would be empty. I changed back to 5.6 and it works fine. I need to investigate this further, but that could be the problem if you are using 5.8.

The other is that the original file name had characters that Autopsy did not like (not just the extension). Autopsy allows words, numbers, _, -, ., and /. What file name did you have that did not work?

brian

From: Brian C. <ca...@sl...> - 2003-08-18 20:07:07
On 18 Aug 2003 12:54 PDT you wrote:
> I revisited this thread after having tried unsuccessfully to add
> a NTFS image host to Sleuthkit.
>
> The resulting image file, which Autopsy uses, MUST have a ".dd"
> extension. Without that, it won't recognize the file system as
> being NTFS. At least, that was my finding.
>
> In my case, I simply renamed the file to image.dd and it symlinked just
> fine.

It shouldn't behave that way. I just added a file called fat-test.img and it was fine:

Linking /users/bcarrier/fat-test.img to /users/bcarrier/ev_lock/debug/test/images/fat-test.img
Image: /users/bcarrier/fat-test.img added to config file as images/fat-test.img

There are two things that I can suggest. I have noticed that when I upgraded my Perl to 5.8 that the output of some of the commands was not being displayed in Autopsy. For example, the file listing would be empty. I changed back to 5.6 and it works fine. I need to investigate this further, but that could be the problem if you are using 5.8.

The other is that the original file name had characters that Autopsy did not like (not just the extension). Autopsy allows words, numbers, _, -, ., and /. What file name did you have that did not work?

brian

From: Eagle I. S. Inc. <in...@ea...> - 2003-08-18 19:53:31
I revisited this thread after having tried unsuccessfully to add a NTFS image host to Sleuthkit.

The resulting image file, which Autopsy uses, MUST have a ".dd" extension. Without that, it won't recognize the file system as being NTFS. At least, that was my finding.

In my case, I simply renamed the file to image.dd and it symlinked just fine.

Regards,
Niall.

-----Original Message-----
From: sle...@li... On Behalf Of Brian Carrier
Sent: Thursday, June 26, 2003 1:37 PM
To: Domingo Cardona; sle...@li...
Subject: Re: [sleuthkit-users] NTFS problems.

On 26 Jun 2003 10:21 PDT you wrote:
> I dd'ed /dev/hda... any solution to get /dev/hda1 from the image file?

check out:

http://www.sleuthkit.org/informer/sleuthkit-informer-2.html#split

I'm confused about why you got a seek error though. The Sleuth Kit should have returned an error about an invalid file system before the seek error occurred. I'll have to look into that more. Can you send me the output of the following:

dd if=image.img count=1 | xxd

That will put the first sector of the image you collected in a hexdump format. I want to find out why the sanity check did not work. No sensitive data is located in there.

brian

From: David B. <to...@so...> - 2003-08-15 10:36:37
* Brian Carrier (ca...@sl...) wrote:
> For those that were on linux_forensics@yahoo and saw its fate today ...
> it is back. Enda got it back and you can re-subscribe - although the
> archives are gone.

It's a pity all the archives are gone, I've learnt a lot from them. Let's give it a second chance!

From: Brian C. <ca...@sl...> - 2003-08-15 02:16:04
For those that were on linux_forensics@yahoo and saw its fate today ... it is back. Enda got it back and you can re-subscribe - although the archives are gone.

brian

From: Hideaki I. <hi...@po...> - 2003-08-14 21:50:53
Takahashi,

Thank you for the help. He updates the "UTF-8 output" patch. However, a problem with the time zone occurs with the original.

UTF-8 output patch for task-1.60/sleuthkit-1.6x
http://www.monyo.com/technical/unix/TASK/

This patch is necessary if you want to use multi-byte character strings in Autopsy.
http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/
(It is a Japanese page.)

for Autopsy 1.73 (Perl 5.8.0 or later)
http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/autopsy-utf8-8_5.8.patch

for Autopsy 1.73 (Perl 5.6.0 or later)
http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/autopsy-utf8-8.patch

--
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
Microsoft MVP (Security)
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/

From: Brian C. <ca...@sl...> - 2003-08-14 21:49:50
> > Interesting. I'm going to need some more information. What
> > happens if you run 'fls' with '-z JST'?
>
> This is the result, experimentally.
>
> $ ./fls -z JST -l -f ntfs /home/hideaki/evidence/6gtest/RedHat9/images/thinkpad.dd
> r/r 4-128-4: $AttrDef 2003.08.01 23:33:30 (JST) 2003.08.01 23:33:30 (JST) 2003.08.01 23:33:30 (JST) 2560 0 48
>
> When I set -z JST, the time becomes incorrect.
>
> > What did you enter into the Host configuration for the timezone?
>
> I set JST as of installation.
> Do I have to install a system in GMT?

Google shows that JST-9 is the appropriate timezone variable. Try that. What do you use, Takahashi?

brian

From: Hideaki I. <hi...@po...> - 2003-08-14 21:41:36
Brian,

On Thu, 14 Aug 2003 07:46:16 PDT Brian Carrier <ca...@sl...> wrote:
> > [The Sleuth Kit ver 1.64]
> > $ ./fls -8 -l -f ntfs /home/hideaki/evidence/6gtest/RedHat9/images/thinkpad.dd
> >
> > r/r 4-128-4: $AttrDef 2003.08.02 08:33:30 (JST) 2003.08.02 08:33:30 (JST) 2003.08.02 08:33:30 (JST) 2560 0 48
>
> Interesting. I'm going to need some more information. What
> happens if you run 'fls' with '-z JST'?

This is the result, experimentally.

$ ./fls -z JST -l -f ntfs /home/hideaki/evidence/6gtest/RedHat9/images/thinkpad.dd
r/r 4-128-4: $AttrDef 2003.08.01 23:33:30 (JST) 2003.08.01 23:33:30 (JST) 2003.08.01 23:33:30 (JST) 2560 0 48

When I set -z JST, the time becomes incorrect.

> What did you enter into the Host configuration for the timezone?

I set JST as of installation.
Do I have to install a system in GMT?

--
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
Microsoft MVP (Security)
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/

From: Brian C. <ca...@sl...> - 2003-08-14 16:55:07
On 14 Aug 2003 08:45 PDT you wrote:
> Hideaki Ihara wrote:
> > I am troubled in a time zone.
> > TSK and Autopsy display a different value in the same time zone.
> > A fls command displays the correct time.
>
> A similar problem was reported on 8th May,
> <http://sourceforge.net/mailarchive/forum.php?forum_id=10358&max_rows=25&style=flat&viewmonth=200305&viewday=8>

This problem is different though because the (JST) is being reported in the Autopsy times. If an invalid timezone is entered into Autopsy, the time will be reported with (GMT) next to it.

> Brian Carrier wrote:
> > Actually, which time is correct?
>
> He says fls shows the correct time.

Oh yea, I missed that line :)

> And the -8 option is the UTF-8 output option made by me; please refer to the
> list archives, where the subject is "ntfs.c.patch".

I know. I'm just trying to simplify the test cases so that we can reduce the places where an error could occur.

brian

From: TAKAHASHI M. <mo...@ho...> - 2003-08-14 15:43:08
Hideaki Ihara wrote:
> I am troubled in a time zone.
> TSK and Autopsy display a different value in the same time zone.
> A fls command displays the correct time.

A similar problem was reported on 8th May,
<http://sourceforge.net/mailarchive/forum.php?forum_id=10358&max_rows=25&style=flat&viewmonth=200305&viewday=8>

Brian Carrier wrote:
> Actually, which time is correct?

He says fls shows the correct time.

And the -8 option is the UTF-8 output option made by me; please refer to the list archives, where the subject is "ntfs.c.patch".

-----
TAKAHASHI, Motonobu (monyo) mo...@ho... http://www.monyo.com/

From: Brian C. <ca...@sl...> - 2003-08-14 14:50:14
On 13 Aug 2003 18:50 PDT you wrote:
> Hi All,
>
> I am troubled in a time zone.
> TSK and Autopsy display a different value in the same time zone.
> A fls command displays the correct time.
> Autopsy generates a gap of nine hours.
> Do I have a solution method?
>
> [The Sleuth Kit ver 1.64]
> $ ./fls -8 -l -f ntfs /home/hideaki/evidence/6gtest/RedHat9/images/thinkpad.dd
>
> r/r 4-128-4: $AttrDef 2003.08.02 08:33:30 (JST) 2003.08.02 08:33:30 (JST) 2003.08.02 08:33:30 (JST) 2560 0 48

Interesting. I'm going to need some more information. What happens if you run 'fls' with '-z JST'? What if you skip the -8? What did you enter into the Host configuration for the timezone? Enter that with the -z and fls and see what that shows.

Actually, which time is correct?

thanks,
brian

> [autopsy-1.73]
> r / r $AttrDef 2003.08.01 23:33:30 (JST) 2003.08.01 23:33:30 (JST) 2003.08.01 23:33:30 (JST) 2560 48 0 4-128-4

From: Hideaki I. <hi...@po...> - 2003-08-14 01:46:52
Hi All,

I am troubled in a time zone.
TSK and Autopsy display a different value in the same time zone.
A fls command displays the correct time.
Autopsy generates a gap of nine hours.
Do I have a solution method?

[The Sleuth Kit ver 1.64]
$ ./fls -8 -l -f ntfs /home/hideaki/evidence/6gtest/RedHat9/images/thinkpad.dd

r/r 4-128-4: $AttrDef 2003.08.02 08:33:30 (JST) 2003.08.02 08:33:30 (JST) 2003.08.02 08:33:30 (JST) 2560 0 48

[autopsy-1.73]
r / r $AttrDef 2003.08.01 23:33:30 (JST) 2003.08.01 23:33:30 (JST) 2003.08.01 23:33:30 (JST) 2560 48 0 4-128-4

Best regards,
--
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
Microsoft MVP (Security)
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/

From: Brian C. <ca...@sl...> - 2003-08-13 04:53:34
Hello All,

I have created a new list to discuss the development of new features and the design of Autopsy and The Sleuth Kit. That way people do not duplicate efforts and this list does not get cluttered with development threads. Example topics include the best way for me to re-design the code in Autopsy to allow new features to be easily added, the indexed search code, and integrating other tools. Anyone can sign up (as long as they like reading code) and the archive is open to the public.

http://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

brian

From: Paul B. <ba...@fo...> - 2003-08-08 08:05:36
Hello,

I work at a company doing Forensic IT investigations in the Netherlands called Fox-IT (http://www.fox-it.com). We are working on an all-Linux environment for Forensic research.

As the main Forensic tool we would like to use Autopsy/Sleuthkit. As it is missing some features in comparison to (commercial) Windows products, we've decided to contribute and add some new features to Autopsy and Sleuthkit. We're doing this in cooperation with Brian Carrier.

One of the major missing features is indexed searching. Indexed searching greatly speeds up searches for words during investigations.

In May 2003 we released a first implementation for indexed searching in Autopsy and Sleuthkit. This has resulted in a lot of feedback and feature requests.

This e-mail announces the release of the second version of indexed searching in Autopsy and Sleuthkit. The patch can be downloaded from

http://www.fox-it.com/files/autopsy-indexing-2.patch.tar.gz
(MD5 http://www.fox-it.com/files/autopsy-indexing-2.patch.tar.gz.md5)
(MD5: 9889 52cf dcb3 a318 f3c8 9920 43b8 d6fb)

This second version uses a different and better technique for indexing image files that has support for more advanced future options.

The new version has the following improvements and features:

* Tools for Indexed searching in sleuthkit.
* Creation of necessary files integrated into Autopsy interface.
* Indexed Search field (At the bottom of the "Keyword search" page).
* Case insensitive searching.
* Possibility to search for whole words only or parts of words.
* No strings file necessary. Only the Image file is needed for indexing. The size for a normal combined index is about the same as a strings file for the same image. (This depends on the settings used for indexing).
* Can be used to index image files of any size. (Indexing results in multiple small indexes).
* Includes a tool to combine multiple index files of the same image.
* The Autopsy interface is currently only usable for "small" images, because it will combine index files into a single index file, thus taking a long time for very large images (> 20 Gb). Future versions will add more flexibility here.
* Support for different default index-character sets. This release lets you index using:
  - Alphabet [a-z,A-Z]
  - Alphanumeric [a-z,A-Z,0-9]
  - EMail and Alphanumeric [a-z,A-Z,0-9,.,_,-,@]
  The smaller the set, the smaller the index file.
* Lots of flexibility for the index process. (Specify the maximum memory usage, the minimum and maximum indexword length and more)

The next version will include:

* Folding (Mapping diacritic characters to their normal equivalent, allowing for more powerful searches.)
* Default support for folding of the default ISO-8859-1 character set and perhaps for others too.
* Better flexibility in the Autopsy interface.
* Allows the use of index specification files. These files describe exactly what characters should be indexed and how they should be folded, thus allowing full control over the indexing process.
* More documentation on the format used in the index file and the process involved.

It has been tested on a Debian Linux system and on a number of forensic images. The following statistics have been gathered:

* Index time. The index time is dependent on the index character set used, the minimum and maximum indexword size and the maximum memory that is available. Indexing a 5 Gb image with only 200 Mb of memory to use, using the Alphanumeric character set, requires 74 minutes and results in 39 index files with a total size of 3.8 Gb.
* Combine time. Multiple index files can be combined into a single index file. This decreases the size of the index file and increases the search speed. Combining requires about 33 minutes to combine 3.8 Gb of index files into a single 2.4 Gb index file (The strings file for the same image is 2.0 Gb).
* Search time. The search time is dependent on the number of results that are returned. The more results, the longer the search, as it has to access the original image file for every hit. The speedup for searching is very great. Searches on a 5 Gb image file for a single word:
  - in less than 1 second (Resulting in 4935 hits), compared to 111 seconds using the regular grepping on the strings file.
  - in 66 seconds (Resulting in 366587 hits), compared to 111 seconds using the regular grepping on the strings file.

The available patches are for Autopsy 1.72 and Sleuthkit 1.64. They add the second beta version of indexed searching to Autopsy.

It is still in beta and therefore I would greatly appreciate it if people would test the indexed searching on other machines and images and send their problems, feedback and feature requests to me.

All feedback is appreciated! My goal is to add useful features (like indexed searching) to Autopsy and Sleuthkit. This requires feedback! ;-)

--
Paul Bakker
Fox-IT
Experts in IT Security!
Haagweg 137
2281 AG RIJSWIJK
T 070 336 9999
F 070 336 9990
I www.fox-it.com
E ba...@fo...
57A6 C5EA 55E4 CC1C A967 B13C F8C0 C0FB 8135 E225

From: Ralf S. <li...@sp...> - 2003-08-03 07:22:31
Hi Brian,

On Sat, 2003-08-02 at 23:29, Brian Carrier wrote:
> Thanks Ralf. There was also a typo in the docs that Jake pointed out,
> that Sun VTOC stands for Volume TOC and not Virtual TOC (and I'm
> not quite sure why I thought it was "virtual").

New sleuthkit RPMs available at the usual locations:

http://www.spenneberg.org/Forensics/sleuthkit

and

http://www.spenneberg.com/6.html?subject=%2FForensics%2Fsleuthkit%2F

Have fun downloading.

Cheers,

Ralf

--
Ralf Spenneberg RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org

From: Brian C. <ca...@sl...> - 2003-08-02 21:30:20
Ralf said:
> Although there is an issue compiling on Red Hat Linux 9 at least:
> mmls.c:39: initializer element is not constant

Brian's lesson of the day is to never again say "I don't need to test the extra debug / verbose messages on all platforms".

Thanks Ralf. There was also a typo in the docs that Jake pointed out, that Sun VTOC stands for Volume TOC and not Virtual TOC (and I'm not quite sure why I thought it was "virtual").

MD5 (sleuthkit-1.64.tar.gz) = 12e01373f06ec3dcf73283fca64b30d4

http://www.sleuthkit.org/sleuthkit/download.php

brian

From: Ralf S. <li...@sp...> - 2003-08-02 09:29:23
Hello Brian,

On Fri, 2003-08-01 at 21:32, Brian Carrier wrote:
> The Sleuth Kit ver 1.63 has been released.
>
> http://www.sleuthkit.org/sleuthkit/index.php

Great work. Although there is an issue compiling on Red Hat Linux 9 at least:

mmls.c:39: initializer element is not constant

This attached patch fixes it.

Sleuthkit-1.63 RPMs are available at:

https://www.spenneberg.com/Downloads/6.html?subject=%2FForensics%2F

Cheers,

Ralf

--
Ralf Spenneberg RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org

From: Brian C. <ca...@sl...> - 2003-08-01 19:34:00
The Sleuth Kit ver 1.63 has been released.

http://www.sleuthkit.org/sleuthkit/index.php

Updates
- Added Media Management Tools so that partitions can be analyzed and extracted. Support exists for DOS partitions, BSD partitions, Mac partitions, and Sun slices. The 'mmls' tool works like fdisk, but supports the above formats and lists the unallocated space. There are sample outputs in the 'Tool Description' page. (This is useful for OS X users that have no way of listing DOS partition layouts).
- Relaxed the requirements for listing DOS directory entries so that the wtime can now be 0 (Adam Uccello).

Bug Fixes
- 'sorter' had a regular expression bug that did not process all unallocated meta data structures. (Jeff Reava)

MD5 (sleuthkit-1.63.tar.gz) = df31503389419cebc95465e6aa31c0ca

brian

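Two threads on this page come down to reading the first 512 bytes of an image: the "NTFS problems" thread above (an image of /dev/hda begins with the DOS partition table, not an NTFS boot sector, which is what Brian's first-sector sanity check and his "dd if=image.img count=1 | xxd" request are about), and the mmls tool in this release note, which lists those partition entries so a single file system can be carved out. This added example is not code from The Sleuth Kit or from the list: it runs that check on constructed sample sectors; classify_sector, dos_partitions, the sample builders and the sample values (an NTFS partition at sector 63) are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sector_kind { SK_UNKNOWN = 0, SK_NTFS_BOOT = 1, SK_DOS_MBR = 2 };
struct dos_part {
    uint8_t  bootable;   /* 0x80 active, 0x00 inactive */
    uint8_t  type;       /* partition type byte, e.g. 0x07 for NTFS */
    uint32_t start_lba;  /* first sector of the partition on the disk */
    uint32_t sectors;    /* length in sectors */
};
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Classify the first 512 bytes of an image: an NTFS boot sector has the OEM ID
 * "NTFS    " at offset 3, a sane bytes-per-sector at offset 11 and 0x55AA at
 * offset 510; a DOS MBR has the signature and four 16-byte entries at offset
 * 446 whose boot flag is 0x00 or 0x80 (a heuristic, so NTFS is tested first). */
enum sector_kind classify_sector(const uint8_t *s)
{
    if (le16(s + 510) != 0xAA55)
        return SK_UNKNOWN;
    if (memcmp(s + 3, "NTFS    ", 8) == 0) {
        uint16_t bps = le16(s + 11);
        return (bps == 512 || bps == 1024 || bps == 2048 || bps == 4096)
               ? SK_NTFS_BOOT : SK_UNKNOWN;
    }
    for (int i = 0; i < 4; i++) {
        uint8_t flag = s[446 + 16 * i];
        if (flag != 0x00 && flag != 0x80)
            return SK_UNKNOWN;
    }
    return SK_DOS_MBR;
}

/* Decode the four primary DOS partition entries into out[]; returns how many
 * are in use. start_lba is the 'skip=' and sectors the 'count=' that dd
 * needs to carve that partition out of a whole-disk image. */
int dos_partitions(const uint8_t *mbr, struct dos_part out[4])
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + 446 + 16 * i;
        struct dos_part p = { e[0], e[4], le32(e + 8), le32(e + 12) };
        if (p.type != 0 && p.sectors != 0)
            out[n++] = p;
    }
    return n;
}

/* Constructed sample sectors, not taken from any real image. */
void make_sample_ntfs_boot(uint8_t *s)
{
    memset(s, 0, 512);
    s[0] = 0xEB; s[1] = 0x52; s[2] = 0x90;   /* jump over the BPB */
    memcpy(s + 3, "NTFS    ", 8);            /* OEM ID */
    s[11] = 0x00; s[12] = 0x02; s[13] = 8;   /* 512 bytes/sector (LE), 8 sectors/cluster */
    s[510] = 0x55; s[511] = 0xAA;
}

void make_sample_mbr(uint8_t *s)
{
    memset(s, 0, 512);
    uint8_t *e = s + 446;                    /* entry 0: active NTFS at LBA 63 */
    e[0] = 0x80; e[4] = 0x07;
    uint32_t start = 63, len = 1000000;
    for (int i = 0; i < 4; i++) {
        e[8 + i] = (uint8_t)(start >> (8 * i));
        e[12 + i] = (uint8_t)(len >> (8 * i));
    }
    s[510] = 0x55; s[511] = 0xAA;
}

/* Classify a sample: whole_disk=1 builds the MBR, 0 the NTFS boot sector. */
enum sector_kind sample_kind(int whole_disk)
{
    uint8_t s[512];
    if (whole_disk) make_sample_mbr(s); else make_sample_ntfs_boot(s);
    return classify_sector(s);
}

/* Start sector of the first partition in the sample MBR, 0 if none. */
uint32_t sample_first_partition_start(void)
{
    uint8_t s[512]; struct dos_part p[4];
    make_sample_mbr(s);
    return dos_partitions(s, p) >= 1 ? p[0].start_lba : 0;
}

int main(void)
{
    uint8_t s[512]; struct dos_part p[4];
    make_sample_mbr(s);
    printf("whole disk: kind %d, partition: kind %d\n", sample_kind(1), sample_kind(0));
    for (int i = 0, n = dos_partitions(s, p); i < n; i++)
        printf("entry %d: type 0x%02x -> dd skip=%u count=%u\n", i, p[i].type, p[i].start_lba, p[i].sectors);
    return 0;
}
```

Run against a real whole-disk image, the same check explains the "not a valid ntfs file system" error: the NTFS boot sector only appears once the partition's start sector is skipped.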
From: Keith R W. <kw...@be...> - 2003-07-31 11:13:43
Thanks for the feedback. I commented out the line in autopsyfunc.pm, but still had the problem with not finding the dll. I saw where it was resetting the PATH later on in the initialization file and commented out that line as well, but to no avail. After flailing around a while I finally decided to take a look inside the autopsy script itself. It was doing the same thing with resetting the PATH to be blank. I commented out that line and things took off.

Also thanks for the comment on the image file. I had a fundamental misunderstanding of how it was working. I thought the image import was actually doing the "dd" for me. Sorry for the total ignorance, but I am just learning.

Thanks again
krw

Brian Carrier wrote:
> On 25 Jul 2003 19:24 PDT you wrote:
> > I am running on a windows 2000 workstation with cygwin installed. When
> > I try to add an image to a case file it tells me that it can't find:
> > cygwin1.dll on the path, even though the path has /bin on it. The
> > error is coming from fsstat.
>
> Autopsy removes the original path, try and remove that line in Autopsy and see if it works. It is line 75 in autopsyfunc.pm:
>
> $ENV{PATH} = "";
>
> Remove that, restart, and try it again. I haven't done much with Autopsy and CYGWIN before, but maybe others on this list can provide assistance.
>
> > When I try to run fsstat from the command line I get the following:
> > $ /cygdrive/d/sleuthkit/bin/fsstat.exe /cygdrive/a
> > /cygdrive/d/sleuthkit/bin/fsstat: /cygdrive/a: read superblock: Is a
> > directory
>
> The Sleuth Kit tools need a file system image to process. The mounted directory does not give The Sleuth Kit the needed information. You will have to make an image of the partition (using a 'dd' port for example) and run the tools on that image.
>
> brian