sleuthkit-users Mailing List for The Sleuth Kit (Page 206)
From: Brian C. <ca...@sl...> - 2003-04-21 02:33:03

Rich,

The error is likely from the permissions on the autopsy.log file in the Evidence Locker. You will need write permissions on that file so that it can be updated when autopsy is started and cases are opened. The first issue of the Sleuth Kit Informer has an article on the required permissions for Autopsy.

http://www.sleuthkit.org/informer

brian

Rich Thompson <te...@ya...> said:
> OK,
>
> This may sound dumb, but how do you stop autopsy. I was playing with it after install, and decided to close my case and exit the browser. Now I can't get back in to autopsy to run this case or others... What did I do wrong?
>
> I'm using Autopsy 1.70 and Sleuthkit 1.60
>
> FYI-
>
> When I run ./autopsy 8888 localhost it gives me the URL but it also says "can't open log autopsy.log at ./autopsy line 128"
>
> So how do I get in and how do I close properly next time?
>
> Thanks in advance,
> texatl
From: Rich T. <te...@ya...> - 2003-04-20 19:14:52

OK,

This may sound dumb, but how do you stop autopsy. I was playing with it after install, and decided to close my case and exit the browser. Now I can't get back in to autopsy to run this case or others... What did I do wrong?

I'm using Autopsy 1.70 and Sleuthkit 1.60

FYI-

When I run ./autopsy 8888 localhost it gives me the URL but it also says "can't open log autopsy.log at ./autopsy line 128"

So how do I get in and how do I close properly next time?

Thanks in advance,
texatl
From: Josep M H. <jm...@me...> - 2003-04-15 14:56:40

Brian Carrier wrote:
> Have you downloaded the 'binutils' package from GNU and compiled it? I haven't tried it with FreeBSD, but that usually works.
>
> brian

Yes, I have done this also; without any special configure argument it doesn't work. Now I am reviewing the configure options, but maybe the problem comes from some shared library.

Thanks,
Josep M Homs
From: Brian C. <ca...@sl...> - 2003-04-15 00:03:32

Can you run the following for me and send me the output (off list since it may be big):

    /forensics/task-1.60/bin/fls -f FS_TYPE -v IMG.DD

and replace FS_TYPE with the file system type (ntfs for example) and IMG.DD with the partition image. This will run in verbose mode. Is it for the root directory or other directories?

brian

Terry Lamar <tl...@te...> said:
> I'm pretty sure this is caused by something I did wrong with the dd command. When I add an image and go to File Analysis it gives me the following error.
>
> /forensics/task-1.60/bin/fls: fs_read_block: Block Read Request with length (20487) not a multiple of 512
>
> Any Suggestions,
> Terry Lamar
>
> -------------------------------------------------------
> This sf.net email is sponsored by: ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> sleuthkit-users mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
From: Brian C. <ca...@sl...> - 2003-04-14 23:59:27

Have you downloaded the 'binutils' package from GNU and compiled it? I haven't tried it with FreeBSD, but that usually works.

brian

Josep M Homs <jm...@me...> said:
> Hi,
> my two past problems were solved, thanks Brian!
> Now I have another issue, this time it is more OS related, but maybe someone here has seen it before, so I hope that nobody cares about this semi offtopic.
> The following message appears in the left frame while doing a keyword search within autopsy:
>
> ERROR: Negative byte offset (-1268053040) Your version of strings likely does not support large files: lsof_filters
>
> The message is quite self explanatory, so anyone with previous experience rebuilding strings in FreeBSD in order to work properly?
>
> Informational note for other FreeBSD users: I solved a Perl issue with large files in the default FreeBSD installation by installing v 5.8 from the ports tree.
>
> Best regards,
> Josep M Homs
From: Brian C. <ca...@sl...> - 2003-04-14 23:56:46

This was fixed and Josep has the patch. You can now read the final fragments in a FFS image that are not a multiple of a block (which seems to be rare). If anyone else needs it before the next version is released, let me know.

brian
From: Terry L. <tl...@te...> - 2003-04-14 19:46:28

I'm pretty sure this is caused by something I did wrong with the dd command. When I add an image and go to File Analysis it gives me the following error.

/forensics/task-1.60/bin/fls: fs_read_block: Block Read Request with length (20487) not a multiple of 512

Any Suggestions,
Terry Lamar
From: Josep M H. <jm...@me...> - 2003-04-14 14:53:01

Hi,
my two past problems were solved, thanks Brian!
Now I have another issue, this time it is more OS related, but maybe someone here has seen it before, so I hope that nobody cares about this semi offtopic.
The following message appears in the left frame while doing a keyword search within autopsy:

ERROR: Negative byte offset (-1268053040) Your version of strings likely does not support large files: lsof_filters

The message is quite self explanatory, so anyone with previous experience rebuilding strings in FreeBSD in order to work properly?

Informational note for other FreeBSD users: I solved a Perl issue with large files in the default FreeBSD installation by installing v 5.8 from the ports tree.

Best regards,
Josep M Homs
From: Brian C. <ca...@sl...> - 2003-04-11 19:52:08

That was a bug, that I just fixed. The 'False Hit' code was added to the latest release. Autopsy reports how many hits it found in the search and then prints them out. In some cases, it used to claim 100 hits, but only show 99 entries. So, I added code to report the false 1 hit so that people could account for it. But, the logic had a slight bug that printed even when the word was found and there was a previous hit in the same data unit.

The fix is to move the '}' on line 4905 to before the '$found++' statement on line 4904 in base/autopsyfunc.pm/base. Re-run make and you should be set. So, it should be:

        $prev = $b;
    }
    $found++;
    print "- offset $o bytes<BR>\n";
    $idx++;

As a note about what causes false hits. The strings file has the ASCII strings and the byte offset. If you search for a numerical value, then 'grep' could find the "string" in the numerical offset field. So, that would count as a false hit.

thanks,
brian

"Buckman, Cathy" <Buc...@dc...> said:
> I downloaded the latest version of the autopsy and sleuthkit, and am running it on Solaris 8. I created a search on the dd image file, and it returned the following:
>
> 4053 (Hex-Ascii)
> offset 16 bytes
> False Hit Offset 232 bytes
>
> What does 'False Hit' mean and why is it showing up under the search results? Other than the false hit message, the search seems to be working fine.
>
> Thanks.
> Cathy
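The strings-file false hit that Brian describes above, as an added example (this is not Autopsy's code): it parses strings -t d style lines, separates matches in the text column from matches that occur only in the decimal offset column, and shows why a plain grep count overstates the hits. The sample lines are constructed; the keyword 4053 is the one from Cathy's search.

```python
"""Added example, not Autopsy code: telling real keyword hits from 'false
hits' in a strings file.

Autopsy's keyword search greps the output of `strings -t d`, where each line
is "<decimal offset> <printable string>". A numeric keyword can therefore
match inside the offset column instead of in recovered data, which is the
'False Hit' Brian describes.
"""
import re

# Constructed sample of `strings -t d` output (not taken from a real image).
SAMPLE_STRINGS = """\
     16 invoice 4053 paid
    232 nothing to see here
   4053 session cookie expired
   8192 order number 4053
  40531 another line
"""

# GNU strings prints the decimal offset right-aligned, then one space,
# then the string.
LINE_RE = re.compile(r"^\s*(\d+) (.*)$")


def parse_strings_file(text):
    """Yield (offset, string) pairs from strings -t d style output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)


def naive_grep_count(text, keyword):
    """What a plain grep over whole lines reports: every line that contains
    the keyword anywhere, offset column included."""
    return sum(1 for line in text.splitlines() if keyword in line)


def classify_hits(text, keyword):
    """Split grep-style matches into real and false hits.

    Returns (real, false):
      real  - absolute byte offsets in the data where the keyword starts
      false - offsets of lines whose only match was the offset column
    A line that matches in both columns counts once, as a real hit, which
    is the double-counting case the patch in this thread corrects.
    """
    real, false = [], []
    for offset, s in parse_strings_file(text):
        idx = s.find(keyword)
        if idx >= 0:
            real.append(offset + idx)
        elif keyword in str(offset):
            false.append(offset)
    return real, false


def report(text, keyword):
    """Human-readable summary in the spirit of Autopsy's search output."""
    real, false = classify_hits(text, keyword)
    lines = [f"{keyword}: grep reports {naive_grep_count(text, keyword)} hits, "
             f"{len(real)} real, {len(false)} false"]
    lines += [f"- offset {o} bytes" for o in real]
    lines += [f"- False Hit at strings offset {o}" for o in false]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_STRINGS, "4053"))
```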
From: Buckman, C. <Buc...@dc...> - 2003-04-11 17:06:24

I downloaded the latest version of the autopsy and sleuthkit, and am running it on Solaris 8. I created a search on the dd image file, and it returned the following:

4053 (Hex-Ascii)
offset 16 bytes
False Hit Offset 232 bytes

What does 'False Hit' mean and why is it showing up under the search results? Other than the false hit message, the search seems to be working fine.

Thanks.
Cathy
From: Josep M H. <jm...@me...> - 2003-04-11 15:10:09

Brian Carrier wrote:
> Interesting. FFS actually allows you to have a file system size that is not a multiple of the block size, but it is a multiple of the fragment size. In this case, it appears that you have data in the last 4 fragments and it is trying to read the full block and just extract the fragments. Can you run the 'fls -rp' with '-v' as well to get the verbose output? I need to find out where it is being called from.

/usr/local/bin/sleuthkit/bin/fls -f solaris -rp -v ./c0t0d0s6-usr.dd
inodes 1477504 root ino 2 cyl groups 238 blocks 12328948
fs_read_block: read block 32 offs 32768 len 8192 (inode block)
fs_read_block: read block 24 offs 24576 len 8192 (cylinder block)
fs_read_block: read block 824 offs 843776 len 8192 (data block)
-/d 3: lost+found
fs_read_block: read block 816 offs 835584 len 8192 (data block)
fs_read_block: read block 5859232 offs 5999853568 len 8192 (inode block)
fs_read_block: read block 5859216 offs 5999837184 len 8192 (cylinder block)
-------- [cut] ----------------------
-/d 1465088: lib/devfsadm
fs_read_block: read block 12232360 offs 12525936640 len 8192 (data block)
fs_read_block: read block 103952 offs 106446848 len 8192 (inode block)
fs_read_block: read block 103944 offs 106438656 len 8192 (cylinder block)
fs_read_block: read block 12233920 offs 12527534080 len 8192 (inode block)
fs_read_block: read block 12232361 offs 12525937664 len 1024 (link block)
fs_read_block: read block 12233912 offs 12527525888 len 8192 (cylinder block)
-/l 1465089: lib/devfsadm/devfsadmd
fs_read_block: read block 12285880 offs 12580741120 len 8192 (inode block)
fs_read_block: read block 12285872 offs 12580732928 len 8192 (cylinder block)
-/d 1471296: lib/devfsadm/linkmod
fs_read_block: read block 12328944 offs 12624838656 len 8192 (data block)
/usr/local/bin/sleuthkit/bin/fls: read block read error (8192@12624838656): Unknown error: 0

> I just fixed a bug in 'fsstat' that takes this into account (notice that the last fragments in the group extend beyond the final fragment).
>
> brian
From: Brian C. <ca...@sl...> - 2003-04-11 14:49:10

Interesting. FFS actually allows you to have a file system size that is not a multiple of the block size, but it is a multiple of the fragment size. In this case, it appears that you have data in the last 4 fragments and it is trying to read the full block and just extract the fragments. Can you run the 'fls -rp' with '-v' as well to get the verbose output? I need to find out where it is being called from.

I just fixed a bug in 'fsstat' that takes this into account (notice that the last fragments in the group extend beyond the final fragment).

brian
From: Josep M H. <jm...@me...> - 2003-04-11 13:32:05

>>> How big exactly is the image?
>>
>> -rw-r--r-- 1 root wheel 12624842752 Apr 9 20:34 c0t0d0s6-usr.dd
>
> ..
>
>> -/d 1471296: lib/devfsadm/linkmod
>> /usr/local/bin/sleuthkit/bin/fls: read block read error
>> (8192@12624838656): Unknown error: 0
>
> It is trying to read 8192 bytes at 12624838656, but there is only 4096 bytes left in the image. So, there are either invalid pointers or you are missing part of the image.

I transferred again the image and the exact size remains the same.

> What is the 'fsstat' output for the image. That will give the total number of blocks in the file system. As the image size is not a multiple of 8192 (the block size), I would guess that you do not have the full image. The 'fsstat' output contains the required info.

/usr/local/bin/sleuthkit/bin/fsstat -f solaris ./c0t0d0s6-usr.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FFS
Last Written: Wed Apr 9 15:42:50 2003

META-DATA INFORMATION
--------------------------------------------
Inode Range: 0 - 1477503
Root Directory: 2

CONTENT-DATA INFORMATION
--------------------------------------------
Fragment Range: 0 - 12328947
Block Size: 8192
Fragment Size: 1024

CYLINDER GROUP INFORMATION
--------------------------------------------
Number of Cylinder Groups: 238
Inodes per group: 6208
Fragments per group: 51832

Group 0:
  Inode Range: 0 - 6207
  Fragment Range: 0 - 51831
  Boot Block: 0 - 7
  Super Block: 8 - 9
  Super Block: 16 - 17
  Group Desc: 24 - 24
  Inode Table: 32 - 807
  Data Fragments: 808 - 51831
-------[cut]-------
Group 237:
  Inode Range: 1471296 - 1477503
  Fragment Range: 12284184 - 12328947
  Super Block: 12285864 - 12285865
  Group Desc: 12285872 - 12285872
  Inode Table: 12285880 - 12286655
  Data Fragments: 12284184 - 12285863, 12286656 - 12336015

If needed I can send the full output.

> brian

Thanks,
Josep M Homs
From: Brian C. <ca...@sl...> - 2003-04-10 22:17:25

Josep M Homs <jm...@me...> said:
> Brian Carrier wrote:
>> How big exactly is the image?
>
> -rw-r--r-- 1 root wheel 12624842752 Apr 9 20:34 c0t0d0s6-usr.dd
> ..
>
> -/d 1471296: lib/devfsadm/linkmod
> /usr/local/bin/sleuthkit/bin/fls: read block read error
> (8192@12624838656): Unknown error: 0

It is trying to read 8192 bytes at 12624838656, but there is only 4096 bytes left in the image. So, there are either invalid pointers or you are missing part of the image. What is the 'fsstat' output for the image. That will give the total number of blocks in the file system. As the image size is not a multiple of 8192 (the block size), I would guess that you do not have the full image. The 'fsstat' output contains the required info.

brian
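The fragment arithmetic behind the read error in this thread, as an added example (not Sleuth Kit code): using the geometry from Josep's fsstat output and the image size from his ls -l, it shows why the file system is a whole number of fragments but not of blocks, clamps a block read at the end of the image to the fragments that actually exist (the behaviour Brian describes fixing), and clips the last cylinder group's fragment range the way the fsstat fix does. The addresses in the fls -v trace are fragment addresses, which the example relies on.

```python
"""Added example, not Sleuth Kit code: the block/fragment arithmetic behind
the fls read error in this thread.

Geometry comes from Josep's fsstat output (block size 8192, fragment size
1024, 238 cylinder groups of 51832 fragments); the image size comes from
his ls -l (12624842752 bytes). Addresses in the fls -v trace are in
fragments, which is why block 12328944 sits at byte 12328944 * 1024.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FfsGeometry:
    image_size: int       # bytes in the image file
    block_size: int       # bytes per block
    frag_size: int        # bytes per fragment
    frags_per_group: int  # fragments per cylinder group
    ngroups: int          # number of cylinder groups

    @property
    def frags_per_block(self):
        return self.block_size // self.frag_size

    @property
    def total_frags(self):
        # FFS sizes a file system in fragments, so the total need not be
        # a whole number of blocks.
        return self.image_size // self.frag_size

    def last_block_is_partial(self):
        """True when the final block is only partly backed by fragments."""
        return self.total_frags % self.frags_per_block != 0

    def trailing_frags(self):
        """Fragments in the partial last block (0 if the last block is full)."""
        return self.total_frags % self.frags_per_block


def overruns(geo, frag_addr, length):
    """Old behaviour: does a read of `length` bytes at fragment `frag_addr`
    run past the end of the image? This is the (8192@12624838656) failure."""
    return frag_addr * geo.frag_size + length > geo.image_size


def read_request(geo, frag_addr, want=None):
    """Fixed behaviour: (byte offset, byte length) to request for the block
    starting at fragment `frag_addr`, clamped to the fragments that exist.
    `want` defaults to one full block."""
    if frag_addr < 0 or frag_addr >= geo.total_frags:
        raise ValueError(f"fragment {frag_addr} outside 0..{geo.total_frags - 1}")
    want = geo.block_size if want is None else want
    offset = frag_addr * geo.frag_size
    return offset, min(want, geo.image_size - offset)


def group_frag_range(geo, group):
    """Fragment range of a cylinder group, clipped to the file system end
    (the fsstat fix: group 237 nominally runs to 12336015)."""
    if group < 0 or group >= geo.ngroups:
        raise ValueError(f"group {group} outside 0..{geo.ngroups - 1}")
    start = group * geo.frags_per_group
    end = min(start + geo.frags_per_group, geo.total_frags) - 1
    return start, end


# The /usr image from the thread.
USR_IMAGE = FfsGeometry(image_size=12624842752, block_size=8192,
                        frag_size=1024, frags_per_group=51832, ngroups=238)

if __name__ == "__main__":
    g = USR_IMAGE
    print(f"fragments: {g.total_frags}, partial last block: "
          f"{g.last_block_is_partial()} ({g.trailing_frags()} fragments)")
    print("old read overruns:", overruns(g, 12328944, 8192))
    print("clamped read:", read_request(g, 12328944))
    print("group 237:", group_frag_range(g, 237))
```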
From: Josep M H. <jm...@me...> - 2003-04-10 16:32:20

Brian Carrier wrote:
> How big exactly is the image?

-rw-r--r-- 1 root wheel 12624842752 Apr 9 20:34 c0t0d0s6-usr.dd

> That message usually appears when it tries to read past the end of the file (if a few blocks were missed) or if it is trying to read invalid data. Invalid data usually exists because the file was deleted and the block pointers were written over with different data.
>
> Run 'fls' from the command line (with -rp) to see where the error occurs. Then do an istat on the file.
>
> fls -f ntfs -rp IMG

#/usr/local/bin/sleuthkit/bin/fls -f solaris -rp ./c0t0d0s6-usr.dd
---[cut]-----
-/d 1465088: lib/devfsadm
-/l 1465089: lib/devfsadm/devfsadmd
-/d 1471296: lib/devfsadm/linkmod
/usr/local/bin/sleuthkit/bin/fls: read block read error (8192@12624838656): Unknown error: 0

#/usr/local/bin/sleuthkit/bin/istat -f solaris ./c0t0d0s6-usr.dd 1471296
inode: 1471296
Allocated
Group: 237
uid / gid: 0 / 3
mode: drwxr-xr-x
size: 512
num of links: 2

Inode Times:
Accessed: Mon Mar 17 16:16:24 2003
File Modified: Thu Oct 17 12:21:23 2002
Inode Modified: Thu Oct 17 12:21:23 2002

Direct Blocks:
12328944

> brian
>
> On Thu, Apr 10, 2003 at 04:18:13PM +0200, Josep M Homs wrote:
>
>> All my past problems with fls were solved,
>> but I still have problems with the biggest partition (12Gb).
>> While creating the timeline body file the following read error appears:
>>
>> /usr/local/bin/sleuthkit/bin/fls: read block read error
>> (8192@12624838656): Unknown error: 0 Running ils -m on
>> images/c0t0d0s6-usr.dd
>>
>> I copied this partition thru dd/ssh with the source system up and running, could that be the problem?
>> Must I boot from a live cd system in order to produce a good image?
>> Note that I have no problem with the other partitions that were copied that way ...
>>
>> Thanks,
>> Josep M Homs
>>
>> -------------------------------------------------------
>> This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger for complex code. Debugging C/C++ programs can leave you feeling lost and disoriented. TotalView can help you find your way. Available on major UNIX and Linux platforms. Try it free. www.etnus.com
>> _______________________________________________
>> sleuthkit-users mailing list
>> sle...@li...
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
From: Brian C. <ca...@ce...> - 2003-04-10 15:43:10

How big exactly is the image? That message usually appears when it tries to read past the end of the file (if a few blocks were missed) or if it is trying to read invalid data. Invalid data usually exists because the file was deleted and the block pointers were written over with different data.

Run 'fls' from the command line (with -rp) to see where the error occurs. Then do an istat on the file.

    fls -f ntfs -rp IMG

brian

On Thu, Apr 10, 2003 at 04:18:13PM +0200, Josep M Homs wrote:
> All my past problems with fls were solved,
> but I still have problems with the biggest partition (12Gb).
> While creating the timeline body file the following read error appears:
>
> /usr/local/bin/sleuthkit/bin/fls: read block read error
> (8192@12624838656): Unknown error: 0 Running ils -m on
> images/c0t0d0s6-usr.dd
>
> I copied this partition thru dd/ssh with the source system up and running, could that be the problem?
> Must I boot from a live cd system in order to produce a good image?
> Note that I have no problem with the other partitions that were copied that way ...
>
> Thanks,
> Josep M Homs
From: Josep M H. <jm...@me...> - 2003-04-10 14:41:22

Brian Carrier wrote:
> philippe jarlov <phi...@wa...> said:
>
>> My name is Philippe Jarlov, I'm working for the French government and doing investigations on pedophilia cases on the net. Thank you for your work about autopsy. I want to try it, the install on Linux Mandrake 9.0 was ok. Now I'm on the graphical environment, I don't know how to put information at "add a new host" -> 1 Host Name, and 3. Timezone. Perhaps if someone can give me an example I could understand ...or if there is a doc with examples....
>
> The hostname can be anything you want. It is only for your record keeping. If you had a DNS server and a web server, you could call one web_server and the other dns_server. Or, you can just call it host1.
>
> I'm not sure what the timezone would be in France. It would be something like XXX1YYY. The East Coast US value is EST5EDT. Or, you could just do GMT.

I guess that both timeskew and timezone must be set accordingly with the originating system, nothing to do with the time in the analysis station. If this works this way, we could get the correct values issuing a "date" in the source system ... ¿

> I'll add examples to the help documents for the next version.
>
> brian

Thanks,
Josep M Homs
From: Josep M H. <jm...@me...> - 2003-04-10 14:19:51

All my past problems with fls were solved,
but I still have problems with the biggest partition (12Gb).
While creating the timeline body file the following read error appears:

/usr/local/bin/sleuthkit/bin/fls: read block read error (8192@12624838656): Unknown error: 0 Running ils -m on images/c0t0d0s6-usr.dd

I copied this partition thru dd/ssh with the source system up and running, could that be the problem?
Must I boot from a live cd system in order to produce a good image?
Note that I have no problem with the other partitions that were copied that way ...

Thanks,
Josep M Homs
From: philippe j. <phi...@wa...> - 2003-04-10 05:34:10

Brian Carrier wrote:
> philippe jarlov <phi...@wa...> said:
>
>> My name is Philippe Jarlov, I'm working for the French government and doing investigations on pedophilia cases on the net. Thank you for your work about autopsy. I want to try it, the install on Linux Mandrake 9.0 was ok. Now I'm on the graphical environment, I don't know how to put information at "add a new host" -> 1 Host Name, and 3. Timezone. Perhaps if someone can give me an example I could understand ...or if there is a doc with examples....
>
> The hostname can be anything you want. It is only for your record keeping. If you had a DNS server and a web server, you could call one web_server and the other dns_server. Or, you can just call it host1.
>
> I'm not sure what the timezone would be in France. It would be something like XXX1YYY. The East Coast US value is EST5EDT. Or, you could just do GMT.
>
> I'll add examples to the help documents for the next version.
>
> brian

Thank you very much! It's working well with GMT.

Philippe Jarlov
From: Brian C. <ca...@sl...> - 2003-04-09 21:31:22

philippe jarlov <phi...@wa...> said:
> My name is Philippe Jarlov, I'm working for the French government and doing investigations on pedophilia cases on the net. Thank you for your work about autopsy. I want to try it, the install on Linux Mandrake 9.0 was ok. Now I'm on the graphical environment, I don't know how to put information at "add a new host" -> 1 Host Name, and 3. Timezone. Perhaps if someone can give me an example I could understand ...or if there is a doc with examples....

The hostname can be anything you want. It is only for your record keeping. If you had a DNS server and a web server, you could call one web_server and the other dns_server. Or, you can just call it host1.

I'm not sure what the timezone would be in France. It would be something like XXX1YYY. The East Coast US value is EST5EDT. Or, you could just do GMT.

I'll add examples to the help documents for the next version.

brian
From: philippe j. <phi...@wa...> - 2003-04-09 20:09:33

Hi

My name is Philippe Jarlov, I'm working for the French government and doing investigations on pedophilia cases on the net. Thank you for your work about autopsy. I want to try it, the install on Linux Mandrake 9.0 was ok. Now I'm on the graphical environment, I don't know how to put information at "add a new host" -> 1 Host Name, and 3. Timezone. Perhaps if someone can give me an example I could understand ...or if there is a doc with examples....

Thank you very much

Philippe Jarlov
From: Tanaka S. <so...@is...> - 2003-04-09 07:08:21

Hello,

Mr. Takahashi updated a patch.

UTF-8 output patch for task-1.60/sleuthkit-1.61
http://www.monyo.com/technical/unix/TASK/

Thanks.

On Thu, 3 Apr 2003 22:03:04 -0000 "Brian Carrier" <ca...@sl...> wrote:
> The Sleuth Kit version 1.61 and Autopsy version 1.71 are now available.
>
> http://www.sleuthkit.org/sleuthkit
> http://www.sleuthkit.org/autopsy

--
Tanaka Souji <so...@is...>
From: Brian C. <ca...@sl...> - 2003-04-04 15:44:39

This is related to the error messages that have been discussed a few times on this list. It came from the tct-users list. Thanks Ralf!

brian

Forwarded From: Ralf Spenneberg <sp...@sp...>
> Am Fre, 2003-04-04 um 06.55 schrieb Brian Carrier:
>> This is caused by the new Perl in RH 8.0. The DateManip library that mactime uses has some international values that Perl 5.8 does not like. The errors do not affect the output (unless you enter a date in Portuguese).
>
> You should be able to use the following line as a workaround:
>
> LANG=C LC_ALL=C mactime
>
> This disables UTF. Otherwise you can edit /etc/sysconfig/i18n
>
> Cheers,
>
> Ralf
> --
> Ralf Spenneberg
> UNIX/Linux Trainer and Consultant, RHCE, RHCX
> Waldring 34 48565 Steinfurt Germany
> Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757
> Mobil: +49(0)177 567 27 40
>
> Markt+Technik Buch: Intrusion Detection für Linux Server
> IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org/.de
> Honeynet Project Mirror: http://honeynet.spenneberg.org
> Snort Mirror: http://snort.spenneberg.org
From: Ralf S. <li...@sp...> - 2003-04-04 07:53:45

Am Fre, 2003-04-04 um 00.03 schrieb Brian Carrier:
> The Sleuth Kit version 1.61 and Autopsy version 1.71 are now available.

Great work Brian!

I have generated the appropriate RPM packages and they are available at their usual location:

http://www.spenneberg.com/index.php?id=6&subject=%2FForensics%2F
or
http://www.spenneberg.org/Forensics

Cheers,

Ralf

--
Ralf Spenneberg
RHCE, RHCX
IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror: http://honeynet.spenneberg.org
Snort Mirror: http://snort.spenneberg.org
From: Brian C. <ca...@sl...> - 2003-04-04 04:15:38

>>> I've also noticed a curious behaviour with FAT12 on the latest sleuthkit release. Files on a floppy were written to it at 21:45BST, with the timezone set to GMT0BST, they show as 2:45 tomorrow in the timeline. (file writes and analysis done on the same machine btw)
>>
>> What does a 'ls' or 'dir' show?
>
> ls gives the correct modification time of 21:45

Are all (W, A, and C) of the times set to 2:45 or just some of them? You can get all of them via the File Mode in Autopsy. I've seen some FAT images with a couple of random times that are way off. If they are all way off, can you send me the parent directory contents (off list)? This is easily done by finding out the meta data address of the parent directory (800 for example) and using icat:

    # icat -f fat12 img.dd 800 > dir.dat

The only thing in there are the file names, times, and starting cluster. Nothing sensitive.

brian