sleuthkit-users — List to discuss Autopsy and The Sleuth Kit.

Re: [sleuthkit-users] fls core

[Josep M H. <jm...@me...>]

Brian Carrier wrote:
> Hmm.  Can you send me the contents of the 'host.aut' file in the host
> directory?
> 

desc Server
timezone  CET
timeskew  1
image  images/c0t0d0s0-root.dd    solaris    /mnt/host/
body  output/body
timeline  output/mactime-test
timeline  output/mactime-test
body  output/body
body  output/body
body  output/body
body  output/body
body  output/body


> Also, can you run:
> 
> 	# fls -f solaris -la -z CET -s 1 path/c0t0d0s0-root.dd
> 
> Does it core?
> 

Yes , it does.

> 
> brian
> 
> 

Thanks ,
Josep M Homs

Re: [sleuthkit-users] fls core

[Brian C. <ca...@ce...>]

Hmm.  Can you send me the contents of the 'host.aut' file in the host
directory?

Also, can you run:

	# fls -f solaris -la -z CET -s 1 path/c0t0d0s0-root.dd

Does it core?


brian

Re: [sleuthkit-users] fls core

[Josep M H. <jm...@me...>]

Brian Carrier wrote:
>  
> 
> 
>>when i run fls from the shell as follows :
>>
>>/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s0-root.dd
>>
>>i dont get any core.
> 
> 
> That is very strange.  Save the 'fls' output to a file.  How big is the
> file?  I've never seen perl core though because the output was so big.
> What do you have the timezone, timeskew, and mounting point set as?
> Those are also passed when Autopsy actually runs the tools.


I have the following dd images ,
one for each mont point in the original filesystem :
-rw-r--r--  1 root  wheel   1075994624 Mar 16 22:08 c0t0d0s0-root.dd
-rw-r--r--  1 root  wheel   1075994624 Mar 18 15:42 c0t0d0s1-var.dd
-rw-r--r--  1 root  wheel    106151936 Mar 18 15:56 c0t0d0s5-opt.dd
-rw-r--r--  1 root  wheel  12624842752 Mar 17 22:29 c0t0d0s6-usr.dd
-rw-r--r--  1 root  wheel   2149576704 Mar 18 16:45 c0t0d0s7-exporthome.dd

Inside Autopsy host definition :
/mnt/host/ 		images/c0t0d0s0-root.dd details
/mnt/host/export/home/ 	images/c0t0d0s7-exporthome.dd details
/mnt/host/opt/ 		images/c0t0d0s5-opt.dd details
/mnt/host/usr/ 		images/c0t0d0s6-usr.dd details
/mnt/host/var/ 		images/c0t0d0s1-var.dd

Timezone: CET
Timeskew: 1

 From the command line :

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s0-root.dd > c0t0d0s0.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s0.txt
-rw-r--r--  1 root  staff  672014 Mar 24 15:47 c0t0d0s0.txt

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s1-var.dd > c0t0d0s1.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s1.txt
-rw-r--r--  1 root  staff  626144 Mar 24 15:56 c0t0d0s1.txt

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s5-opt.dd > c0t0d0s5.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s5.txt
-rw-r--r--  1 root  staff  421 Mar 24 15:58 c0t0d0s5.txt

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s6-usr.dd > c0t0d0s6.txt
./fls: read block read error (8192@12624838656): Unknown error: 0
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s6.txt
-rw-r--r--  1 root  staff  545931 Mar 24 15:59 c0t0d0s6.txt

blackbox:/usr/local/bin/task/bin# ./fls -r -m on 
/somepath/images/c0t0d0s7-exporthome.dd > c0t0d0s7.txt
blackbox:/usr/local/bin/task/bin# ls -la c0t0d0s7.txt
-rw-r--r--  1 root  staff  184 Mar 24 16:00 c0t0d0s7.txt


As i pasted in the previous email ,
several core messages appear in the Autopsy browser ,
not only in the creation of the data file in timeline section,
also for example when i go to file analysis :
Deleted Files      Type
dir  / in    File Name    Modified Time    Access Time    Change Time 
  Size    UID    GID    Meta
Error parsing string: Segmentation fault (core dumped)

I removed from config the biggest image that gives a read error ,
but the cores remains , also if i work with only the smallest one.


Best regards ,
Josep M Homs

Re: [sleuthkit-users] fls core

[Brian C. <ca...@ce...>]

 

> when i run fls from the shell as follows :
> 
> /usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s0-root.dd
> 
> i dont get any core.

That is very strange.  Save the 'fls' output to a file.  How big is the
file?  I've never seen perl core though because the output was so big.
What do you have the timezone, timeskew, and mounting point set as?
Those are also passed when Autopsy actually runs the tools.

brian

[sleuthkit-users] fls core

[Josep M H. <jm...@me...>]

Hi ,
i have just installed TASK v1.60 and Autopsy v1.70
in a FreeBSD 4.8RC box.
It seems to be a problem with the base system Perl in FreeBSD with
the large files , so i installed the Perl 5.8 port version ,
and the problem at make time seems to disappear.
But now (also before Perl upgrade) i receive some coredumps from fls 
while working with some dd Solaris images from the browser with Autopsy.
For example , while creating data file in timeline section :

Running fls -r -m on images/c0t0d0s0-root.dd
Segmentation fault (core dumped)
Running ils -m on images/c0t0d0s0-root.dd
Running fls -r -m on images/c0t0d0s7-exporthome.dd
Running ils -m on images/c0t0d0s7-exporthome.dd
Running fls -r -m on images/c0t0d0s6-usr.dd
Segmentation fault (core dumped)
Running ils -m on images/c0t0d0s6-usr.dd
Running fls -r -m on images/c0t0d0s1-var.dd
Segmentation fault (core dumped)
Running ils -m on images/c0t0d0s1-var.dd
Running fls -r -m on images/c0t0d0s5-opt.dd
Segmentation fault (core dumped)
Running ils -m on images/c0t0d0s5-opt.dd

when i run fls from the shell as follows :

/usr/local/bin/task/bin# ./fls -r -m on /somepath/images/c0t0d0s0-root.dd

i dont get any core.

Any idea ?

Thanks in advance ,
Josep M Homs

Re: [sleuthkit-users] Autopsy-1.70 UTF-8 patch

[Minoru K. <co...@ex...>]

Brian Carrier wrote <200...@ba...>:

>> And, I found a problem of Autopsy when a browser send a long long 
>> request to Autopsy (see 
>http://www.asahi-net.or.jp/~uu8m-kbys/long-request.txt).
>> 
>> If a long request is sent, Autopsy will not be processed normally.
>> A file content frame and a file type frame are not displayed.
>
>I just tried the NTFS image you supplied and it worked for me 
>(w/out either of the the UNICODE patches).  What browser are
>you using?  Try to open each of the frames in their own window
>and see what it does.

This problem occurs only when a UNICODE patch is applied.
It will occur, if a very long Japanese file name is accessed within a 
file list frame (I use Phoenix for the browser).

The Japanese file name expressed with UTF-8 is processed with a 
'url_encode' function, and becomes still longer. Therefore, the link 
of a very long name is generated in the file list frame. The request 
and reply when clicking this link are as follows.

Request 1: http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/request1.txt
Request 2: http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/request2.txt
Request 3: http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/request3.txt

Please see request 2. Autopsy will not output after the reply of 
"HTTP/1.0 200 OK". This seems not to invoke the 'autopsy_main' 
function.

This problem is occured even when the 'dir' argument is the usual 
alphabet. For example, also in continuous 'A' of about 2000 
characters, the contents of the 'dir' argument occur.

# However, it is sometimes displayed normally.
# I do not understand a cause.

>                       I'm also curious to see what your patch
>passes in the 'dir' argument on the GET request.

My patch shortens a character sequence, when the 'dir' argument is 
256 or more characters, in order to avoid the above-mentioned 
problem. However, this code is imperfect.

http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/mypatched-request.txt

>                                                  I'm not sure
>if the url_decode and url_encode function will handle the UTF-8
>correctly.  

As for these functions, I seem to be able to handle UTF-8 correctly.
However, please remember that I am not Perl wizard. Furthermore, I 
am not detailed to UTF-8, either.

And, I corrected the 'check_inode' function.
New patch is here.
http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/autopsy-utf8-6.patch


Best regards.

-- 
Minoru Kobayashi mailto:co...@ex...

Re: [sleuthkit-users] Autopsy-1.70 UTF-8 patch

[Brian C. <ca...@ce...>]

On Sun, Mar 16, 2003 at 08:24:18PM +0900, Minoru Kobayashi wrote:
> Hi.
> 
> I wrote the Autopsy-1.70 patch to use UTF-8 option of TASK command.
> The UTF-8 option is used only when a disk image is NTFS.
> 
> http://www.asahi-net.or.jp/~uu8m-kbys/autopsy-utf8-5.patch

Great!  I'm going to have some time next week to incorporate these.

> And, I found a problem of Autopsy when a browser send a long long 
> request to Autopsy (see http://www.asahi-net.or.jp/~uu8m-kbys/long-request.txt).
> 
> If a long request is sent, Autopsy will not be processed normally.
> A file content frame and a file type frame are not displayed.

I just tried the NTFS image you supplied and it worked for me 
(w/out either of the the UNICODE patches).  What browser are
you using?  Try to open each of the frames in their own window
and see what it does.  I'm also curious to see what your patch
passes in the 'dir' argument on the GET request.  I'm not sure
if the url_decode and url_encode function will handle the UTF-8
correctly.  

thanks,

brian

Re: [sleuthkit-users] Refining keyword searches

[Brian C. <bca...@at...>]

On Sat, Mar 15, 2003 at 09:51:58PM -0000, Silent Partner wrote:
> Quoting: "Brian Carrier"
> > Your best bet would be to mount the image in loopback and run a grep
> > script.  I have no clue exactly what it would be though.  It would look
> > something like this for one keyword:
> 
> Task/Autopsy have information regarding hidden / deleted files. When it works
> with images, does it undelete such files into the image so that they are
> available for manual searching if the image is mounted in loopback?

No! That would be very bad since it would modify the image and any
integrity checks would fail.  TASK isn't an automated file recovery
tool yet. It gives you all the information about where stuff is on the
disk, but in general it requires manual recovery.

brian

[sleuthkit-users] Autopsy-1.70 UTF-8 patch

[Minoru K. <co...@ex...>]

Hi.

I wrote the Autopsy-1.70 patch to use UTF-8 option of TASK command.
The UTF-8 option is used only when a disk image is NTFS.

http://www.asahi-net.or.jp/~uu8m-kbys/autopsy-utf8-5.patch


And, I found a problem of Autopsy when a browser send a long long 
request to Autopsy (see http://www.asahi-net.or.jp/~uu8m-kbys/long-request.txt).

If a long request is sent, Autopsy will not be processed normally.
A file content frame and a file type frame are not displayed.

http://www.asahi-net.or.jp/~uu8m-kbys/autopsy-problem.jpg


I verified in the following disk images.
http://www.port139.co.jp/task/ads01.dd


Best regards.

-- 
Minoru Kobayashi mailto:co...@ex...

Re: [sleuthkit-users] Refining keyword searches

[Silent P. <sp...@si...>]

Quoting: "Brian Carrier"
> Your best bet would be to mount the image in loopback and run a grep
> script.  I have no clue exactly what it would be though.  It would look
> something like this for one keyword:

Task/Autopsy have information regarding hidden / deleted files. When it works
with images, does it undelete such files into the image so that they are
available for manual searching if the image is mounted in loopback?

Sid.

Re: [sleuthkit-users] Refining keyword searches

[Brian C. <bca...@at...>]

On Wed, Mar 12, 2003 at 10:27:03PM -0500, Eagle Investigative Services wrote:
> Hello group, 
> 
> Does anyone know how I could do the following from within 
> Autopsy? 
> 
> I want to search for a certain name, say Foo, and then 
> search only the results for another term - bar? How can this be done?

The short answer is probably no.  You can try the regular expression
of:

	"foo.*bar"

The long answer is that it may not work as well as you would like
because Autopsy does not search by file.  it searches by logical
units.  It just does a grep on the image file and when the keyword is
found, it goes up the tree to find out which inode/MFT allocated the
unit and which file name points to the inode/MFT.  Therefore it has no
notion of ensuring that a file has both keywords in it.

> Can it be done from the command line in TASK? if so
> can someone please walk me through it?

Your best bet would be to mount the image in loopback and run a grep
script.  I have no clue exactly what it would be though.  It would look
something like this for one keyword:

	# grep -H -d recurse "foo" *

Good luck.

brian

[sleuthkit-users] Refining keyword searches

[Eagle I. S. <in...@ea...>]

Hello group, 

Does anyone know how I could do the following from within 
Autopsy? 

I want to search for a certain name, say Foo, and then 
search only the results for another term - bar? How can this be done?

Can it be done from the command line in TASK? if so
can someone please walk me through it?

Thank you 

Niall

-----Original Message-----
From: Brian Carrier [mailto:bca...@at...]
Sent: Tuesday, March 11, 2003 12:27 AM
To: Eagle Investigative Services
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Question regarding keyword search


> I'm searching a drive for a keyword "Linda".
>   
> It returns 143 hits, all listed like this::
> 	
>   438592 (Hex - Ascii)
>     offset 419 bytes

The 438592 is the data unit address that contains the keyword.  You can
also view this via the 'Data Unit' interface.  The 419 means that the
string is 419 bytes into the data unit.  
 
> However, some of these show data and some do not. 
> Example I could have another hit that has a size of 419 bytes
> and when I click on the Ascii link, all I get is:
> 
> Error identifying block size (dcat -s output)
> 
> How can I see what's there?

That is strange.  Can you edit the 'autopsyfunc.pm' file and add the
following:

		print "$dcat_out\n";

after line 8148:
		print "Error identifying block size (dcat -s output)\n";

So, you should have:

		print "Error identifying block size (dcat -s output)\n";
		print "$dcat_out\n";
		exit(1);

Restart Autopsy and try the search again.  

What are you searching?  Is it a live device or a dead image?  What
file system type?  Is it just the unallocated space or all of the
partition?  Did you make a strings file?  

What happens when you enter the address from the Data Unit mode?  Is
the message in the top half, the bottom half, or both halves of the
right-side of the screen?  Does the link always generate the error, or
just sometimes?  Does it happen for both Ascii and Hex mode?

thanks,
brian

Re: [sleuthkit-users] Question regarding keyword search

[Brian C. <bca...@at...>]

> >> Is it just the unallocated space or all of the
> >>partition?
> 
> As far as I can tell, I'm searching the entire partition. The page is
> titled "Keyword search on images/hdb1 - which is the name of the
> image.

This is true.  You can also just search the unallocated space by
using the 'Extract Unallocated Space' button on the bottom.
 
> I left the defaults with regard to Strings file etc. However, when I
> unchecked
> the MD5 options, in an effort to speed searching, 

The initial MD5 check value will have no impact on the speed of the
process.  The MD5 only takes longer when the image is initially
imported.

> I got the same error in
> the
> LHS frame : "Error identifying block size (dcat -s output)", and of course
> no results.

The error is on the left-hand side now?  That is very strange, since it
means that sometimes it works and sometimes it doesn't.  The errors last
night were on the right-hand side correct?

> No, I repeated the search for Linda, and got a different result but still
> a blank ascii data page. The message was :
> 
> ASII Contents of Sector 1205162 (512 bytes) in images/hdb1
> 
> and that was all that was displayed.
> 
> I clicked on the Hex tab and it displayed the data in that sector.
> 
> When I clicked on the Ascii tab after that the ASCII characters were
> displayed.
> 
> Could this be a browser problem? I'm using Konqueror 3.03 (using KDE 3.03)

The above sounds like a browser issue.  I use Mozilla and it also sometimes 
does not display a page.  But, it is rare.

> I have not edited the files you referred to as of yet.

That would be the most helpful.  I can send you the file with the
edits in it if you send me a copy of your autopsyfunc.pm (off line).

thanks,
brian

Re: [sleuthkit-users] Binary outputs from task (SEC: UNCLASSIFIED)

[Brian C. <bca...@at...>]

On Tue, Mar 11, 2003 at 02:00:30PM +1100, Lisman, Jarrad FLGOFF wrote:
> Hi, I am just experimenting with task and autopsy and am having some
> troubles. Every time (I have done it on two different systems now) that I
> try to create the data and timeline files in autopsy, the data creation
> seems to go fine but when doing the timeline I get a Malformed UTF-8
> Character error. 

This message is a known 'bug', but I'm not sure if it has an effect on
the output.  It is from a Perl module that mactime uses (DateManip)
and the new Perl that comes with RH 8.0 does not like some of the
international encodings.  If I knew Portuguese, I would fix it.  I
emailed the author a while back, but did not hear back.  If you are
using "american"-style dates though, then I think it is ok.


> This then brings up garbage in the timeline file. On
> further inspection I find that there is spurious characters indicitive of
> binary in the body file (These are causing the Malformed UTF Character error
> I would say) So that implies to me that fls and ils seem to be outputting
> some binary stuff where they are not meant to be.

What version of TASK do you have?  Version 1.60 fixed a bug that
existed in timelines where the destination of symbolic links was
not null terminated.

If you are using 1.60, can you send me a copy of the body file or
at least the offending lines (off list).


brian

RE: [sleuthkit-users] Question regarding keyword search

[Eagle I. S. <in...@ea...>]

Brian,

Sorry for not giving more details.

I am searching a dead image, FAT32, WIN95, 6 Gigs. single partition.

It's a wrongful death case and I'm searching for conversations between
a daughter and her deceased father, about his doctor, named "Linda".

>> Is it just the unallocated space or all of the
>>partition?

As far as I can tell, I'm searching the entire partition. The page is
titled "Keyword search on images/hdb1 - which is the name of the
image.

I left the defaults with regard to Strings file etc. However, when I
unchecked
the MD5 options, in an effort to speed searching, I got the same error in
the
LHS frame : "Error identifying block size (dcat -s output)", and of course
no results.

No, I repeated the search for Linda, and got a different result but still
a blank ascii data page. The message was :

ASII Contents of Sector 1205162 (512 bytes) in images/hdb1

and that was all that was displayed.

I clicked on the Hex tab and it displayed the data in that sector.

When I clicked on the Ascii tab after that the ASCII characters were
displayed.

Could this be a browser problem? I'm using Konqueror 3.03 (using KDE 3.03)

Another anomaly, I've found that clicking the Ascii link several times
eventually (sometimes
2, sometimes 4 clicks) brings up the data.

I have not edited the files you referred to as of yet.

Regards,

Niall.







-----Original Message-----
From: Brian Carrier [mailto:bca...@at...]
Sent: Tuesday, March 11, 2003 12:27 AM
To: Eagle Investigative Services
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Question regarding keyword search


> I'm searching a drive for a keyword "Linda".
>
> It returns 143 hits, all listed like this::
>
>   438592 (Hex - Ascii)
>     offset 419 bytes

The 438592 is the data unit address that contains the keyword.  You can
also view this via the 'Data Unit' interface.  The 419 means that the
string is 419 bytes into the data unit.

> However, some of these show data and some do not.
> Example I could have another hit that has a size of 419 bytes
> and when I click on the Ascii link, all I get is:
>
> Error identifying block size (dcat -s output)
>
> How can I see what's there?

That is strange.  Can you edit the 'autopsyfunc.pm' file and add the
following:

		print "$dcat_out\n";

after line 8148:
		print "Error identifying block size (dcat -s output)\n";

So, you should have:

		print "Error identifying block size (dcat -s output)\n";
		print "$dcat_out\n";
		exit(1);

Restart Autopsy and try the search again.

What are you searching?  Is it a live device or a dead image?  What
file system type?  Is it just the unallocated space or all of the
partition?  Did you make a strings file?

What happens when you enter the address from the Data Unit mode?  Is
the message in the top half, the bottom half, or both halves of the
right-side of the screen?  Does the link always generate the error, or
just sometimes?  Does it happen for both Ascii and Hex mode?

thanks,
brian

[sleuthkit-users] Binary outputs from task (SEC: UNCLASSIFIED)

[Lisman, J. F. <Jar...@de...>]

Hi, I am just experimenting with task and autopsy and am having some
troubles. Every time (I have done it on two different systems now) that I
try to create the data and timeline files in autopsy, the data creation
seems to go fine but when doing the timeline I get a Malformed UTF-8
Character error. This then brings up garbage in the timeline file. On
further inspection I find that there is spurious characters indicitive of
binary in the body file (These are causing the Malformed UTF Character error
I would say) So that implies to me that fls and ils seem to be outputting
some binary stuff where they are not meant to be.
The drive I have the image from is formatted in ext3, could this be the
problem? I am also using RH 8.0 to run autopsy and task.

Does anyone know where I have gone wrong?

Thanks

Jarrad

Re: [sleuthkit-users] Question regarding keyword search

[Brian C. <bca...@at...>]

> I'm searching a drive for a keyword "Linda".
>   
> It returns 143 hits, all listed like this::
> 	
>   438592 (Hex - Ascii)
>     offset 419 bytes

The 438592 is the data unit address that contains the keyword.  You can
also view this via the 'Data Unit' interface.  The 419 means that the
string is 419 bytes into the data unit.  
 
> However, some of these show data and some do not. 
> Example I could have another hit that has a size of 419 bytes
> and when I click on the Ascii link, all I get is:
> 
> Error identifying block size (dcat -s output)
> 
> How can I see what's there?

That is strange.  Can you edit the 'autopsyfunc.pm' file and add the
following:

		print "$dcat_out\n";

after line 8148:
		print "Error identifying block size (dcat -s output)\n";

So, you should have:

		print "Error identifying block size (dcat -s output)\n";
		print "$dcat_out\n";
		exit(1);

Restart Autopsy and try the search again.  

What are you searching?  Is it a live device or a dead image?  What
file system type?  Is it just the unallocated space or all of the
partition?  Did you make a strings file?  

What happens when you enter the address from the Data Unit mode?  Is
the message in the top half, the bottom half, or both halves of the
right-side of the screen?  Does the link always generate the error, or
just sometimes?  Does it happen for both Ascii and Hex mode?

thanks,
brian

[sleuthkit-users] Question regarding keyword search

[Eagle I. S. <in...@ea...>]

I'm searching a drive for a keyword "Linda". 

It returns 143 hits, all listed like this::

438592 (Hex - Ascii)
offset 419 bytes

However, some of these show data and some do not. 
Example I could have another hit that has a size of 419 bytes
and when I click on the Ascii link, all I get is:

Error identifying block size (dcat -s output)

How can I see what's there?

Also, is there a way to enter multiple keywords in the search box?

TIA

Niall.

Re: [sleuthkit-users] ntfs.c.patch

[Hideaki I. <hi...@po...>]

On Sun, 9 Mar 2003 22:07:54 -0500
Brian Carrier <ca...@ce...> wrote:

>> Mr.Takahashi and I have tried to solve this problem in these days.
>> http://www.securiteam.com/windowsntfocus/5QP08156AQ.html
>
>Interesting.  The only place that TASK would have a problem with this
>though is with 'ffind'.  The path in 'ffind' is limited to 2048.  If
>you were to browse via directories though (like in Autopsy) it should
>not matter.  Is there another place that I am not thinking of?

It is OK as long as I checked.
(But I have not tested all functions.)
I will let you know if I find another problem.

-- 
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/

Re: [sleuthkit-users] RE: Problem adding image

[Brian C. <bca...@at...>]

On Mon, Mar 10, 2003 at 12:36:43PM -0000, Silent Partner wrote:
> Brian,
> 
> > As sid alluded to, it took so long because it was calculating the MD5
> > value of the partition (Although that is really long and slow!).
> 
> Perhaps an animated gif on the page to give people the feeling they've not been
> forgotten about? Just something to consider for roadmap / wishlist.

I've thought of that, but there are two issues:

1.  This would require two pages.  One that displays the progress bar
and the second that displays the "results" (either an MD5 value or
search results).  The current design does not really handle that.  

2.  I'm not a graphics guy and have no clue how to make an animated
gif and will not use javascript.

This is one of the limitations of only using basic HTML.

brian

Re: [sleuthkit-users] RE: searching times was - Problem adding image

[Brian C. <bca...@at...>]

On Sun, Mar 09, 2003 at 11:07:27PM -0500, Eagle Investigative Services wrote:
> Thanks Brian,
> 
> I have to re-red the docs, but when I ran a keyword search on
> the string " *.eml ", it was still searching after an hour and a half.
> Is this normal?

For your file system size and based on how long your MD5 took, yes.

 
> Is there a way to speed up the process in Autopsy? For example
> if I was looking for a person's name that I know is contained in
> a deleted email. Is there a way to quickly search for that or do I need
> to sit it out?

Use the 'Extract Strings' button from the bottom of the keyword search
screen.

brian

Re: [sleuthkit-users] Extended Partitions [was] RE: Problem adding image

[Silent P. <sp...@si...>]

Quoting: "Silent Partner"
> I've not discovered any limitation to the number of partitions / logical
drives
> that an extended partition can have.

Now I have, its 32.

> Just some partition-trivia.....
>
> Sid.
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> sleuthkit-users mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>

Re: [sleuthkit-users] Extended Partitions [was] RE: Problem adding image

[Silent P. <sp...@si...>]

Quoting: "Brian Carrier"
> Extended are still needed.  The partition table in the first block of
> the disk has four entries in it.  So, you can describe three primary
> partitions and then fill the rest of the disk with an extended
> partition.  The extended partition has another table in it that is used
> to describe partitions in it.  This repeats until all needed partitions
> can be described.

Just been doing some digging on this and have found out that a "pc style"
partition map can have up to four primary partitions in it, but that the
microsoft tools only allow the creation of 1 primary partition. Microsoft can
use and read up to four primary partitions created by other tools.

The notion of an extended partition was apparently a microsoft hack to get
around the limitation of 4 primary partitions, and to allow its own tools to
create more than 1 primary partition. The extended partition consumes the
remainder of the disk space not consumed by the primary partition, and holds its
own partition table to reference the "logical" drives as Brian points out.

I've not discovered any limitation to the number of partitions / logical drives
that an extended partition can have.

Just some partition-trivia.....

Sid.

Re: [sleuthkit-users] RE: Problem adding image

[Silent P. <sp...@si...>]

Brian,

> As sid alluded to, it took so long because it was calculating the MD5
> value of the partition (Although that is really long and slow!).

Perhaps an animated gif on the page to give people the feeling they've not been
forgotten about? Just something to consider for roadmap / wishlist.

Sid

Re: [sleuthkit-users] RE: Problem adding image

[Silent P. <sp...@si...>]

Quoting: "Eagle Investigative Services"
> Also, is there an archive of these messages anywhere? Maybe some of my
> future
> questions have already been discussed and I'd like not to waste anyone's
> time.

List-Help: <mailto:sle...@li...?subject=help>
List-Post: <mailto:sle...@li...>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/sleuthkit-users>,
 <mailto:sle...@li...?subject=subscribe>
List-Id: TASK Discussion List <sleuthkit-users.lists.sourceforge.net>
List-Unsubscribe:
<https://lists.sourceforge.net/lists/listinfo/sleuthkit-users>,
 <mailto:sle...@li...?subject=unsubscribe>
List-Archive:
<http://sourceforge.net/mailarchive/forum.php?forum=sleuthkit-users>

This type of information is usually always to be found inside the headers of
mailing list email.

Sid.