sleuthkit-users Mailing List for The Sleuth Kit (Page 209)
Brought to you by:
carrier
From: Eagle I. S. <in...@ea...> - 2003-03-10 04:12:50

Thanks Brian,

>> Also, if you choose the wrong file system type, you can just edit the
>> 'host.aut' file by hand and change the 'bsdi' field to 'ntfs'.

That's good to know. I'm up and running with Autopsy now. I have to re-read the docs, but when I ran a keyword search on the string " *.eml ", it was still searching after an hour and a half. Is this normal? I know that Encase uses a version of grep that takes all night to search its proprietary images. Is there a way to speed up the process in Autopsy? For example, if I was looking for a person's name that I know is contained in a deleted email, is there a way to quickly search for that or do I need to sit it out?

Thanks again in advance for all the help.....

Niall.

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Brian Carrier
Sent: Sunday, March 09, 2003 9:51 PM
To: Eagle Investigative Services
Cc: sle...@li...
Subject: Re: [sleuthkit-users] RE: Problem adding image

On Sun, Mar 09, 2003 at 05:42:53PM -0500, Eagle Investigative Services wrote:
> It appears that Autopsy takes a looong time to load the image.
> 3 hours for my 20 Gig partition. Only to find that I had forgotten
> to select NTFS on the drop down and was greeted with "error - not
> an FFS system".

As sid alluded to, it took so long because it was calculating the MD5 value of the partition (although that is really long and slow!). Uncheck the 'Calculate MD5' if you need it to go faster.

Also, if you choose the wrong file system type, you can just edit the 'host.aut' file by hand and change the 'bsdi' field to 'ntfs'.

> Some other newbie points:
>
> I found I could only create the symbolic link to dev/hda1 when I had
> navigated to the images directory within which I wished to create the
> symbolic link. Maybe this is something all experts
> of Unix know you should do, but I was logged in as root, so I assumed
> I had God-like powers to create links and directories at will. Not so, at
> least in my case.

Symbolic links can be tricky about where they point to. In general, it is best to provide full paths for the source and destination. For example:

    ln -s /dev/hda1 /usr/local/forensics/locker/case1/host1/images/hda1

> When I did a dmesg on my drive, it came back with the following:
>
> hda1 hda2 <hda3 hda4 hda5>
>
> Can anyone explain what's between the angled brackets? Hidden
> partitions? I know there's only two partitions on the drive.

They are partitions. Use 'mount' to find out how many you are actually using.

> Also, is there an archive of these messages anywhere? Maybe some of my
> future questions have already been discussed and I'd like not to waste
> anyone's time.

There should be on the sourceforge site.

brian
From: Brian C. <ca...@ce...> - 2003-03-10 03:08:14

On Mon, Mar 10, 2003 at 10:06:11AM +0900, Hideaki Ihara wrote:
> Brian Carrier <ca...@at...> wrote:
>
> > It would be useful if you could make a small partition (10 MB or so
> > that is wiped so it compresses nicely) with Japanese characters in it.
>
> I made an NTFS image of eight mega size.
> http://www.port139.co.jp/task/ads02.dd
>
> It includes a Japanese character.
> In addition, it has 255 characters as length of a file name.

Great, I'll check it out.

> Mr.Takahashi and I have tried to solve this problem in these days.
> http://www.securiteam.com/windowsntfocus/5QP08156AQ.html

Interesting. The only place that TASK would have a problem with this though is with 'ffind'. The path in 'ffind' is limited to 2048. If you were to browse via directories though (like in Autopsy) it should not matter. Is there another place that I am not thinking of?

brian
From: Brian C. <bca...@at...> - 2003-03-10 02:51:52

On Sun, Mar 09, 2003 at 05:42:53PM -0500, Eagle Investigative Services wrote:
> It appears that Autopsy takes a looong time to load the image.
> 3 hours for my 20 Gig partition. Only to find that I had forgotten
> to select NTFS on the drop down and was greeted with "error - not
> an FFS system".

As sid alluded to, it took so long because it was calculating the MD5 value of the partition (although that is really long and slow!). Uncheck the 'Calculate MD5' if you need it to go faster.

Also, if you choose the wrong file system type, you can just edit the 'host.aut' file by hand and change the 'bsdi' field to 'ntfs'.

> Some other newbie points:
>
> I found I could only create the symbolic link to dev/hda1 when I had
> navigated to the images directory within which I wished to create the
> symbolic link. Maybe this is something all experts
> of Unix know you should do, but I was logged in as root, so I assumed
> I had God-like powers to create links and directories at will. Not so, at
> least in my case.

Symbolic links can be tricky about where they point to. In general, it is best to provide full paths for the source and destination. For example:

    ln -s /dev/hda1 /usr/local/forensics/locker/case1/host1/images/hda1

> When I did a dmesg on my drive, it came back with the following:
>
> hda1 hda2 <hda3 hda4 hda5>
>
> Can anyone explain what's between the angled brackets? Hidden
> partitions? I know there's only two partitions on the drive.

They are partitions. Use 'mount' to find out how many you are actually using.

> Also, is there an archive of these messages anywhere? Maybe some of my
> future questions have already been discussed and I'd like not to waste
> anyone's time.

There should be on the sourceforge site.

brian
From: Brian C. <bca...@at...> - 2003-03-10 02:42:26

> What happened to the notion of extended partitions? Is this now obsolete with
> new IDE technology? Or just unnecessary for linux, and still used by Windows?

Extended are still needed. The partition table in the first block of the disk has four entries in it. So, you can describe three primary partitions and then fill the rest of the disk with an extended partition. The extended partition has another table in it that is used to describe partitions in it. This repeats until all needed partitions can be described.

brian
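Brian's description of the extended partition chain, worked through in code. This is an added example, not code from the list, from Autopsy or from TASK/The Sleuth Kit: it reads a small constructed disk (every sector, partition type and LBA below is made up for the example), takes the four entries from the first sector, then follows the link in each extended boot record the way the Linux msdos partition parser does, numbering primaries by slot and logical partitions from 5 upward. Its last function prints the result in the kernel's style, in which the logical partitions found inside an extended partition are listed between angle brackets, which is what Niall's dmesg line is showing. The function names (list_partitions, kernel_style, sample_read_sector) are the example's own.

```python
"""Walk a DOS/MBR partition table, following the extended-partition chain."""
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE               # the four 16-byte entries in an MBR or EBR
EXTENDED_TYPES = {0x05, 0x0F, 0x85}
MAX_LOGICAL = 128                  # bound the chain walk on corrupt tables


def _entries(sector):
    """Yield (type, start_lba, size_sectors) for the four table slots."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR/EBR sector (0x55AA signature missing)")
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        ptype = sector[off + 4]                       # byte 4 is the type id
        start, size = struct.unpack_from("<II", sector, off + 8)
        yield ptype, start, size


def list_partitions(read_sector, dev="hda"):
    """read_sector(lba) returns one 512-byte sector of the disk.
    Returns dicts for every partition: primaries numbered by slot (1-4),
    logical partitions from 5 upward, the way Linux names them."""
    parts, ext_base = [], None
    for slot, (ptype, start, size) in enumerate(_entries(read_sector(0)), 1):
        if ptype == 0:
            continue                                  # empty slot
        parts.append({"name": f"{dev}{slot}", "num": slot, "type": ptype,
                      "start": start, "size": size})
        if ptype in EXTENDED_TYPES and ext_base is None:
            ext_base = start                          # container for the chain
    if ext_base is None:
        return parts
    # Each EBR holds one logical partition (slot 0, start relative to that
    # EBR) and a link to the next EBR (slot 1, start relative to ext_base).
    ebr, num, seen = ext_base, 5, set()
    while ebr not in seen and num < 5 + MAX_LOGICAL:
        seen.add(ebr)                                 # refuse to loop forever
        slots = list(_entries(read_sector(ebr)))
        ptype, start, size = slots[0]
        if ptype and size:
            parts.append({"name": f"{dev}{num}", "num": num, "type": ptype,
                          "start": ebr + start, "size": size})
            num += 1
        link_type, link_start, _ = slots[1]
        if link_type not in EXTENDED_TYPES or link_start == 0:
            break                                     # end of chain
        ebr = ext_base + link_start
    return parts


def kernel_style(parts):
    """Format like the kernel's listing: primaries, then the logical
    partitions inside angle brackets, e.g. 'hda1 hda2 <hda5 hda6>'."""
    primaries = [p["name"] for p in parts if p["num"] <= 4]
    logicals = [p["name"] for p in parts if p["num"] >= 5]
    text = " ".join(primaries)
    if logicals:
        text += " <" + " ".join(logicals) + ">"
    return text


# --- constructed sample disk (not a real device) ---------------------------
def _entry(ptype, start, size):
    # CHS fields are zeroed; the LBA start and size fields are what matter.
    return struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", start, size)


def _table_sector(*entries):
    sec = bytearray(SECTOR)
    for i, e in enumerate(entries):
        sec[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = e
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


EXT_BASE = 2048
SAMPLE_DISK = {  # LBA -> sector; one Linux primary, then an extended partition
    0: _table_sector(_entry(0x83, 63, 1000), _entry(0x05, EXT_BASE, 4096)),
    EXT_BASE: _table_sector(_entry(0x83, 63, 1000), _entry(0x05, 2048, 2048)),
    EXT_BASE + 2048: _table_sector(_entry(0x82, 63, 1000)),  # last EBR, no link
}


def sample_read_sector(lba):
    return SAMPLE_DISK.get(lba, bytes(SECTOR))       # unlisted sectors are zero


if __name__ == "__main__":
    found = list_partitions(sample_read_sector)
    for p in found:
        print(f"{p['name']:6} type 0x{p['type']:02x} start {p['start']:>6} size {p['size']}")
    print(kernel_style(found))                       # hda1 hda2 <hda5 hda6>
```

On a real image, read_sector would seek to lba * 512 in the dd file and read 512 bytes; the loop guard matters there, because a damaged or deliberately circular EBR chain would otherwise never terminate.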
From: Brian C. <bca...@at...> - 2003-03-10 02:31:50

On Sat, Mar 08, 2003 at 11:19:05AM -0500, Eagle Investigative Services wrote:
>
> All to no avail. The Konqueror browser would attempt to load the data and
> then stall.
>
> What should I enter as the mounting point?

The mounting point is purely cosmetic for reports and other places where the full path is given. It should be something like '/usr/' if the device is for the user partition or C: if it is from a Windows system.

Does it hang when the image is first opened or just with certain directories? Many browsers will hang when opening a large directory such as '/dev/' and some Windows directories.

brian
From: Hideaki I. <hi...@po...> - 2003-03-10 01:05:54

Hi

On Tue, 4 Mar 2003 09:24:10 -0500 Brian Carrier <ca...@at...> wrote:
> It would be useful if you could make a small partition (10 MB or so
> that is wiped so it compresses nicely) with Japanese characters in it.

I made an NTFS image of eight mega size.
http://www.port139.co.jp/task/ads02.dd

It includes a Japanese character.
In addition, it has 255 characters as length of a file name.

Mr.Takahashi and I have tried to solve this problem in these days.
http://www.securiteam.com/windowsntfocus/5QP08156AQ.html

He made a new patch. (utf8-5.patch)
UTF-8 output patch for task-1.60
http://www.monyo.com/technical/unix/TASK/

> echo "Test" > JAPANESE_NAME.txt
> echo "Hidden Test" > JAPANESE_NAME.txt:JAPANESE_NAME2
>
> Then, do an 'istat' on the file and make sure that the attribute name
> appears.

    ./istat -f ntfs -8 ads02.dd 30

It's OK.

--
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/
From: Eagle I. S. <in...@ea...> - 2003-03-09 22:48:08

It appears that Autopsy takes a looong time to load the image. 3 hours for my 20 Gig partition. Only to find that I had forgotten to select NTFS on the drop down and was greeted with "error - not an FFS system".

Some other newbie points:

I found I could only create the symbolic link to dev/hda1 when I had navigated to the images directory within which I wished to create the symbolic link. Maybe this is something all experts of Unix know you should do, but I was logged in as root, so I assumed I had God-like powers to create links and directories at will. Not so, at least in my case.

When I did a dmesg on my drive, it came back with the following:

    hda1 hda2 <hda3 hda4 hda5>

Can anyone explain what's between the angled brackets? Hidden partitions? I know there's only two partitions on the drive.

Thanks for all the advice so far, and any pointers on the above.

Niall.

Also, is there an archive of these messages anywhere? Maybe some of my future questions have already been discussed and I'd like not to waste anyone's time.

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Sid Porter - Silent Partner
Sent: Sunday, March 09, 2003 10:16 AM
To: sle...@li...
Subject: [sleuthkit-users] Extended Partitions [was] RE: Problem adding image

On Sunday 09 March 2003 14:58, Sid Porter - Silent Partner wrote:
> Your disk will have primary partition /dev/hda1 and also partitions
> /dev/hda2 /dev/hda3 /dev/hda4

When I compiled this information I presented actual data from my own system which is a notebook computer with a single IDE disk partitioned as above.

However, when I got the above labels from Fdisk, I had to delete a large chunk of my pre-composed info that talked about a disk having max two partitions, primary and extended, and the extended holding logical partitions. My own setup contradicts this, and I can't even remember installing this system, it's that long ago.

What happened to the notion of extended partitions? Is this now obsolete with new IDE technology? Or just unnecessary for linux, and still used by Windows?

Sid.
From: Sid P. - S. P. <sp...@si...> - 2003-03-09 15:16:18

On Sunday 09 March 2003 14:58, Sid Porter - Silent Partner wrote:
> Your disk will have primary partition /dev/hda1 and also partitions
> /dev/hda2 /dev/hda3 /dev/hda4

When I compiled this information I presented actual data from my own system which is a notebook computer with a single IDE disk partitioned as above.

However, when I got the above labels from Fdisk, I had to delete a large chunk of my pre-composed info that talked about a disk having max two partitions, primary and extended, and the extended holding logical partitions. My own setup contradicts this, and I can't even remember installing this system, it's that long ago.

What happened to the notion of extended partitions? Is this now obsolete with new IDE technology? Or just unnecessary for linux, and still used by Windows?

Sid.
From: Sid P. - S. P. <sp...@si...> - 2003-03-09 14:58:35

On Saturday 08 March 2003 16:19, Eagle Investigative Services wrote:
> Ok, My machine is a 18GHz P4, 512 RAM, 60 Gig WD 7200 HD, Win2k installed
> on 20 Gigs, and SuSE 8.1 installed on the 404 Gig portion.

20Gigs is the size of the partition you're analysing then....

> So I got my image to appear in Autopsy. However, when I went to add the
> image I ran into a snag, which I believe is due to the mounting point
> parameter.

It looks like you don't understand the concept of a mounting point, and I notice that it's not documented in the online help. Here is my explanation for it, and others can pick up on where I go wrong or make wrong assumptions regarding task / autopsy.

A hard disk is a physical device that is loaded into your system. It typically is very large, in your case 60Gigs. You have broken your disk into two, and I suspect 5 partitions. Windows gets a 20 gig partition, linux /boot maybe gets a 20Mb partition, linux swap gets probably 128Mb, and the balance goes for root.

Your disk will have primary partition /dev/hda1 and also partitions /dev/hda2 /dev/hda3 /dev/hda4

These /dev/hdx are how we reference the partitions in linux, this information is linux specific. Windows does not provide you with addressable device labels such as this and internally references the partitions something like ide0:1 to say first partition on IDE Bus 0

The target operating system that uses the partitions mounts them into mount points. In linux your partitions might get mounted as:

    /dev/hda1 could get mounted to /windows/C
    /dev/hda2 could get mounted to /boot
    /dev/hda3 might not get mounted at all as it is swap
    /dev/hda4 might get mounted as /

I could have another disk, /dev/hdb that I use for /var/logs in which case /dev/hdb1 would get mounted to /var/logs

If I ran windows on the same machine, windows would probably mount /dev/hda1 as C: (this is not guaranteed). If I had filesystem drivers for windows to read the linux partitions, it might mount /dev/hda2 as E: (assuming CD is D:), /dev/hda4 as F: , and /dev/hdb1 as F:

These are all mount points, / /boot C: D: E: F:

There is no information in the imaged partition to say what they are mounted as under a specific operating system, and can be mounted under multiple operating systems as different mountpoints and used within the confines of that os as that mountpoint.

Autopsy has no way then of knowing what the full path of a file was on a target system. It finds a deleted file temp/bossescc#.txt and on the original system that would have possibly been C:/temp/bossescc#.txt On a linux system it might have been /temp/bossescc#.txt

C: and / are the mount points on the two respective systems, and this information needs to be given to autopsy in order for it to give you proper file paths back in its reports.

> I entered the following attempts
>
> /dev/hda1
> /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
> /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
> 0

The mounting point is just a label that autopsy is going to stick in front of all file paths that it gathers, so all of the above are relevant and "ok" to provide as mount points, but not necessarily correct when compared with the actual file system that you are analysing. They would not cause you any problems though.

> All to no avail. The Konqueror browser would attempt to load the data and
> then stall.

I assume that you saw "Stalled" in the status bar of Konqueror?

That means that Konqueror is stalled, waiting for more information, it does not mean that the process has failed. You were trying to load a 20gig partition, in my test I loaded a 10gig partition in the same manner as you, and it probably took a whole 10 mins to load, I actually left it run and came back to it a while later and went again and came back to find:

    ----- Begin Sample Output -----
    Calculating MD5 of images/hda1
    Current MD5: 81C534B8FA3AACDC70E507A2975223A7
    <BR>Image: images/hda1 added to config file [OK]
    ----- End Sample Output -----

Sounds to me like you didn't wait long enough for the processing to get this far, 20gigs is a LOT of data to load, imagine how long it would take to load a text file 20gigs in size.....

> What should I enter as the mounting point?

Whatever the partition's mounting point was on the original system, presumably, but not always C: in terms of the first partition on a windows system.

It is conceivable that on some machines, running dual OS, that a partition could get mounted under both OS, and you might have to run your analyses twice, one for each OS context. An example from my machine is my windows C:/documents and settings/administrator/my documents folder is actually a link that points to E:/home/dindang/Documents so that both my windows and linux profiles share the same "documents" folder. Obviously in the windows context the mount point for the partition that holds this folder is E: but on linux it's /

> I was running Autopsy as the root user (i.e. from the prompt
> linux:/home/niallc)

Sounds ok, little scary, but ok. Haven't actually tried to run autopsy as an unprivileged user, would probably work just fine as user niallc, maybe someone can confirm?

> At a loss at what to try next - any ideas greatly appreciated.

Do it again, and this time instead of panicking, go and have a few beers. The "Stalled" status in Konqueror is not a panic signal, you should have been able to hear plenty of disk activity going on, and the "cog" in the top right hand corner of Konqueror's window should have been spinning. When that stops spinning, and you haven't got your output, then panic!

> Thank you all again,

More than welcome, HTH, Sid.
From: Eagle I. S. <in...@ea...> - 2003-03-08 16:24:30

Ok, My machine is a 18GHz P4, 512 RAM, 60 Gig WD 7200 HD, Win2k installed on 20 Gigs, and SuSE 8.1 installed on the 404 Gig portion.

After walking through Sid's descriptions, and checks, I was able to add the link. I won't bore you with the details. Thanks for the descriptions Sid, it provided a flashlight in an otherwise dark tunnel.

So I got my image to appear in Autopsy. However, when I went to add the image I ran into a snag, which I believe is due to the mounting point parameter.

I entered the following attempts

    /dev/hda1
    /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
    /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
    0

All to no avail. The Konqueror browser would attempt to load the data and then stall.

What should I enter as the mounting point?

I was running Autopsy as the root user (i.e. from the prompt linux:/home/niallc)

At a loss at what to try next - any ideas greatly appreciated.

Thank you all again,

Niall.

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Silent Partner
Sent: Friday, March 07, 2003 4:09 PM
To: Sleuthkit-Users@Lists. Sourceforge. Net
Subject: Re: [sleuthkit-users] RE: Problem adding image

Quoting: "Brian Carrier":
> > ln -s /dev/hda1 /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
> >
> > and
> >
> > ln -s /dev/hda1 /home/niallc/Desktop/Locker//Thismachine/WIN2000/images
> >
> > I entered both exactly as typed above. In both cases when I hit refresh
> > there was no sign of my link/image.
>
> What does
> ls -l /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
> show?

Here is a step by step guide to achieve what you are trying to achieve, and verify as you are going along, composed in mini-howto style:

***** Step 1, use the GUI, but empower yourself with the command line

I login to my linux box, and I bring up an xterm / "command prompt" and I get:

    dindang:~ #

***** Step 2, know your hard disk.

I know that there is an IDE hard disk in my machine that contains a partition which I would like to analyse, to get more info, I examine what the kernel knows about IDE hard disks in my machine, and I already know they get mounted as /dev/hd??? so I use the dmesg command, I can use the man command to find out more about dmesg:

    dindang:~ # man dmesg
    NAME
           dmesg - print or control the kernel ring buffer
    SYNOPSIS
           dmesg [ -c ] [ -n level ] [ -s bufsize ]
    DESCRIPTION
           dmesg is used to examine or control the kernel ring buffer.
           The program helps users to print out their bootup messages.
           Instead of copying the messages by hand, the user need only:
                  dmesg > boot.messages
           and mail the boot.messages file to whoever can debug their problem.

Basically at boot / start of any system device will result in a message being posted to the kernel ring buffer, you hotplug a USB device, what the kernel does with it gets noted here.... so we are looking for kernel messages relating to hda or if it was a scsi disk we would have used sda etc.

Dmesg on its own will give back a lot of information, but I will pipe the output of it using | into the grep command which I will use to filter for hda

    dindang:~ # dmesg | grep hda
    ide0: BM-DMA at 0xfcd0-0xfcd7, BIOS settings: hda:pio, hdb:pio
    hda: IC25N020ATCS04-0, ATA DISK drive
    hda: safely enabled flush
    hda: 39070080 sectors (20004 MB) w/1768KiB Cache, CHS=41344/15/63, UDMA(33)
    hda: hda1 hda2 hda3 hda4

I could have just searched for hda1 and got:

    dindang:~ # dmesg | grep hda1
    hda: hda1 hda2 hda3 hda4

But basically I know from the above that there is a drive on my system mounted as hda and it has 4 partitions, hda1-4

To find out what's in those partitions use fdisk:

    dindang:~ # fdisk
    Usage: fdisk [-l] [-b SSZ] [-u] device
    E.g.: fdisk /dev/hda  (for the first IDE disk)
      or: fdisk /dev/sdc  (for the third SCSI disk)
      or: fdisk /dev/eda  (for the first PS/2 ESDI drive)
      or: fdisk /dev/rd/c0d0  or: fdisk /dev/ida/c0d0  (for RAID devices)
      ...

Woops! I forgot that I must specify a parameter, the parameter must be a device, not a partition, so /dev/hda1 can't be fdisked because it's not a disk, but /dev/hda can:

    dindang:~ # fdisk /dev/hda

    The number of cylinders for this disk is set to 41344.
    There is nothing wrong with that, but this is larger than 1024,
    and could in certain setups cause problems with:
    1) software that runs at boot time (e.g., old versions of LILO)
    2) booting and partitioning software from other OSs
       (e.g., DOS FDISK, OS/2 FDISK)

    Command (m for help): p

    Disk /dev/hda: 15 heads, 63 sectors, 41344 cylinders
    Units = cylinders of 945 * 512 bytes

       Device Boot    Start       End    Blocks   Id  System
    /dev/hda1             1     19672   9294988+   c  Win95 FAT32 (LBA)
    /dev/hda2   *     19673     19714     19845   83  Linux
    /dev/hda3         19715     20795    510772+  82  Linux swap
    /dev/hda4         20796     41344   9709402+  83  Linux

    Command (m for help): q
    dindang:~ #

From this I can see that /dev/hda1 is the windows partition using a FAT32 filesystem, and this I want to analyse / play with!

***** Step 3, checkout your current directory.

first I check to see where I am, this is important because all operations that I do will take place wherever I am, unless I fully qualify the paths. I check this with the print working directory command:

    dindang:~ # pwd
    /root
    dindang:~ #

I am currently in /root, and lets see what I've got here, do a directory listing:

    dindang:~ # ls
    dindang:~ #

Now I am going to make a directory test, this is to hold my "images", and is the equivalent of the task / autopsy image hold directory:

    dindang:~ # mkdir test
    dindang:~ #

Now, it makes sense to VERIFY what you've done, so do another directory listing:

    dindang:~ # ls

Yes, test is there, it's in the list, lets see what's in the directory test:

    dindang:~ # ls test
    dindang:~ #

just . and .. which are directory navigation stubs, so the directory is empty.

    dindang:~ # ln -s /dev/hda1 /root/test
    dindang:~ # ls test
    dindang:~ # cd test
    dindang:~/test # ls -l
    total 8
    drwxr-xr-x    2 root     root         4096 Mar  7 20:03 .
    drwx------   15 root     root         4096 Mar  7 20:03 ..
    lrwxrwxrwx    1 root     root            9 Mar  7 20:03 hda1 -> /dev/hda1
    dindang:~/test #

***** Step 4, Link the partition you want to analyse into the "hold" directory

To do this, we use the ln command, it's the equivalent of making an alias to something on a mac or a shortcut to something in windows. first a little info on the ln command:

    dindang:~/test # man ln
    NAME
           ln - make links between files
    SYNOPSIS
           ln [OPTION]... TARGET [LINK_NAME]
           ln [OPTION]... TARGET... DIRECTORY
           ln [OPTION]... --target-directory=DIRECTORY TARGET...
    DESCRIPTION
           Create a link to the specified TARGET with optional LINK_NAME.
           If LINK_NAME is omitted, a link with the same basename as the
           TARGET is created in the current directory. When using the
           second form with more than one TARGET, the last argument must
           be a directory; create links in DIRECTORY to each TARGET.
           Create hard links by default, symbolic links with --symbolic.
           When creating hard links, each TARGET must exist.

Btw.... I'm deliberately not showing all the info that man throws back, try the command yourself to get the full picture.

Next I will link /dev/hda1 into /root/test using the ln command:

    dindang:~ # ln -s /dev/hda1 /root/test

Now if I do a directory listing of test:

    dindang:~ # ls test
    dindang:~ #

I can see that along with the navigation stubs, there is something called hda1 in there. Lets change our working directory from /root into /root/test and see more what's in there:

    dindang:~ # cd test
    dindang:~/test # ls -l
    total 8
    drwxr-xr-x    2 root     root         4096 Mar  7 20:03 .
    drwx------   15 root     root         4096 Mar  7 20:03 ..
    lrwxrwxrwx    1 root     root            9 Mar  7 20:03 hda1 -> /dev/hda1
    dindang:~/test #

The output of the ls -l tells us quite a bit:

drwxr-xr-x tells us that entry is a directory, it belongs to user root in the group root, and time stamps associated with the file, and finally its name

lrwxrwxrwx tells us it's a link, and after the hda1 (the file name) there is a -> /dev/hda1 which tells us that it's linked to /dev/hda1

***** Step 5, lets get our image another way.

The way above links the physical partition to the "image file" that will be analysed by task / autopsy, anything we do to this will modify the original item, so maybe we should actually image the partition instead of just creating a shortcut to it. This we do using the dd command.

First we delete the symbolic link:

    dindang:~/test # rm hda1

verify it's gone....

    dindang:~/test # ls

Get some info on dd.....

    dindang:~/test # man dd
    NAME
           dd - convert and copy a file
    SYNOPSIS
           dd [OPTION]...
    DESCRIPTION
           Copy a file, converting and formatting according to the options.
    dindang:~/test #

Run DD using the options required:

    dindang:~/test # dd if=/dev/hda1 of=/root/test/hda1

Lets verify what it's done:

    dindang:~/test # ls
    dindang:~/test #

The difference here is that this is not a link, it's an actual image to work on, and it consumes disk space etc.

***** Step 6, get help if it don't work

If you run the commands above, but it just don't happen, and you want to contact a list, then give a bit of info about the system you run. The OS / Distribution etc, Output above was generated on SuSE 8.0 with a custom built kernel that I made a long time ago, hmm... don't know / can't remember the kernel? uname will help

    dindang:~ # uname -a
    Linux dindang 2.4.18-4GB #1 Thu May 16 13:22:19 GMT 2002 i686 unknown

I should post that info, along with references to the SuSE 8.0 in a brief intro paragraph. Maybe there's something wrong with the binaries on my platform.

Also, what user are you logged in as? Do you have access to the devices as this user? Notice I done everything as root, if I was a restricted user I could have run into problems... (I don't actually know for sure with the above commands, and I don't particularly care to reboot and find out).

***** Step 7, have fun, happy sleuthing....

HTH, Sid.
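Two points in this thread belong together: Sid's Step 5 images the partition with dd rather than linking the live device, and Brian explains that Autopsy's separate MD5 pass over the partition is what made the 20 GB import take hours. The following is an added example, not code from the list, from Autopsy or from TASK: it streams the source once, hashing the bytes as they are copied so the acquisition hash costs no second pass, then re-hashes the written image to confirm it matches and shows that a single changed byte is caught. The file names, the 1 MiB chunk size, the demo() helper and the 1 MiB sample "partition" are all constructed for the example; on a real system the source would be the block device (here /dev/hda1), read by a user permitted to open it.

```python
"""Image a source in one sequential pass while hashing it, then verify."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: large enough to stream a disk efficiently


def hash_file(path, chunk=CHUNK):
    """Hash an existing file (the verification pass)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            md5.update(buf)
            sha.update(buf)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def image_and_hash(src, dst, chunk=CHUNK):
    """Copy src to dst, computing MD5 and SHA-256 of the bytes as they stream.
    Returns the digests plus the byte count: the image is hashed in the same
    pass that acquires it, instead of a separate read over the whole device."""
    md5, sha, total = hashlib.md5(), hashlib.sha256(), 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for buf in iter(lambda: fin.read(chunk), b""):
            md5.update(buf)
            sha.update(buf)
            fout.write(buf)
            total += len(buf)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image reached stable storage
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": total}


def verify_image(dst, acquisition):
    """Re-hash the image and compare with the digests taken during acquisition."""
    now = hash_file(dst)
    return now["md5"] == acquisition["md5"] and now["sha256"] == acquisition["sha256"]


def demo():
    """Constructed data, not a real partition: 1 MiB of repeating byte values."""
    content = bytes(range(256)) * 4096
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "hda1")       # stands in for /dev/hda1
        dst = os.path.join(d, "hda1.dd")    # the image file Autopsy would open
        with open(src, "wb") as f:
            f.write(content)
        acq = image_and_hash(src, dst)
        ok_before = verify_image(dst, acq)
        # Change one byte of the image; verification must now fail.
        with open(dst, "r+b") as f:
            f.seek(4096)
            f.write(b"\xff")
        ok_after = verify_image(dst, acq)
    return {"acquired": acq,
            "expected_md5": hashlib.md5(content).hexdigest(),
            "verified": ok_before,
            "verified_after_tamper": ok_after}


if __name__ == "__main__":
    r = demo()
    print(r["acquired"]["md5"], r["acquired"]["bytes"], "bytes")
    print("verified:", r["verified"], "after tamper:", r["verified_after_tamper"])
```

Record the acquisition digests alongside the image before analysis starts; the verification pass is then the only extra read, and it can be run on the copy rather than on the original device.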
From: Silent P. <sp...@si...> - 2003-03-07 21:09:19

Quoting: "Brian Carrier":
> > ln -s /dev/hda1 /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
> >
> > and
> >
> > ln -s /dev/hda1 /home/niallc/Desktop/Locker//Thismachine/WIN2000/images
> >
> > I entered both exactly as typed above. In both cases when I hit refresh
> > there was no sign of my link/image.
>
> What does
>
> ls -l /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
>
> show?

Here is a step by step guide to achieve what you are trying to achieve, and verify as you are going along, composed in mini-howto style:

***** Step 1, use the GUI, but empower yourself with the command line

I login to my linux box, and I bring up an xterm / "command prompt" and I get:

dindang:~ #

***** Step 2, know your hard disk.

I know that there is an IDE hard disk in my machine that contains a partition which I would like to analyse. To get more info, I examine what the kernel knows about IDE hard disks in my machine, and I already know they get mounted as /dev/hd???, so I use the dmesg command. I can use the man command to find out more about dmesg:

dindang:~ # man dmesg

NAME
       dmesg - print or control the kernel ring buffer

SYNOPSIS
       dmesg [ -c ] [ -n level ] [ -s bufsize ]

DESCRIPTION
       dmesg is used to examine or control the kernel ring buffer.
       The program helps users to print out their bootup messages.
       Instead of copying the messages by hand, the user need only:
              dmesg > boot.messages
       and mail the boot.messages file to whoever can debug their problem.

Basically, at boot / start of any system device, a message will be posted to the kernel ring buffer; you hotplug a USB device, and what the kernel does with it gets noted here.... So we are looking for kernel messages relating to hda, or if it was a scsi disk we would have used sda etc.

dmesg on its own will give back a lot of information, but I will pipe the output of it using | into the grep command, which I will use to filter for hda:

dindang:~ # dmesg | grep hda
ide0: BM-DMA at 0xfcd0-0xfcd7, BIOS settings: hda:pio, hdb:pio
hda: IC25N020ATCS04-0, ATA DISK drive
hda: safely enabled flush
hda: 39070080 sectors (20004 MB) w/1768KiB Cache, CHS=41344/15/63, UDMA(33)
 hda: hda1 hda2 hda3 hda4

I could have just searched for hda1 and got:

dindang:~ # dmesg | grep hda1
 hda: hda1 hda2 hda3 hda4

But basically I know from the above that there is a drive on my system mounted as hda and it has 4 partitions, hda1-4. To find out what's in those partitions use fdisk:

dindang:~ # fdisk

Usage: fdisk [-l] [-b SSZ] [-u] device
E.g.: fdisk /dev/hda  (for the first IDE disk)
  or: fdisk /dev/sdc  (for the third SCSI disk)
  or: fdisk /dev/eda  (for the first PS/2 ESDI drive)
  or: fdisk /dev/rd/c0d0  or: fdisk /dev/ida/c0d0  (for RAID devices)
  ...

Woops! I forgot that I must specify a parameter; the parameter must be a device, not a partition, so /dev/hda1 can't be fdisked because it's not a disk, but /dev/hda can:

dindang:~ # fdisk /dev/hda

The number of cylinders for this disk is set to 41344.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/hda: 15 heads, 63 sectors, 41344 cylinders
Units = cylinders of 945 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1             1     19672   9294988+   c  Win95 FAT32 (LBA)
/dev/hda2   *     19673     19714     19845   83  Linux
/dev/hda3         19715     20795    510772+  82  Linux swap
/dev/hda4         20796     41344   9709402+  83  Linux

Command (m for help): q

dindang:~ #

From this I can see that /dev/hda1 is the windows partition using a FAT32 filesystem, and this I want to analyse / play with!

***** Step 3, check out your current directory.

First I check to see where I am; this is important because all operations that I do will take place wherever I am, unless I fully qualify the paths. I check this with the print working directory command:

dindang:~ # pwd
/root
dindang:~ #

I am currently in /root, and let's see what I've got here; do a directory listing:

dindang:~ # ls
.              .bash_history  .jbuilder4  .qt       .w3m              Desktop
..             .exrc          .kde        .skel     .wmrc             KDesktop
.ICEauthority  .gnupg         .mcop       .ssh      .xinitrc          bin
.Xauthority    .gtkrc-kde     .mcoprc     .viminfo  .xsession-errors  lucent
dindang:~ #

Now I am going to make a directory test; this is to hold my "images", and is the equivalent of the task / autopsy image hold directory:

dindang:~ # mkdir test
dindang:~ #

Now, it makes sense to VERIFY what you've done, so do another directory listing:

dindang:~ # ls
.              .exrc        .mcop    .viminfo          Desktop
..             .gnupg       .mcoprc  .w3m              KDesktop
.ICEauthority  .gtkrc-kde   .qt      .wmrc             bin
.Xauthority    .jbuilder4   .skel    .xinitrc          lucent
.bash_history  .kde         .ssh     .xsession-errors  test

Yes, test is there, it's in the list; let's see what's in the directory test:

dindang:~ # ls test
.  ..
dindang:~ #

Just . and .., which are directory navigation stubs, so the directory is empty.

dindang:~ # ln -s /dev/hda1 /root/test
dindang:~ # ls test
.  ..  hda1
dindang:~ # cd test
dindang:~/test # ls -l
total 8
drwxr-xr-x    2 root     root         4096 Mar  7 20:03 .
drwx------   15 root     root         4096 Mar  7 20:03 ..
lrwxrwxrwx    1 root     root            9 Mar  7 20:03 hda1 -> /dev/hda1
dindang:~/test #

***** Step 4, link the partition you want to analyse into the "hold" directory

To do this, we use the ln command; it's the equivalent of making an alias to something on a mac or a shortcut to something in windows. First a little info on the ln command:

dindang:~/test # man ln

NAME
       ln - make links between files

SYNOPSIS
       ln [OPTION]... TARGET [LINK_NAME]
       ln [OPTION]... TARGET... DIRECTORY
       ln [OPTION]... --target-directory=DIRECTORY TARGET...

DESCRIPTION
       Create a link to the specified TARGET with optional LINK_NAME.
       If LINK_NAME is omitted, a link with the same basename as the
       TARGET is created in the current directory. When using the
       second form with more than one TARGET, the last argument must
       be a directory; create links in DIRECTORY to each TARGET.
       Create hard links by default, symbolic links with --symbolic.
       When creating hard links, each TARGET must exist.

Btw.... I'm deliberately not showing all the info that man throws back; try the command yourself to get the full picture.

Next I will link /dev/hda1 into /root/test using the ln command:

dindang:~ # ln -s /dev/hda1 /root/test

Now if I do a directory listing of test:

dindang:~ # ls test
.  ..  hda1
dindang:~ #

I can see that along with the navigation stubs, there is something called hda1 in there. Let's change our working directory from /root into /root/test and see more of what's in there:

dindang:~ # cd test
dindang:~/test # ls -l
total 8
drwxr-xr-x    2 root     root         4096 Mar  7 20:03 .
drwx------   15 root     root         4096 Mar  7 20:03 ..
lrwxrwxrwx    1 root     root            9 Mar  7 20:03 hda1 -> /dev/hda1
dindang:~/test #

The output of the ls -l tells us quite a bit:

drwxr-xr-x tells us that entry is a directory, it belongs to user root in the group root, then the time stamps associated with the file, and finally its name.

lrwxrwxrwx tells us it's a link, and after the hda1 (the file name) there is a -> /dev/hda1, which tells us that it's linked to /dev/hda1.

***** Step 5, let's get our image another way.

The way above links the physical partition to the "image file" that will be analysed by task / autopsy; anything we do to this will modify the original item, so maybe we should actually image the partition instead of just creating a shortcut to it. This we do using the dd command. First we delete the symbolic link:

dindang:~/test # rm hda1

Verify it's gone....

dindang:~/test # ls
.  ..

Get some info on dd.....

dindang:~/test # man dd

NAME
       dd - convert and copy a file

SYNOPSIS
       dd [OPTION]...

DESCRIPTION
       Copy a file, converting and formatting according to the options.

dindang:~/test #

Run dd using the options required:

dindang:~/test # dd if=/dev/hda1 of=/root/test/hda1

Let's verify what it's done:

dindang:~/test # ls
.  ..  hda1
dindang:~/test #

The difference here is that this is not a link, it's an actual image to work on, and it consumes disk space etc.

***** Step 6, get help if it don't work

If you run the commands above, but it just don't happen, and you want to contact a list, then give a bit of info about the system you run: the OS / Distribution etc. Output above was generated on SuSE 8.0 with a custom built kernel that I made a long time ago. Hmm... don't know / can't remember the kernel? uname will help:

dindang:~ # uname -a
Linux dindang 2.4.18-4GB #1 Thu May 16 13:22:19 GMT 2002 i686 unknown

I should post that info, along with references to the SuSE 8.0, in a brief intro paragraph. Maybe there's something wrong with the binaries on my platform. Also, what user are you logged in as? Do you have access to the devices as this user? Notice I did everything as root; if I was a restricted user I could have run into problems... (I don't actually know for sure with the above commands, and I don't particularly care to reboot and find out).

***** Step 7, have fun, happy sleuthing....

HTH,
Sid.
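The order of Step 4 and Step 5 above matters: the symlink hda1 -> /dev/hda1 is removed before dd is run with of=/root/test/hda1, because a write through that link would land on the partition being examined rather than in an image file. The following is an added example in C, not Sid's commands and not The Sleuth Kit's code, of the checks a small imaging routine can make before it writes: refuse any destination that already exists (symlink, device node or an earlier image), create the image with O_EXCL, copy block by block, and verify the copy by reading both files back. The run_demo() function, the fake_hda1 source file, the hda1.img name and the temporary directory under /tmp are all constructed for the example.

```c
/* Added example: a minimal imaging routine with the safety checks a
 * forensic copy needs. Not Sid's commands and not The Sleuth Kit's code. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define BLOCK 65536

/* A destination is acceptable only if nothing exists at that path yet.
 * lstat() (not stat) sees the symlink itself: with hda1 -> /dev/hda1 still
 * in the hold directory, writing to "hda1" would overwrite the evidence. */
static int dest_is_safe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0)
        return 0;               /* exists: symlink, device node, old image */
    return errno == ENOENT;     /* only "no such file" is acceptable */
}

/* Copy src into a freshly created dst block by block.
 * Returns bytes copied, or -1 on any error (unsafe destination included). */
static long image_copy(const char *src, const char *dst)
{
    static unsigned char buf[BLOCK];
    long total = 0;
    ssize_t n;

    if (!dest_is_safe(dst))
        return -1;
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    /* O_EXCL: fail rather than clobber anything that appeared meanwhile */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {                   /* short writes are legal */
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { close(in); close(out); return -1; }
            off += w;
        }
        total += n;
    }
    close(in);
    if (n < 0 || fsync(out) != 0 || close(out) != 0)
        return -1;
    return total;
}

/* Verify by re-reading source and copy and comparing byte for byte.
 * Returns 1 if identical. (You would normally record a hash of both too;
 * the plain comparison keeps this example dependency-free.) */
static int image_verify(const char *src, const char *dst)
{
    static unsigned char ba[BLOCK], bb[BLOCK];
    FILE *a = fopen(src, "rb"), *b = fopen(dst, "rb");
    int same = 0;
    if (a && b) {
        size_t na, nb;
        same = 1;
        do {
            na = fread(ba, 1, BLOCK, a);
            nb = fread(bb, 1, BLOCK, b);
            if (na != nb || memcmp(ba, bb, na) != 0) { same = 0; break; }
        } while (na > 0);
    }
    if (a) fclose(a);
    if (b) fclose(b);
    return same;
}

/* Constructed demonstration: a 200 KiB patterned file stands in for the
 * partition, inside a temporary directory. Returns 0 when every check
 * behaves as intended, otherwise the number of the failing check. */
static int run_demo(void)
{
    char dir[] = "/tmp/imgdemo.XXXXXX";
    char src[256], dst[256], lnk[256];
    const long size = 200 * 1024;
    int rc = 0;

    if (!mkdtemp(dir))
        return 1;
    snprintf(src, sizeof src, "%s/fake_hda1", dir);  /* constructed "device" */
    snprintf(dst, sizeof dst, "%s/hda1.img", dir);   /* image to create */
    snprintf(lnk, sizeof lnk, "%s/hda1", dir);       /* the Step 4 symlink */

    FILE *f = fopen(src, "wb");
    if (!f)
        return 2;
    for (long i = 0; i < size; i++)
        fputc((int)(i * 7 % 251), f);
    fclose(f);

    if (symlink(src, lnk) != 0 || image_copy(src, lnk) != -1)
        rc = 3;                          /* symlink in the way: refused */
    else if (image_copy(src, dst) != size)
        rc = 4;                          /* fresh image is written in full */
    else if (!image_verify(src, dst))
        rc = 5;                          /* and matches the source */
    else if (image_copy(src, dst) != -1)
        rc = 6;                          /* a rerun must not clobber it */

    unlink(lnk); unlink(src); unlink(dst); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s\n", rc == 0 ? "imaging checks passed" : "a check failed");
    return rc;
}
```

The refusal in dest_is_safe() is deliberately blunt: an imaging step should never "fix up" an existing path, because the only safe answer to "something is already there" is to stop and let the examiner look.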
From: Brian C. <ca...@at...> - 2003-03-07 14:44:48

>
> i.e.
>
> ln -s /dev/hda1 /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
>
> and
>
> ln -s /dev/hda1 /home/niallc/Desktop/Locker//Thismachine/WIN2000/images
>
> I entered both exactly as typed above. In both cases when I hit refresh
> there was no sign of my link/image.
>

What does

ls -l /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1

show?

brian
From: Eagle I. S. <in...@ea...> - 2003-03-07 14:04:00

Brian.

With regard to your message below. I logged in as root and started Autopsy. My settings are as follows:

Case Name: Thismachine
Host: WIN2000

I tried to create the following symbolic link as you suggested and entered it as you outlined below and also as the directory appeared in the autopsy screen (i.e. with the two "//" before Thismachine/) i.e.

ln -s /dev/hda1 /home/niallc/Desktop/Locker/Thismachine/WIN2000/images

and

ln -s /dev/hda1 /home/niallc/Desktop/Locker//Thismachine/WIN2000/images

I entered both exactly as typed above. In both cases when I hit refresh there was no sign of my link/image.

/dev/hda1 is definitely the name of my Win2k partition.

What am I missing, or doing wrong?

Thanks in advance,

Niall.

-----Original Message-----
From: Brian Carrier [mailto:bca...@at...]
Sent: Friday, February 14, 2003 12:44 PM
To: Eagle Investigative Services
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Autopsy beginner question

On Fri, Feb 14, 2003 at 09:17:19AM -0500, Eagle Investigative Services wrote:
> When I specified the Evidence Locker I specified it as the "base"
> directory
> that was in the Autopsy folder. Is this correct? I wasn't sure where
> to put it.

The Evidence Locker is where all of your case data will be saved. So, no, it should not be the installation folder. It will work, but it is not recommended. You could use something like /usr/local/forensics/locker.

>
> Also, I have dual boot machine, Linux and Win2K. My plan is to work
> with TASK/Autopsy to examine the Win2K partition.
>
> For example, I will do something in Win2K then delete it, and then
> switch to Linux to find it. Is this going to be possible?

Yes. Make a case and host in Autopsy and make a symlink from /dev/hda1 (or whichever partition it is) to the 'images' directory.

% ln -s /dev/hda1 /usr/local/forensics/locker/case1/host1/images

Autopsy must be running as root so that it has read permissions on the device.

brian
From: Brian C. <ca...@at...> - 2003-03-06 16:07:44

As you have probably noticed, TASK ships with a version of the 'file' command. A vulnerability was recently found in it that can be exploited by a malicious file. The next release of the sleuth kit will have the latest version of 'file', but until then you can get an updated version from:

ftp://ftp.astron.com/pub/file/

brian
From: Brian C. <ca...@at...> - 2003-03-04 14:27:15

>> OK, I created the refined one. Please examine again.
>> http://www.monyo.com/technical/unix/TASK/utf8-3.patch
>
> Thank you for a new patch.
> I tested utf8-3.patch.
> utf8-3.patch is wonderful. :-)

Great! I am swamped right now, but will work on incorporating this later. For scaling reasons, I'm more inclined to make a new flag that specifies ASCII or UTF-8 and just have fls and ffind set the flag and not have to deal with different function calls.

It would be useful if you could make a small partition (10 MB or so that is wiped so it compresses nicely) with Japanese characters in it.

Can you run one more test? Can you make a second data attribute with a Japanese name (aka alternate data stream)?

echo "Test" > JAPANESE_NAME.txt
echo "Hidden Test" > JAPANESE_NAME.txt:JAPANESE_NAME2

Then, do an 'istat' on the file and make sure that the attribute name appears.

thanks a lot!
brian
From: Hideaki I. <hi...@po...> - 2003-03-02 01:57:47

Hi

On Sat, 01 Mar 2003 21:22:53 +0900
TAKAHASHI Motonobu <mo...@ho...> wrote:

> OK, I created the refined one. Please examine again.
> http://www.monyo.com/technical/unix/TASK/utf8-3.patch

Thank you for a new patch.
I tested utf8-3.patch.
utf8-3.patch is wonderful. :-)

1.[OK] ./fls -f ntfs -8 -l ntfs.dd
2.[OK] ./fls -f ntfs -8 -l -D ntfs.dd
3.[OK] ./fls -f ntfs -8 -l -p ntfs.dd
4.[OK] ./fls -f ntfs -8 -l -p -r ntfs.dd
5.[OK] ./fls -d -f ntfs -8 ntfs.dd
6.[OK] ./fls -u -f ntfs -8 ntfs.dd
7.[OK] ./fls -m /body -f ntfs -8 ntfs.dd
8.[OK] ./ffind -f ntfs -8 -a ntfs.dd 34
9.[OK] ./istat -f ntfs ntfs.dd 34
10.[OK] ./icat -f ntfs ntfs.dd 34

You can confirm a test result.
http://www.port139.co.jp/task/test03/

Best regards,

--
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/
From: TAKAHASHI M. <mo...@ho...> - 2003-03-01 12:26:11

Hideaki Ihara wrote:
> I tested utf8.patch.
> (http://www.port139.co.jp/task/ntfs.dd)
> fls and ffind displayed Japanese file names in Unicode correctly.
> However, icat and istat displayed error 'Segmentation fault'.

OK, I created the refined one. Please examine again. The patch is available at
http://www.monyo.com/technical/unix/TASK/utf8-3.patch

In the prior version, the pointer for the UCS-2 conversion function is NULL by default, so we needed to explicitly initialise it in each command. Now the default points to the original uni2ascii() function. This means the commands which need not support UTF-8 (such as icat) are not required to modify their source.

I added the -8 option to fls, ffind and istat.

-----
TAKAHASHI, Motonobu (monyo) mo...@ho... http://www.monyo.com/
From: Hideaki I. <hi...@po...> - 2003-03-01 05:50:42

Hi

On Wed, 26 Feb 2003 04:37:39 +0900
TAKAHASHI Motonobu <mo...@ho...> wrote:

> I added -8 (Use UTF-8) option for fls and ffind.
> I have not enough time to examine if other tools need to modify or
> not. Please examine others > Hideaki :-)

I tested utf8.patch.
(http://www.port139.co.jp/task/ntfs.dd)
fls and ffind displayed Japanese file names in Unicode correctly.
However, icat and istat displayed error 'Segmentation fault'.

[OK] ./fls -f ntfs -8 -l ntfs.dd
[OK] ./fls -f ntfs -8 -l -D ntfs.dd
[OK] ./fls -f ntfs -8 -l -p ntfs.dd
[OK] ./fls -f ntfs -8 -l -p -r ntfs.dd
[OK] ./fls -d -f ntfs -8 ntfs.dd
[OK] ./fls -u -f ntfs -8 ntfs.dd
[OK] ./fls -m /body -f ntfs -8 ntfs.dd
[OK] ./ffind -f ntfs -8 -a ntfs.dd 34
[NG] ./istat -f ntfs ntfs.dd 34
Segmentation fault
[NG] ./icat -f ntfs ntfs.dd 34
Segmentation fault

Are there other commands that I must test? Please advise me. > all

--
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/
From: Hideaki I. <hi...@po...> - 2003-02-26 23:18:03

Hi

On Wed, 26 Feb 2003 04:37:39 +0900
TAKAHASHI Motonobu <mo...@ho...> wrote:

> I added -8 (Use UTF-8) option for fls and ffind.
> I have not enough time to examine if other tools need to modify or
> not. Please examine others > Hideaki :-)

I will test a patch. :-)
# I'm sorry, I need a few days for a test.

Best regards,

--
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/
From: Brian C. <ca...@at...> - 2003-02-26 15:19:22

> http://localhost:8888/225181695407371775/autopsy.
>
>
> It gave out this message.. and i tried to connect through a
> web-browser from my PC.. and it gave out an error message saying that
>
> You are not authorized to view this page
>
> I was wondering if I missed out anything.. or made some mistake.. Pls
> help me on this.
>

The second argument to Autopsy is the host that you will be connecting from. Any connections from other hosts are denied access. 'localhost' is used if you are connecting from the same system. If you are going to connect from your PC, then supply the hostname or IP address on the command line. For example:

./autopsy 8888 10.0.0.1

If connecting from a remote system, you may want to also provide the '-C' flag. That forces Autopsy to not use a cookie (which is difficult to cut & paste between systems). Plus, the cookie only protects you from multiple people on the same system.

> Also another question on NSRL.. I went into the web page of NSRL.. it
> said it is available only with ordering and distribution with
> payment... Is it required to have this or is there any issues without
> this.
>

It is not required. It just allows you to identify if a file can be "trusted" or not. If it is in the database, then NIST has identified it as a trusted binary. It is only used as a data reduction tool, mainly in the File Type mode.

brian
From: Ralf S. <li...@sp...> - 2003-02-26 14:44:07

On Wed, 2003-02-26 at 12.45, Mallik Prasad.S wrote:
> Hello everybody,
>
> Paste this as your browser URL on localhost:
> http://localhost:8888/225181695407371775/autopsy.
>
>
> It gave out this message.. and i tried to connect through a web-browser from
> my PC.. and it gave out an error message saying that

You have to run the browser on the same machine autopsy is running on, since autopsy only binds to localhost. Otherwise you have to start autopsy with port and ip address given on the commandline, like:

autopsy 8888 192.168.0.5

Cheers,

Ralf

--
Ralf Spenneberg RHCE, RHCX
IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror: http://honeynet.spenneberg.org
Snort Mirror: http://snort.spenneberg.org
From: Mallik Prasad.S <S.M...@ce...> - 2003-02-26 11:46:10

Hello everybody,

Sorry if I am asking a basic question. I went through the early mails on the web.. but did not find much stuff.

I installed TASK/Autopsy on Sun Solaris system 5.8 with all patches... after running "make" on both of these and installing successfully.... without the NSRL.

Autopsy Forensic Browser ver 1.70
============================================================================
Evidence Locker: /export/home/locker/
Start Time: Wed Feb 26 06:52:52 2003

Paste this as your browser URL on localhost:
http://localhost:8888/225181695407371775/autopsy.

It gave out this message.. and i tried to connect through a web-browser from my PC.. and it gave out an error message saying that

You are not authorized to view this page

I was wondering if I missed out anything.. or made some mistake.. Pls help me on this.

Also another question on NSRL.. I went into the web page of NSRL.. it said it is available only with ordering and distribution with payment... Is it required to have this or is there any issues without this. I did the installation without the NSRL during Autopsy installation.

Thanks for your thoughts and pointers.

Best Regards,
Mallik Prasad S
From: TAKAHASHI M. <mo...@ho...> - 2003-02-25 19:40:51

Brian Carrier wrote:
> Please send me your patch that allows it to be turned off and on.

OK, the patch and simple description are available from
http://www.monyo.com/technical/unix/TASK/utf8.patch
http://www.monyo.com/technical/unix/TASK/README.txt

And I attached it in this mail.

I added the -8 (Use UTF-8) option for fls and ffind. I have not enough time to examine whether other tools need to be modified or not. Please examine others > Hideaki :-)

> What happens when you run 'fls -m' on an image and then import the data
> into mactime? Does mactime care that it is not ASCII?

Japanese filenames can be correctly displayed with UTF-8'ed fls. Although perl does not care about Japanese, it does not modify anything in the file name string.

-----
TAKAHASHI, Motonobu (monyo) mo...@ho... http://www.monyo.com/
From: Brian C. <ca...@at...> - 2003-02-24 17:18:43

> Why I did not create the complete patch is that I do not want to
> distribute and maintain another (Japanese local) version TASK
> and hope that TASK natively support UTF-8.
> Also that what character to use for UTF-8 option and how to keep this
> option in TASK is a matter of coding policy.

Takahashi,

Please send me your patch that allows it to be turned off and on. I would rather provide a flag to the tools that would need UTF-8 (fls, ffind, and maybe others) instead of making it the default action (I haven't examined what that may screw up yet).

What happens when you run 'fls -m' on an image and then import the data into mactime? Does mactime care that it is not ASCII?

thanks,
brian
From: TAKAHASHI M. <mo...@ho...> - 2003-02-24 16:40:23

Hello

I am the author of the ntfs.c.patch.

>> Mr.Takahashi wrote the patch which converted file
>> names into Unicode(UTF-8).
>> http://damedame.monyo.com/ntfs.c.patch
>>
>> However, it is not a complete patch.
>> If I use a long file name, Buffer over flow occurs.
>
> This is because the bounds on the 'asc' array are not being checked.

Yes, I know this patch is incomplete, and a quick hack is to extend the length of "char *asc" 3 times. Also it's easy to add an option which controls whether the UTF-8 feature is enabled or not. I've done this on my private version of TASK.

The reason I did not create the complete patch is that I do not want to distribute and maintain another (Japanese local) version of TASK, and I hope that TASK natively supports UTF-8. Also, what character to use for the UTF-8 option and how to keep this option in TASK is a matter of coding policy.

In Japan, we usually use Japanese filenames for business use, and the Windows Japanese version also creates Japanese file names by default. So we strongly need to support Japanese filenames.

>> What happens when you run this on the command line? Does the shell
>> display the Japanese symbols? For example:
>>
>> fls -f ntfs img.dd
>
> http://www.port139.co.jp/task/jp.dd (Size:8M NTFS image)
>
> A shell cannot display Japanese character (Unicode).
> Therefore we have to use Autopsy and Web browser.
> A general browser supports Unicode(UTF-8). IE, Netscape,Opera...

Indeed, as Hideaki said, we do not widely use UTF-8 as the encoding method for Japanese. Most 'Japanese shells' can treat UTF-8 only as an '8 bit data string' but can display only traditional Japanese encoding methods such as EUC-JP and Shift_JIS.

But using UTF-8 has several merits:

- UTF-8 can support all characters (scripts) which NTFS supports.
- Using UTF-8, the ASCII characters are not converted.
- The code conversion is reversible between UTF-8 and UTF-16 (UCS-2).

For historical reasons, the code conversion between the Japanese traditional encoding methods (also character sets) and Unicode is not reversible and has severe, complex problems (for example, there is no standard conversion table, and Unicode has more characters than the Japanese traditional character set). Correctly supporting such traditional Japanese character sets / encoding methods requires lots of Japanese knowledge and code. Using UTF-8, the code conversion can work automatically and only a small amount of code is needed to support UTF-8. And we have lots of code conversion tools for Japanese. Once task writes the file names using UTF-8, we can easily convert them with such tools as we like.

The important issue is that currently the uni2ascii() function wastes the code information during code conversion, because it checks the even byte only, and if the even byte is not printable, converts that byte to '?'. Using my UTF-8 patch, we can keep the code information completely and convert to my favourite code later with other tools.

-----
TAKAHASHI, Motonobu (monyo) mo...@ho... http://www.monyo.com/
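To make the two conversions in this thread concrete, here is an added example in C. It is not The Sleuth Kit's uni2ascii() and not the utf8 patch, but a reconstruction for illustration: a lossy converter modelled on the description above, which looks only at the low byte of each 16-bit unit and prints '?' for anything non-printable, beside a bounded UTF-16LE to UTF-8 converter that keeps the code information and returns -1 instead of running past its output array, which is the check the thread says the 'asc' array lacked. It goes slightly beyond UCS-2 by handling surrogate pairs, since NTFS names are UTF-16. The sample names (テスト.txt, 乁.txt and the single astral character U+20BB7), the NAME_* arrays and check_conversions() are constructed for the example; the 3-bytes-per-unit sizing in the comment corresponds to the "extend the length 3 times" quick hack mentioned above.

```c
/* Added example: lossy "low byte only" conversion beside a bounded
 * UTF-16LE -> UTF-8 conversion for NTFS file names. Reconstruction for
 * illustration; not The Sleuth Kit's uni2ascii() nor the utf8 patch. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on the behaviour described in the thread: look only at the even
 * (low, little-endian) byte of each 16-bit unit and print '?' when it is
 * not printable ASCII. One char per unit, so nunits + 1 always fits.
 * Returns chars written. */
static size_t ucs2_to_ascii_lossy(const uint8_t *in, size_t nunits,
                                  char *out, size_t out_sz)
{
    size_t o = 0;
    for (size_t i = 0; i < nunits && o + 1 < out_sz; i++) {
        uint8_t lo = in[2 * i];
        out[o++] = (lo < 0x80 && isprint(lo)) ? (char)lo : '?';
    }
    out[o] = '\0';
    return o;
}

/* Decode UTF-16LE (surrogate pairs included; a lone surrogate becomes
 * U+FFFD) and encode as UTF-8. Returns bytes written excluding the NUL,
 * or -1 if the output array would overflow. 3 * nunits + 1 output bytes
 * are always enough (a pair is 2 units -> 4 bytes, a BMP unit -> 3). */
static int utf16le_to_utf8(const uint8_t *in, size_t nunits,
                           char *out, size_t out_sz)
{
    size_t o = 0;
    for (size_t i = 0; i < nunits; i++) {
        uint32_t cp = in[2 * i] | ((uint32_t)in[2 * i + 1] << 8);
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < nunits) {
            uint32_t lo = in[2 * i + 2] | ((uint32_t)in[2 * i + 3] << 8);
            if (lo >= 0xDC00 && lo <= 0xDFFF) {
                cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                i++;                     /* consumed both halves */
            } else {
                cp = 0xFFFD;             /* high surrogate without a low one */
            }
        } else if (cp >= 0xD800 && cp <= 0xDFFF) {
            cp = 0xFFFD;                 /* lone or trailing surrogate */
        }
        unsigned char enc[4];
        size_t n;
        if (cp < 0x80) {
            enc[0] = (unsigned char)cp; n = 1;
        } else if (cp < 0x800) {
            enc[0] = 0xC0 | (cp >> 6); enc[1] = 0x80 | (cp & 0x3F); n = 2;
        } else if (cp < 0x10000) {
            enc[0] = 0xE0 | (cp >> 12); enc[1] = 0x80 | ((cp >> 6) & 0x3F);
            enc[2] = 0x80 | (cp & 0x3F); n = 3;
        } else {
            enc[0] = 0xF0 | (cp >> 18); enc[1] = 0x80 | ((cp >> 12) & 0x3F);
            enc[2] = 0x80 | ((cp >> 6) & 0x3F); enc[3] = 0x80 | (cp & 0x3F); n = 4;
        }
        if (o + n + 1 > out_sz)          /* bounds check before every write */
            return -1;
        memcpy(out + o, enc, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed sample names, laid out as NTFS stores them (UTF-16LE). */
static const uint8_t NAME_KATAKANA[] =   /* "テスト.txt" */
    { 0xC6,0x30, 0xB9,0x30, 0xC8,0x30, '.',0, 't',0, 'x',0, 't',0 };
static const uint8_t NAME_CJK[] =        /* "乁.txt": low byte of U+4E41 is 'A' */
    { 0x41,0x4E, '.',0, 't',0, 'x',0, 't',0 };
static const uint8_t NAME_ASTRAL[] =     /* U+20BB7 as the pair D842 DFB7 */
    { 0x42,0xD8, 0xB7,0xDF };

/* Runs the checks; 0 means every expectation held, else the failing step. */
static int check_conversions(void)
{
    char out[64];
    if (utf16le_to_utf8(NAME_KATAKANA, 7, out, sizeof out) != 13 ||
        strcmp(out, "\xE3\x83\x86\xE3\x82\xB9\xE3\x83\x88.txt") != 0)
        return 1;
    if (ucs2_to_ascii_lossy(NAME_KATAKANA, 7, out, sizeof out) != 7 ||
        strcmp(out, "???.txt") != 0)
        return 2;                        /* the name is gone for good */
    if (ucs2_to_ascii_lossy(NAME_CJK, 5, out, sizeof out) != 5 ||
        strcmp(out, "A.txt") != 0)
        return 3;                        /* worse: a plausible but wrong name */
    if (utf16le_to_utf8(NAME_CJK, 5, out, sizeof out) != 7 ||
        strcmp(out, "\xE4\xB9\x81.txt") != 0)
        return 4;
    if (utf16le_to_utf8(NAME_ASTRAL, 2, out, sizeof out) != 4 ||
        strcmp(out, "\xF0\xA0\xAE\xB7") != 0)
        return 5;
    if (utf16le_to_utf8(NAME_ASTRAL, 1, out, sizeof out) != 3 ||
        strcmp(out, "\xEF\xBF\xBD") != 0)
        return 6;                        /* truncated pair -> U+FFFD, no crash */
    if (utf16le_to_utf8(NAME_KATAKANA, 7, out, 8) != -1)
        return 7;                        /* too small: refused, not overflowed */
    return 0;
}

int main(void)
{
    printf("%s\n", check_conversions() == 0 ? "all conversions as expected"
                                            : "mismatch");
    return 0;
}
```

The third check is the one worth remembering from an analyst's point of view: a low-byte-only conversion does not just lose a name, it can invent a plausible ASCII one (here "A.txt" for 乁.txt), so an output of that kind should never be treated as the file name an investigator saw on disk.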