sleuthkit-users Mailing List for The Sleuth Kit (Page 22)
From: Ketil F. <ke...@fr...> - 2015-09-29 06:47:59
On 29 Sep 2015 04:45, "Brian Carrier" <ca...@sl...> wrote:
> They are both equivalent. Any strong opinions?

Not really.

> Is this task tracking of interest?

For me again, not really. I work in an environment where we use several different tools, and I find it unlikely that we'd use tracking of this sort in one of the tools.

Regards,
Ketil
From: Simson G. <si...@ac...> - 2015-09-29 03:05:21
Brian,

Interesting files seems like a fine approach.

If you are going to add task management, then are you going to allow it to host on MySQL and have multi-user support? Pretty soon, you will have re-implemented PyFlag...

> On Sep 28, 2015, at 10:44 PM, Brian Carrier <ca...@sl...> wrote:
>
> Flagging the file so that it is in the tree for easy follow on analysis seems to be a common theme with the suggestions.
>
> We could do a few things:
> 1) Make a new artifact, such as “TSK_FILE_CANNOT_OPEN” that could have a description that says why.
>
> 2) Use the generic “TSK_INTERESTING_FILES” artifact with a set name that is why it could not be opened.
> — For those who have not used the Interesting Files module yet, it exists to flag files that meet certain criteria and there is a special section in the tree for them.
>
> They are both equivalent. Any strong opinions?
>
> This is also making me think about adding “task management” to Autopsy to help people track what needs to be done because it occurred to me that we could also make “tasks” to help you track which of the unsupported files that you have looked at yet or not. We could do this either with specially named tags (that can be deleted or moved to different “priorities”) or a new data type.
>
> Is this task tracking of interest?
>
>> On Sep 24, 2015, at 4:14 PM, Derrick Karpo <dk...@gm...> wrote:
>>
>> I don't mind the log message with an additional pop up in the lower right. That works for me. I don't recall but, are those problematic files marked somehow so that we can manually examine them after without digging through the log to identify them?
>>
>> Derrick
>>
>> On Thu, Sep 24, 2015 at 1:57 PM, Simson Garfinkel <si...@ac...> wrote:
>>> I think that there should be a general "alert" framework where any scanner can post processing alerts, and have them show up in the results like other results.
>>>
>>>> On Sep 24, 2015, at 3:50 PM, Brian Carrier <ca...@sl...> wrote:
>>>>
>>>> Autopsy will sometimes encounter allocated ZIP files that cannot be opened by 7Zip (or other tools). We’re currently creating a log message, but no one probably sees though. Would you rather that we pop up an error message in the lower right? I’d suggest this only be done for allocated files rather than deleted files (that could be corrupt).
>>>>
>>>> Opinions?
>>>>
>>>> _______________________________________________
>>>> sleuthkit-users mailing list
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> http://www.sleuthkit.org
From: Brian C. <ca...@sl...> - 2015-09-29 02:44:24
Flagging the file so that it is in the tree for easy follow on analysis seems to be a common theme with the suggestions.

We could do a few things:
1) Make a new artifact, such as “TSK_FILE_CANNOT_OPEN” that could have a description that says why.

2) Use the generic “TSK_INTERESTING_FILES” artifact with a set name that is why it could not be opened.
— For those who have not used the Interesting Files module yet, it exists to flag files that meet certain criteria and there is a special section in the tree for them.

They are both equivalent. Any strong opinions?

This is also making me think about adding “task management” to Autopsy to help people track what needs to be done because it occurred to me that we could also make “tasks” to help you track which of the unsupported files that you have looked at yet or not. We could do this either with specially named tags (that can be deleted or moved to different “priorities”) or a new data type.

Is this task tracking of interest?

> On Sep 24, 2015, at 4:14 PM, Derrick Karpo <dk...@gm...> wrote:
>
> I don't mind the log message with an additional pop up in the lower right. That works for me. I don't recall but, are those problematic files marked somehow so that we can manually examine them after without digging through the log to identify them?
>
> Derrick
>
> On Thu, Sep 24, 2015 at 1:57 PM, Simson Garfinkel <si...@ac...> wrote:
>> I think that there should be a general "alert" framework where any scanner can post processing alerts, and have them show up in the results like other results.
>>
>>> On Sep 24, 2015, at 3:50 PM, Brian Carrier <ca...@sl...> wrote:
>>>
>>> Autopsy will sometimes encounter allocated ZIP files that cannot be opened by 7Zip (or other tools). We’re currently creating a log message, but no one probably sees though. Would you rather that we pop up an error message in the lower right? I’d suggest this only be done for allocated files rather than deleted files (that could be corrupt).
>>>
>>> Opinions?
From: Simson G. <si...@ac...> - 2015-09-25 02:00:50
Yes, the alerts would go in the tree. That way they could be reviewed as a set, and any technology for annotating or selecting tree leafs could be used for alerts as well.

> On Sep 24, 2015, at 5:13 PM, Brian Carrier <ca...@sl...> wrote:
>
> Do you mean the alert would be in the tree (at the same level as say Web Bookmarks)?
>
>> On Sep 24, 2015, at 3:57 PM, Simson Garfinkel <si...@ac...> wrote:
>>
>> I think that there should be a general "alert" framework where any scanner can post processing alerts, and have them show up in the results like other results.
>>
>>> On Sep 24, 2015, at 3:50 PM, Brian Carrier <ca...@sl...> wrote:
>>>
>>> Autopsy will sometimes encounter allocated ZIP files that cannot be opened by 7Zip (or other tools). We’re currently creating a log message, but no one probably sees though. Would you rather that we pop up an error message in the lower right? I’d suggest this only be done for allocated files rather than deleted files (that could be corrupt).
>>>
>>> Opinions?
From: Brian C. <ca...@sl...> - 2015-09-24 21:13:09
Do you mean the alert would be in the tree (at the same level as say Web Bookmarks)?

> On Sep 24, 2015, at 3:57 PM, Simson Garfinkel <si...@ac...> wrote:
>
> I think that there should be a general "alert" framework where any scanner can post processing alerts, and have them show up in the results like other results.
>
>> On Sep 24, 2015, at 3:50 PM, Brian Carrier <ca...@sl...> wrote:
>>
>> Autopsy will sometimes encounter allocated ZIP files that cannot be opened by 7Zip (or other tools). We’re currently creating a log message, but no one probably sees though. Would you rather that we pop up an error message in the lower right? I’d suggest this only be done for allocated files rather than deleted files (that could be corrupt).
>>
>> Opinions?
From: Ketil F. <ke...@fr...> - 2015-09-24 20:33:59
How about adding an artifact group for files that can't be opened, and adding them there in addition to logging the reason? That would make it easier to automate reruns with tools to repair broken zip-files or try to decrypt encrypted files, and it'd still be possible to look in the log to find the reason it didn't open initially.

Regards,
Ketil

On 24 Sep 2015 21:51, "Brian Carrier" <ca...@sl...> wrote:
> Autopsy will sometimes encounter allocated ZIP files that cannot be opened by 7Zip (or other tools). We’re currently creating a log message, but no one probably sees though. Would you rather that we pop up an error message in the lower right? I’d suggest this only be done for allocated files rather than deleted files (that could be corrupt).
>
> Opinions?
From: Derrick K. <dk...@gm...> - 2015-09-24 20:14:32
I don't mind the log message with an additional pop up in the lower right. That works for me. I don't recall but, are those problematic files marked somehow so that we can manually examine them after without digging through the log to identify them?

Derrick

On Thu, Sep 24, 2015 at 1:57 PM, Simson Garfinkel <si...@ac...> wrote:
> I think that there should be a general "alert" framework where any scanner can post processing alerts, and have them show up in the results like other results.
>
>> On Sep 24, 2015, at 3:50 PM, Brian Carrier <ca...@sl...> wrote:
>>
>> Autopsy will sometimes encounter allocated ZIP files that cannot be opened by 7Zip (or other tools). We’re currently creating a log message, but no one probably sees though. Would you rather that we pop up an error message in the lower right? I’d suggest this only be done for allocated files rather than deleted files (that could be corrupt).
>>
>> Opinions?
From: Simson G. <si...@ac...> - 2015-09-24 19:57:17
I think that there should be a general "alert" framework where any scanner can post processing alerts, and have them show up in the results like other results.

> On Sep 24, 2015, at 3:50 PM, Brian Carrier <ca...@sl...> wrote:
>
> Autopsy will sometimes encounter allocated ZIP files that cannot be opened by 7Zip (or other tools). We’re currently creating a log message, but no one probably sees though. Would you rather that we pop up an error message in the lower right? I’d suggest this only be done for allocated files rather than deleted files (that could be corrupt).
>
> Opinions?
From: Brian C. <ca...@sl...> - 2015-09-24 19:50:28
Autopsy will sometimes encounter allocated ZIP files that cannot be opened by 7Zip (or other tools). We’re currently creating a log message, but no one probably sees though. Would you rather that we pop up an error message in the lower right? I’d suggest this only be done for allocated files rather than deleted files (that could be corrupt).

Opinions?
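The check this thread is about, written out as an added example (not Autopsy or Sleuth Kit code): classify a candidate ZIP as openable or not, keep the reason for the log or for an "interesting files" set name, and only flag allocated files so deleted (possibly corrupt) ones stay quiet. The sample archives and the allocated/deleted map are constructed inline.

```python
import io
import zipfile
from typing import Optional


def classify_zip(data: bytes) -> Optional[str]:
    """Return None if the archive opens and verifies cleanly, otherwise a short
    reason string suitable for a log line or an 'interesting file' set name."""
    if not data.startswith(b"PK"):
        return "no ZIP signature"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flags marks an encrypted entry;
            # zipfile cannot read those without a password.
            encrypted = [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
            if encrypted:
                return "encrypted entries: " + ", ".join(encrypted)
            # testzip() reads every member and checks its CRC-32; it returns
            # the first bad member name, or None when all members verify.
            bad = zf.testzip()
            if bad is not None:
                return f"CRC or read error in entry {bad}"
    except zipfile.BadZipFile as exc:
        return f"bad ZIP structure: {exc}"
    return None


def flag_unopenable(files, allocated):
    """files: {name: bytes}; allocated: {name: bool}.
    Returns [(name, reason)] for allocated files that fail to open, so
    deleted files (which may simply be corrupt) do not generate noise."""
    flagged = []
    for name, data in files.items():
        if not allocated.get(name, False):
            continue
        reason = classify_zip(data)
        if reason is not None:
            flagged.append((name, reason))
    return flagged


def _build_zip(entries):
    # Helper for the constructed samples: an uncompressed (stored) archive.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (hypothetical, not from the thread).
GOOD_ZIP = _build_zip({"a.txt": b"hello world"})
TRUNCATED_ZIP = GOOD_ZIP[:-10]  # end-of-central-directory record cut short
CORRUPT_ZIP = GOOD_ZIP.replace(b"hello world", b"hellO world")  # stored data changed, CRC now stale
NOT_A_ZIP = b"%PDF-1.4 not really an archive"

SAMPLE_FILES = {
    "report.zip": GOOD_ZIP,
    "partial.zip": TRUNCATED_ZIP,
    "tampered.zip": CORRUPT_ZIP,
    "renamed.zip": NOT_A_ZIP,
    "deleted.zip": TRUNCATED_ZIP,
}
SAMPLE_ALLOCATED = {
    "report.zip": True,
    "partial.zip": True,
    "tampered.zip": True,
    "renamed.zip": True,
    "deleted.zip": False,  # unallocated: broken but not worth an alert
}

if __name__ == "__main__":
    for name, reason in flag_unopenable(SAMPLE_FILES, SAMPLE_ALLOCATED):
        print(f"{name}: {reason}")
```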
From: Brian C. <ca...@sl...> - 2015-09-24 14:55:31
Hi John,

At one point it compiled on Linux. To be honest though, we don’t use the framework anymore in active development. We’re using Autopsy for all of those projects.

thanks,
brian

> On Sep 23, 2015, at 4:58 PM, slo...@gm... wrote:
>
> Please disregard the Poco error from make. I failed to notice that the Ubuntu package was poco version 1.3.8. I installed poco 1.6 from source and compiled the framework successfully.
>
> On Wed, Sep 23, 2015 at 1:11 PM, slo...@gm... <slo...@gm...> wrote:
> I have never installed the framework under linux, but it appears it is possible. However, I get the following error on ./configure
>
> ****************************
> Modules missing dependencies:
> cat: ../*/missing_libs.txt: No such file or directory
> ****************************
>
> I searched the parent directory and subdirectories, and missing_libs.txt is not present. Is the missing file critical? I'm guessing it is not based on its name...
>
> Proceeding with the compilation, the make command results in this error:
>
> In file included from TskServices.cpp:15:0:
> ../../../tsk/framework/services/TskSystemPropertiesImpl.h:87:11: error: 'AutoPtr' in namespace 'Poco' does not name a template type
> Poco::AutoPtr<Poco::Util::AbstractConfiguration> m_abstractConfig;
> ^
> ../../../tsk/framework/services/TskSystemPropertiesImpl.h: In constructor 'TskSystemPropertiesImpl::TskSystemPropertiesImpl()':
> ../../../tsk/framework/services/TskSystemPropertiesImpl.h:52:33: error: class 'TskSystemPropertiesImpl' does not have any field named 'm_abstractConfig'
> TskSystemPropertiesImpl() : m_abstractConfig(static_cast<Poco::Util::AbstractConfiguration*>(NULL)) {}
> ^
> Makefile:425: recipe for target 'TskServices.lo' failed
>
> I will install poco from source to try to correct the make error, rather than using the Ubuntu 15.04 libpoco-dev package. However, this doesn't look like a package error.
>
> Any guidance/installation experience appreciated.
>
> John
From: <slo...@gm...> - 2015-09-23 20:58:35
Please disregard the Poco error from make. I failed to notice that the Ubuntu package was poco version 1.3.8. I installed poco 1.6 from source and compiled the framework successfully.

On Wed, Sep 23, 2015 at 1:11 PM, slo...@gm... <slo...@gm...> wrote:
> I have never installed the framework under linux, but it appears it is possible. However, I get the following error on ./configure
>
> ****************************
> Modules missing dependencies:
> cat: ../*/missing_libs.txt: No such file or directory
> ****************************
>
> I searched the parent directory and subdirectories, and missing_libs.txt is not present. Is the missing file critical? I'm guessing it is not based on its name...
>
> Proceeding with the compilation, the make command results in this error:
>
> In file included from TskServices.cpp:15:0:
> ../../../tsk/framework/services/TskSystemPropertiesImpl.h:87:11: error: 'AutoPtr' in namespace 'Poco' does not name a template type
> Poco::AutoPtr<Poco::Util::AbstractConfiguration> m_abstractConfig;
> ^
> ../../../tsk/framework/services/TskSystemPropertiesImpl.h: In constructor 'TskSystemPropertiesImpl::TskSystemPropertiesImpl()':
> ../../../tsk/framework/services/TskSystemPropertiesImpl.h:52:33: error: class 'TskSystemPropertiesImpl' does not have any field named 'm_abstractConfig'
> TskSystemPropertiesImpl() : m_abstractConfig(static_cast<Poco::Util::AbstractConfiguration*>(NULL)) {}
> ^
> Makefile:425: recipe for target 'TskServices.lo' failed
>
> I will install poco from source to try to correct the make error, rather than using the Ubuntu 15.04 libpoco-dev package. However, this doesn't look like a package error.
>
> Any guidance/installation experience appreciated.
>
> John
From: <slo...@gm...> - 2015-09-23 20:11:35
I have never installed the framework under linux, but it appears it is possible. However, I get the following error on ./configure

****************************
Modules missing dependencies:
cat: ../*/missing_libs.txt: No such file or directory
****************************

I searched the parent directory and subdirectories, and missing_libs.txt is not present. Is the missing file critical? I'm guessing it is not based on its name...

Proceeding with the compilation, the make command results in this error:

In file included from TskServices.cpp:15:0:
../../../tsk/framework/services/TskSystemPropertiesImpl.h:87:11: error: 'AutoPtr' in namespace 'Poco' does not name a template type
Poco::AutoPtr<Poco::Util::AbstractConfiguration> m_abstractConfig;
^
../../../tsk/framework/services/TskSystemPropertiesImpl.h: In constructor 'TskSystemPropertiesImpl::TskSystemPropertiesImpl()':
../../../tsk/framework/services/TskSystemPropertiesImpl.h:52:33: error: class 'TskSystemPropertiesImpl' does not have any field named 'm_abstractConfig'
TskSystemPropertiesImpl() : m_abstractConfig(static_cast<Poco::Util::AbstractConfiguration*>(NULL)) {}
^
Makefile:425: recipe for target 'TskServices.lo' failed

I will install poco from source to try to correct the make error, rather than using the Ubuntu 15.04 libpoco-dev package. However, this doesn't look like a package error.

Any guidance/installation experience appreciated.

John
From: Richer, M. (CIV) <mhr...@np...> - 2015-09-20 22:10:36
While folks might usually want hashes, it's an expensive operation to perform on every file on a large source. I assume that's why it's an option. I suppose -m could be for md5, -s for sha1 etc so as not to be confused with help.

My 2 cents (likely worth as much),
Mark

On Sep 20, 2015, at 17:33, Rolf Inator <rol...@gm...> wrote:
> This happens when you expect something else...
> I thought the hashes are automatically calculated and didn't expect the "-h" switch to be the hash switch (expected "help" when using "h" ^^).
>
> However, thanks guys, this works great on a running Windows!
> --Rolf
>
> Sent: Sunday, 20 September 2015 at 20:09
> From: "Ketil Froyn" <ke...@fr...>
> To: "Rolf Inator" <rol...@gm...>
> Cc: sleuthkit-users <sle...@li...>, "Derrick Karpo" <dk...@gm...>
> Subject: Re: [sleuthkit-users] Fiwalk on running system
>
> You have to specify the -h option to calculate md5sums.
>
> http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html
>
> Ketil
>
> On 20 Sep 2015 18:38, "Rolf Inator" <rol...@gm...> wrote:
>> Thanks a lot to both of you! So far I tried tsk_loaddb, since it was included in the sleuthkit 4.2.0 on sourceforge. However, I will give fiwalk another try as soon as I tried out tsk_loaddb!
>>
>> So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1 machine and it worked out pretty good! The sqlite DB was written to disk; the only thing I noticed (and what is a little bit weird) is that the column "md5" in tsk_files is null for every row.
>> Do you have any idea why this is happening? (I started the cmd as Administrator for C:, so the rights should be fine ;) ).
>>
>> Thanks again!
>> --Rolf
>>
>>> Sent: Friday, 18 September 2015 at 17:14
>>> From: "Derrick Karpo" <dk...@gm...>
>>> To: "Rolf Inator" <rol...@gm...>, "sleuthkit-users users" <sle...@li...>
>>> Subject: Re: [sleuthkit-users] Fiwalk on running system
>>>
>>> Hi Rolf.
>>>
>>> I'm not sure if Michael's suggestion works with the latest fiwalk or not but if it doesn't, have you looked at tsk_loaddb as an alternative to fiwalk? fiwalk hasn't been getting as much development lately but tsk_loaddb is actively developed and outputs all the results into a SQLite database. Something like this would work with tsk_loaddb:
>>>
>>> tsk_loaddb -d myimage.db \\.\c:
>>>
>>> Alternatively, for physical disks:
>>>
>>> wmic diskdrive list
>>> tsk_loaddb -d myimage.db \\.\PhysicalDrive0
>>>
>>> Derrick
>>>
>>> On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <scu...@gm...> wrote:
>>>> Does it work if you give it the volume name? fiwalk \\.\C:
>>>>
>>>> On 18 September 2015 at 14:50, Rolf Inator <rol...@gm...> wrote:
>>>>> Hi list,
>>>>>
>>>>> I wonder if it's possible to run fiwalk on a live system? The documentation says
>>>>> user@forensicbox:~$ fiwalk
>>>>> usage: fiwalk [options] iso-name
>>>>>
>>>>> The problem I am facing is, that if I want to run fiwalk over a bitlocker encrypted dd image, I have to install Dislocker (a new driver) on my Linux system. It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.
>>>>>
>>>>> I hope that was clear :)
>>>>>
>>>>> Kind regards,
>>>>> Rolf
From: Rolf I. <rol...@gm...> - 2015-09-20 21:33:04
This happens when you expect something else...
I thought the hashes are automatically calculated and didn't expect the "-h" switch to be the hash switch (expected "help" when using "h" ^^).

However, thanks guys, this works great on a running Windows!
--Rolf

Sent: Sunday, 20 September 2015 at 20:09
From: "Ketil Froyn" <ke...@fr...>
To: "Rolf Inator" <rol...@gm...>
Cc: sleuthkit-users <sle...@li...>, "Derrick Karpo" <dk...@gm...>
Subject: Re: [sleuthkit-users] Fiwalk on running system

> You have to specify the -h option to calculate md5sums.
>
> http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html
>
> Ketil
>
> On 20 Sep 2015 18:38, "Rolf Inator" <rol...@gm...> wrote:
>> Thanks a lot to both of you! So far I tried tsk_loaddb, since it was included in the sleuthkit 4.2.0 on sourceforge. However, I will give fiwalk another try as soon as I tried out tsk_loaddb!
>>
>> So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1 machine and it worked out pretty good! The sqlite DB was written to disk; the only thing I noticed (and what is a little bit weird) is that the column "md5" in tsk_files is null for every row.
>> Do you have any idea why this is happening? (I started the cmd as Administrator for C:, so the rights should be fine ;) ).
>>
>> Thanks again!
>> --Rolf
>>
>>> Sent: Friday, 18 September 2015 at 17:14
>>> From: "Derrick Karpo" <dk...@gm...>
>>> To: "Rolf Inator" <rol...@gm...>, "sleuthkit-users users" <sle...@li...>
>>> Subject: Re: [sleuthkit-users] Fiwalk on running system
>>>
>>> Hi Rolf.
>>>
>>> I'm not sure if Michael's suggestion works with the latest fiwalk or not but if it doesn't, have you looked at tsk_loaddb as an alternative to fiwalk? fiwalk hasn't been getting as much development lately but tsk_loaddb is actively developed and outputs all the results into a SQLite database. Something like this would work with tsk_loaddb:
>>>
>>> tsk_loaddb -d myimage.db \\.\c:
>>>
>>> Alternatively, for physical disks:
>>>
>>> wmic diskdrive list
>>> tsk_loaddb -d myimage.db \\.\PhysicalDrive0
>>>
>>> Derrick
>>>
>>> On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <scu...@gm...> wrote:
>>>> Does it work if you give it the volume name? fiwalk \\.\C:
>>>>
>>>> On 18 September 2015 at 14:50, Rolf Inator <rol...@gm...> wrote:
>>>>> Hi list,
>>>>>
>>>>> I wonder if it's possible to run fiwalk on a live system? The documentation says
>>>>> user@forensicbox:~$ fiwalk
>>>>> usage: fiwalk [options] iso-name
>>>>>
>>>>> The problem I am facing is, that if I want to run fiwalk over a bitlocker encrypted dd image, I have to install Dislocker (a new driver) on my Linux system. It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.
>>>>>
>>>>> I hope that was clear :)
>>>>>
>>>>> Kind regards,
>>>>> Rolf
From: Ketil F. <ke...@fr...> - 2015-09-20 18:36:41
You have to specify the -h option to calculate md5sums.

http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html

Ketil

On 20 Sep 2015 18:38, "Rolf Inator" <rol...@gm...> wrote:

> Thanks a lot to both of you! So far I tried tsk_loaddb, since it was
> included in the sleuthkit 4.2.0 on sourceforge. However, I will give fiwalk
> another try as soon as I have tried out tsk_loaddb!
>
> So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1
> machine and it worked out pretty well! The sqlite DB was written to disk;
> the only thing I noticed (and what is a little bit weird) is that the
> column "md5" in tsk_files is null for every row.
> Do you have any idea why this is happening? (I started the cmd as
> Administrator for C:, so the rights should be fine ;) ).
>
> Thanks again!
> --Rolf
>
>
> > Sent: Friday, 18 September 2015 at 17:14
> > From: "Derrick Karpo" <dk...@gm...>
> > To: "Rolf Inator" <rol...@gm...>, "sleuthkit-users users" <sle...@li...>
> > Subject: Re: [sleuthkit-users] Fiwalk on running system
> >
> > Hi Rolf.
> >
> > I'm not sure if Michael's suggestion works with the latest fiwalk or
> > not but if it doesn't, have you looked at tsk_loaddb as an alternative
> > to fiwalk? fiwalk hasn't been getting as much development lately but
> > tsk_loaddb is actively developed and outputs all the results into a
> > SQLite database. Something like this would work with tsk_loaddb:
> >
> > tsk_loaddb -d myimage.db \\.\c:
> >
> > Alternatively, for physical disks:
> >
> > wmic diskdrive list
> > tsk_loaddb -d myimage.db \\.\PhysicalDrive0
> >
> > Derrick
> >
> >
> > On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <scu...@gm...> wrote:
> > > Does it work if you give it the volume name? fiwalk \\.\C:
> > >
> > > On 18 September 2015 at 14:50, Rolf Inator <rol...@gm...> wrote:
> > >> Hi list,
> > >>
> > >> I wonder if it's possible to run fiwalk on a live system? The documentation says
> > >> user@forensicbox:~$ fiwalk
> > >> usage: fiwalk [options] iso-name
> > >>
> > >> The problem I am facing is that if I want to run fiwalk over a BitLocker encrypted dd image, I have to install Dislocker (a new driver) on my Linux system.
> > >> It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.
> > >>
> > >> I hope that was clear :)
> > >>
> > >> Kind regards,
> > >> Rolf
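Ketil's answer (md5 stays NULL unless tsk_loaddb is run with -h) is easy to verify from the database itself. The following Python is an added example, not code from the list or from The Sleuth Kit: it counts how many regular-file rows of tsk_files carry a hash and lists the ones that do not. The in-memory demo database uses a constructed subset of the tsk_files schema (only the columns obj_id, fs_obj_id, name, parent_path, meta_type, size and md5 are modelled, and meta_type 1 = regular file is taken from the TSK enumeration); the row values and hash strings are placeholders. Swap build_demo_db(...) for sqlite3.connect("myimage.db") to run the same check against a real tsk_loaddb output.

```python
"""Check hash coverage in a tsk_loaddb SQLite database.

Added example, not code from the list or from The Sleuth Kit.
"""
import sqlite3
from typing import Dict, List, Optional

# Constructed subset of the tsk_files table that tsk_loaddb writes. Only the
# columns queried below are modelled; meta_type values follow the TSK
# enumeration (1 = regular file, 2 = directory), which is an assumption here.
DEMO_SCHEMA = """
CREATE TABLE tsk_files (
    obj_id      INTEGER PRIMARY KEY,
    fs_obj_id   INTEGER,
    name        TEXT,
    parent_path TEXT,
    meta_type   INTEGER,
    size        INTEGER,
    md5         TEXT
);
"""


def md5_coverage(conn: sqlite3.Connection) -> Dict[str, object]:
    """Count regular files with and without an md5 value.

    COUNT(md5) ignores NULLs, so hashed and unhashed fall out of one query.
    hashing_disabled is True when not a single file carries a hash, which is
    the symptom of a tsk_loaddb run without -h.
    """
    total, hashed = conn.execute(
        "SELECT COUNT(*), COUNT(md5) FROM tsk_files WHERE meta_type = 1"
    ).fetchone()
    return {
        "regular_files": total,
        "hashed": hashed,
        "unhashed": total - hashed,
        "hashing_disabled": total > 0 and hashed == 0,
    }


def files_missing_md5(conn: sqlite3.Connection,
                      limit: Optional[int] = None) -> List[str]:
    """Full paths (parent_path + name) of regular files whose md5 is NULL."""
    sql = ("SELECT parent_path || name FROM tsk_files "
           "WHERE meta_type = 1 AND md5 IS NULL ORDER BY obj_id")
    params = ()
    if limit is not None:
        sql += " LIMIT ?"
        params = (limit,)
    return [row[0] for row in conn.execute(sql, params)]


def build_demo_db(with_hashes: bool) -> sqlite3.Connection:
    r"""Constructed in-memory stand-in for a database written by tsk_loaddb.

    with_hashes=False imitates `tsk_loaddb -d myimage.db \\.\c:` (md5 NULL
    everywhere); with_hashes=True imitates the same run with -h added.
    The rows and the 32-character hash strings are placeholders.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    rows = [
        (1, 1, "Windows", "/", 2, 0, None),  # directory: never hashed
        (2, 1, "notepad.exe", "/Windows/", 1, 4096, "0" * 32),
        (3, 1, "hosts", "/Windows/System32/drivers/etc/", 1, 824, "1" * 32),
        (4, 1, "pagefile.sys", "/", 1, 1 << 30, "2" * 32),
    ]
    rows = [r[:6] + ((r[6] if with_hashes else None),) for r in rows]
    conn.executemany("INSERT INTO tsk_files VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    # Replace build_demo_db(...) with sqlite3.connect("myimage.db") for a real run.
    for flag in (False, True):
        db = build_demo_db(with_hashes=flag)
        print("with -h:" if flag else "without -h:", md5_coverage(db))
        print("   first unhashed:", files_missing_md5(db, limit=2))
```

A database where every regular file is unhashed is the signature of the missing -h, not of a permissions problem; a partially hashed one points at files tsk_loaddb could not read, which the second function lists so they can be hashed separately.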
From: Rolf I. <rol...@gm...> - 2015-09-20 16:37:06
Thanks a lot to both of you! So far I tried tsk_loaddb, since it was included in the sleuthkit 4.2.0 on sourceforge. However, I will give fiwalk another try as soon as I have tried out tsk_loaddb!

So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1 machine and it worked out pretty well! The sqlite DB was written to disk; the only thing I noticed (and what is a little bit weird) is that the column "md5" in tsk_files is null for every row.
Do you have any idea why this is happening? (I started the cmd as Administrator for C:, so the rights should be fine ;) ).

Thanks again!
--Rolf

> Sent: Friday, 18 September 2015 at 17:14
> From: "Derrick Karpo" <dk...@gm...>
> To: "Rolf Inator" <rol...@gm...>, "sleuthkit-users users" <sle...@li...>
> Subject: Re: [sleuthkit-users] Fiwalk on running system
>
> Hi Rolf.
>
> I'm not sure if Michael's suggestion works with the latest fiwalk or
> not but if it doesn't, have you looked at tsk_loaddb as an alternative
> to fiwalk? fiwalk hasn't been getting as much development lately but
> tsk_loaddb is actively developed and outputs all the results into a
> SQLite database. Something like this would work with tsk_loaddb:
>
> tsk_loaddb -d myimage.db \\.\c:
>
> Alternatively, for physical disks:
>
> wmic diskdrive list
> tsk_loaddb -d myimage.db \\.\PhysicalDrive0
>
> Derrick
>
>
> On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <scu...@gm...> wrote:
> > Does it work if you give it the volume name? fiwalk \\.\C:
> >
> > On 18 September 2015 at 14:50, Rolf Inator <rol...@gm...> wrote:
> >> Hi list,
> >>
> >> I wonder if it's possible to run fiwalk on a live system? The documentation says
> >> user@forensicbox:~$ fiwalk
> >> usage: fiwalk [options] iso-name
> >>
> >> The problem I am facing is that if I want to run fiwalk over a BitLocker encrypted dd image, I have to install Dislocker (a new driver) on my Linux system.
> >> It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.
> >>
> >> I hope that was clear :)
> >>
> >> Kind regards,
> >> Rolf
From: Michael H. <mi...@ac...> - 2015-09-20 13:38:34
Hi,

I have an application that sub-classes TskAuto to run through all the files in an image. I've run into an issue where the file metadata in the TSK_FS_FILE structure passed to TskAuto::processFile represents a different inode than is returned by opening the same file by path/filename using tsk_fs_file_open. The inode address is different and the file content is different. If I look up the inode address passed to TskAuto::processFile using ffind, it indicates that it belongs to a different file.

Can someone please explain this behavior?

Thanks,
Mike
From: brads <br...@ny...> - 2015-09-20 01:25:06
Thank you very much for clarifying that. I gotta go brush up on my sed and awk skillz o.0

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Saturday, September 19, 2015 8:54 PM
To: brads <br...@ny...>
Cc: sle...@li...
Subject: Re: [sleuthkit-users] how do I get the file location without a scan?

tsk_recover relies on metadata to recover files. photorec is a carver. It recovers files based on patterns in the data. They use completely different approaches. As such, they will recover different content.

If you got back the files, and there are only 400 of them, then be grateful and rename them manually. Either that, or restore from your backups.

On Sep 19, 2015, at 7:37 PM, brads <br...@ny...> wrote:

I think you are correct in your first assessment of how it is created. I was a little off.

tsk_recover failed to retrieve unallocated files that photorec was able to retrieve.
I don't understand why one would fail and the other would not.

Brad

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Saturday, September 19, 2015 4:03 PM
To: brads <br...@ny...>
Cc: sle...@li...
Subject: Re: [sleuthkit-users] how do I get the file location without a scan?

Hi Brad.

It sounds like you are trying to recover the data from a drive that has been hit by Cryptowall.

Are you sure that it first deletes the file, then makes a copy of the file, and encrypts the resulting file? If it does that, then how would it get the data for the deleted file? More likely, the program encrypts the file to a new, temporary name, deletes the file, and then renames the encrypted file to the new file. Or, alternatively, it could simply encrypt in place. (That's what I would do, if I was writing such a program, as it wouldn't require additional file space.)

In any event, you can use tsk_recover to recover all of the unallocated files that can be "undeleted". If you are going to go after this with file carving it's unlikely that you'll like the results, as most file carvers can only recover contiguous files. The exception is JPEGs, which isn't what you are trying to recover.

Is this your system or a client's? Faced with Cryptowall, your best bet is to go to the backups.

Simson

On Sep 19, 2015, at 2:34 PM, brads <br...@ny...> wrote:

Yes, the string in question is the filename.
The data in question fell victim to Cryptowall 3.0
From what I read and can tell, Cryptowall 3.0 first deletes the file and then makes a copy of the file and encrypts that.
Extundelete fails to undelete the original file. Photorec recovers the original file but blows out the file name, which is not acceptable for the 4000 files in question.
All corrupted files are .docx and .pdf formats.

My thought is to create a python script that searches the string, then calculates the offset and then uses dd to carve out the file and name that file to the proper name.
The image is 189GB and is mounted ro from an EXT4 file system

Thank you sincerely for any guidance you can provide.

Brad

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Saturday, September 19, 2015 1:43 PM
To: brads <br...@ny...>
Cc: sle...@li...
Subject: Re: [sleuthkit-users] how do I get the file location without a scan?

Hi Brad.

Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images?

Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides?

Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type?

Simson

On Sep 19, 2015, at 1:15 PM, brads <br...@ny...> wrote:

I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png
I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do.
How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust?

Brad
From: Simson G. <si...@ac...> - 2015-09-20 00:54:11
tsk_recover relies on metadata to recover files. photorec is a carver. It recovers files based on patterns in the data. They use completely different approaches. As such, they will recover different content.

If you got back the files, and there are only 400 of them, then be grateful and rename them manually. Either that, or restore from your backups.

> On Sep 19, 2015, at 7:37 PM, brads <br...@ny...> wrote:
>
> I think you are correct in your first assessment of how it is created. I was a little off.
>
> tsk_recover failed to retrieve unallocated files that photorec was able to retrieve.
> I don't understand why one would fail and the other would not.
>
> Brad
>
> From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
> Sent: Saturday, September 19, 2015 4:03 PM
> To: brads <br...@ny...>
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] how do I get the file location without a scan?
>
> Hi Brad.
>
> It sounds like you are trying to recover the data from a drive that has been hit by Cryptowall.
>
> Are you sure that it first deletes the file, then makes a copy of the file, and encrypts the resulting file? If it does that, then how would it get the data for the deleted file? More likely, the program encrypts the file to a new, temporary name, deletes the file, and then renames the encrypted file to the new file. Or, alternatively, it could simply encrypt in place. (That's what I would do, if I was writing such a program, as it wouldn't require additional file space.)
>
> In any event, you can use tsk_recover to recover all of the unallocated files that can be "undeleted". If you are going to go after this with file carving it's unlikely that you'll like the results, as most file carvers can only recover contiguous files. The exception is JPEGs, which isn't what you are trying to recover.
>
> Is this your system or a client's? Faced with Cryptowall, your best bet is to go to the backups.
>
> Simson
>
>
>> On Sep 19, 2015, at 2:34 PM, brads <br...@ny...> wrote:
>>
>> Yes, the string in question is the filename.
>> The data in question fell victim to Cryptowall 3.0
>> From what I read and can tell, Cryptowall 3.0 first deletes the file and then makes a copy of the file and encrypts that.
>> Extundelete fails to undelete the original file. Photorec recovers the original file but blows out the file name, which is not acceptable for the 4000 files in question.
>> All corrupted files are .docx and .pdf formats.
>>
>> My thought is to create a python script that searches the string, then calculates the offset and then uses dd to carve out the file and name that file to the proper name.
>> The image is 189GB and is mounted ro from an EXT4 file system
>>
>> Thank you sincerely for any guidance you can provide.
>>
>> Brad
>>
>> From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
>> Sent: Saturday, September 19, 2015 1:43 PM
>> To: brads <br...@ny...>
>> Cc: sle...@li...
>> Subject: Re: [sleuthkit-users] how do I get the file location without a scan?
>>
>> Hi Brad.
>>
>> Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images?
>>
>> Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides?
>>
>> Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type?
>>
>> Simson
>>
>>
>>> On Sep 19, 2015, at 1:15 PM, brads <br...@ny...> wrote:
>>>
>>> I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png
>>> I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do.
>>> How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust?
>>>
>>> Brad
From: brads <br...@ny...> - 2015-09-19 23:37:51
I think you are correct in your first assessment of how it is created. I was a little off.

tsk_recover failed to retrieve unallocated files that photorec was able to retrieve.
I don't understand why one would fail and the other would not.

Brad

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Saturday, September 19, 2015 4:03 PM
To: brads <br...@ny...>
Cc: sle...@li...
Subject: Re: [sleuthkit-users] how do I get the file location without a scan?

Hi Brad.

It sounds like you are trying to recover the data from a drive that has been hit by Cryptowall.

Are you sure that it first deletes the file, then makes a copy of the file, and encrypts the resulting file? If it does that, then how would it get the data for the deleted file? More likely, the program encrypts the file to a new, temporary name, deletes the file, and then renames the encrypted file to the new file. Or, alternatively, it could simply encrypt in place. (That's what I would do, if I was writing such a program, as it wouldn't require additional file space.)

In any event, you can use tsk_recover to recover all of the unallocated files that can be "undeleted". If you are going to go after this with file carving it's unlikely that you'll like the results, as most file carvers can only recover contiguous files. The exception is JPEGs, which isn't what you are trying to recover.

Is this your system or a client's? Faced with Cryptowall, your best bet is to go to the backups.

Simson

On Sep 19, 2015, at 2:34 PM, brads <br...@ny...> wrote:

Yes, the string in question is the filename.
The data in question fell victim to Cryptowall 3.0
From what I read and can tell, Cryptowall 3.0 first deletes the file and then makes a copy of the file and encrypts that.
Extundelete fails to undelete the original file. Photorec recovers the original file but blows out the file name, which is not acceptable for the 4000 files in question.
All corrupted files are .docx and .pdf formats.

My thought is to create a python script that searches the string, then calculates the offset and then uses dd to carve out the file and name that file to the proper name.
The image is 189GB and is mounted ro from an EXT4 file system

Thank you sincerely for any guidance you can provide.

Brad

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Saturday, September 19, 2015 1:43 PM
To: brads <br...@ny...>
Cc: sle...@li...
Subject: Re: [sleuthkit-users] how do I get the file location without a scan?

Hi Brad.

Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images?

Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides?

Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type?

Simson

On Sep 19, 2015, at 1:15 PM, brads <br...@ny...> wrote:

I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png
I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do.
How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust?

Brad
From: brads <br...@ny...> - 2015-09-19 22:39:50
As stated before, I can recover the files/data. But Photorec blows out the file names.

How does extundelete recover the file name for files it undeletes? Is there any reason I cannot manually look for the same data segment with hexdump that extundelete uses? That's what I am really looking for.

Brad

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Saturday, September 19, 2015 4:03 PM
To: brads <br...@ny...>
Cc: sle...@li...
Subject: Re: [sleuthkit-users] how do I get the file location without a scan?

Hi Brad.

It sounds like you are trying to recover the data from a drive that has been hit by Cryptowall.

Are you sure that it first deletes the file, then makes a copy of the file, and encrypts the resulting file? If it does that, then how would it get the data for the deleted file? More likely, the program encrypts the file to a new, temporary name, deletes the file, and then renames the encrypted file to the new file. Or, alternatively, it could simply encrypt in place. (That's what I would do, if I was writing such a program, as it wouldn't require additional file space.)

In any event, you can use tsk_recover to recover all of the unallocated files that can be "undeleted". If you are going to go after this with file carving it's unlikely that you'll like the results, as most file carvers can only recover contiguous files. The exception is JPEGs, which isn't what you are trying to recover.

Is this your system or a client's? Faced with Cryptowall, your best bet is to go to the backups.

Simson

On Sep 19, 2015, at 2:34 PM, brads <br...@ny...> wrote:

Yes, the string in question is the filename.
The data in question fell victim to Cryptowall 3.0
From what I read and can tell, Cryptowall 3.0 first deletes the file and then makes a copy of the file and encrypts that.
Extundelete fails to undelete the original file. Photorec recovers the original file but blows out the file name, which is not acceptable for the 4000 files in question.
All corrupted files are .docx and .pdf formats.

My thought is to create a python script that searches the string, then calculates the offset and then uses dd to carve out the file and name that file to the proper name.
The image is 189GB and is mounted ro from an EXT4 file system

Thank you sincerely for any guidance you can provide.

Brad

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Saturday, September 19, 2015 1:43 PM
To: brads <br...@ny...>
Cc: sle...@li...
Subject: Re: [sleuthkit-users] how do I get the file location without a scan?

Hi Brad.

Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images?

Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides?

Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type?

Simson

On Sep 19, 2015, at 1:15 PM, brads <br...@ny...> wrote:

I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png
I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do.
How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust?

Brad
From: Simson G. <si...@ac...> - 2015-09-19 20:03:34
Hi Brad.

It sounds like you are trying to recover the data from a drive that has been hit by Cryptowall.

Are you sure that it first deletes the file, then makes a copy of the file, and encrypts the resulting file? If it does that, then how would it get the data for the deleted file? More likely, the program encrypts the file to a new, temporary name, deletes the file, and then renames the encrypted file to the new file. Or, alternatively, it could simply encrypt in place. (That's what I would do, if I was writing such a program, as it wouldn't require additional file space.)

In any event, you can use tsk_recover to recover all of the unallocated files that can be "undeleted". If you are going to go after this with file carving it's unlikely that you'll like the results, as most file carvers can only recover contiguous files. The exception is JPEGs, which isn't what you are trying to recover.

Is this your system or a client's? Faced with Cryptowall, your best bet is to go to the backups.

Simson

> On Sep 19, 2015, at 2:34 PM, brads <br...@ny...> wrote:
>
> Yes, the string in question is the filename.
> The data in question fell victim to Cryptowall 3.0
> From what I read and can tell, Cryptowall 3.0 first deletes the file and then makes a copy of the file and encrypts that.
> Extundelete fails to undelete the original file. Photorec recovers the original file but blows out the file name, which is not acceptable for the 4000 files in question.
> All corrupted files are .docx and .pdf formats.
>
> My thought is to create a python script that searches the string, then calculates the offset and then uses dd to carve out the file and name that file to the proper name.
> The image is 189GB and is mounted ro from an EXT4 file system
>
> Thank you sincerely for any guidance you can provide.
>
> Brad
>
> From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
> Sent: Saturday, September 19, 2015 1:43 PM
> To: brads <br...@ny...>
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] how do I get the file location without a scan?
>
> Hi Brad.
>
> Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images?
>
> Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides?
>
> Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type?
>
> Simson
>
>
>> On Sep 19, 2015, at 1:15 PM, brads <br...@ny...> wrote:
>>
>> I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png
>> I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do.
>> How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust?
>>
>> Brad
From: Jon S. <JSt...@St...> - 2015-09-19 20:01:14
I am not sure I understand--you have 4000 filenames and you want to search for all of these and find where they occur (the disk offset)? And then once you find them... you are going to rename some files you've carved with photorec?

What I don't understand is how finding the filenames will help you rename the carved files. Can you elaborate on that? Note that the location of the filename on disk likely is nowhere near the file contents.

There are good ways* of searching for multiple strings within disk images, but it would be helpful if you could elaborate a bit more on what you're trying to accomplish so that we don't give you irrelevant/confusing/harmful advice.

Cheers,
Jon

*well, maybe only one

Sent from my iPhone

On Sep 19, 2015, at 2:35 PM, brads <br...@ny...> wrote:

Yes, the string in question is the filename.
The data in question fell victim to Cryptowall 3.0
From what I read and can tell, Cryptowall 3.0 first deletes the file and then makes a copy of the file and encrypts that.
Extundelete fails to undelete the original file. Photorec recovers the original file but blows out the file name, which is not acceptable for the 4000 files in question.
All corrupted files are .docx and .pdf formats.

My thought is to create a python script that searches the string, then calculates the offset and then uses dd to carve out the file and name that file to the proper name.
The image is 189GB and is mounted ro from an EXT4 file system

Thank you sincerely for any guidance you can provide.

Brad

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Saturday, September 19, 2015 1:43 PM
To: brads <br...@ny...>
Cc: sle...@li...
Subject: Re: [sleuthkit-users] how do I get the file location without a scan?

Hi Brad.

Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images?

Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides?

Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type?

Simson

On Sep 19, 2015, at 1:15 PM, brads <br...@ny...> wrote:

I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png
I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do.
How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust?

Brad
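Simson's point (tsk_recover follows metadata, photorec follows byte patterns, and carvers only handle contiguous files) and Jon's (the block holding a filename is usually nowhere near the block holding the file's data) can be shown side by side on a tiny image. The Python below is an added example, not code from the list or from The Sleuth Kit. Everything in it is constructed: a 7-block image with a 32-byte block size, a made-up directory-block format of the form name=block,block; (not ext4's on-disk layout), and two sample files, one of which is deliberately fragmented. It runs the three approaches from the thread: the strings -t d style offset search followed by the offset/block-size division that blkcalc performs, recovery by following the directory's block list (the metadata route tsk_recover and extundelete rely on), and a header-signature carver of the photorec kind.

```python
"""Filename string hits versus file data: metadata recovery versus carving.

Added example, not code from the list or from The Sleuth Kit. The image,
its 32-byte blocks and the directory-block format are constructed for the
demonstration and do not follow ext4's on-disk layout.
"""
from typing import Dict, List, Tuple

BLOCK_SIZE = 32

# Header signatures a carver keys on; the carver never learns a filename.
SIGNATURES = {b"PK\x03\x04": "docx", b"%PDF": "pdf"}


def _pad(chunk: bytes) -> bytes:
    assert len(chunk) <= BLOCK_SIZE, "constructed block too large"
    return chunk.ljust(BLOCK_SIZE, b"\x00")


def build_demo_image() -> bytes:
    """Constructed 7-block image: report.docx is fragmented (blocks 3 and 5)
    with notes.pdf sitting between its two fragments. Block 3 is exactly
    full, as every non-final block of a real file is."""
    blocks = [
        b"TOYFS bs=32",                              # 0: stand-in superblock
        b"report.docx=3,5;notes.pdf=4;",             # 1: directory: name=block list
        b"",                                         # 2: free
        b"PK\x03\x04quarterly figures Q3 2015 - ",  # 3: report.docx, part 1 (32 bytes)
        b"%PDF-1.4 notes %%EOF",                     # 4: notes.pdf, whole file
        b"continued PK\x05\x06",                     # 5: report.docx, part 2
        b"",                                         # 6: free
    ]
    return b"".join(_pad(b) for b in blocks)


def read_block(image: bytes, n: int) -> bytes:
    return image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]


def find_string_offsets(image: bytes, needle: bytes) -> List[int]:
    """Byte offsets of every occurrence, like `strings -t d | grep`."""
    hits, start = [], 0
    while (i := image.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def offset_to_block(offset: int, block_size: int = BLOCK_SIZE) -> Tuple[int, int]:
    """Byte offset -> (block number, offset within block): the division
    blkcalc performs once fsstat has reported the block size."""
    return divmod(offset, block_size)


def parse_directory(image: bytes) -> Dict[str, List[int]]:
    """Read the constructed directory block: 'name=b1,b2;name=b3;'."""
    raw = read_block(image, 1).rstrip(b"\x00").decode("ascii")
    table: Dict[str, List[int]] = {}
    for entry in filter(None, raw.split(";")):
        name, blocks = entry.split("=")
        table[name] = [int(b) for b in blocks.split(",")]
    return table


def locate_name(image: bytes, name: str) -> Tuple[int, List[int]]:
    """Block where the name string lives versus blocks where the data lives."""
    name_block = offset_to_block(find_string_offsets(image, name.encode())[0])[0]
    return name_block, parse_directory(image)[name]


def recover_by_metadata(image: bytes, name: str) -> bytes:
    """Follow the directory's block list: survives fragmentation, keeps the name."""
    data = b"".join(read_block(image, n) for n in parse_directory(image)[name])
    return data.rstrip(b"\x00")  # only the final block is partially used


def carve_by_header(image: bytes) -> List[Tuple[int, str, bytes]]:
    """Signature carver: from each block that starts with a known header,
    append following blocks until a free block or another header appears.
    It assumes contiguity and produces no names (photorec names by block)."""
    nblocks = len(image) // BLOCK_SIZE
    carved = []
    for n in range(nblocks):
        blk = read_block(image, n)
        kind = next((k for sig, k in SIGNATURES.items() if blk.startswith(sig)), None)
        if kind is None:
            continue
        data, m = blk, n + 1
        while m < nblocks:
            nxt = read_block(image, m)
            if not nxt.strip(b"\x00") or any(nxt.startswith(s) for s in SIGNATURES):
                break
            data += nxt
            m += 1
        carved.append((n, kind, data.rstrip(b"\x00")))
    return carved


if __name__ == "__main__":
    img = build_demo_image()
    print("name hit in block / data blocks:", locate_name(img, "report.docx"))
    print("metadata recovery:", recover_by_metadata(img, "report.docx"))
    for n, kind, data in carve_by_header(img):
        print(f"carved f{n:07d}.{kind}:", data)
```

The string hit on "report.docx" lands in block 1, the directory block; the data is in blocks 3 and 5, so an offset-driven dd from the hit would copy directory entries, not the document. Following the metadata returns the whole fragmented file under its name, while the carver truncates the docx at the pdf header and glues the docx's second fragment onto the pdf, which is the contiguous-files-only limitation Simson describes. On a real ext4 image the same mapping uses the tools the FS_Analysis wiki page covers: strings -t d over a blkls extract gives the byte offset, dividing by the block size from fsstat gives the unallocated block number, blkcalc -u maps it back to the original block, and ifind -d reports which inode (if any) still references it.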
From: brads <br...@ny...> - 2015-09-19 18:34:53
Yes, the string in question is the filename.
The data in question fell victim to Cryptowall 3.0
From what I read and can tell, Cryptowall 3.0 first deletes the file and then makes a copy of the file and encrypts that.
Extundelete fails to undelete the original file. Photorec recovers the original file but blows out the file name, which is not acceptable for the 4000 files in question.
All corrupted files are .docx and .pdf formats.

My thought is to create a python script that searches the string, then calculates the offset and then uses dd to carve out the file and name that file to the proper name.
The image is 189GB and is mounted ro from an EXT4 file system

Thank you sincerely for any guidance you can provide.

Brad

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Saturday, September 19, 2015 1:43 PM
To: brads <br...@ny...>
Cc: sle...@li...
Subject: Re: [sleuthkit-users] how do I get the file location without a scan?

Hi Brad.

Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images?

Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides?

Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type?

Simson

On Sep 19, 2015, at 1:15 PM, brads <br...@ny...> wrote:

I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png
I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do.
How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust?

Brad
From: Simson G. <si...@ac...> - 2015-09-19 17:42:56
Hi Brad.

Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images?

Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides?

Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type?

Simson

> On Sep 19, 2015, at 1:15 PM, brads <br...@ny...> wrote:
>
> I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png
> I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do.
> How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust?
>
> Brad