sleuthkit-users Mailing List for The Sleuth Kit (Page 211)
Brought to you by:
carrier
From: <rmu...@em...> - 2002-09-19 19:44:53
Sorry. I forgot to comment something in the fsmorgue file and that is why I get
the error. So, skip the error question and my questions are:

1. How do I define a live system if I am using Autopsy?

2. (same as previous email) If I try to browse the URL from IE, I either get
'the page cannot be displayed' or 'you are not authorized to view the page'
messages. If it is related to permission, can you tell me which file I should
change the permission on?

Sorry about this double message,
Rusma

>-- Original Message --
>From: rmu...@em...
>Subject: Re: [sleuthkit-users] FW: TASK with live systems
>To: sle...@li...
>Date: Thu, 19 Sep 2002 12:30:12 -0700
>
>Thanks, Brian!
>
>Now, I installed Autopsy on top of TASK. I have 2 questions in this regard:
>1. Since I plan to use it to analyze a live system and I don't have any image
>sample, I didn't add any images into the fsmorgue file. However, when I try
>to run it, I get the following error. Any inputs?
>
>Error: image in fsmorgue:1 not found: /Tools/task-1.50/morgue/imagesample
>Edit fsmorgue and refresh your browser
>(Or your version of Perl does not support large files)
>
>2. If I try to browse the URL from IE, I either get 'the page cannot be displayed'
>or 'you are not authorized to view the page' messages. If it is related to
>permission, can you tell me which file I should change the permission on?
>
>Thanks,
>Rusma
>
>>-- Original Message --
>>From: Brian Carrier <bca...@at...>
>>To: rmu...@em...
>>Cc: sle...@li...
>>Subject: Re: [sleuthkit-users] FW: TASK with live systems
>>Date: Thu, 19 Sep 2002 09:31:08 -0400
>>
>>Not yet. I think you have to use a different system call to open
>>the '\\.\C:' object. I honestly haven't looked into it yet, so I'm
>>not sure if it is possible or not.
>>
>>brian
>>
>>rmu...@em... (Wed, Sep 18, 2002 at 02:12:19PM -0700):
>>> Brian,
>>> Is it possible to test a live Windows 2000 file system?
>>> Currently, I have it installed on a Solaris machine and want to try to use
>>> it to test a live remote Windows 2000 file system. I don't have enough disk
>>> space to create an image of the file system.
>>> Thanks,
>>> Rusma
>>>
>>> >-- Original Message --
>>> >From: Brian Carrier <bca...@at...>
>>> >To: Rusma Mulyadi <rmu...@em...>
>>> >Cc: sle...@li...
>>> >Subject: Re: [sleuthkit-users] FW: TASK with live systems
>>> >Date: Tue, 17 Sep 2002 16:01:54 -0400
>>> >
>>> >Just reference the device. You may need to specify the raw one if it
>>> >gives you an error.
>>> >
>>> >i.e.:
>>> >
>>> >fls -f linux-ext2 /dev/hda1
>>> >
>>> >fls -f solaris /dev/rdsk/c0t0d0s6
>>> >
>>> >fls -f openbsd /dev/rwd0e
>>> >
>>> >brian
>>> >
>>> >Rusma Mulyadi (Tue, Sep 17, 2002 at 12:41:49PM -0700):
>>> >> Hi,
>>> >> I want to try TASK to test from a live system instead of images.
>>> >> How can I do this? It seems that all of the commands require an image as
>>> >> one of the arguments.
>>> >> Thanks,
>>> >> Rusma
>>> >
>>> >-------------------------------------------------------
>>> >This SF.NET email is sponsored by: AMD - Your access to the experts
>>> >on Hammer Technology! Open Source & Linux Developers, register now
>>> >for the AMD Developer Symposium. Code: EX8664
>>> >http://www.developwithamd.com/developerlab
>>> >_______________________________________________
>>> >sleuthkit-users mailing list
>>> >sle...@li...
>>> >https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>
>>-------------------------------------------------------
>>This sf.net email is sponsored by: ThinkGeek
>>Welcome to geek heaven.
>>http://thinkgeek.com/sf
>>_______________________________________________
>>sleuthkit-users mailing list
>>sle...@li...
>>https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
From: <rmu...@em...> - 2002-09-19 19:30:19
Thanks, Brian!

Now, I installed Autopsy on top of TASK. I have 2 questions in this regard:

1. Since I plan to use it to analyze a live system and I don't have any image
sample, I didn't add any images into the fsmorgue file. However, when I try
to run it, I get the following error. Any inputs?

Error: image in fsmorgue:1 not found: /Tools/task-1.50/morgue/imagesample
Edit fsmorgue and refresh your browser
(Or your version of Perl does not support large files)

2. If I try to browse the URL from IE, I either get 'the page cannot be displayed'
or 'you are not authorized to view the page' messages. If it is related to
permission, can you tell me which file I should change the permission on?

Thanks,
Rusma

>-- Original Message --
>From: Brian Carrier <bca...@at...>
>To: rmu...@em...
>Cc: sle...@li...
>Subject: Re: [sleuthkit-users] FW: TASK with live systems
>Date: Thu, 19 Sep 2002 09:31:08 -0400
>
>Not yet. I think you have to use a different system call to open
>the '\\.\C:' object. I honestly haven't looked into it yet, so I'm
>not sure if it is possible or not.
>
>brian
>
>rmu...@em... (Wed, Sep 18, 2002 at 02:12:19PM -0700):
>> Brian,
>> Is it possible to test a live Windows 2000 file system?
>> Currently, I have it installed on a Solaris machine and want to try to use
>> it to test a live remote Windows 2000 file system. I don't have enough disk
>> space to create an image of the file system.
>> Thanks,
>> Rusma
>>
>> >-- Original Message --
>> >From: Brian Carrier <bca...@at...>
>> >To: Rusma Mulyadi <rmu...@em...>
>> >Cc: sle...@li...
>> >Subject: Re: [sleuthkit-users] FW: TASK with live systems
>> >Date: Tue, 17 Sep 2002 16:01:54 -0400
>> >
>> >Just reference the device. You may need to specify the raw one if it
>> >gives you an error.
>> >
>> >i.e.:
>> >
>> >fls -f linux-ext2 /dev/hda1
>> >
>> >fls -f solaris /dev/rdsk/c0t0d0s6
>> >
>> >fls -f openbsd /dev/rwd0e
>> >
>> >brian
>> >
>> >Rusma Mulyadi (Tue, Sep 17, 2002 at 12:41:49PM -0700):
>> >> Hi,
>> >> I want to try TASK to test from a live system instead of images.
>> >> How can I do this? It seems that all of the commands require an image as
>> >> one of the arguments.
>> >> Thanks,
>> >> Rusma
From: Brian C. <bca...@at...> - 2002-09-19 13:34:23
Not yet. I think you have to use a different system call to open
the '\\.\C:' object. I honestly haven't looked into it yet, so I'm
not sure if it is possible or not.

brian

rmu...@em... (Wed, Sep 18, 2002 at 02:12:19PM -0700):
> Brian,
> Is it possible to test a live Windows 2000 file system?
> Currently, I have it installed on a Solaris machine and want to try to use
> it to test a live remote Windows 2000 file system. I don't have enough disk
> space to create an image of the file system.
> Thanks,
> Rusma
>
> >-- Original Message --
> >From: Brian Carrier <bca...@at...>
> >To: Rusma Mulyadi <rmu...@em...>
> >Cc: sle...@li...
> >Subject: Re: [sleuthkit-users] FW: TASK with live systems
> >Date: Tue, 17 Sep 2002 16:01:54 -0400
> >
> >Just reference the device. You may need to specify the raw one if it
> >gives you an error.
> >
> >i.e.:
> >
> >fls -f linux-ext2 /dev/hda1
> >
> >fls -f solaris /dev/rdsk/c0t0d0s6
> >
> >fls -f openbsd /dev/rwd0e
> >
> >brian
> >
> >Rusma Mulyadi (Tue, Sep 17, 2002 at 12:41:49PM -0700):
> >> Hi,
> >> I want to try TASK to test from a live system instead of images.
> >> How can I do this? It seems that all of the commands require an image as
> >> one of the arguments.
> >> Thanks,
> >> Rusma
From: <rmu...@em...> - 2002-09-18 21:12:30
Brian,
Is it possible to test a live Windows 2000 file system?
Currently, I have it installed on a Solaris machine and want to try to use
it to test a live remote Windows 2000 file system. I don't have enough disk
space to create an image of the file system.
Thanks,
Rusma

>-- Original Message --
>From: Brian Carrier <bca...@at...>
>To: Rusma Mulyadi <rmu...@em...>
>Cc: sle...@li...
>Subject: Re: [sleuthkit-users] FW: TASK with live systems
>Date: Tue, 17 Sep 2002 16:01:54 -0400
>
>Just reference the device. You may need to specify the raw one if it
>gives you an error.
>
>i.e.:
>
>fls -f linux-ext2 /dev/hda1
>
>fls -f solaris /dev/rdsk/c0t0d0s6
>
>fls -f openbsd /dev/rwd0e
>
>brian
>
>Rusma Mulyadi (Tue, Sep 17, 2002 at 12:41:49PM -0700):
>> Hi,
>> I want to try TASK to test from a live system instead of images.
>> How can I do this? It seems that all of the commands require an image as
>> one of the arguments.
>> Thanks,
>> Rusma
From: Brian C. <bca...@at...> - 2002-09-17 20:02:30
Just reference the device. You may need to specify the raw one if it
gives you an error.

i.e.:

fls -f linux-ext2 /dev/hda1

fls -f solaris /dev/rdsk/c0t0d0s6

fls -f openbsd /dev/rwd0e

brian

Rusma Mulyadi (Tue, Sep 17, 2002 at 12:41:49PM -0700):
> Hi,
> I want to try TASK to test from a live system instead of images.
> How can I do this? It seems that all of the commands require an image as
> one of the arguments.
> Thanks,
> Rusma
From: Brian C. <bca...@at...> - 2002-09-17 20:00:29
Skip Duckwall - TXDC Sysadmin (Tue, Sep 17, 2002 at 02:34:35PM -0500):
> During some security reading that I am fond of doing every now and
> again, I found in phrack# 59 this article
> http://www.phrack.com/show.php?p=59&a=6
> which talks about using the bad block inode to hide data that
> conventional tools such as TCT and TASK cannot locate. I was wondering
> if this had been fixed or even read by the maintainers of TASK...

It was actually never a problem with TASK. The design from TCT was changed
when NTFS was introduced because NTFS starts with MFT entry 0 and the root
directory is #5. So, the other file systems were changed in the process.

> I was
> also wondering if there was planned support for some of the new
> filesystems that are available on Linux, such as ext3, xfs, jfs, etc. (or
> Veritas support for that matter)..

ext3 is sort of supported. It is the same on-disk structure as ext2, just
with the addition of the journal. There is currently no support to dump the
journal contents in an intelligent manner though.

Additional file systems depend on available time...

brian
From: Rusma M. <rmu...@em...> - 2002-09-17 19:41:26
Hi,
I want to try TASK to test from a live system instead of images.
How can I do this? It seems that all of the commands require an image as
one of the arguments.
Thanks,
Rusma
From: Skip D. - T. S. <sk...@cy...> - 2002-09-17 19:35:03
During some security reading that I am fond of doing every now and
again, I found in phrack# 59 this article
http://www.phrack.com/show.php?p=59&a=6
which talks about using the bad block inode to hide data that
conventional tools such as TCT and TASK cannot locate. I was wondering
if this had been fixed or even read by the maintainers of TASK... I was
also wondering if there was planned support for some of the new
filesystems that are available on Linux, such as ext3, xfs, jfs, etc. (or
Veritas support for that matter)..

I'm also curious about computer forensics in general, as I have worked on
compromised boxes before and would like to move from being a sysadmin to
being into computer security... are there any decent resources out there
on computer forensics?

Thanks!
Skip Duckwall
From: jim <ji...@is...> - 2002-09-06 13:39:28
Hi,

I'm hoping someone can point me in the right direction. I am trying to do a
file recovery using a FAT32 image file residing on a Linux system, mounted
and exported using Samba. I am using Autopsy 1.60 and TASK 1.50 and can't
seem to figure out how to do a file recovery from the existing file system
or from unallocated areas.

Any help would be greatly appreciated
From: Brent D. <bre...@te...> - 2002-07-23 23:23:56
I don't know how much of an issue it really is. My solution to it was to
build a more-redundant keyword list. In my example to search for "Forensics
Investigator" I built a keyword list of "Forensic" and "Investigat" - it's a
game of more false positives versus catching something you would have
otherwise missed. In my case I didn't catch anything new.

Going through the image and doing an icat (I assume icat follows the inodes
to get the whole file?) would work. The best solution would be to store the
results in one big file that you could parse through. Exactly like what is
done currently but having the inode be the key instead of the offset. Then
having autopsy accept that format file to use in keyword searches.

My first thought was to mount the image read only, recursing through every
directory and doing a strings on each file. To cover deleted files use unrm
and strings each of those files. You can't cover slack and free space
obviously. By doing this I would have missed out on some cool functionality
of autopsy though.

Is this a feature/method worth implementing or is it really an issue? I
think being able to do keyword searches and have the results be keyed to
files instead of offsets would be nice - but that functionality is there
with ifind already. The current method would still have to be done for free
and slack space, while the deleted files could be recovered and run through
strings.

Good discussion!

-- Brent

-----Original Message-----
From: Brian Carrier [mailto:bca...@at...]
Sent: Tuesday, July 23, 2002 5:59 PM
To: Brent Deterding
Cc: List - Sleuthkit
Subject: Re: [sleuthkit-users] Splitting keywords across cluster boundaries?

That is a good point. I guess I could easily build in an option to do an
'icat' on every allocated inode and do a grep on the output. I'm sure it
would be much slower though. It would be fairly easy though.

brian

On Tue, Jul 23, 2002 at 05:55:18PM -0500, Brent Deterding wrote:
> Thanks for the quick response! Perhaps this is my ignorance or perhaps I
> didn't say what I meant to say.
>
> I understand the image is the image independent of any boundaries. If I'm
> searching an image for the keyword "Forensics Investigator" that string
> could be found in a file that is fragmented across the disk. "Forensics" may
> be at the beginning of the image and "Investigator" may be at the end of the
> image. Hence, searching the image for "Forensics Investigator" would not
> work, correct?
>
> In which case should I care? Especially if it's a large image with a lot of
> free space (indicating a lower probability of fragmentation and indicating a
> larger cluster size which would mean a lower probability that my string just
> happens to fall across a boundary).
>
> Brent Deterding
> GSEC, GCFW, GCIA, GCIH, RHCE
> Security Engineer
> TechGuard Security
> E-Mail: bre...@te...
> Phone: (636) 519-4848
>
> "NOTE: EMAIL IS NOT NECESSARILY SECURE"
>
> NOTICE: This communication may contain privileged or other confidential
> information. If you are not the intended recipient or believe that you may
> have received this communication in error, please reply to the sender
> indicating that fact and delete the copy you have received. In addition,
> you should not print, copy, retransmit, disseminate or otherwise use the
> information."
>
> -----Original Message-----
> From: Brian Carrier [mailto:bca...@at...]
> Sent: Tuesday, July 23, 2002 5:29 PM
> To: Brent Deterding
> Cc: List - Sleuthkit
> Subject: Re: [sleuthkit-users] Splitting keywords across cluster
> boundaries?
>
> You'll find the string. The strings file knows nothing about sectors,
> clusters, fragments etc. So, when your string is found, it will know
> the byte offset within the full image. It uses that value to calculate
> the first cluster / sector it is in and then uses the 'ifind' tool to
> identify which dentry / inode / MFT has allocated it (if any).
>
> The way that Autopsy does searches is likely not the most efficient
> time-wise, but it is the most accurate because it doesn't care about
> boundaries.
>
> brian
>
> NOTE: The tools use the sector number with FAT and not cluster number.
> Refer to the docs file for more details.
>
> HINT: To find the size of a fragment or cluster use either dcat -s or
> fsstat.
>
> On Tue, Jul 23, 2002 at 04:41:30PM -0500, Brent Deterding wrote:
> > Hello, (primarily Brian since no one else is signed up yet probably)
> > I'm thinking about the fundamental way I'm going about doing a keyword
> > search. I'm using autopsy/task to do the searches (well - the same
> > commands).
> >
> > I'm getting the strings output of the entire image with decimal offsets
> > (strings -a -t d <image>). This is on a large image with most of the image
> > being free space. It's FAT. I'm using the resulting strings file to do
> > searches against for keywords. My question being: What if a keyword fell
> > across a cluster boundary?
> >
> > Example: I'm searching for "Forensics Investigator" and it just so happens
> > that "Forensics" is on a different cluster than "Investigator" - the current
> > method would not catch this.
> >
> > First - should I even worry about this?
> > Second - I could make my search strings redundant (Have a "Forensics
> > Investigator" and a "Investigator" or "Investigat" or something).
> > Third - the surefire method - mount the image read-only, recurse through,
> > and strings each file - recover deleted files and strings each of them as
> > well.
> >
> > Thoughts?
> >
> > Brent Deterding
> > GSEC, GCFW, GCIA, GCIH, RHCE
> > Security Engineer
> > TechGuard Security
> > E-Mail: bre...@te...
> > Phone: (636) 519-4848
> >
> > "NOTE: EMAIL IS NOT NECESSARILY SECURE"
From: Brian C. <bca...@at...> - 2002-07-23 23:03:49
That is a good point. I guess I could easily build in an option to do an
'icat' on every allocated inode and do a grep on the output. I'm sure it
would be much slower though. It would be fairly easy though.

brian

On Tue, Jul 23, 2002 at 05:55:18PM -0500, Brent Deterding wrote:
> Thanks for the quick response! Perhaps this is my ignorance or perhaps I
> didn't say what I meant to say.
>
> I understand the image is the image independent of any boundaries. If I'm
> searching an image for the keyword "Forensics Investigator" that string
> could be found in a file that is fragmented across the disk. "Forensics" may
> be at the beginning of the image and "Investigator" may be at the end of the
> image. Hence, searching the image for "Forensics Investigator" would not
> work, correct?
>
> In which case should I care? Especially if it's a large image with a lot of
> free space (indicating a lower probability of fragmentation and indicating a
> larger cluster size which would mean a lower probability that my string just
> happens to fall across a boundary).
>
> Brent Deterding
> GSEC, GCFW, GCIA, GCIH, RHCE
> Security Engineer
> TechGuard Security
> E-Mail: bre...@te...
> Phone: (636) 519-4848
>
> "NOTE: EMAIL IS NOT NECESSARILY SECURE"
>
> -----Original Message-----
> From: Brian Carrier [mailto:bca...@at...]
> Sent: Tuesday, July 23, 2002 5:29 PM
> To: Brent Deterding
> Cc: List - Sleuthkit
> Subject: Re: [sleuthkit-users] Splitting keywords across cluster
> boundaries?
>
> You'll find the string. The strings file knows nothing about sectors,
> clusters, fragments etc. So, when your string is found, it will know
> the byte offset within the full image. It uses that value to calculate
> the first cluster / sector it is in and then uses the 'ifind' tool to
> identify which dentry / inode / MFT has allocated it (if any).
>
> The way that Autopsy does searches is likely not the most efficient
> time-wise, but it is the most accurate because it doesn't care about
> boundaries.
>
> brian
>
> NOTE: The tools use the sector number with FAT and not cluster number.
> Refer to the docs file for more details.
>
> HINT: To find the size of a fragment or cluster use either dcat -s or
> fsstat.
>
> On Tue, Jul 23, 2002 at 04:41:30PM -0500, Brent Deterding wrote:
> > Hello, (primarily Brian since no one else is signed up yet probably)
> > I'm thinking about the fundamental way I'm going about doing a keyword
> > search. I'm using autopsy/task to do the searches (well - the same
> > commands).
> >
> > I'm getting the strings output of the entire image with decimal offsets
> > (strings -a -t d <image>). This is on a large image with most of the image
> > being free space. It's FAT. I'm using the resulting strings file to do
> > searches against for keywords. My question being: What if a keyword fell
> > across a cluster boundary?
> >
> > Example: I'm searching for "Forensics Investigator" and it just so happens
> > that "Forensics" is on a different cluster than "Investigator" - the current
> > method would not catch this.
> >
> > First - should I even worry about this?
> > Second - I could make my search strings redundant (Have a "Forensics
> > Investigator" and a "Investigator" or "Investigat" or something).
> > Third - the surefire method - mount the image read-only, recurse through,
> > and strings each file - recover deleted files and strings each of them as
> > well.
> >
> > Thoughts?
> >
> > Brent Deterding
> > GSEC, GCFW, GCIA, GCIH, RHCE
> > Security Engineer
> > TechGuard Security
> > E-Mail: bre...@te...
> > Phone: (636) 519-4848
> >
> > "NOTE: EMAIL IS NOT NECESSARILY SECURE"
From: Brent D. <bre...@te...> - 2002-07-23 22:55:29
Thanks for the quick response! Perhaps this is my ignorance or perhaps I
didn't say what I meant to say.

I understand the image is the image independent of any boundaries. If I'm
searching an image for the keyword "Forensics Investigator" that string
could be found in a file that is fragmented across the disk. "Forensics" may
be at the beginning of the image and "Investigator" may be at the end of the
image. Hence, searching the image for "Forensics Investigator" would not
work, correct?

In which case should I care? Especially if it's a large image with a lot of
free space (indicating a lower probability of fragmentation and indicating a
larger cluster size which would mean a lower probability that my string just
happens to fall across a boundary).

Brent Deterding
GSEC, GCFW, GCIA, GCIH, RHCE
Security Engineer
TechGuard Security
E-Mail: bre...@te...
Phone: (636) 519-4848

"NOTE: EMAIL IS NOT NECESSARILY SECURE"

-----Original Message-----
From: Brian Carrier [mailto:bca...@at...]
Sent: Tuesday, July 23, 2002 5:29 PM
To: Brent Deterding
Cc: List - Sleuthkit
Subject: Re: [sleuthkit-users] Splitting keywords across cluster boundaries?

You'll find the string. The strings file knows nothing about sectors,
clusters, fragments etc. So, when your string is found, it will know
the byte offset within the full image. It uses that value to calculate
the first cluster / sector it is in and then uses the 'ifind' tool to
identify which dentry / inode / MFT has allocated it (if any).

The way that Autopsy does searches is likely not the most efficient
time-wise, but it is the most accurate because it doesn't care about
boundaries.

brian

NOTE: The tools use the sector number with FAT and not cluster number.
Refer to the docs file for more details.

HINT: To find the size of a fragment or cluster use either dcat -s or
fsstat.

On Tue, Jul 23, 2002 at 04:41:30PM -0500, Brent Deterding wrote:
> Hello, (primarily Brian since no one else is signed up yet probably)
> I'm thinking about the fundamental way I'm going about doing a keyword
> search. I'm using autopsy/task to do the searches (well - the same
> commands).
>
> I'm getting the strings output of the entire image with decimal offsets
> (strings -a -t d <image>). This is on a large image with most of the image
> being free space. It's FAT. I'm using the resulting strings file to do
> searches against for keywords. My question being: What if a keyword fell
> across a cluster boundary?
>
> Example: I'm searching for "Forensics Investigator" and it just so happens
> that "Forensics" is on a different cluster than "Investigator" - the current
> method would not catch this.
>
> First - should I even worry about this?
> Second - I could make my search strings redundant (Have a "Forensics
> Investigator" and a "Investigator" or "Investigat" or something).
> Third - the surefire method - mount the image read-only, recurse through,
> and strings each file - recover deleted files and strings each of them as
> well.
>
> Thoughts?
>
> Brent Deterding
> GSEC, GCFW, GCIA, GCIH, RHCE
> Security Engineer
> TechGuard Security
> E-Mail: bre...@te...
> Phone: (636) 519-4848
>
> "NOTE: EMAIL IS NOT NECESSARILY SECURE"
From: Brian C. <bca...@at...> - 2002-07-23 22:34:17

You'll find the string. The strings file knows nothing about sectors, clusters, fragments etc. So, when your string is found, it will know the byte offset within the full image. It uses that value to calculate the first cluster / sector it is in and then uses the 'ifind' tool to identify which dentry / inode / MFT has allocated it (if any).

The way that Autopsy does searches is likely not the most efficient time-wise, but it is the most accurate because it doesn't care about boundaries.

brian

NOTE: The tools use the sector number with FAT and not cluster number. Refer to the docs file for more details.
HINT: To find the size of a fragment or cluster use either dcat -s or fsstat.

On Tue, Jul 23, 2002 at 04:41:30PM -0500, Brent Deterding wrote:
> Hello, (primarily Brian since no one else is signed up yet probably)
> I'm thinking about the fundamental way I'm going about doing a keyword
> search. I'm using autopsy/task to do the searches (well - the same
> commands).
>
> I'm getting the strings output of the entire image with decimal offsets
> (strings -a -t d <image>). This is on a large image with most of the image
> being free space. It's fat. I'm using the resulting strings file to do
> searches against for keywords. My question being: What if a keyword fell
> across a cluster boundary?
>
> Example: I'm searching for "Forensics Investigator" and it just so happens
> that "Forensics" is on a different cluster than "Investigator" - the current
> method would not catch this.
>
> First - should I even worry about this?
> Second - I could make my search strings redundant (Have a "Forensics
> Investigator" and a "Investigator" or "Investigat" or something).
> Third - the surefire method - mount the image read-only, recurse through,
> and strings each file - recover deleted files and strings each of them as
> well.
>
> Thoughts?
>
> Brent Deterding
> GSEC, GCFW, GCIA, GCIH, RHCE
> Security Engineer
> TechGuard Security
> E-Mail: bre...@te...
> Phone: (636) 519-4848
>
> "NOTE: EMAIL IS NOT NECESSARILY SECURE"
>
> NOTICE: This communication may contain privileged or other confidential
> information. If you are not the intended recipient or believe that you may
> have received this communication in error, please reply to the sender
> indicating that fact and delete the copy you have received. In addition,
> you should not print, copy, retransmit, disseminate or otherwise use the
> information."
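The offset-to-sector step Brian describes, as an added Python example that is not Sleuth Kit or Autopsy code: it parses `strings -a -t d` output, maps each keyword hit to the sector it starts in (the unit ifind takes on FAT, per the note above) and to its cluster, and flags hits that straddle a cluster boundary, which is the case Brent is asking about. The cluster size and data-area start are assumed to come from fsstat; the 512-byte sector size, the sample strings output, the `ifind -f ... -d ...` syntax (current TSK) and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

SECTOR_SIZE = 512  # assumed; fsstat reports the real sector size

@dataclass
class Hit:
    offset: int              # byte offset of the keyword in the image
    sector: int              # first sector it touches (the unit ifind takes on FAT)
    cluster: int             # first cluster, counted from the start of the data area
    straddles_cluster: bool  # True when the keyword spans two clusters

def parse_strings_line(line):
    """Parse one line of `strings -a -t d` output: '<decimal offset> <text>'."""
    m = re.match(r"^\s*(\d+)\s(.*)$", line)
    return (int(m.group(1)), m.group(2)) if m else None

def find_hits(strings_output, keyword, cluster_size, data_area_start=0):
    """Map each keyword occurrence to the sector and cluster it starts in;
    sizes are bytes from fsstat, and FAT clusters count from the data area."""
    hits = []
    for line in strings_output.splitlines():
        parsed = parse_strings_line(line)
        if parsed is None:
            continue
        base, text = parsed
        pos = text.find(keyword)
        while pos >= 0:
            first = base + pos
            last = first + len(keyword) - 1
            c_first = (first - data_area_start) // cluster_size
            c_last = (last - data_area_start) // cluster_size
            hits.append(Hit(first, first // SECTOR_SIZE, c_first, c_first != c_last))
            pos = text.find(keyword, pos + 1)
    return hits

def ifind_command(image, hit, fstype="fat"):
    """ifind invocation (current TSK syntax, assumed) for the file owning the hit's sector."""
    return f"ifind -f {fstype} -d {hit.sector} {image}"

# Constructed sample of `strings -a -t d` output: the first hit straddles a
# 4096-byte cluster boundary (bytes 4090..4111), the second sits inside one.
SAMPLE = (
    "   4090 Forensics Investigator report draft\n"
    "   8192 Forensics Investigator\n"
    "  12345 unrelated text\n"
)

if __name__ == "__main__":
    for h in find_hits(SAMPLE, "Forensics Investigator", cluster_size=4096):
        print(h, ifind_command("disk.dd", h))
```

A hit found this way already proves both halves of the keyword are contiguous in the image; the straddle flag only tells you that two clusters, possibly allocated to different files, need to be checked with ifind.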
From: Brent D. <bre...@te...> - 2002-07-23 21:41:40

Hello, (primarily Brian since no one else is signed up yet probably)

I'm thinking about the fundamental way I'm going about doing a keyword search. I'm using autopsy/task to do the searches (well - the same commands).

I'm getting the strings output of the entire image with decimal offsets (strings -a -t d <image>). This is on a large image with most of the image being free space. It's fat. I'm using the resulting strings file to do searches against for keywords. My question being: What if a keyword fell across a cluster boundary?

Example: I'm searching for "Forensics Investigator" and it just so happens that "Forensics" is on a different cluster than "Investigator" - the current method would not catch this.

First - should I even worry about this?
Second - I could make my search strings redundant (Have a "Forensics Investigator" and a "Investigator" or "Investigat" or something).
Third - the surefire method - mount the image read-only, recurse through, and strings each file - recover deleted files and strings each of them as well.

Thoughts?

Brent Deterding
GSEC, GCFW, GCIA, GCIH, RHCE
Security Engineer
TechGuard Security
E-Mail: bre...@te...
Phone: (636) 519-4848

"NOTE: EMAIL IS NOT NECESSARILY SECURE"

NOTICE: This communication may contain privileged or other confidential information. If you are not the intended recipient or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you have received. In addition, you should not print, copy, retransmit, disseminate or otherwise use the information."