sleuthkit-users Mailing List for The Sleuth Kit (Page 25)
From: Tiago F. <tia...@gm...> - 2015-07-11 22:09:12

Seems like it. Well, it's going. Still another 50m for the first pen drive to be converted. I'll make sure to post the update.

Thank you again for the help and guidance!

On Sat, Jul 11, 2015 at 9:44 PM, Derrick Karpo <dk...@gm...> wrote:
> Ah. Is it perhaps because you now also have to use partclone to restore the raw image from your uncompressed file? Something like what they did here?
>
> http://askubuntu.com/questions/453114/restoring-clonezilla-images-cat-gzip-partclone-not-working
>
> Derrick
>
> On Jul 11, 2015 13:14, "Tiago Faria" <tia...@gm...> wrote:
>> Just some more information ... It seems the files I'm using don't contain a valid partition table:
>>
>> fdisk -l sde1.vfat-ptcl-img
>>
>> Disk sde1.vfat-ptcl-img: 15.6 GB, 15580242944 bytes
>> 255 heads, 63 sectors/track, 1894 cylinders, total 30430162 sectors
>> Units = sectors of 1 * 512 = 512 bytes
>> Sector size (logical/physical): 512 bytes / 512 bytes
>> I/O size (minimum/optimal): 512 bytes / 512 bytes
>> Disk identifier: 0x00000000
>>
>> Disk sde1.vfat-ptcl-img doesn't contain a valid partition table
>>
>> Maybe the partition table is stored somewhere else. Here is the full information about a certain disk from the clone:
>>
>> http://i.imgur.com/WqfvwbP.png
>>
>> On Sat, Jul 11, 2015 at 7:53 PM, Tiago Faria <tia...@gm...> wrote:
>>> Hi Derrick,
>>>
>>> First of all, thank you very much for getting back to me. I thought it could be that so I used 7zip to extract the "main" file. Tried both USB images I gathered from the evidence PC and the end result was as expected: two files with the USBs sizes, however, when trying to add as data source, the error is still there:
>>>
>>> Errors occured while ingesting image
>>> 1. Cannot determine file system type (Sector offset: 0)
>>>
>>> I would have no problem extracting all three images and using the resulting files as source, but it seems, at least for both these two vFAT drives, that Autopsy is having a problem with it as well.
>>>
>>> This is happening under v3, however, I also used v2 under GNU/Linux and had a similar result.
>>>
>>> Any tips?
>>>
>>> Once again, thank you for your help!
>>>
>>> On Sat, Jul 11, 2015 at 7:25 PM, Derrick Karpo <dk...@gm...> wrote:
>>>> Hi Tiago.
>>>>
>>>> I believe the issue you are seeing is that Clonezilla has created a split gzip image which sleuthkit does not accept. Sleuthkit/Autopsy will support a split raw image, but not a split gzip image. What you can do is uncompress your split image into a single raw image and that should work. Something like this should work:
>>>>
>>>> `cat sdd1.vfat-ptcl-img.gz.a* | gzip -d -c > sdd1.vfat-ptcl.img'
>>>>
>>>> Then add 'sdd1.vfat-ptcl.img' to Autopsy and see how that goes!
>>>>
>>>> Derrick
>>>>
>>>> On Sat, Jul 11, 2015 at 11:39 AM, Tiago Faria <tia...@gm...> wrote:
>>>>> Hi list,
>>>>>
>>>>> I'm having quite a hard time importing a data source of a computer that was cloned with CloneZilla. It was a simple clone process with the only difference of also cloning the USB disk drives that were also connected to the PC.
>>>>>
>>>>> The end result is something like this (only part of the content):
>>>>>
>>>>> http://i.imgur.com/CHiyGZr.png
>>>>>
>>>>> And I can't seem to add it as a data source, since I get the error:
>>>>>
>>>>> "Errors occured while ingesting image
>>>>> 1. Cannot determine file system type (Sector offset: 0)"
>>>>>
>>>>> Any tips? I'm really worried since this is all I got and I won't have access to the computer again.
>>>>>
>>>>> Thank you in advance!
>>>>>
>>>>> P.S.: Adding all parts of the archive as logical files seems to be accepted, but nothing useful is gathered (not even time stamps are displayed).
>>>>>
>>>>> _______________________________________________
>>>>> sleuthkit-users mailing list
>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>> http://www.sleuthkit.org
From: Derrick K. <dk...@gm...> - 2015-07-11 20:44:41

Ah. Is it perhaps because you now also have to use partclone to restore the raw image from your uncompressed file? Something like what they did here?

http://askubuntu.com/questions/453114/restoring-clonezilla-images-cat-gzip-partclone-not-working

Derrick

On Jul 11, 2015 13:14, "Tiago Faria" <tia...@gm...> wrote:
> Just some more information ... It seems the files I'm using don't contain a valid partition table:
>
> fdisk -l sde1.vfat-ptcl-img
>
> Disk sde1.vfat-ptcl-img: 15.6 GB, 15580242944 bytes
> 255 heads, 63 sectors/track, 1894 cylinders, total 30430162 sectors
> Units = sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> Disk identifier: 0x00000000
>
> Disk sde1.vfat-ptcl-img doesn't contain a valid partition table
>
> Maybe the partition table is stored somewhere else. Here is the full information about a certain disk from the clone:
>
> http://i.imgur.com/WqfvwbP.png
>
> On Sat, Jul 11, 2015 at 7:53 PM, Tiago Faria <tia...@gm...> wrote:
>> Hi Derrick,
>>
>> First of all, thank you very much for getting back to me. I thought it could be that so I used 7zip to extract the "main" file. Tried both USB images I gathered from the evidence PC and the end result was as expected: two files with the USBs sizes, however, when trying to add as data source, the error is still there:
>>
>> Errors occured while ingesting image
>> 1. Cannot determine file system type (Sector offset: 0)
>>
>> I would have no problem extracting all three images and using the resulting files as source, but it seems, at least for both these two vFAT drives, that Autopsy is having a problem with it as well.
>>
>> This is happening under v3, however, I also used v2 under GNU/Linux and had a similar result.
>>
>> Any tips?
>>
>> Once again, thank you for your help!
>>
>> On Sat, Jul 11, 2015 at 7:25 PM, Derrick Karpo <dk...@gm...> wrote:
>>> Hi Tiago.
>>>
>>> I believe the issue you are seeing is that Clonezilla has created a split gzip image which sleuthkit does not accept. Sleuthkit/Autopsy will support a split raw image, but not a split gzip image. What you can do is uncompress your split image into a single raw image and that should work. Something like this should work:
>>>
>>> `cat sdd1.vfat-ptcl-img.gz.a* | gzip -d -c > sdd1.vfat-ptcl.img'
>>>
>>> Then add 'sdd1.vfat-ptcl.img' to Autopsy and see how that goes!
>>>
>>> Derrick
>>>
>>> On Sat, Jul 11, 2015 at 11:39 AM, Tiago Faria <tia...@gm...> wrote:
>>>> Hi list,
>>>>
>>>> I'm having quite a hard time importing a data source of a computer that was cloned with CloneZilla. It was a simple clone process with the only difference of also cloning the USB disk drives that were also connected to the PC.
>>>>
>>>> The end result is something like this (only part of the content):
>>>>
>>>> http://i.imgur.com/CHiyGZr.png
>>>>
>>>> And I can't seem to add it as a data source, since I get the error:
>>>>
>>>> "Errors occured while ingesting image
>>>> 1. Cannot determine file system type (Sector offset: 0)"
>>>>
>>>> Any tips? I'm really worried since this is all I got and I won't have access to the computer again.
>>>>
>>>> Thank you in advance!
>>>>
>>>> P.S.: Adding all parts of the archive as logical files seems to be accepted, but nothing useful is gathered (not even time stamps are displayed).
From: Tiago F. <tia...@gm...> - 2015-07-11 19:15:00

Just some more information ... It seems the files I'm using don't contain a valid partition table:

fdisk -l sde1.vfat-ptcl-img

Disk sde1.vfat-ptcl-img: 15.6 GB, 15580242944 bytes
255 heads, 63 sectors/track, 1894 cylinders, total 30430162 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk sde1.vfat-ptcl-img doesn't contain a valid partition table

Maybe the partition table is stored somewhere else. Here is the full information about a certain disk from the clone:

http://i.imgur.com/WqfvwbP.png

On Sat, Jul 11, 2015 at 7:53 PM, Tiago Faria <tia...@gm...> wrote:
> Hi Derrick,
>
> First of all, thank you very much for getting back to me. I thought it could be that so I used 7zip to extract the "main" file. Tried both USB images I gathered from the evidence PC and the end result was as expected: two files with the USBs sizes, however, when trying to add as data source, the error is still there:
>
> Errors occured while ingesting image
> 1. Cannot determine file system type (Sector offset: 0)
>
> I would have no problem extracting all three images and using the resulting files as source, but it seems, at least for both these two vFAT drives, that Autopsy is having a problem with it as well.
>
> This is happening under v3, however, I also used v2 under GNU/Linux and had a similar result.
>
> Any tips?
>
> Once again, thank you for your help!
>
> On Sat, Jul 11, 2015 at 7:25 PM, Derrick Karpo <dk...@gm...> wrote:
>> Hi Tiago.
>>
>> I believe the issue you are seeing is that Clonezilla has created a split gzip image which sleuthkit does not accept. Sleuthkit/Autopsy will support a split raw image, but not a split gzip image. What you can do is uncompress your split image into a single raw image and that should work. Something like this should work:
>>
>> `cat sdd1.vfat-ptcl-img.gz.a* | gzip -d -c > sdd1.vfat-ptcl.img'
>>
>> Then add 'sdd1.vfat-ptcl.img' to Autopsy and see how that goes!
>>
>> Derrick
>>
>> On Sat, Jul 11, 2015 at 11:39 AM, Tiago Faria <tia...@gm...> wrote:
>>> Hi list,
>>>
>>> I'm having quite a hard time importing a data source of a computer that was cloned with CloneZilla. It was a simple clone process with the only difference of also cloning the USB disk drives that were also connected to the PC.
>>>
>>> The end result is something like this (only part of the content):
>>>
>>> http://i.imgur.com/CHiyGZr.png
>>>
>>> And I can't seem to add it as a data source, since I get the error:
>>>
>>> "Errors occured while ingesting image
>>> 1. Cannot determine file system type (Sector offset: 0)"
>>>
>>> Any tips? I'm really worried since this is all I got and I won't have access to the computer again.
>>>
>>> Thank you in advance!
>>>
>>> P.S.: Adding all parts of the archive as logical files seems to be accepted, but nothing useful is gathered (not even time stamps are displayed).
From: Tiago F. <tia...@gm...> - 2015-07-11 18:53:45

Hi Derrick,

First of all, thank you very much for getting back to me. I thought it could be that so I used 7zip to extract the "main" file. Tried both USB images I gathered from the evidence PC and the end result was as expected: two files with the USBs sizes, however, when trying to add as data source, the error is still there:

Errors occured while ingesting image
1. Cannot determine file system type (Sector offset: 0)

I would have no problem extracting all three images and using the resulting files as source, but it seems, at least for both these two vFAT drives, that Autopsy is having a problem with it as well.

This is happening under v3, however, I also used v2 under GNU/Linux and had a similar result.

Any tips?

Once again, thank you for your help!

On Sat, Jul 11, 2015 at 7:25 PM, Derrick Karpo <dk...@gm...> wrote:
> Hi Tiago.
>
> I believe the issue you are seeing is that Clonezilla has created a split gzip image which sleuthkit does not accept. Sleuthkit/Autopsy will support a split raw image, but not a split gzip image. What you can do is uncompress your split image into a single raw image and that should work. Something like this should work:
>
> `cat sdd1.vfat-ptcl-img.gz.a* | gzip -d -c > sdd1.vfat-ptcl.img'
>
> Then add 'sdd1.vfat-ptcl.img' to Autopsy and see how that goes!
>
> Derrick
>
> On Sat, Jul 11, 2015 at 11:39 AM, Tiago Faria <tia...@gm...> wrote:
>> Hi list,
>>
>> I'm having quite a hard time importing a data source of a computer that was cloned with CloneZilla. It was a simple clone process with the only difference of also cloning the USB disk drives that were also connected to the PC.
>>
>> The end result is something like this (only part of the content):
>>
>> http://i.imgur.com/CHiyGZr.png
>>
>> And I can't seem to add it as a data source, since I get the error:
>>
>> "Errors occured while ingesting image
>> 1. Cannot determine file system type (Sector offset: 0)"
>>
>> Any tips? I'm really worried since this is all I got and I won't have access to the computer again.
>>
>> Thank you in advance!
>>
>> P.S.: Adding all parts of the archive as logical files seems to be accepted, but nothing useful is gathered (not even time stamps are displayed).
From: Derrick K. <dk...@gm...> - 2015-07-11 18:25:54

Hi Tiago.

I believe the issue you are seeing is that Clonezilla has created a split gzip image which sleuthkit does not accept. Sleuthkit/Autopsy will support a split raw image, but not a split gzip image. What you can do is uncompress your split image into a single raw image and that should work. Something like this should work:

`cat sdd1.vfat-ptcl-img.gz.a* | gzip -d -c > sdd1.vfat-ptcl.img'

Then add 'sdd1.vfat-ptcl.img' to Autopsy and see how that goes!

Derrick

On Sat, Jul 11, 2015 at 11:39 AM, Tiago Faria <tia...@gm...> wrote:
> Hi list,
>
> I'm having quite a hard time importing a data source of a computer that was cloned with CloneZilla. It was a simple clone process with the only difference of also cloning the USB disk drives that were also connected to the PC.
>
> The end result is something like this (only part of the content):
>
> http://i.imgur.com/CHiyGZr.png
>
> And I can't seem to add it as a data source, since I get the error:
>
> "Errors occured while ingesting image
> 1. Cannot determine file system type (Sector offset: 0)"
>
> Any tips? I'm really worried since this is all I got and I won't have access to the computer again.
>
> Thank you in advance!
>
> P.S.: Adding all parts of the archive as logical files seems to be accepted, but nothing useful is gathered (not even time stamps are displayed).
From: Tiago F. <tia...@gm...> - 2015-07-11 17:40:23

Hi list,

I'm having quite a hard time importing a data source of a computer that was cloned with CloneZilla. It was a simple clone process with the only difference of also cloning the USB disk drives that were also connected to the PC.

The end result is something like this (only part of the content):

http://i.imgur.com/CHiyGZr.png

And I can't seem to add it as a data source, since I get the error:

"Errors occured while ingesting image
1. Cannot determine file system type (Sector offset: 0)"

Any tips? I'm really worried since this is all I got and I won't have access to the computer again.

Thank you in advance!

P.S.: Adding all parts of the archive as logical files seems to be accepted, but nothing useful is gathered (not even time stamps are displayed).
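The thread above hits two distinct problems: the split gzip parts (solved by concatenating and decompressing) and the fact that the decompressed `*-ptcl-img` file is still a partclone container rather than a raw file system, which is why fdisk and Autopsy find nothing at sector offset 0. The POSIX sh check below is an added example, not code from the thread, Clonezilla or The Sleuth Kit: it tells the two cases apart before the file is handed to Autopsy and derives the partclone restore command from Clonezilla's file naming. It assumes partclone images start with the magic string `partclone-image`, that a raw FAT/MBR boot sector carries `0x55 0xAA` at offset 510, and that partclone restores with `-r`, `-s` and `-o`; its sample files are constructed inline and are not real evidence.

```shell
#!/bin/sh
# Added example: classify what `cat ...gz.a* | gzip -d -c > out` produced,
# so a partclone container is not mistaken for a raw image (TSK needs raw).
# Assumptions: partclone magic "partclone-image" (15 bytes) at offset 0;
# boot signature 55 AA at offset 510; partclone restore options -r/-s/-o.

# Print one of: partclone | raw-bootsector | unknown (exit 1 for unknown).
image_kind() {
    f=$1
    # tr strips NUL bytes so an all-zero header does not upset the shell
    magic=$(head -c 15 "$f" 2>/dev/null | tr -d '\0')
    if [ "$magic" = "partclone-image" ]; then
        echo partclone
        return 0
    fi
    sig=$(dd if="$f" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$sig" = "55aa" ]; then
        echo raw-bootsector
        return 0
    fi
    echo unknown
    return 1
}

# Build the restore command from a Clonezilla name such as sde1.vfat-ptcl-img:
# the token between the first '.' and '-ptcl-img' is the file system, and
# partclone ships one program per file system (partclone.vfat, partclone.ext4, ...).
restore_cmd() {
    f=$1
    name=${f##*/}
    case $name in
        *-ptcl-img*) ;;
        *) echo "not a Clonezilla partclone file name: $name" >&2; return 1 ;;
    esac
    fs=${name#*.}
    fs=${fs%%-ptcl-img*}
    echo "partclone.$fs -r -s $f -o $f.raw"
}

# Constructed sample files (not real evidence): a minimal partclone header
# and a single 512-byte sector ending in the boot signature.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
PTCL_SAMPLE=$tmp/sde1.vfat-ptcl-img
RAW_SAMPLE=$tmp/sdd1.raw
printf 'partclone-image0001' > "$PTCL_SAMPLE"
{ head -c 510 /dev/zero; printf '\125\252'; } > "$RAW_SAMPLE"

for img in "$PTCL_SAMPLE" "$RAW_SAMPLE"; do
    kind=$(image_kind "$img") || true
    printf '%s: %s\n' "$img" "$kind"
    if [ "$kind" = partclone ]; then
        # Still a container: run this before adding the file to Autopsy.
        printf '  convert with: %s\n' "$(restore_cmd "$img")"
    fi
done
```

Only the `raw-bootsector` (or any other genuinely raw) output is something TSK's file system detection can work on; the partclone case needs the printed conversion first.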
From: Brian C. <ca...@sl...> - 2015-07-08 15:47:47

We posted the first of three tutorials on writing Python modules for Autopsy.

http://www.basistech.com/python-autopsy-module-tutorial-1-the-file-ingest-module/

This one focuses on basic file ingest modules. You have plenty of time to start working on a module for the OSDFCon competition (http://www.basistech.com/osdfcon-2015/osdfcon-contest/).

If you have any problems or questions, send an e-mail to the developers list.

thanks,
brian
From: Luís F. N. <lfc...@gm...> - 2015-07-07 19:36:55

Hi,

Is it possible for the obj_id column to have unused id ranges, I mean non-sequential ids? I have a case where I added several image evidences and I got the following error:

org.sleuthkit.datamodel.TskCoreException: Error getting file by id, id = 249694

Any help will be appreciated.

Thanks,
Luis Nassif
From: Brian C. <ca...@sl...> - 2015-06-29 13:54:57

Autopsy 3.1.3 has been released. You can download it from:

http://www.sleuthkit.org/autopsy/download.php

It includes:

• New Embedded File Extractor module that incorporates ZIP file module and extracts images from Office documents
• Updates to python scripting for Python 2.7, scripts are reloaded each time ingest is run, and errors are better shown.
• Views area counts updates when ZIP files and such are found
• Updated right click actions to be consistent across all file types
• Changed logic of Interesting Files module to look for substrings of parent path.
• Lots of minor fixes and enhancements

There is also a new NSRL index that you can download for their 2.48 update:

http://sourceforge.net/projects/autopsy/files/NSRL/
From: Tom Y. <to...@ya...> - 2015-06-23 21:53:52

John Stewart was able to help me get it working. I had to check out a specific tag (in this case 4.1.3) and then recompile.

Tom
PGP Key ID - B32585D0

On Tue, Jun 23, 2015 at 3:38 PM, Tom Yarrish <to...@ya...> wrote:
> Hello,
> I have an Ubuntu 14.04.02 at work, and I've compiled sleuthkit from source (off the github repo). Most of the tools run without any issues, however I'm not able to run srch_strings against any file (I even tried it against the NEWS.txt file in the TSK source directory). When I do, I get the following error:
>
> *** Error in `srch_strings': double free or corruption (fasttop): <hex address>
>
> The hex address changes each time so I'm assuming it's a memory address.
>
> Regular strings (the program) on the system works fine.
>
> I've never run into this error before on any of my systems so I'm not sure where to start looking for the problem.
>
> Thanks,
> Tom
>
> PGP Key ID - B32585D0
From: Tom Y. <to...@ya...> - 2015-06-23 21:09:05

Hello,
I have an Ubuntu 14.04.02 at work, and I've compiled sleuthkit from source (off the github repo). Most of the tools run without any issues, however I'm not able to run srch_strings against any file (I even tried it against the NEWS.txt file in the TSK source directory). When I do, I get the following error:

*** Error in `srch_strings': double free or corruption (fasttop): <hex address>

The hex address changes each time so I'm assuming it's a memory address.

Regular strings (the program) on the system works fine.

I've never run into this error before on any of my systems so I'm not sure where to start looking for the problem.

Thanks,
Tom

PGP Key ID - B32585D0
From: Brian C. <ca...@sl...> - 2015-06-22 13:46:30

Friendly reminder that voting ends tomorrow if you want to help pick the agenda for this year's OSDFCon.

> On Jun 9, 2015, at 4:57 PM, Brian Carrier <ca...@sl...> wrote:
>
> Thanks to everyone who submitted a talk to OSDFCon 2015. It's now time for the community to vote on what talks will be given. Votes must be entered by June 23, 2015. The form can be found here:
>
> http://www.basistech.com/osdfcon-2015/osdfcon-vote-for-presentations/
>
> About OSDFCon
>
> The 6th Annual Open Source Digital Forensics Conference (OSDFCon) will be held on October 28, 2015 at the Westin Washington Dulles. This conference focuses on tools and techniques that are open source and (typically) free to use. It is a one day event with short talks packed with information. There are both tool developers and users in attendance, and this is a unique opportunity to learn about new tools and provide feedback.
From: Owen O' S. <owe...@gm...> - 2015-06-15 13:25:05

Resending this to the list as I accidentally hit reply instead of reply all/reply to list.

On Thu, Jun 11, 2015 at 11:15 AM, Simson Garfinkel <si...@ac...> wrote:
> Can you post the specific error that you are getting for "the image file is unavailable"? That seems odd.

Because I had to kill the autopsy when it was hung, I can't show you the 21,000 errors in the bottom right hand corner all of which were this error, but if I load the case now, and run the performance test I can get the error:

Very worthwhile exercise, because now that I look at the target disk "disk2" I see that I am not even analysing the whole disk, only the active partition. That is actually valid in this case, but could have been a bad oversight in another case. I'm more used to linux where you point at the filesystem device file.

I need to make progress on the work, so I am going to go the bulk extractor route. I hope the above is useful to the developers to work out what is wrong with the build and maybe to suggest that they give some system requirements on the site based on the various resource requirements of the modules.

Owen.
From: Jon S. <JSt...@St...> - 2015-06-12 15:52:16

My colleague, Joel Uckelman, just submitted a PR to TSK yesterday so that fiwalk.exe can be built with mingw.

https://github.com/sleuthkit/sleuthkit/pull/467

Jon

> -----Original Message-----
> From: Richer, Mark (CIV) [mailto:mhr...@np...]
> Sent: Friday, June 12, 2015 10:35 AM
> To: sleuthkit-users
> Subject: [sleuthkit-users] fiwalk for Windows
>
> Does anyone have a working fiwalk.exe for Windows that is newer than 0.6.3, the last Windows installer found on http://digitalcorpora.org/downloads/fiwalk/ ?
>
> My colleague is finding 0.6.3 is crashing a lot on Windows, so we're hoping a newer version won't.
>
> Mark
>
> MARK H RICHER, MS CS
> Faculty Research Associate
> Computer Science Department
> Naval Postgraduate School - National Capital Region (NCR)
> 703-275-8533 (o) 571.303.9498 (m) mhr...@np...
From: Richer, M. (CIV) <mhr...@np...> - 2015-06-12 14:35:14

Does anyone have a working fiwalk.exe for Windows that is newer than 0.6.3, the last Windows installer found on http://digitalcorpora.org/downloads/fiwalk/ ?

My colleague is finding 0.6.3 is crashing a lot on Windows, so we're hoping a newer version won't.

Mark

MARK H RICHER, MS CS
Faculty Research Associate
Computer Science Department
Naval Postgraduate School - National Capital Region (NCR)
703-275-8533 (o) 571.303.9498 (m) mhr...@np...
From: timothy a. b. <ala...@gm...> - 2015-06-11 12:11:54

Owen

I agree with Adrian in using Simson's bulk extractor tool. Maybe consider using BitCurator, an Ubuntu distro which will automate the process of running bulk extractor, fiwalk and identify-filenames.py and it will generate pdf reports mapping the search terms to files.

Regards
Alan

-----Original Message-----
From: "sle...@li..." <sle...@li...>
Sent: 11/06/2015 13:03
To: "sle...@li..." <sle...@li...>
Subject: sleuthkit-users Digest, Vol 108, Issue 5

Today's Topics:

1. Re: Some guidance required (Owen O' Shaughnessy)

----------------------------------------------------------------------

Message: 1
Date: Thu, 11 Jun 2015 09:23:06 +0100
From: "Owen O' Shaughnessy" <owe...@gm...>
Subject: Re: [sleuthkit-users] Some guidance required
To: Simson Garfinkel <si...@ac...>
Cc: "sle...@li... Users" <sle...@li...>

On Wed, Jun 10, 2015 at 6:36 PM, Simson Garfinkel <si...@ac...> wrote:
> Hi, Owen.
>
> You didn't say how big your hard drives that you are ingesting,

Well, I've only ingested 1 drive, it's 500GB, with 29GB in allocated, from a 1 year old system.

> or how much storage you have on your analysis system.

The OS is on a 500GB hard drive with about 50GB used, the case is on a 3TB drive totally dedicated to this. The ingestion of the drive the first time used 9gb and the second time 10gb.

> However, from the sounds of it, your analysis system is under powered.

I think it could do with more ram alright, but other than that it's top spec. Unusual that there are no system requirements or suggestions on the site. It's not actually hitting the ram limit, hangs before that, so the system spec doesn't look to be a problem just yet.

> What kind of computer are you running on --- laptop or desktop

Desktop

> --- how far can you expand the RAM,

Up to 16GB is possible, up to 8gb is practical, but the system isn't running out of ram so I don't think it is actually underpowered, it hangs with half a gig of ram free, so upping that to 16gb won't help.

> and how big is your storage?

3.5TB

On this second ingestion, I can see that there are 21k errors saying that the image file is unavailable, I think that this is the problem, system isn't handling a local drive properly and is expecting an image file. Methinks it's not the tool for this job. I was hoping for the path of least resistance, but this ain't it.

Owen.

End of sleuthkit-users Digest, Vol 108, Issue 5
From: Owen O' S. <owe...@gm...> - 2015-06-11 08:23:12

On Wed, Jun 10, 2015 at 6:36 PM, Simson Garfinkel <si...@ac...> wrote:
> Hi, Owen.
>
> You didn't say how big your hard drives that you are ingesting,

Well, I've only ingested 1 drive, it's 500GB, with 29GB in allocated, from a 1 year old system.

> or how much storage you have on your analysis system.

The OS is on a 500GB hard drive with about 50GB used, the case is on a 3TB drive totally dedicated to this. The ingestion of the drive the first time used 9gb and the second time 10gb.

> However, from the sounds of it, your analysis system is under powered.

I think it could do with more ram alright, but other than that it's top spec. Unusual that there are no system requirements or suggestions on the site. It's not actually hitting the ram limit, hangs before that, so the system spec doesn't look to be a problem just yet.

> What kind of computer are you running on --- laptop or desktop

Desktop

> --- how far can you expand the RAM,

Up to 16GB is possible, up to 8gb is practical, but the system isn't running out of ram so I don't think it is actually underpowered, it hangs with half a gig of ram free, so upping that to 16gb won't help.

> and how big is your storage?

3.5TB

On this second ingestion, I can see that there are 21k errors saying that the image file is unavailable, I think that this is the problem, system isn't handling a local drive properly and is expecting an image file. Methinks it's not the tool for this job. I was hoping for the path of least resistance, but this ain't it.

Owen.
From: Brian C. <ca...@sl...> - 2015-06-10 19:39:40
|
From TSK_FS_DIR, you can get the TSK_FS_FILE for the directory. From the TSK_FS_FILE structure, you can get the TSK_FS_NAME structure, and that has a par_addr field with the metadata address of the parent. You can then get a TSK_FS_DIR for that by using tsk_fs_dir_open_meta().

> On Jun 10, 2015, at 5:56 AM, Lloyd <llo...@gm...> wrote:
>
> Hi,
>
> Is it possible to get the parent directory from a TSK_FS_DIR structure-based variable? I couldn't find anything related to this in the documentation.
>
> Thanks,
> Lloyd |
From: ade <adr...@nt...> - 2015-06-10 17:47:45
|
Hi Owen

Did you get just the hard disks, or were they still in the computer systems? If you got the full systems, I would cut 15 copies of the CAINE distro and boot all the systems with that. Prepare a keyword list containing unusual words or phrases from the "nasty letter" and feed that into the bulk_extractor "find" module.

You essentially need to triage the systems, identify the system(s) containing the nasty letter, then you can either image + forensicate those, or even use the evidence from bulk_extractor.

Do you know what format the letter was originally? If it was a .docx file then the contents are compressed. If the letter was deleted and ended up in unallocated space, it is no good doing a standard string search. bulk_extractor has the ability to find compressed data, decompress it in memory, then search that decompressed data for your strings.

TBH, I can't think of many cases where I wouldn't use bulk_extractor. Your situation screams out for triaging the disks with a Linux forensic distro + bulk_extractor.

Stumpy

On Wednesday 10 Jun 2015 16:49:27 Owen O' Shaughnessy wrote:
> Hi,
>
> I have a job to do, got 15 hard disks from an office and need to find out who wrote a nasty letter. My initial thought was to copy the live files from each disk, then carve out unallocated with blkls and then run foremost on the unallocated, index the lot and search for my keywords.
>
> Decided instead to give Autopsy a go, so I cranked up a Windows host, inputted my keywords and got it to ingest the first disk.
>
> Left it overnight, but in reality it hadn't progressed, as Autopsy had already run out of resources and was non-responsive when I left it. There was a red dot in the bottom right that I couldn't get info out of, a console with a message saying the image was no longer accessible and read error, a status bar on the bottom saying analyzing image 19% complete, and 8 hours later the status of all was still the same.
>
> Autopsy had used all available RAM on the PC, which is a Core i7 PC running Windows 8.1 Pro 64-bit with 4GB RAM.
>
> When I restarted Autopsy, the red dot revealed an error that my security software might be blocking the search server. OK, that'll be easy to sort, but my questions are:
>
> 1) Exactly how much RAM should I wedge into this system for Autopsy to run comfortably?
> 2) How can I verify if Autopsy successfully ingested the full hard disk?
> 3) By clicking all the options on the ingest, am I safe to assume that it is looking for my keywords in unallocated?
> 4) This is disk 1 of 15, am I OK to keep ingesting disks into this case, or for resource management should I be giving each disk its own case?
> 5) I assume, if ingesting all disks into this one case, I can name the individual disks after I ingest so that if I get a keyword hit I can determine who the culprit was?
>
> Would appreciate some guidance before I go much further. I'd like to evaluate Autopsy on this simple exercise, so don't really want to switch back to the Linux command line just yet.
>
> Thanks,
>
> Owen. |
From: Simson G. <si...@ac...> - 2015-06-10 17:36:55
|
Hi, Owen.

You didn't say how big the hard drives you are ingesting are, or how much storage you have on your analysis system. However, from the sounds of it, your analysis system is underpowered.

What kind of computer are you running on --- laptop or desktop --- how far can you expand the RAM, and how big is your storage?

On Wed, Jun 10, 2015 at 11:49 AM, Owen O' Shaughnessy <owe...@gm...> wrote:
> Hi,
>
> I have a job to do, got 15 hard disks from an office and need to find out who wrote a nasty letter. My initial thought was to copy the live files from each disk, then carve out unallocated with blkls and then run foremost on the unallocated, index the lot and search for my keywords.
>
> Decided instead to give Autopsy a go, so I cranked up a Windows host, inputted my keywords and got it to ingest the first disk.
>
> Left it overnight, but in reality it hadn't progressed, as Autopsy had already run out of resources and was non-responsive when I left it. There was a red dot in the bottom right that I couldn't get info out of, a console with a message saying the image was no longer accessible and read error, a status bar on the bottom saying analyzing image 19% complete, and 8 hours later the status of all was still the same.
>
> Autopsy had used all available RAM on the PC, which is a Core i7 PC running Windows 8.1 Pro 64-bit with 4GB RAM.
>
> When I restarted Autopsy, the red dot revealed an error that my security software might be blocking the search server. OK, that'll be easy to sort, but my questions are:
>
> 1) Exactly how much RAM should I wedge into this system for Autopsy to run comfortably?
> 2) How can I verify if Autopsy successfully ingested the full hard disk?
> 3) By clicking all the options on the ingest, am I safe to assume that it is looking for my keywords in unallocated?
> 4) This is disk 1 of 15, am I OK to keep ingesting disks into this case, or for resource management should I be giving each disk its own case?
> 5) I assume, if ingesting all disks into this one case, I can name the individual disks after I ingest so that if I get a keyword hit I can determine who the culprit was?
>
> Would appreciate some guidance before I go much further. I'd like to evaluate Autopsy on this simple exercise, so don't really want to switch back to the Linux command line just yet.
>
> Thanks,
>
> Owen. |
From: Owen O' S. <owe...@gm...> - 2015-06-10 15:49:33
|
Hi,

I have a job to do, got 15 hard disks from an office and need to find out who wrote a nasty letter. My initial thought was to copy the live files from each disk, then carve out unallocated with blkls and then run foremost on the unallocated, index the lot and search for my keywords.

Decided instead to give Autopsy a go, so I cranked up a Windows host, inputted my keywords and got it to ingest the first disk.

Left it overnight, but in reality it hadn't progressed, as Autopsy had already run out of resources and was non-responsive when I left it. There was a red dot in the bottom right that I couldn't get info out of, a console with a message saying the image was no longer accessible and read error, a status bar on the bottom saying analyzing image 19% complete, and 8 hours later the status of all was still the same.

Autopsy had used all available RAM on the PC, which is a Core i7 PC running Windows 8.1 Pro 64-bit with 4GB RAM.

When I restarted Autopsy, the red dot revealed an error that my security software might be blocking the search server. OK, that'll be easy to sort, but my questions are:

1) Exactly how much RAM should I wedge into this system for Autopsy to run comfortably?
2) How can I verify if Autopsy successfully ingested the full hard disk?
3) By clicking all the options on the ingest, am I safe to assume that it is looking for my keywords in unallocated?
4) This is disk 1 of 15, am I OK to keep ingesting disks into this case, or for resource management should I be giving each disk its own case?
5) I assume, if ingesting all disks into this one case, I can name the individual disks after I ingest so that if I get a keyword hit I can determine who the culprit was?

Would appreciate some guidance before I go much further. I'd like to evaluate Autopsy on this simple exercise, so don't really want to switch back to the Linux command line just yet.

Thanks,

Owen. |
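Owen's original plan (dump unallocated with blkls, carve with foremost, then string-search) and Ade's warning that a deleted .docx is a zip whose text is deflated, so a plain string search over unallocated space will miss it, are both illustrated by the following added example. It is not code from the thread, from bulk_extractor or from The Sleuth Kit; it uses only the Python standard library and models what Ade describes bulk_extractor doing: find zip local-file headers in a raw blob, inflate each entry in memory, and run the keyword list over the inflated bytes. The letter text, the keyword list and the "unallocated" blob are all constructed here; in a real case the blob would be a blkls dump of the suspect disk.

```python
import io
import random
import struct
import zipfile
import zlib

# Constructed sample data: a stand-in for the "nasty letter" and the phrases
# that would go on a bulk_extractor "find"-style keyword list.
LETTER_TEXT = "Your conduct at the Christmas party was utterly disgraceful."
KEYWORDS = [b"utterly disgraceful", b"Christmas party"]

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_LOCAL_HDR = struct.Struct("<HHHHHIIIHH")   # the 26 header bytes after the signature
ZIP_DEFLATED = 8
ZIP_STORED = 0
MAX_STREAM = 1 << 20                            # cap on bytes fed to the inflater per candidate


def build_docx(text):
    """Write a minimal .docx-like zip in memory: as in a real Word file, the body
    text lives in a deflated word/document.xml entry, so it is not stored raw."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body><w:p><w:r><w:t>Dear colleague,</w:t></w:r></w:p>'
                   '<w:p><w:r><w:t>%s</w:t></w:r></w:p>'
                   '<w:p><w:r><w:t>Regards</w:t></w:r></w:p></w:body></w:document>' % text)
    return buf.getvalue()


def build_unallocated(docx, seed=1):
    """Simulate a blkls dump of unallocated space (constructed): random filler with
    the deleted document's bytes sitting at an arbitrary offset in the middle."""
    rng = random.Random(seed)

    def filler(n):
        return bytes(rng.randrange(256) for _ in range(n))

    return filler(4096) + docx + filler(4096)


def plain_search(blob, keywords):
    """The naive approach: grep the raw bytes. Returns keyword -> offset (-1 if absent)."""
    return {k: blob.find(k) for k in keywords}


def carve_zip_entries(blob):
    """Walk every zip local-file header in the blob and yield
    (header_offset, entry_name, inflated_bytes, stream_complete).
    Header sizes are deliberately ignored: a carved or truncated entry may have them
    zeroed, so the inflater is simply run until the deflate stream ends or input runs out."""
    off = blob.find(ZIP_LOCAL_SIG)
    while off != -1:
        if off + 4 + ZIP_LOCAL_HDR.size <= len(blob):
            (_ver, _flags, method, _time, _date, _crc, _csize, usize,
             name_len, extra_len) = ZIP_LOCAL_HDR.unpack_from(blob, off + 4)
            name_start = off + 4 + ZIP_LOCAL_HDR.size
            data_start = name_start + name_len + extra_len
            name = blob[name_start:name_start + name_len].decode("utf-8", "replace")
            if method == ZIP_DEFLATED:
                inflater = zlib.decompressobj(-zlib.MAX_WBITS)   # raw deflate, no zlib header
                try:
                    data = inflater.decompress(blob[data_start:data_start + MAX_STREAM])
                except zlib.error:
                    data = None   # false-positive signature or hopelessly corrupt stream
                if data is not None:
                    yield off, name, data, inflater.eof
            elif method == ZIP_STORED and usize:
                yield off, name, blob[data_start:data_start + usize], True
        off = blob.find(ZIP_LOCAL_SIG, off + 1)


def search_carved(blob, keywords):
    """Decompress-then-search: one hit dict per (entry, keyword) match, with the
    header offset so the hit can be tied back to a block in the original dump."""
    hits = []
    for off, name, data, complete in carve_zip_entries(blob):
        for k in keywords:
            pos = data.find(k)
            if pos != -1:
                hits.append({"offset": off, "entry": name, "keyword": k,
                             "pos": pos, "complete": complete})
    return hits


if __name__ == "__main__":
    blob = build_unallocated(build_docx(LETTER_TEXT))
    print("raw string search:", plain_search(blob, KEYWORDS))
    for h in search_carved(blob, KEYWORDS):
        print("hit %r in %s (header at 0x%x, stream complete=%s)"
              % (h["keyword"], h["entry"], h["offset"], h["complete"]))
```

The raw search returns -1 for every keyword even though the letter is right there in the blob, because the text exists only inside a deflate stream; the carving pass inflates word/document.xml and finds both phrases. The `complete` flag matters on real dumps: when the tail of a deleted file has been overwritten, the inflater still returns whatever prefix it could decode, and a hit in an incomplete stream should be reported as such rather than silently treated as an intact document.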
From: Sylvain P. <syl...@gm...> - 2015-06-10 12:15:56
|
Hi,

I would like to know how to get the home path in Jython. I tried this code in my ingest module:

---------
import os

# Fall back to the current directory if no home directory can be determined.
home = os.curdir
if 'HOME' in os.environ:
    home = os.environ['HOME']
elif os.name == 'posix':
    home = os.path.expanduser("~/")
elif os.name == 'nt':
    # Windows: HOMEDRIVE + HOMEPATH gives the full path to the profile directory.
    if 'HOMEPATH' in os.environ and 'HOMEDRIVE' in os.environ:
        home = os.environ['HOMEDRIVE'] + os.environ['HOMEPATH']
    else:
        home = os.environ['HOMEPATH']
-----------

But when I run the ingest module in Autopsy, it crashes. Indeed, after some tests, it seems that the module crashes at the "import os". Yet this seems to be used in the official Jython documentation: http://www.jython.org/docs/library/os.html

Have you an idea of what to use?

Thanks |
From: Lloyd <llo...@gm...> - 2015-06-10 09:56:24
|
Hi,

Is it possible to get the parent directory from a TSK_FS_DIR structure-based variable? I couldn't find anything related to this in the documentation.

Thanks,
Lloyd |
From: Brian C. <ca...@sl...> - 2015-06-09 20:58:05
|
Thanks to everyone who submitted a talk to OSDFCon 2015. It's now time for the community to vote on what talks will be given. Votes must be entered by June 23, 2015. The form can be found here:

http://www.basistech.com/osdfcon-2015/osdfcon-vote-for-presentations/

About OSDFCon

The 6th Annual Open Source Digital Forensics Conference (OSDFCon) will be held on October 28, 2015 at the Westin Washington Dulles. This conference focuses on tools and techniques that are open source and (typically) free to use. It is a one day event with short talks packed with information. There are both tool developers and users in attendance, and this is a unique opportunity to learn about new tools and provide feedback. |
From: Brian C. <ca...@sl...> - 2015-06-05 17:28:38
|
Sidesh and I updated the sample module to:

- have an example reading artifacts using Python
- have easier logging
- skip non-files
- add URLs to the Java objects that are being passed in so that you have more context about what you can do

https://github.com/sleuthkit/autopsy/blob/develop/pythonExamples/fileIngestModule.py

Hopefully that helps!

> On Jun 3, 2015, at 6:00 PM, Brian Carrier <ca...@sl...> wrote:
>
>> On Jun 3, 2015, at 8:15 AM, Sylvain Petiot <syl...@gm...> wrote:
>>
>> Hello,
>>
>> I am trying to develop a Python module for Autopsy but several questions remain unanswered for now despite my research. I need your expertise to carry out my project. I would like your help with three points for which I haven't found an answer:
>>
>> 1) Find the blackboard of data (generated by other modules) in Python
>
> In the sample files you referred to below, the 'file' object is passed in to the process() method in a FileIngestModule, or you get a Content object from the 'findFiles()' methods in the DataSourceIngestModules. Both of those are Content objects:
>
> http://sleuthkit.org/sleuthkit/docs/jni-docs/interfaceorg_1_1sleuthkit_1_1datamodel_1_1_content.html
>
> They have methods to get blackboard artifacts from them, such as getArtifacts(). The above is documentation for the Java classes, and the Python modules have access to all of the Java classes. We'll have someone work on sample code for querying the blackboard for artifacts. But it is basically the getArtifacts() method that you can see from the above link; give it the artifact type that you want from that file.
>
>> 2) Sample module developed for Autopsy in Python.
>
> You referred below to the sample modules that we have. We (Basis Technology) do all of our development in Java, so we don't have any "real" modules that are in Python to point to.
>
>> 3) Find a specific file by its path in Python.
>
> The sample data source ingest module (https://github.com/sleuthkit/autopsy/blob/develop/pythonExamples/dataSourceIngestModule.py) uses the FileManager service to query for files. The method used in the sample only gives the file name to search for, but there is another method in FileManager that allows you to specify the parent path:
>
> http://sleuthkit.org/autopsy/docs/api-docs/3.1/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html#a87f2ab90774caaf385839a242ea1284f
>
> That should do what you need.
>
> NOTE: there is a bug in the current version of Autopsy that prevents that method from working on "logical files", but it is fixed for the release that we'll be doing next week.
>
>> 1) I'm interested in the recovery of information from a previous module. I saw the documentation about the blackboard, like this page: The Sleuth Kit Framework - The Blackboard, and we can see that access to the blackboard is possible in C++ and Java. Is it possible to do the same thing with Python, and how?
>
> Yup. As mentioned above. The most up to date docs on the blackboard are here:
>
> http://sleuthkit.org/sleuthkit/docs/jni-docs/mod_bbpage.html
>
>> 2) I did some research to find Python modules developed for Autopsy, and I have not found complete projects outside the examples found at: https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples
>> Do you have some links to existing projects developed in Python (not Java or NetBeans projects)?
>
> See above. That's all we have.
>
>> 3) I would use in my module files with a defined path to display them in the blackboard "INTERESTING_FILE_HIT". The examples clearly show how to recover files with the find method and after that display these files in the blackboard, no problem about that. But how to specify a path to a specific file, without using a keyword search (still in Python)?
>
> See above.
>
> Let us know if you have other questions.
>
>> Thank you to those who respond to this message.
>> Cordially
>>
>> Sylvain |