sleuthkit-users Mailing List for The Sleuth Kit (Page 27)
Brought to you by:
carrier
From: Richard C. <rco...@ba...> - 2015-05-06 15:23:03

The most current sample Python code can be found at https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples.

Sincerely,
Richard Cordovano
Autopsy Team Lead

On Wed, May 6, 2015 at 10:10 AM, Geoffrey Wagnier <wag...@gm...> wrote:
> Hi everyone,
>
> I'm Geoffrey, a student in IT security in France, and in order to finish a school project about Autopsy and Python plugins, I would like to know if someone can help with this project.
>
> First, I wonder if a skeleton in Python exists and how to use and install it.
>
> Secondly, how does the Autopsy library work in Eclipse?
>
> And finally, any information would be great for my crew!
>
> Thanks guys for reading,
>
> Best regards,
>
> Geoffrey
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
From: Richard C. <rco...@ba...> - 2015-05-06 15:21:31

Also, Autopsy uses the NetBeans Rich Client Platform (RCP). There may be a way to get all the NetBeans platform stuff into Eclipse, but I recommend using the NetBeans IDE (https://netbeans.org/downloads/).

Sincerely,
Richard Cordovano
Autopsy Team Lead

On Wed, May 6, 2015 at 10:52 AM, Richard Cordovano <rco...@ba...> wrote:
> The most current sample Python code can be found at
> https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples.
>
> Sincerely,
> Richard Cordovano
> Autopsy Team Lead
>
> On Wed, May 6, 2015 at 10:10 AM, Geoffrey Wagnier <wag...@gm...> wrote:
>
>> Hi everyone,
>>
>> I'm Geoffrey, a student in IT security in France, and in order to finish a
>> school project about Autopsy and Python plugins, I would like to know if
>> someone can help with this project.
>>
>> First, I wonder if a skeleton in Python exists and how to use and install
>> it.
>>
>> Secondly, how does the Autopsy library work in Eclipse?
>>
>> And finally, any information would be great for my crew!
>>
>> Thanks guys for reading,
>>
>> Best regards,
>>
>> Geoffrey
From: Brian C. <ca...@sl...> - 2015-05-06 15:00:11

Hi Geoffrey,

The development docs contain this information. All of the docs are here:
http://sleuthkit.org/autopsy/docs/api-docs/3.1/index.html

The Python-specific page is here:
http://sleuthkit.org/autopsy/docs/api-docs/3.1/mod_dev_py_page.html

The Python page assumes you've read the other pages though (except for the Java-specific page). It references sample modules, which can be found here:
https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples

Autopsy is built on top of the NetBeans platform, so we always use NetBeans as an IDE. I've never tried Eclipse with Autopsy.

thanks,
brian

> On May 6, 2015, at 10:10 AM, Geoffrey Wagnier <wag...@gm...> wrote:
>
> Hi everyone,
>
> I'm Geoffrey, a student in IT security in France, and in order to finish a school project about Autopsy and Python plugins, I would like to know if someone can help with this project.
>
> First, I wonder if a skeleton in Python exists and how to use and install it.
>
> Secondly, how does the Autopsy library work in Eclipse?
>
> And finally, any information would be great for my crew!
>
> Thanks guys for reading,
>
> Best regards,
>
> Geoffrey
From: Brian C. <ca...@sl...> - 2015-05-06 14:57:13

It means TSK doesn't know a real time value. Either it has been zeroed out on disk or the OS never set it (we've seen lots of media cards and such where the phone or other portable device doesn't set all of the times).

> On May 5, 2015, at 10:27 PM, W. Walker Sampson <wal...@ic...> wrote:
>
> Hi everyone,
>
> I've been working with mactime timelines across several floppy disk images (in FAT12) and have come upon events with a timestamp of 0000-00-00T00:00:00Z. Some of these events have a single notation (such as 'c', 'm', etc.), others have all four entries marked ('macb').
>
> What does a timestamp of 0000-00-00T00:00:00Z mean? Is this a false positive (not an event at all), or simply an event logged without a time by an OS (and if so, have others seen this)? I understand that blank time entries mean that the event shares the time with the previous event - is a zeroed-out timestamp the equivalent of that?
>
> - fls command to get body file: fls -m -i raw [image]
> - mactime command for timeline: mactime -b [timeline.txt] -d -y
>
> Many thanks,
>
> Walker
From: Geoffrey W. <wag...@gm...> - 2015-05-06 14:10:08

Hi everyone,

I'm Geoffrey, a student in IT security in France, and in order to finish a school project about Autopsy and Python plugins, I would like to know if someone can help with this project.

First, I wonder if a skeleton in Python exists and how to use and install it.

Secondly, how does the Autopsy library work in Eclipse?

And finally, any information would be great for my crew!

Thanks guys for reading,

Best regards,

Geoffrey
From: W. W. S. <wal...@ic...> - 2015-05-06 02:28:01

Hi everyone,

I've been working with mactime timelines across several floppy disk images (in FAT12) and have come upon events with a timestamp of 0000-00-00T00:00:00Z. Some of these events have a single notation (such as 'c', 'm', etc.), others have all four entries marked ('macb').

What does a timestamp of 0000-00-00T00:00:00Z mean? Is this a false positive (not an event at all), or simply an event logged without a time by an OS (and if so, have others seen this)? I understand that blank time entries mean that the event shares the time with the previous event - is a zeroed-out timestamp the equivalent of that?

- fls command to get body file: fls -m -i raw [image]
- mactime command for timeline: mactime -b [timeline.txt] -d -y

Many thanks,

Walker
From: Sean M. <mcl...@in...> - 2015-05-01 18:17:40

OOTB, TSK will not compile with the current values for bindings/java/ivy.xml and ivysettings.xml.

Thanks in advance.

Sean McLinden
From: Sanchez, R. <rr...@ra...> - 2015-04-29 17:03:38

I have a question about scalpel and integration with the sleuthkit framework. I was able to get scalpel and sleuthkit built, and I used the sample framework and pipeline XML files to carve and do some file analysis on a test image. However, I notice that carved files aren't being processed in the file analysis phase. E.g., the carved files don't get hashed. At least they don't appear in the file_hashes table in the output database. So my question is: do I need to do something special to make sure the carved files get added to the scheduler for processing? I'm just getting started with sleuthkit, so I apologize if this is a simple question.

Thank you,
-ricky

Ricardo Sanchez, RAND Corporation
Research Software Engineer, Information Services
n1428b (504) 299-3448
rr...@ra...
From: Andre L. <la...@xe...> - 2015-04-17 22:45:04

Hi,

for me such embedded files are part of the document itself. What I mean was: it would be perfect if, in the list where DOC or DOCX files are listed, every file with embedded files had a + sign and I could see there what is embedded. I don't want to lose the link between mother and child objects; if I got a folder with all embedded images, maybe with a link to the mother document, I would lose the information of the rest of the document, and mostly pictures are only important together with the rest of the information in a document. If I now find, among hundreds of pictures, some for which I want more information, I will get massive false positives: the picture is maybe hot, but the text in the document itself is a joke that someone sent as an attachment in a doc to the whole department. Without knowing the rest of the information from such a document, a picture is only a picture; it says everything and says nothing.

For my cases I miss in Autopsy a document tree like this: documents sorted by type, perfect with a second tab where there is a timeline of those documents, and if I select a day or hour, the visible files in the tree are those that match my time slot selection:

Doc Folder
  file.doc
    + embedded files
    + metadata
DocX Folder
  file.docx
    + embedded files
    + metadata
and so on

And for this file tree a search function with the enhancement to save searches, build an index over all files (text), and search word lists, with searchable result lists that can be exported to the case report.

But life is not perfect ;-) maybe you can pick something from my wishes for such a feature.

best
Andre

> ---------- Original Message ----------
> From: Derrick Karpo dk...@gm...
> Sent: 17 April 2015 16:06:21 CEST
> To: Brian Carrier ca...@sl...; sleuthkit-users sle...@li...
> Subject: Re: [sleuthkit-users] Feature Placement
>
> Would it work to just have a single "Extract embedded data in files"
> module which would deep traverse files and look for embedded child
> objects such as pictures in docs/pdfs, pictures from thumbnails,
> cookies and blobs from browser sqlite databases, etc? It's a bit of a
> catch-all module for all things embedded (not just graphics) so that
> you don't end up with an ever growing list of modules.
>
> I think the keyword module should be kept separate. For me, even
> though searching for ASCII/Unicode text uses the same library, the use
> case is very different. I only search for keywords in specific cases
> and often would just want to run the 'deep traverse' without running
> keywords.
>
> Derrick
>
> On Thu, Apr 16, 2015 at 9:46 PM, Hoyt Harness <hoy...@gm...> wrote:
>> Maybe it's a matter of renaming the keyword module and modifying the
>> hover tip so they're more inclusive once the embedded image feature is
>> added. That would solve it, I think, as well as maximize performance,
>> reduce the development task, and aid in ingest brevity.
>>
>> Hoyt
>>
>> On Thu, Apr 16, 2015 at 8:57 AM, Brian Carrier <ca...@sl...> wrote:
>>> Question for the Autopsy users on the list. We're about to add a feature to extract pictures from inside of Word/PowerPoint/Excel docs and add them in as derived files that will be hashed, searched, etc.
>>>
>>> The question is where we put the module.
>>>
>>> Technically, it is using the same library that we use in Keyword Search to extract text from these file types, so it would be fastest and least code for us to add it as a by-product of that module. Though, it is not very intuitive that the Keyword Search module would be doing that (from a user experience perspective).
>>>
>>> A second option is to make a module just for that. In addition to a slight performance hit, my other concern with this is that the list of ingest modules is starting to get long. I don't want Autopsy to have a list of 20 items to select from each time (when most of them will always be enabled). There are of course longer-term ways to group modules by category, but that doesn't solve the problem of where do we check this in next week.
>>>
>>> A third option is to make a module that is graphic image focused and merge the EXIF module into it. So, this new module would extract images from Word and EXIF extract and have a name that is graphics-based.
>>>
>>> Any strong thoughts? Should performance trump a little confusion about who is actually going to be extracting the images?
>>>
>>> ------------------------------------------------------------------------------
>>> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
>>> Develop your own process in accordance with the BPMN 2 standard
>>> Learn Process modeling best practices with Bonita BPM through live exercises
>>> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
>>
>> --
>> Hoyt
>> -----------------
>> There are 11 kinds of people - those who think binary jokes are funny,
>> those who don't, ...and those who don't know binary.

Regards
Andre Lauzon
la...@xe...
From: Alan B. <ala...@gm...> - 2015-04-17 19:12:40

I notice that under the images filter, JPGs, BMPs and PNGs are all that are shown. Can you extend the file formats to include GIFs, TIFFs and some more graphic file formats?

Also I notice that BMPs are not able to be viewed. When I click on a BMP file I can only see the text metadata, even though I have done a file signature analysis and it is indeed a BMP file.

Also, is it in the plans of Autopsy to extract images from certain types of allocated files? I see that developers are planning on extracting from Office docs, but are there plans to do some carving from other types of files?

alan
From: Tim <tim...@se...> - 2015-04-17 15:34:01

On Thu, Apr 16, 2015 at 11:23:59PM +0000, James H Jr Jones wrote:
> We'd like to implement some existing Python Windows registry
> analysis scripts as Autopsy modules. As far as we can tell, the
> _winreg module is not implemented in Jython, so asking for
> recommendations on the best Python way to access the Windows registry
> from within Autopsy. Might accessing raw RegRipper output work, is
> there an alternative Jython module, or is there a better way? The
> script developers are a group of my students learning Python, so
> implementing the modules in Java isn't an option.

Hi Jim,

My regfi[1] C library has had Python wrappers[2] for some time, but I'm not sure if it would work with Jython. You could also parse reglookup[3] output, which is quite structured and well-defined.

tim

1. http://projects.sentinelchicken.org/data/doc/reglookup/regfi/
2. http://projects.sentinelchicken.org/data/doc/reglookup/pyregfi/
3. http://projects.sentinelchicken.org/reglookup/download/
From: Derrick K. <dk...@gm...> - 2015-04-17 14:06:27

Would it work to just have a single "Extract embedded data in files" module which would deep traverse files and look for embedded child objects such as pictures in docs/pdfs, pictures from thumbnails, cookies and blobs from browser sqlite databases, etc? It's a bit of a catch-all module for all things embedded (not just graphics) so that you don't end up with an ever growing list of modules.

I think the keyword module should be kept separate. For me, even though searching for ASCII/Unicode text uses the same library, the use case is very different. I only search for keywords in specific cases and often would just want to run the 'deep traverse' without running keywords.

Derrick

On Thu, Apr 16, 2015 at 9:46 PM, Hoyt Harness <hoy...@gm...> wrote:
> Maybe it's a matter of renaming the keyword module and modifying the
> hover tip so they're more inclusive once the embedded image feature is
> added. That would solve it, I think, as well as maximize performance,
> reduce the development task, and aid in ingest brevity.
>
> Hoyt
>
> On Thu, Apr 16, 2015 at 8:57 AM, Brian Carrier <ca...@sl...> wrote:
>> Question for the Autopsy users on the list. We're about to add a feature to extract pictures from inside of Word/PowerPoint/Excel docs and add them in as derived files that will be hashed, searched, etc.
>>
>> The question is where we put the module.
>>
>> Technically, it is using the same library that we use in Keyword Search to extract text from these file types, so it would be fastest and least code for us to add it as a by-product of that module. Though, it is not very intuitive that the Keyword Search module would be doing that (from a user experience perspective).
>>
>> A second option is to make a module just for that. In addition to a slight performance hit, my other concern with this is that the list of ingest modules is starting to get long. I don't want Autopsy to have a list of 20 items to select from each time (when most of them will always be enabled). There are of course longer-term ways to group modules by category, but that doesn't solve the problem of where do we check this in next week.
>>
>> A third option is to make a module that is graphic image focused and merge the EXIF module into it. So, this new module would extract images from Word and EXIF extract and have a name that is graphics-based.
>>
>> Any strong thoughts? Should performance trump a little confusion about who is actually going to be extracting the images?
>
> --
> Hoyt
> -----------------
> There are 11 kinds of people - those who think binary jokes are funny,
> those who don't, ...and those who don't know binary.
From: Hoyt H. <hoy...@gm...> - 2015-04-17 03:46:58

Maybe it's a matter of renaming the keyword module and modifying the hover tip so they're more inclusive once the embedded image feature is added. That would solve it, I think, as well as maximize performance, reduce the development task, and aid in ingest brevity.

Hoyt

On Thu, Apr 16, 2015 at 8:57 AM, Brian Carrier <ca...@sl...> wrote:
> Question for the Autopsy users on the list. We're about to add a feature to extract pictures from inside of Word/PowerPoint/Excel docs and add them in as derived files that will be hashed, searched, etc.
>
> The question is where we put the module.
>
> Technically, it is using the same library that we use in Keyword Search to extract text from these file types, so it would be fastest and least code for us to add it as a by-product of that module. Though, it is not very intuitive that the Keyword Search module would be doing that (from a user experience perspective).
>
> A second option is to make a module just for that. In addition to a slight performance hit, my other concern with this is that the list of ingest modules is starting to get long. I don't want Autopsy to have a list of 20 items to select from each time (when most of them will always be enabled). There are of course longer-term ways to group modules by category, but that doesn't solve the problem of where do we check this in next week.
>
> A third option is to make a module that is graphic image focused and merge the EXIF module into it. So, this new module would extract images from Word and EXIF extract and have a name that is graphics-based.
>
> Any strong thoughts? Should performance trump a little confusion about who is actually going to be extracting the images?

--
Hoyt
-----------------
There are 11 kinds of people - those who think binary jokes are funny,
those who don't, ...and those who don't know binary.
From: Willi B. <wil...@gm...> - 2015-04-17 00:49:07

Hey Jim,

Seems like a neat project for the students. As you've found, the _winreg module ultimately calls down to the Windows API functions to retrieve data from the Registry, so it's not an appropriate library for an Autopsy plugin. Instead, you might consider taking a look at the python-registry module (https://github.com/williballenthin/python-registry) that I've developed and maintained over the past few years. It's pure Python, so it should work well with Jython, and can parse hive data from a memory buffer (presumably one that you'd fetch via the Autopsy API).

I hope you'll share with the list the plugins that the students complete!

Thanks,
Willi

On Thursday, April 16, 2015, James H Jr Jones <jj...@gm...> wrote:
> We'd like to implement some existing Python Windows registry analysis
> scripts as Autopsy modules. As far as we can tell, the _winreg module is
> not implemented in Jython, so asking for recommendations on the best Python
> way to access the Windows registry from within Autopsy. Might accessing raw
> RegRipper output work, is there an alternative Jython module, or is there a
> better way? The script developers are a group of my students learning
> Python, so implementing the modules in Java isn't an option.
>
> Thanks for any suggestions or pointers.
>
> Jim
From: James H Jr J. <jj...@gm...> - 2015-04-16 23:38:26

We'd like to implement some existing Python Windows registry analysis scripts as Autopsy modules. As far as we can tell, the _winreg module is not implemented in Jython, so I'm asking for recommendations on the best Python way to access the Windows registry from within Autopsy. Might accessing raw RegRipper output work, is there an alternative Jython module, or is there a better way? The script developers are a group of my students learning Python, so implementing the modules in Java isn't an option.

Thanks for any suggestions or pointers.

Jim
From: Brian C. <ca...@sl...> - 2015-04-16 13:57:37

Question for the Autopsy users on the list. We're about to add a feature to extract pictures from inside of Word/PowerPoint/Excel docs and add them in as derived files that will be hashed, searched, etc.

The question is where we put the module.

Technically, it is using the same library that we use in Keyword Search to extract text from these file types, so it would be fastest and least code for us to add it as a by-product of that module. Though, it is not very intuitive that the Keyword Search module would be doing that (from a user experience perspective).

A second option is to make a module just for that. In addition to a slight performance hit, my other concern with this is that the list of ingest modules is starting to get long. I don't want Autopsy to have a list of 20 items to select from each time (when most of them will always be enabled). There are of course longer-term ways to group modules by category, but that doesn't solve the problem of where do we check this in next week.

A third option is to make a module that is graphic image focused and merge the EXIF module into it. So, this new module would extract images from Word and EXIF extract and have a name that is graphics-based.

Any strong thoughts? Should performance trump a little confusion about who is actually going to be extracting the images?
From: Brian C. <ca...@sl...> - 2015-04-10 02:49:09
|
Autopsy is in the list for Computer Forensic Software of the Year! Send in your votes if you like it: https://forensic4cast.com/forensic-4cast-awards/

brian |
From: Sam K <sku...@gm...> - 2015-04-07 19:01:20
|
Thanks Brian, and to Alex, Atila, & Stumpy for your feedback. Perhaps I should have included more background in my initial e-mail: my organization has decided to use the DCFL Control Standard (http://www.cfreds.nist.gov/Controlv1_0/DCFL_Control_Standard_V1_0.html) for baseline validation of forensic software. DCFL includes hex offsets for the various artifacts that are included in the control image. I am creating an Autopsy report module that will output the details of all of these artifacts after ingest of the DCFL image.

Based on the feedback from this list, I was able to find the info from Autopsy by using the getMetaDataText() method of an FsContent object, and parsing down to the data run information that starts at the end of the attributes section. At least for the DCFL image, this gives me the offset info that corresponds to the DCFL standard (after converting from decimal to hex).

Thanks again to all who responded from the list. I will upload the module for others to critique when it's finished, if anyone else is using this particular method for validating their tools.

-Sam

On Tue, Apr 7, 2015 at 11:52 AM, Brian Carrier <ca...@sl...> wrote:

> Hi Sam,
>
> The data below is created “in real time” by calling the TSK code. It isn’t stored anywhere in the Autopsy DB. It is the same info that you get from running the ‘stat’ command in TSK.
>
> Autopsy doesn’t store any file info for speed reasons. It would take A LOT longer to add a data source into Autopsy if we did that (we did in the very early days) and there aren’t that many use cases (in Autopsy at least) that need it. The theory was that we would expose an API to the data via TSK if a use case ever presented itself. And perhaps one now has.
>
> Are you looking for a method that returns the list of blocks for a given file?
>
> As Alex pointed out, NTFS further complicates this because of resident files that have data that are not on sector boundaries. So, to be truly generic, the API would need to be the starting byte of a file.
>
> brian
>
> > On Apr 1, 2015, at 11:17 AM, Sam K <sku...@gm...> wrote:
> >
> > Good morning:
> >
> > Can anyone shed light on where Autopsy 3.1.2 would store the starting physical sector for a file, if that information is not contained in the tsk_file_layout table? I'm guessing it must be stored somewhere (and not re-parsed from the MFT every time I view the file), but have been unsuccessful in finding it.
> >
> > Based on the output in the Metadata tab, Autopsy does store the information. I've confirmed with another tool that 118341 is indeed the starting physical sector. I want this information included with a report module I'm working on, and can't seem to reference it anywhere in the API or database (there's no entry for the file in tsk_file_layout, perhaps because it's contiguous and not fragmented).
> >
> > Attributes:
> > Type: ? (16-0) Name: N/A Resident size: 72
> > Type: ? (48-6) Name: N/A Resident size: 90
> > Type: ? (48-5) Name: N/A Resident size: 110
> > Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
> > 118341 118342 118343 118344 118345 118346 118347 118348
> > 118349 118350 118351 118352 118353 118354 118355 118356
> > 118357 118358 118359 118360 118361 118362 118363 118364
> > 118365 118366 118367 118368 118369 118370 118371 118372
> > 118373 118374 118375 118376 118377 118378 118379 118380
> > 118381 118382 118383 118384 118385 118386 118387 118388
> > 118389 118390
> >
> > Thanks in advance for any feedback.
> >
> > ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
 |
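Stumpy's rule (partition start sector plus cluster number times sectors per cluster) and Sam's approach of parsing the getMetaDataText() output are easy to get subtly wrong, so here is an added example written for this page; it is not code from the thread, from Autopsy or from The Sleuth Kit. It parses metadata text in the shape quoted above, collapses the cluster list into contiguous runs, cross-checks the run count against the attribute size, and converts each run to a physical sector and a DCFL-style hex byte offset. The sample metadata text is constructed to mirror the thread, and the partition start sector (2048) and sectors-per-cluster values are assumptions; on a real case take them from mmls and fsstat. Resident $DATA attributes carry no cluster list (their bytes sit inside the MFT record, the caveat Brian and Alex raise), so the mapper returns None for them instead of guessing.

```python
import re
from collections import namedtuple

SECTOR_SIZE = 512          # bytes per sector, the unit mmls/DCFL offsets are expressed in
NTFS_DATA_ATTR = 128       # NTFS attribute type 0x80 = $DATA

Attr = namedtuple("Attr", "type_id attr_id name resident size clusters")
Run = namedtuple("Run", "start_cluster length")

# Attribute header line as printed by Autopsy's getMetaDataText() / TSK istat, e.g.
#   Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
_ATTR_RE = re.compile(
    r"Type:\s*\S+\s*\((\d+)-(\d+)\)\s*Name:\s*(\S+)\s*(Resident|Non-Resident)\s*size:\s*(\d+)")


def parse_attributes(metadata_text):
    """Return the MFT attributes listed in the text, each with its cluster list
    (empty for resident attributes, whose bytes live inside the MFT record)."""
    attrs, current = [], None
    for raw in metadata_text.splitlines():
        line = raw.strip()
        m = _ATTR_RE.match(line)
        if m:
            current = Attr(int(m.group(1)), int(m.group(2)), m.group(3),
                           m.group(4) == "Resident", int(m.group(5)), [])
            attrs.append(current)
        elif current is not None and line and all(tok.isdigit() for tok in line.split()):
            current.clusters.extend(int(tok) for tok in line.split())  # a row of cluster addresses
    return attrs


def runs_from_clusters(clusters):
    """Collapse a flat cluster list into contiguous (start, length) runs."""
    runs = []
    for c in clusters:
        if runs and c == runs[-1].start_cluster + runs[-1].length:
            runs[-1] = Run(runs[-1].start_cluster, runs[-1].length + 1)
        else:
            runs.append(Run(c, 1))
    return runs


def geometry_is_consistent(attr, sectors_per_cluster):
    """Cross-check: the number of clusters TSK printed must equal ceil(size / cluster bytes).
    A mismatch means the sectors-per-cluster value (from fsstat) is wrong for this volume."""
    cluster_bytes = sectors_per_cluster * SECTOR_SIZE
    return -(-attr.size // cluster_bytes) == len(attr.clusters)


def data_runs_physical(attrs, partition_start_sector, sectors_per_cluster):
    """Map the non-resident $DATA attribute to physical (disk-relative) sectors and byte offsets.
    TSK prints volume-relative cluster numbers, so the partition's start sector (mmls) and
    the cluster size (fsstat) are both needed. Returns None when $DATA is resident."""
    for attr in attrs:
        if attr.type_id != NTFS_DATA_ATTR or attr.resident:
            continue
        result = []
        for run in runs_from_clusters(attr.clusters):
            phys = partition_start_sector + run.start_cluster * sectors_per_cluster
            result.append({
                "fs_cluster": run.start_cluster,
                "clusters": run.length,
                "phys_sector": phys,
                "byte_offset": phys * SECTOR_SIZE,
                "hex_offset": f"0x{phys * SECTOR_SIZE:X}",   # the form the DCFL tables use
            })
        return result
    return None


# Constructed sample in the shape of the Metadata-tab text quoted in the thread (not tool output).
SAMPLE_METADATA = """\
Attributes:
Type: ? (16-0) Name: N/A Resident size: 72
Type: ? (48-6) Name: N/A Resident size: 90
Type: ? (48-5) Name: N/A Resident size: 110
Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
""" + "\n".join(" ".join(str(c) for c in range(118341 + 8 * row, min(118341 + 8 * row + 8, 118391)))
                for row in range(7))


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_METADATA)
    data = [a for a in attrs if a.type_id == NTFS_DATA_ATTR][0]
    # Assumed geometry for the demo: partition starts at sector 2048, one 512-byte sector per cluster.
    print("geometry consistent:", geometry_is_consistent(data, 1))
    for run in data_runs_physical(attrs, 2048, 1):
        print(run)
```

The geometry check is cheap insurance: ceil(size / cluster bytes) must equal the number of clusters TSK printed for the attribute, so a wrong sectors-per-cluster guess is caught before it silently shifts every offset in the report. With a partition start of 0 and one sector per cluster the physical sector equals the cluster number, which is the only case in which the two can be read off the Metadata tab directly.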
From: Brian C. <ca...@sl...> - 2015-04-07 15:52:54
|
Hi Sam,

The data below is created “in real time” by calling the TSK code. It isn’t stored anywhere in the Autopsy DB. It is the same info that you get from running the ‘stat’ command in TSK.

Autopsy doesn’t store any file info for speed reasons. It would take A LOT longer to add a data source into Autopsy if we did that (we did in the very early days) and there aren’t that many use cases (in Autopsy at least) that need it. The theory was that we would expose an API to the data via TSK if a use case ever presented itself. And perhaps one now has.

Are you looking for a method that returns the list of blocks for a given file?

As Alex pointed out, NTFS further complicates this because of resident files that have data that are not on sector boundaries. So, to be truly generic, the API would need to be the starting byte of a file.

brian

> On Apr 1, 2015, at 11:17 AM, Sam K <sku...@gm...> wrote:
>
> Good morning:
>
> Can anyone shed light on where Autopsy 3.1.2 would store the starting physical sector for a file, if that information is not contained in the tsk_file_layout table? I'm guessing it must be stored somewhere (and not re-parsed from the MFT every time I view the file), but have been unsuccessful in finding it.
>
> Based on the output in the Metadata tab, Autopsy does store the information. I've confirmed with another tool that 118341 is indeed the starting physical sector. I want this information included with a report module I'm working on, and can't seem to reference it anywhere in the API or database (there's no entry for the file in tsk_file_layout, perhaps because it's contiguous and not fragmented).
>
> Attributes:
> Type: ? (16-0) Name: N/A Resident size: 72
> Type: ? (48-6) Name: N/A Resident size: 90
> Type: ? (48-5) Name: N/A Resident size: 110
> Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
> 118341 118342 118343 118344 118345 118346 118347 118348
> 118349 118350 118351 118352 118353 118354 118355 118356
> 118357 118358 118359 118360 118361 118362 118363 118364
> 118365 118366 118367 118368 118369 118370 118371 118372
> 118373 118374 118375 118376 118377 118378 118379 118380
> 118381 118382 118383 118384 118385 118386 118387 118388
> 118389 118390
>
> Thanks in advance for any feedback.
 |
From: Brian C. <ca...@sl...> - 2015-04-07 15:28:39
|
Open Source Digital Forensics Conference - Call For Presentations and Workshops

The 6th Annual Open Source Digital Forensics Conference (OSDFCon) will be held on October 28, 2015 in Herndon, VA. All users and developers are invited to submit a presentation or workshop topic by June 1, 2015. This is a unique opportunity to present your work and experiences to over 400 people. The conference will be attended by both digital forensic investigators and developers. This event is a great opportunity to make investigators aware of your tools, get feedback from users, meet fellow developers and users, and help direct the future of open source digital forensics software.

To receive updates about the conference, sign up for e-mail updates (http://www.osdfcon.org) or watch #osdfcon on twitter.

TOPICS

We are looking for 35-minute talks on a variety of topics about using open source tools, including:

* New tools and analysis techniques
* New features to mature tools
* Open, plug-in analysis framework designs and experiences
* Automated analysis
* Hard drive analysis and triage
* Memory and network forensics
* Mobile device forensics
* Analyzing application-level artifacts
* Cyber incident response
* User experiences
* Case studies

We also have openings for half-day workshops on the day before the conference (October 27, 2015). The workshops should teach people how to use or develop open source tools by providing hands-on guidance.

SUBMISSION INSTRUCTIONS

Topics can be submitted using an online form: http://www.osdfcon.org

Submissions are due June 1, 2015. Our plan this year is to do an initial pass of the submissions and then use crowd sourcing to choose the final set of topics.

E-mail submissions2015 [at] osdfcon [dot] org with any questions. |
From: Alex N. <ajn...@cs...> - 2015-04-02 20:48:41
|
If you find further issues with missing small, resident files' data locations, there is an open bug on that.

https://github.com/sleuthkit/sleuthkit/issues/379

--Alex

On Thu, Apr 2, 2015 at 11:13 AM, Atila <ati...@dp...> wrote:

> Sam, Autopsy does not fill tsk_file_layout, but tsk_loaddb does (with some exceptions, like very small files that are stored in MFT for NTFS). Maybe that helps you?
>
> On 01-04-2015 12:51, Sam K wrote:
>
> Thanks, that makes sense. Calculating is not a problem - but I can't seem to find where the data run information is stored for this file. I was expecting tsk_file_layout, but no joy. Is there an API call or somewhere else in the SQLite tables it could live?
>
> On Wed, Apr 1, 2015 at 11:26 AM, ade <adr...@nt...> wrote:
>
>> Hi Sam
>>
>> The metadata you have presented is the data-runs, which are the block (or cluster) numbers, parsed from the inode information. AFAIK, tsk doesn't get the starting sector number for files as this is not maintained by any structures on the disk. You would have to calculate the sector number based on the first cluster number in the data run, taking into account the partition start sector and the number of sectors per cluster.
>>
>> Stumpy
>>
>> On Wednesday 01 Apr 2015 11:17:32 Sam K wrote:
>> > Good morning:
>> >
>> > Can anyone shed light on where Autopsy 3.1.2 would store the starting physical sector for a file, if that information is *not* contained in the tsk_file_layout table? I'm guessing it must be stored somewhere (and not re-parsed from the MFT every time I view the file), but have been unsuccessful in finding it.
>> >
>> > Based on the output in the Metadata tab, Autopsy does store the information. I've confirmed with another tool that 118341 is indeed the starting physical sector. I want this information included with a report module I'm working on, and can't seem to reference it anywhere in the API or database (there's no entry for the file in tsk_file_layout, perhaps because it's contiguous and not fragmented).
>> >
>> > Attributes:
>> > Type: ? (16-0) Name: N/A Resident size: 72
>> > Type: ? (48-6) Name: N/A Resident size: 90
>> > Type: ? (48-5) Name: N/A Resident size: 110
>> > Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
>> > 118341 118342 118343 118344 118345 118346 118347 118348
>> > 118349 118350 118351 118352 118353 118354 118355 118356
>> > 118357 118358 118359 118360 118361 118362 118363 118364
>> > 118365 118366 118367 118368 118369 118370 118371 118372
>> > 118373 118374 118375 118376 118377 118378 118379 118380
>> > 118381 118382 118383 118384 118385 118386 118387 118388
>> > 118389 118390
>> >
>> > Thanks in advance for any feedback.
 |
From: <mir...@zg...> - 2015-04-02 19:59:21
|
I have not received, and surely it is because I have a miserable provider, the reply that Atila sent (at least) to the list. This message (I didn't get but one unrelated of the 3 new messages after, and including mine) I am referring to (of this same subject as this message you are reading):

http://sourceforge.net/p/sleuthkit/mailman/message/33695222/

So I'll reconstruct it. And if it gets filtered out by my bad provider, I'll post it at:

Recover partly overwritten luks volume?
https://forums.gentoo.org/viewtopic-t-1004014.html

(around the current date and time plus a few more hours). [So I'll reconstruct it], as if I had received it.

> Please don't use mke2fs!!! That's for creating a new fs!
>
> Since you can mount the luks vol, I guess you are at a point where you have an unencrypted ext4 fs with the first 5% (or other number) overwritten.
>
> Is this correct? If so, a 'hexdump -C' of the middle of your unencrypted disk may have readable text.
>
> Did you try that suggestion of using mount with sb=...?
>
> I didn't understand the MD5 part. You have the MD5 of the luks header? How is this helpful?

Thank you most kindly, Atila! But, as I wrote, allow time for my actions. The problem is I have other unpredictable unrelated work at hand that I have to dedicate to previously to working on my recovery.

I love Sleuthkit! Patience!

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr |
From: Atila <ati...@dp...> - 2015-04-02 19:07:37
|
Please don't use mke2fs!!! That's for creating a new fs!

Since you can mount the luks vol, I guess you are at a point where you have an unencrypted ext4 fs with the first 5% (or other number) overwritten.

Is this correct? If so, a 'hexdump -C' of the middle of your unencrypted disk may have readable text.

Did you try that suggestion of using mount with sb=...?

I didn't understand the MD5 part. You have the MD5 of the luks header? How is this helpful?

On 02-04-2015 05:22, mir...@zg... wrote:
> As you can read here:
> Recover partly overwritten luks volume?
> https://forums.gentoo.org/viewtopic-t-1004014.html#7724054
> , and around, I have been trying to get help from the Sleuthkit Forum/Users/Other for days.
>
> Never mind that. But what I next need to do and if anybody can suggest where to educate myself about it, is, on the lines of what I wrote in the last post in that topic of Gentoo Forums.
>
> But, in brief, I'll give a summary of the stage I am at right now. It is however too complex for me to sufficiently well explain it in this summary, so, pls look it up in the topic linked above, and accept my apologies for not having been able to provide clearer and not so redundant explanations there (but those explanations are, on the bright side, rather complete as to what I managed to understand and do so far).
>
> All the following are pastes from there.
>
> I had had (not a typo: past perfect tense) a luks-volume in a file:
>
> -rw-r--r-- 1 root root 465567744000 2014-09-11 23:07 H_E09.vol
>
> I had backed it up in time:
>
> # cryptsetup luksHeaderBackup H_E09.vol --header-backup-file H_E09.bak
>
> But I overwrote it (past tense, so after the above two events):
>
> uabox c1 # dd if=/dev/zero bs=4k count=1110000000 of=H_E09.vol &
>
> for only seconds though! Probably a matter of maximum a few GB (of the 430GB) were zeroed.
>
> I managed to open it:
>
> uabox ~ # cryptsetup --verbose --header /mnt/sdk1/H_E09.bak open /dev/loop0 H_E09
> Enter passphrase for /mnt/sdk1/H_E09.vol:
> Key slot 0 unlocked.
> Command successful.
> uabox ~ #
>
> And it may be best at this point, to find that exact text in this post:
>
> https://forums.gentoo.org/viewtopic-t-1004014.html#7723732
>
> read a little about how the superblock would be written with the
>
> mke2fs -t ext4 -n -b /dev/mapper/H_E09
>
> or
>
> mke2fs -t ext4 -n -b -4096 /dev/mapper/H_E09
>
> command, and, maybe (sic! only maybe, for regular users like me; but probably if some of the experts are reading this) even skip a few posts up to this one:
>
> https://forums.gentoo.org/viewtopic-t-1004014-start-25.html#7724538
>
> where I summarize (pasting over from there):
>
> [I need to learn]
>> how do you get which exact blocks a particular file is occupying on a device.
>>
>> Why? Because I want to be able to revert to the current status defined by the MD5 sum of the device taken.
>>
>> How? By dumping, with dd dump seek... , just that which some of my command will change in the next steps after this stage, so that if I go wrong, I can recover, with dd dump skip ..., exactly those blocks only, and check the MD5, and know that I am back at this exact stage at which I am right now while I am writing this.
>>
>> ...
>>
>> It occurs to me, a strong suspicion, right now. what if, that command, and I'll post it 3+1st or 4+1st time now...
>> What if this:
>>
>> uabox ~ # mke2fs -t ext4 -n -b /dev/mapper/H_E09
>> mke2fs: invalid block size - /dev/mapper/H_E09
>> uabox ~ #
>>
>> that command wanted to write a new superblock, and not recover the existing one? ..
>
> I'll be thankful to any kind people for their advice on this issue.
>
> Pls. allow time for my actions to follow your advice. I've got the entire case archived currently, as I needed the resources, so I first need to retrace my steps, and I am generally rather slow in these difficult stunts for a 60 yrs old late adopter that I am.
 |
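Atila's two pointers (hexdump the middle of the decrypted volume, mount with sb=) both depend on knowing where a backup superblock survived the overwrite. The block below is an added example written for this page; it is not code from the thread, from cryptsetup or from e2fsprogs. It scans a device or image read-only at 1 KiB granularity for the ext2/3/4 magic 0xEF53, decodes the geometry from each candidate, and reports the filesystem block number together with the matching mount -o sb= value (mount counts that number in 1 KiB units regardless of the filesystem block size, so a 4 KiB-block filesystem's backup at block 32768 is sb=131072). A hit is only marked as a usable backup when it sits at the start of the block group it claims to belong to; that filters out superblock copies that merely live inside a file, such as a nested filesystem image. The demo image (label H_E09, 1 KiB blocks, zeroed primary superblock, decoy copy at block 5000) is constructed; for the real case point the script at the decrypted mapping, /dev/mapper/H_E09, which it opens read-only. Note that mke2fs -n is a dry run that prints where a new filesystem's superblocks would go without writing anything, but -b takes a block-size argument, which is why the command quoted in the thread stops with "invalid block size"; the scanner instead reports the copies actually present on the volume.

```python
import io
import struct
import sys

EXT_MAGIC = 0xEF53
SB_SIZE = 1024        # an ext2/3/4 superblock is 1 KiB; the primary copy starts at byte 1024


def parse_superblock(buf, off=0):
    """Decode the fields we need from the 1 KiB candidate at buf[off:off+1024].
    Returns None unless the magic and the basic geometry look like a real superblock."""
    if off + SB_SIZE > len(buf):
        return None
    (inodes, blocks_lo, _r, _fb, _fi, first_data_block, log_block_size,
     _log_cluster, blocks_per_group) = struct.unpack_from("<9I", buf, off)
    magic, state = struct.unpack_from("<HH", buf, off + 0x38)
    (block_group_nr,) = struct.unpack_from("<H", buf, off + 0x5A)  # group this copy belongs to
    if magic != EXT_MAGIC or log_block_size > 6 or blocks_per_group == 0:
        return None
    block_size = 1024 << log_block_size
    if blocks_per_group > 8 * block_size:     # a group's block bitmap must fit in one block
        return None
    name = bytes(buf[off + 0x78:off + 0x88]).split(b"\0", 1)[0].decode("latin-1")
    return {"inodes": inodes, "blocks": blocks_lo, "first_data_block": first_data_block,
            "block_size": block_size, "blocks_per_group": blocks_per_group,
            "state": state, "block_group_nr": block_group_nr, "volume_name": name}


def iter_superblocks(stream, chunk_size=1 << 20):
    """Scan a read-only stream (regular file or block device) for superblock copies and yield
    each hit with its byte offset, filesystem block and the value for 'mount -o sb='.
    Assumes read() returns full chunks except at EOF, so no candidate straddles a boundary."""
    base = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return
        for off in range(0, len(chunk) - SB_SIZE + 1, SB_SIZE):
            sb = parse_superblock(chunk, off)
            if sb is None:
                continue
            abs_off = base + off
            bs, fdb, bpg = sb["block_size"], sb["first_data_block"], sb["blocks_per_group"]
            fs_block = abs_off // bs
            group = (fs_block - fdb) // bpg if fs_block >= fdb else None
            # Genuine copies sit at byte 1024 (group 0, even with 4 KiB blocks) or at the first
            # block of a later group, and that group must match what the copy itself claims.
            aligned = abs_off % bs == 0 or abs_off == 1024
            at_group_start = fs_block >= fdb and (fs_block - fdb) % bpg == 0
            sb.update(offset=abs_off, fs_block=fs_block, group=group,
                      mount_option=f"sb={abs_off // 1024}",       # mount(8): sb= is in 1 KiB units
                      consistent=aligned and at_group_start and group == sb["block_group_nr"])
            yield sb
        base += len(chunk)


def build_superblock(block_group_nr, blocks, blocks_per_group, label):
    """Constructed 1 KiB-block superblock for the demo: only the fields parsed above are filled."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<9I", sb, 0, 4096, blocks, 0, 0, 0, 1, 0, 0, blocks_per_group)
    struct.pack_into("<HH", sb, 0x38, EXT_MAGIC, 1)    # magic, state = cleanly unmounted
    struct.pack_into("<H", sb, 0x5A, block_group_nr)
    sb[0x78:0x78 + len(label)] = label
    return bytes(sb)


def build_demo_image(blocks_per_group=8192, groups=2):
    """Constructed image: 1 KiB blocks, primary superblock zeroed as if by 'dd if=/dev/zero',
    a genuine backup at the start of group 1, and a decoy copy at block 5000 that also claims
    to be group 1 (what a filesystem image stored inside a file would look like)."""
    blocks = 1 + blocks_per_group * groups          # first_data_block is 1 for 1 KiB blocks
    img = bytearray(blocks * 1024)
    genuine = build_superblock(1, blocks, blocks_per_group, b"H_E09")
    img[(1 + blocks_per_group) * 1024:(1 + blocks_per_group) * 1024 + SB_SIZE] = genuine
    img[5000 * 1024:5000 * 1024 + SB_SIZE] = genuine
    return bytes(img)


def find_superblocks(image_bytes):
    return list(iter_superblocks(io.BytesIO(image_bytes)))


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. /dev/mapper/H_E09, opened read-only
    stream = open(src, "rb") if src else io.BytesIO(build_demo_image())
    with stream:
        for sb in iter_superblocks(stream):
            tag = "backup" if sb["consistent"] else "SUSPECT"
            print(f"{tag}: offset={sb['offset']} fs_block={sb['fs_block']} {sb['mount_option']} "
                  f"bs={sb['block_size']} label={sb['volume_name']!r} claims group {sb['block_group_nr']}")
```

Run it before touching the volume, and try the reported sb= value with a read-only mount (mount -o ro,sb=N) so the journal is not replayed into a filesystem whose primary group descriptors may also be gone; fsck with the same backup superblock is the step to take only after a sector-level copy of the decrypted volume exists.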
From: Atila <ati...@dp...> - 2015-04-02 15:13:59
|
Sam, Autopsy does not fill tsk_file_layout, but tsk_loaddb does (with some exceptions, like very small files that are stored in MFT for NTFS). Maybe that helps you?

On 01-04-2015 12:51, Sam K wrote:
> Thanks, that makes sense. Calculating is not a problem - but I can't seem to find where the data run information is stored for this file. I was expecting tsk_file_layout, but no joy. Is there an API call or somewhere else in the SQLite tables it could live?
>
> On Wed, Apr 1, 2015 at 11:26 AM, ade <adr...@nt...> wrote:
>
> Hi Sam
>
> The metadata you have presented is the data-runs, which are the block (or cluster) numbers, parsed from the inode information. AFAIK, tsk doesn't get the starting sector number for files as this is not maintained by any structures on the disk. You would have to calculate the sector number based on the first cluster number in the data run, taking into account the partition start sector and the number of sectors per cluster.
>
> Stumpy
>
> On Wednesday 01 Apr 2015 11:17:32 Sam K wrote:
> > Good morning:
> >
> > Can anyone shed light on where Autopsy 3.1.2 would store the starting physical sector for a file, if that information is *not* contained in the tsk_file_layout table? I'm guessing it must be stored somewhere (and not re-parsed from the MFT every time I view the file), but have been unsuccessful in finding it.
> >
> > Based on the output in the Metadata tab, Autopsy does store the information. I've confirmed with another tool that 118341 is indeed the starting physical sector. I want this information included with a report module I'm working on, and can't seem to reference it anywhere in the API or database (there's no entry for the file in tsk_file_layout, perhaps because it's contiguous and not fragmented).
> >
> > Attributes:
> > Type: ? (16-0) Name: N/A Resident size: 72
> > Type: ? (48-6) Name: N/A Resident size: 90
> > Type: ? (48-5) Name: N/A Resident size: 110
> > Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
> > 118341 118342 118343 118344 118345 118346 118347 118348
> > 118349 118350 118351 118352 118353 118354 118355 118356
> > 118357 118358 118359 118360 118361 118362 118363 118364
> > 118365 118366 118367 118368 118369 118370 118371 118372
> > 118373 118374 118375 118376 118377 118378 118379 118380
> > 118381 118382 118383 118384 118385 118386 118387 118388
> > 118389 118390
> >
> > Thanks in advance for any feedback.
 |
From: <mir...@zg...> - 2015-04-02 08:23:15
|
As you can read here:

Recover partly overwritten luks volume?
https://forums.gentoo.org/viewtopic-t-1004014.html#7724054

, and around, I have been trying to get help from the Sleuthkit Forum/Users/Other for days.

Never mind that. But what I next need to do and if anybody can suggest where to educate myself about it, is, on the lines of what I wrote in the last post in that topic of Gentoo Forums.

But, in brief, I'll give a summary of the stage I am at right now. It is however too complex for me to sufficiently well explain it in this summary, so, pls look it up in the topic linked above, and accept my apologies for not having been able to provide clearer and not so redundant explanations there (but those explanations are, on the bright side, rather complete as to what I managed to understand and do so far).

All the following are pastes from there.

I had had (not a typo: past perfect tense) a luks-volume in a file:

-rw-r--r-- 1 root root 465567744000 2014-09-11 23:07 H_E09.vol

I had backed it up in time:

# cryptsetup luksHeaderBackup H_E09.vol --header-backup-file H_E09.bak

But I overwrote it (past tense, so after the above two events):

uabox c1 # dd if=/dev/zero bs=4k count=1110000000 of=H_E09.vol &

for only seconds though! Probably a matter of maximum a few GB (of the 430GB) were zeroed.

I managed to open it:

uabox ~ # cryptsetup --verbose --header /mnt/sdk1/H_E09.bak open /dev/loop0 H_E09
Enter passphrase for /mnt/sdk1/H_E09.vol:
Key slot 0 unlocked.
Command successful.
uabox ~ #

And it may be best at this point, to find that exact text in this post:

https://forums.gentoo.org/viewtopic-t-1004014.html#7723732

read a little about how the superblock would be written with the

mke2fs -t ext4 -n -b /dev/mapper/H_E09

or

mke2fs -t ext4 -n -b -4096 /dev/mapper/H_E09

command, and, maybe (sic! only maybe, for regular users like me; but probably if some of the experts are reading this) even skip a few posts up to this one:

https://forums.gentoo.org/viewtopic-t-1004014-start-25.html#7724538

where I summarize (pasting over from there):

[I need to learn]
> how do you get which exact blocks a particular file is occupying on a device.
>
> Why? Because I want to be able to revert to the current status defined by the MD5 sum of the device taken.
>
> How? By dumping, with dd dump seek... , just that which some of my command will change in the next steps after this stage, so that if I go wrong, I can recover, with dd dump skip ..., exactly those blocks only, and check the MD5, and know that I am back at this exact stage at which I am right now while I am writing this.
>
> ...
>
> It occurs to me, a strong suspicion, right now. what if, that command, and I'll post it 3+1st or 4+1st time now...
> What if this:
>
> uabox ~ # mke2fs -t ext4 -n -b /dev/mapper/H_E09
> mke2fs: invalid block size - /dev/mapper/H_E09
> uabox ~ #
>
> that command wanted to write a new superblock, and not recover the existing one? ..

I'll be thankful to any kind people for their advice on this issue.

Pls. allow time for my actions to follow your advice. I've got the entire case archived currently, as I needed the resources, so I first need to retrace my steps, and I am generally rather slow in these difficult stunts for a 60 yrs old late adopter that I am.

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr |