sleuthkit-users Mailing List for The Sleuth Kit (Page 30)

Brought to you by: carrier

sleuthkit-users — List to discuss Autopsy and The Sleuth Kit.

You can subscribe to this list here.

2002	Jan	Feb	Mar	Apr	May	Jun	Jul (6)	Aug	Sep (11)	Oct (5)	Nov (4)	Dec
2003	Jan (1)	Feb (20)	Mar (60)	Apr (40)	May (24)	Jun (28)	Jul (18)	Aug (27)	Sep (6)	Oct (14)	Nov (15)	Dec (22)
2004	Jan (34)	Feb (13)	Mar (28)	Apr (23)	May (27)	Jun (26)	Jul (37)	Aug (19)	Sep (20)	Oct (39)	Nov (17)	Dec (9)
2005	Jan (45)	Feb (43)	Mar (66)	Apr (36)	May (19)	Jun (64)	Jul (10)	Aug (11)	Sep (35)	Oct (6)	Nov (4)	Dec (13)
2006	Jan (52)	Feb (34)	Mar (39)	Apr (39)	May (37)	Jun (15)	Jul (13)	Aug (48)	Sep (9)	Oct (10)	Nov (47)	Dec (13)
2007	Jan (25)	Feb (4)	Mar (2)	Apr (29)	May (11)	Jun (19)	Jul (13)	Aug (15)	Sep (30)	Oct (12)	Nov (10)	Dec (13)
2008	Jan (2)	Feb (54)	Mar (58)	Apr (43)	May (10)	Jun (27)	Jul (25)	Aug (27)	Sep (48)	Oct (69)	Nov (55)	Dec (43)
2009	Jan (26)	Feb (36)	Mar (28)	Apr (27)	May (55)	Jun (9)	Jul (19)	Aug (16)	Sep (15)	Oct (17)	Nov (70)	Dec (21)
2010	Jan (56)	Feb (59)	Mar (53)	Apr (32)	May (25)	Jun (31)	Jul (36)	Aug (11)	Sep (37)	Oct (19)	Nov (23)	Dec (6)
2011	Jan (21)	Feb (20)	Mar (30)	Apr (30)	May (74)	Jun (50)	Jul (34)	Aug (34)	Sep (12)	Oct (33)	Nov (10)	Dec (8)
2012	Jan (23)	Feb (57)	Mar (26)	Apr (14)	May (27)	Jun (27)	Jul (60)	Aug (88)	Sep (13)	Oct (36)	Nov (97)	Dec (85)
2013	Jan (60)	Feb (24)	Mar (43)	Apr (32)	May (22)	Jun (38)	Jul (51)	Aug (50)	Sep (76)	Oct (65)	Nov (25)	Dec (30)
2014	Jan (19)	Feb (41)	Mar (43)	Apr (28)	May (61)	Jun (12)	Jul (10)	Aug (37)	Sep (76)	Oct (31)	Nov (41)	Dec (12)
2015	Jan (33)	Feb (28)	Mar (53)	Apr (22)	May (29)	Jun (20)	Jul (15)	Aug (17)	Sep (52)	Oct (3)	Nov (18)	Dec (21)
2016	Jan (20)	Feb (8)	Mar (21)	Apr (7)	May (13)	Jun (35)	Jul (34)	Aug (11)	Sep (14)	Oct (22)	Nov (31)	Dec (23)
2017	Jan (20)	Feb (7)	Mar (5)	Apr (6)	May (6)	Jun (22)	Jul (11)	Aug (16)	Sep (8)	Oct (1)	Nov (1)	Dec (1)
2018	Jan	Feb	Mar (16)	Apr (2)	May (6)	Jun (5)	Jul	Aug (2)	Sep (4)	Oct	Nov (16)	Dec (13)
2019	Jan	Feb (1)	Mar (25)	Apr (9)	May (2)	Jun (1)	Jul (1)	Aug	Sep	Oct	Nov	Dec
2020	Jan (2)	Feb	Mar (1)	Apr	May (1)	Jun (3)	Jul (2)	Aug	Sep	Oct (5)	Nov	Dec
2021	Jan	Feb	Mar (1)	Apr	May	Jun (4)	Jul (1)	Aug	Sep (1)	Oct	Nov (1)	Dec
2022	Jan	Feb (2)	Mar	Apr	May (2)	Jun	Jul (3)	Aug	Sep	Oct	Nov	Dec
2023	Jan (2)	Feb	Mar (1)	Apr	May	Jun	Jul	Aug	Sep	Oct (1)	Nov	Dec
2024	Jan	Feb (3)	Mar	Apr (1)	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	Jan	Feb	Mar	Apr	May	Jun	Jul (1)	Aug	Sep	Oct	Nov	Dec

Flat | Threaded

<< < 1 .. 28 29 30 31 32 .. 211 > >> (Page 30 of 211)

Re: [sleuthkit-users] STIX/Cybox report module

From: Brian C. <ca...@sl...> - 2015-03-09 13:55:10

Hi Mitch,

You can find the list here:

http://sleuthkit.org/autopsy/docs/user-docs/3.1/stix_page.html

thanks,
brian

On Mar 5, 2015, at 7:13 PM, Mitch Wander <mw...@gm...> wrote:

> Brian / Autopsy Team,
> 
> What observables are supported by the new STIX/Cybox report module please?
> 
> Is there a way to look this up in the module or other documentation?
> 
> Thanks!
> 
> Mitch
> 
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the 
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

[sleuthkit-users] [Autopsy] Extracted Content - Web Searches: Full Path in table view?

From: <in...@ba...> - 2015-03-09 11:22:13

Dear all,

I am currently working on a case and gave Autopsy a try due to advanced 
content extracter regarding recent activities. Using this feature I have 
found a high amount of relevant web searches which are listed under 
"Results -> Extracted Content -> Web Searches".

The case includes several different computers that were used by various 
different windows users. The relevance of a search depends on the user 
that queried the search. Therefore, I do not only need to know the 
search query, browser and evidence file but also the „Full Path“ to the 
file that contained the web search. As far as I have searched, Autopsy 
only provides this information in the metadata or result pane but not in 
the table view. But I need to have this information in the table view so 
that I can easily filter the result set.

Therefore, I have taken a look at the database layout. I have figured 
out that joining the tables blackboard_artifacts and tsk_files and 
filtering on artifacte_type_id 15 will give me the file path inside the 
volume for each search query. But I am still missing the partition ID 
and the evidence file.

Can somebody help me how I can query all necessary information?

And an additional request: Is there a reason why this information is not 
displayed by default in the table view?

Best regards
Dennis

[sleuthkit-users] STIX/Cybox report module

From: Mitch W. <mw...@gm...> - 2015-03-06 00:14:04

Brian / Autopsy Team,

What observables are supported by the new STIX/Cybox report module please?

Is there a way to look this up in the module or other documentation?

Thanks!

Mitch

[sleuthkit-users] Forensic 4Cast

From: Brian C. <ca...@sl...> - 2015-03-05 19:14:13

Nominations are open for the Forensic 4Cast awards.   If you like Autopsy, you might want to nominate it .... 

    https://forensic4cast.com/forensic-4cast-awards/

Re: [sleuthkit-users] Autopsy 3.1.2 is available

From: Anthony S. <ant...@gm...> - 2015-03-05 13:41:01

<p dir="ltr">Awesome. Thanks!<br><br></p>
<p dir="ltr">Sent using <a href="https://cloudmagic.com/k/d/mailapp?ct=ta&cv=6.0.6.1&pv=5.0.2">CloudMagic</a></p>
<br/><div class="cm_quote" style=" color: #787878">On Wed, Mar 04, 2015 at 11:38 pm, Brian Carrier &lt;<a href="mailto:ca...@sl...">ca...@sl...</a>&gt; wrote:</div><br><div id="oldcontent" style="background: rgb(255, 255, 255);"><blockquote style=""><p dir="ltr">Autopsy 3.1.2 is on the website.&nbsp; Details of what is in it are below. The most requested feature that is part of this release is carving using PhotoRec.
<br>

<br>
&nbsp;&nbsp;&nbsp; http://sleuthkit.org/autopsy/
<br>

<br>
Also a reminder that we'll be using this version in the next training course, which is on March 18 and available both in person in Herndon, VA and online:
<br>

<br>
&nbsp;&nbsp;&nbsp; http://www.basistech.com/digital-forensics/autopsy/training/
<br>

<br>
What's New in 3.1.2:
<br>

<br>
	• New PhotoRec carving ingest module
<br>
	• Metadata tab in lower right now also shows istat (TSK) output for more metadata details
<br>
	• Regripper output is available as a report instead of TOOL_OUTPUT artifact
<br>
	• Updated version of RegRipper
<br>
	• New STIX/Cybox report module (manually run after image has been analyzed)
<br>
	• File type module supports user defined file types and can alert when they are found
<br>
	• More artifacts are extracted from registry
<br>
	• User docs were moved online (http://sleuthkit.org/autopsy/docs/user-docs/3.1/)
<br>
------------------------------------------------------------------------------
<br>
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
<br>
by Intel and developed in partnership with Slashdot Media, is your hub for all
<br>
things parallel software development, from weekly thought leadership blogs to
<br>
news, videos, case studies, tutorials and more. Take a look and join the 
<br>
conversation now. http://goparallel.sourceforge.net/
<br>
_______________________________________________
<br>
sleuthkit-users mailing list
<br>
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
<br>
http://www.sleuthkit.org
<br>
</p>
</blockquote></div>

[sleuthkit-users] Autopsy 3.1.2 is available

From: Brian C. <ca...@sl...> - 2015-03-05 04:35:04

Autopsy 3.1.2 is on the website.  Details of what is in it are below. The most requested feature that is part of this release is carving using PhotoRec.

    http://sleuthkit.org/autopsy/

Also a reminder that we'll be using this version in the next training course, which is on March 18 and available both in person in Herndon, VA and online:

    http://www.basistech.com/digital-forensics/autopsy/training/

What's New in 3.1.2:

	• New PhotoRec carving ingest module
	• Metadata tab in lower right now also shows istat (TSK) output for more metadata details
	• Regripper output is available as a report instead of TOOL_OUTPUT artifact
	• Updated version of RegRipper
	• New STIX/Cybox report module (manually run after image has been analyzed)
	• File type module supports user defined file types and can alert when they are found
	• More artifacts are extracted from registry
	• User docs were moved online (http://sleuthkit.org/autopsy/docs/user-docs/3.1/)

[sleuthkit-users] tsk_loaddb difficulties with OSX Time Machine

From: Ketil F. <ke...@fr...> - 2015-03-03 13:56:31

Hi,

Has anyone tried running tsk_loaddb on an image of a Mac backup (aka
Time Machine) drive? Time Machine creates a lot of hard links, and I
don't think tsk_loaddb recognises the hard links, because the result
is that processing either takes more memory than I have, or takes very
long.

Here's a new issue report I just posted on the bugtracker:

https://github.com/sleuthkit/sleuthkit/issues/397

For example, I suspect that tsk_loaddb -h (to calculate checksums)
actually checksums files not just once, but once for each hard link. I
haven't verified this in the code, but the processing time increases
by so much when I add the -h flag that I suspect this must be the
case.

As noted on the issue tracker, the tsk_files table in the database
contains full path and metadata (like size, timestamps, checksum,
etc), and the tsk_file_layout stores  This replicates all the metadata
for each inode. That probably isn't a problem in the ordinary case,
but it means that a lot of data is processed and stored many times for
a case like mine. Perhaps this is something to consider for the
database schema. Is v3 of the schema implemented yet?

http://wiki.sleuthkit.org/index.php?title=SQLite_Database_v3_Schema

It'd also be interesting to hear if anyone else has seen other real
life cases where there's a lot of hard links.

-Ketil

Re: [sleuthkit-users] File List

From: Billy P. <bg...@gm...> - 2015-02-23 04:10:35

slo - I think I am looking at needing more that just the partitions, but
thanks.

Brian - I am not sure what you mean, but I think Patrick is explaining..

Patrick - Thanks. I will take a look. Not exactly the "format" I was
looking for, but if I can get it into Excel and everything has its own
column, then I can move it around. (Although I was hoping the path and the
filename would be separate - or a separate column with just the filename.)
I will check out your link. Thanks.

On Sun, Feb 22, 2015 at 7:57 PM, Patrick Olsen <
pat...@sy...> wrote:

> You can use fls or tsk_gettimes.
>
> I've also written a few blog posts on using TSK. Hopefully they help out
> some: https://sysforensics.org/?s=The+Sleuth+Kit+Part&searchsubmit=Search
>
> Here are a couple quick examples I did on my mac quickly.
>
> *sudo tsk_gettimes /dev/disk0s3*
>
> *sudo fls -r -m "/" -f hfs /dev/disk0s3*
>
>
> 0|/System/Library/CoreServices/pgpboot.efi|510|r/rrw-r--r--|0|0|1093702|1419478190|1419478190|1419478190|1419478190
>
> 0|/System/Library/CoreServices/pgpcontents.tar|511|r/rrw-r--r--|0|0|4686336|1419478190|1419478190|1419478190|1419478190
>
> 0|/System/Library/CoreServices/PlatformSupport.plist|508|r/rrw-r--r--|0|0|4694|1419478190|1419478190|1419478190|1419478190
>
> 0|/System/Library/CoreServices/SystemVersion.plist|507|r/rr--r--r--|0|0|478|1419478190|1419478190|1419478190|1419478190
> 0|/^^^^HFS+ Private
> Data|18|d/d---------|0|0|0|1392702170|1392702170|1392702170|1392702170
>
> Then you could do:
>
> *sudo fls -r -m "/" -f hfs /dev/disk0s3 |mactime -b*
>
> Xxx Xxx 00 0000 00:00:00  8388608 .ac. r/r--------- 0        0        16
>     /.journal
>                              4096 .ac. r/r--------- 0        0        17
>     /.journal_info_block
> Fri Sep 27 2013 21:56:00     4530 m..b r/rrw-r--r-- 0        0        79
>     /com.apple.recovery.boot/PlatformSupport.plist
> Wed Oct 02 2013 12:01:32     4530 .a.. r/rrw-r--r-- 0        0        79
>     /com.apple.recovery.boot/PlatformSupport.plist
> Sat Oct 05 2013 01:39:23      476 m..b r/rr--r--r-- 0        0        78
>     /com.apple.recovery.boot/SystemVersion.plist
> Sat Oct 05 2013 02:56:19 16538164 m..b r/rrw-r--r-- 0        0        76
>     /com.apple.recovery.boot/kernelcache
> Sat Oct 05 2013 03:05:21 16538164 .a.. r/rrw-r--r-- 0        0        76
>     /com.apple.recovery.boot/kernelcache
> Sat Oct 05 2013 03:06:38 482596302 m..b r/rrw-r--r-- 0        0        77
>       /com.apple.recovery.boot/BaseSystem.dmg
>
> On Sun, Feb 22, 2015 at 10:36 PM, Billy Pronovost <bg...@gm...>
> wrote:
>
>> Hi all...
>>
>> I am still fairly new to Sleuthkit, but I am learning more and more
>> everyday. I am wondering if there is any way to export a file listing (like
>> a csv) containing details like MAC, Filename, extension, ect. The idea here
>> is to be able to include this information in a report.
>>
>> Thanks,
>>
>> Billy
>>
>>
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>>
>>
>

Re: [sleuthkit-users] File List

From: Brian C. <ca...@sl...> - 2015-02-23 03:48:18

The 'body' file format is pipe delimited and could work for that.  You can make that format with 'tsk_gettimes' and 'fls'.


On Feb 22, 2015, at 10:36 PM, Billy Pronovost <bg...@gm...> wrote:

> Hi all...
> 
> I am still fairly new to Sleuthkit, but I am learning more and more everyday. I am wondering if there is any way to export a file listing (like a csv) containing details like MAC, Filename, extension, ect. The idea here is to be able to include this information in a report. 
> 
> Thanks,
> 
> Billy
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

[sleuthkit-users] Autopsy Training

From: Brian C. <ca...@sl...> - 2015-02-23 03:47:26

Hello all,

I wanted to remind everyone that the next Autopsy training is one month away on March 18.  The training is now 1 day long instead of 2 and we'll be doing both in person (in Herndon, VA) and online at the same time.  The training covers the basics of using Autopsy and configuration of the modules. More details can be found here:

    http://www.basistech.com/digital-forensics/autopsy/training/

thanks,
brian

[sleuthkit-users] File List

From: Billy P. <bg...@gm...> - 2015-02-23 03:36:41

Hi all...

I am still fairly new to Sleuthkit, but I am learning more and more
everyday. I am wondering if there is any way to export a file listing (like
a csv) containing details like MAC, Filename, extension, ect. The idea here
is to be able to include this information in a report.

Thanks,

Billy

Re: [sleuthkit-users] Autopsy 3.xx on linux

From: Vitor V. <ven...@gm...> - 2015-02-19 20:03:55

Has a malware and ERS consultant I prefer to use Linux as a base OS. This
allow me to use filesystems with better performance for large files. Also I
would be less vulnerable when I analyse windows machines (which are 90% of
my cases). The ingest takes a lot of time

On Thu, Feb 19, 2015 at 12:06 AM, Scott Johnson <sc...@of...> wrote:

> Not really, I'm just new with Autopsy and already had a Windows box set
> up. Is the Linux build a better way to go?
>
>
>
> On Feb 18, 2015, at 2:07 PM, Vitor Ventura <ven...@gm...>
> wrote:
>
> Is there any legal or otherwise reason for nota having autopsy 3.0 for
> linux?
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
>
> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>

[sleuthkit-users] Autopsy 3.1.1 times

From: Nanni B. <dig...@gm...> - 2015-02-19 07:11:00

Hi all,
I launched a little survey in CFI (Computer Forensics Italy) an italian
mailing list, on the times for indexing an hard disk with Autopsy 3.1.1
I believe this could be interesting for you:

hdd da 150Gb, connected via Bridge Sata on USB 3.0, 3Gb Ram, i5 cpu - time
taken almost 12 hours.

100 GB EWF image,compression factor = 6,
Workstation HP Z620 16 GB RaM, 1 cpu  4 core Xeon E5-2609 v2, 3 Disks  RAID
0 ( Seagate Barracuda 2 TB HDD SATA 6 Gb/s NCQ 64MB Cache 3.5-Inch Internal
Bare Drive ST2000DM001) Controller LSI 9217-4i4e 8-port SAS 6Gb/s RAID Card
-  Time taken 5 hours.

dd image HD  250 Gb,
Notebook  - cpu i7 (F:2Gh+, Cache L3:3Mb+, 64 bit), 8Gb RAM DDR3. Time
taken 30 hours.

Hard disk 320GB - Workstation sata1 - cpu Xeon 2.4Ghz  - 8GB ram - Time
taken 52 hours.

Others comments are on the stuck issue of Autopsy,while it are indexing
something big (1Tb, 500Gb, etc.).

I hope this helps ;)

Thanks


-- 
Dr. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net

[sleuthkit-users] Using Scalpel to retrieve outlook's ost files

From: Aneesh P.A. <my...@gm...> - 2015-02-19 07:06:41

Hi,

I have used scalpel for retrieving data from outlook on a windows7 system.
The details are given below.

Scalpel version : 1.60
Host : Ubuntu 14.04 LTS
Data is being retrieved from a deleted windows7 profile on an NTFS
partition.

Files retrieved: dbx, idx, mbx, and ost files. No pst file was found.

I tried importing the files to Outlook as well as Thunderbird but to no
avail. Has anyone tried retrieving outlooks mails and folders with scalpel?
Is there any other tool that might be of some help?

Thanks and Regards,

Aneesh

Re: [sleuthkit-users] Autopsy 3.xx on linux

From: Scott J. <sc...@of...> - 2015-02-19 00:06:33

Not really, I'm just new with Autopsy and already had a Windows box set up.
Is the Linux build a better way to go?



On Feb 18, 2015, at 2:07 PM, Vitor Ventura <ven...@gm...> wrote:

Is there any legal or otherwise reason for nota having autopsy 3.0 for
linux?

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

[sleuthkit-users] Autopsy 3.xx on linux

From: Vitor V. <ven...@gm...> - 2015-02-18 21:06:30

Is there any legal or otherwise reason for nota having autopsy 3.0 for
linux?

Re: [sleuthkit-users] Autopsy extracting files Mac HFS+

From: Ketil F. <ke...@fr...> - 2015-02-18 17:23:02

If this is the same issue as I reported earlier on github and it's
been fixed, I guess both the sleuthkit issue and the autopsy issue can
be closed?

https://github.com/sleuthkit/sleuthkit/issues/376
https://github.com/sleuthkit/autopsy/issues/903

Regards, Ketil

On 18 February 2015 at 16:38, Brian Carrier <ca...@sl...> wrote:
> The fix will be in the 3.1.2 release, which should be out early next week.
>
>
>
> On Feb 18, 2015, at 3:15 AM, Nanni Bassetti <dig...@gm...> wrote:
>
>> Yes, I confirm this issue.
>>
>> 2015-02-18 1:55 GMT+01:00 Scott Johnson <sc...@of...>:
>> I have not been able to extract a file from an HFS+ image until I found the email below describing the extraction program appending ":data" when saving the file. When I remove the ":data" from the "save as" file name, the file is extracted just fine. If I try to extract multiple files then there is no option to remove the ":data" from the file names, and thus the files are not extracted. The message below suggests a fix for this issue but I cannot find where to obtain the fix. Any help would be appreciated as I have to extract hundreds of files from a Mac image.
>>
>> Scott
>>
>>
>>
>> ------------------------------------------------------------------
>>
>> Re: [sleuthkit-users] Autopsy and MAC
>> From: Brian Carrier <carrier@sl...> - 2015-01-14 15:30:36
>> I poked at the HFS+ code a bit this morning to try some things since there seem to be some common issues with it and Autopsy.  There is a slight exporting issue that I've fixed, which was basically that you could export the file, but the HFS+ code was adding ":DATA" to the end of the name to reflect the data fork (versus the resource fork) and that turned into an Alternate Data Stream on a windows system.  So, you would never see the exported file.  I changed it so that ":DATA" is not added for the default data fork (like what happens on the command line tools for TSK) and also changed Autopsy so that it replaces any ":" with a "_" in the suggested file name so that you don't save things as ADS (well you still can, but you need to do some work to do it now).
>>
>> There still seem to be some database issues with HFS+ that I haven't been able to recreate.
>>
>> brian
>>
>>
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>>
>>
>>
>>
>> --
>> Dr. Nanni Bassetti
>> http://www.nannibassetti.com
>> CAINE project manager - http://www.caine-live.net
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk_______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org



-- 
-Ketil

Re: [sleuthkit-users] Autopsy extracting files Mac HFS+

From: Brian C. <ca...@sl...> - 2015-02-18 15:38:47

The fix will be in the 3.1.2 release, which should be out early next week.



On Feb 18, 2015, at 3:15 AM, Nanni Bassetti <dig...@gm...> wrote:

> Yes, I confirm this issue.
> 
> 2015-02-18 1:55 GMT+01:00 Scott Johnson <sc...@of...>:
> I have not been able to extract a file from an HFS+ image until I found the email below describing the extraction program appending ":data" when saving the file. When I remove the ":data" from the "save as" file name, the file is extracted just fine. If I try to extract multiple files then there is no option to remove the ":data" from the file names, and thus the files are not extracted. The message below suggests a fix for this issue but I cannot find where to obtain the fix. Any help would be appreciated as I have to extract hundreds of files from a Mac image.
> 
> Scott
> 
> 
> 
> ------------------------------------------------------------------
> 
> Re: [sleuthkit-users] Autopsy and MAC
> From: Brian Carrier <carrier@sl...> - 2015-01-14 15:30:36
> I poked at the HFS+ code a bit this morning to try some things since there seem to be some common issues with it and Autopsy.  There is a slight exporting issue that I've fixed, which was basically that you could export the file, but the HFS+ code was adding ":DATA" to the end of the name to reflect the data fork (versus the resource fork) and that turned into an Alternate Data Stream on a windows system.  So, you would never see the exported file.  I changed it so that ":DATA" is not added for the default data fork (like what happens on the command line tools for TSK) and also changed Autopsy so that it replaces any ":" with a "_" in the suggested file name so that you don't save things as ADS (well you still can, but you need to do some work to do it now). 
> 
> There still seem to be some database issues with HFS+ that I haven't been able to recreate. 
> 
> brian
> 
> 
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
> 
> 
> 
> 
> -- 
> Dr. Nanni Bassetti
> http://www.nannibassetti.com
> CAINE project manager - http://www.caine-live.net
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

Re: [sleuthkit-users] Autopsy extracting files Mac HFS+

From: Nanni B. <dig...@gm...> - 2015-02-18 08:15:12

Yes, I confirm this issue.

2015-02-18 1:55 GMT+01:00 Scott Johnson <sc...@of...>:

> I have not been able to extract a file from an HFS+ image until I found
> the email below describing the extraction program appending ":data" when
> saving the file. When I remove the ":data" from the "save as" file name,
> the file is extracted just fine. If I try to extract multiple files then
> there is no option to remove the ":data" from the file names, and thus the
> files are not extracted. The message below suggests a fix for this issue
> but I cannot find where to obtain the fix. Any help would be appreciated as
> I have to extract hundreds of files from a Mac image.
>
> Scott
>
>
>
> ------------------------------------------------------------------
>
> *Re: [sleuthkit-users] Autopsy and MAC
> <http://sourceforge.net/p/sleuthkit/mailman/message/33232201/>*
> From: Brian Carrier <carrier@sl...> - 2015-01-14 15:30:36
>
> I poked at the HFS+ code a bit this morning to try some things since there seem to be some common issues with it and Autopsy.  There is a slight exporting issue that I've fixed, which was basically that you could export the file, but the HFS+ code was adding ":DATA" to the end of the name to reflect the data fork (versus the resource fork) and that turned into an Alternate Data Stream on a windows system.  So, you would never see the exported file.  I changed it so that ":DATA" is not added for the default data fork (like what happens on the command line tools for TSK) and also changed Autopsy so that it replaces any ":" with a "_" in the suggested file name so that you don't save things as ADS (well you still can, but you need to do some work to do it now).
>
> There still seem to be some database issues with HFS+ that I haven't been able to recreate.
>
> brian
>
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
>
> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>


-- 
Dr. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net

[sleuthkit-users] Autopsy extracting files Mac HFS+

From: Scott J. <sc...@of...> - 2015-02-18 01:50:15

I have not been able to extract a file from an HFS+ image until I found the
email below describing the extraction program appending ":data" when saving
the file. When I remove the ":data" from the "save as" file name, the file
is extracted just fine. If I try to extract multiple files then there is no
option to remove the ":data" from the file names, and thus the files are
not extracted. The message below suggests a fix for this issue but I cannot
find where to obtain the fix. Any help would be appreciated as I have to
extract hundreds of files from a Mac image.

Scott



------------------------------------------------------------------

*Re: [sleuthkit-users] Autopsy and MAC
<http://sourceforge.net/p/sleuthkit/mailman/message/33232201/>*
From: Brian Carrier <carrier@sl...> - 2015-01-14 15:30:36

I poked at the HFS+ code a bit this morning to try some things since
there seem to be some common issues with it and Autopsy.  There is a
slight exporting issue that I've fixed, which was basically that you
could export the file, but the HFS+ code was adding ":DATA" to the end
of the name to reflect the data fork (versus the resource fork) and
that turned into an Alternate Data Stream on a windows system.  So,
you would never see the exported file.  I changed it so that ":DATA"
is not added for the default data fork (like what happens on the
command line tools for TSK) and also changed Autopsy so that it
replaces any ":" with a "_" in the suggested file name so that you
don't save things as ADS (well you still can, but you need to do some
work to do it now).

There still seem to be some database issues with HFS+ that I haven't
been able to recreate.

brian