sleuthkit-users Mailing List for The Sleuth Kit (Page 36)
From: Ketil F. <ke...@fr...> - 2014-10-01 10:16:22

Develop worked better! Thanks.

Thanks,
Ketil

On 30 September 2014 17:31, Brian Carrier <ca...@sl...> wrote:
> Hi Ketil,
>
> I think I fixed that, but haven't released it.
>
> Can you download the latest source and try that one:
>
> https://github.com/sleuthkit/sleuthkit/archive/develop.zip
>
> On Sep 30, 2014, at 9:25 AM, Ketil Froyn <ke...@fr...> wrote:
>
>> Hi,
>>
>> I'm running tsk_loaddb from tsk 4.1.3 on Ubuntu 14.04. Ubuntu is bundled with an older version, so I downloaded the source tarball and built it. First I built libewf-20140608 like this:
>>
>> ./configure --enable-python --enable-verbose-output --enable-debug-output --prefix=$HOME/tsk
>> make
>> make install
>>
>> and then TSK like this:
>>
>> ./configure --prefix=$HOME/tskk --with-libewf=$HOME/tsk --disable-java
>> make
>> make install
>>
>> Now, tsk_loaddb works fine without the -h switch, but when I try to enable hashing I get lots of errors; both of these errors are repeated lots of times:
>>
>> Error:
>> Error: Database Error (TskDbSqlite::addFile: Error adding data to tsk_files table: unrecognized token "dbe0f49aabec8001c62ef508e19e5584"
>> )
>> Error:
>> Error: Database Error (TskDbSqlite::addFile: Error adding data to tsk_files table: near "f3133e4c78b43def98234ffebc556b90": syntax error
>> )
>>
>> My commands were:
>>
>> tsk_loaddb -i ewf -d nohash.db image.E01
>> or
>> tsk_loaddb -i ewf -h -d hash.db image.E01
>>
>> I have sqlite3 v3.8.2. Now that I double checked, I didn't have libsqlite3-dev installed, but everything built fine and tsk_loaddb works great without -h, so I guess that's not the issue. I had a brief look into tsk/auto/db_sqlite.cpp, but didn't spot the issue.
>>
>> Is this a bug, or did I do something wrong?
>>
>> -Ketil
>>
>> ------------------------------------------------------------------------------
>> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
>> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
>> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
>> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>

--
-Ketil
From: Luís F. N. <lfc...@gm...> - 2014-10-01 00:00:24

This problem still happens with the 4.2.0 branch. If I can help with some more information, please let me know.

Thanks,
Luis

2014-07-24 9:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
> Another piece of information: the sum of the millions of file sizes resulted in 1.1 petabytes, while the image has only 250 GB.
>
> 2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>> We tested loaddb of both the released 4.1.3 version and the develop branch of sleuthkit on an NTFS image of a hard disk with a lot of bad blocks, many of them at the beginning of the disk.
>>
>> The 4.1.3 version found ~400,000 allocated files plus ~100,000 orphan files, about the same as found by other forensic tools. The develop branch found the same ~400,000 allocated files plus ~2,500,000 orphan files! Most of these millions of orphans have corrupted names or the name OrphanFile-xxxxxxx and have lengths ranging from 0 to 4,294,967,296 bytes. We think the recent changes to the NTFS code are causing this large number of corrupted orphans to be added to the case. Maybe it should be investigated before the final 4.2 release.
>>
>> Luis
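A plausibility check an analyst can run over a loaddb database before trusting its file list, prompted by the symptom reported above (orphan sizes that add up to far more than the image, and lengths up to 4,294,967,296 bytes). This is an added example, not Sleuth Kit code, and it builds its own small in-memory database. It assumes the tables tsk_files(name, size) and tsk_image_info(size) exist under those names, which is how the author of this example recalls the loaddb schema; confirm with `.schema` in sqlite3 before pointing it at a real case database. Hard links, sparse files and NTFS-compressed files can legitimately push the sum of logical sizes above the image size, so the ratio threshold is deliberately loose.

```python
"""Plausibility checks over a loaddb case database.
Added, constructed example; not Sleuth Kit code. Schema assumption:
tsk_files(name, size) and tsk_image_info(size) exist under those names.
"""
import sqlite3

FOUR_GIB = 4_294_967_296  # largest "length" reported in the thread (2**32)


def build_sample_db():
    """Constructed case db: a 1000-byte 'image' and five file rows,
    three of them named like TSK's recovered orphans."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE tsk_image_info (obj_id INTEGER PRIMARY KEY, size INTEGER);
        CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, name TEXT, size INTEGER);
        INSERT INTO tsk_image_info (size) VALUES (1000);
        INSERT INTO tsk_files (name, size) VALUES
            ('readme.txt', 100),
            ('OrphanFile-1234', 4294967296),
            ('OrphanFile-1235', 0),
            ('big.bin', 2000),
            ('OrphanFile-1236', 300);
        """
    )
    return con


def plausibility_report(con, orphan_prefix="OrphanFile-"):
    """Summarise whether the recorded file population can physically fit the image."""
    image_size = con.execute(
        "SELECT COALESCE(SUM(size), 0) FROM tsk_image_info").fetchone()[0]
    file_count, total = con.execute(
        "SELECT COUNT(*), COALESCE(SUM(size), 0) FROM tsk_files").fetchone()
    oversized = [r[0] for r in con.execute(
        "SELECT name FROM tsk_files WHERE size > ? ORDER BY name", (image_size,))]
    orphan_count = con.execute(
        "SELECT COUNT(*) FROM tsk_files WHERE name LIKE ?",
        (orphan_prefix + "%",)).fetchone()[0]
    at_4gib = con.execute(
        "SELECT COUNT(*) FROM tsk_files WHERE size = ?", (FOUR_GIB,)).fetchone()[0]
    return {
        "image_size": image_size,
        "file_count": file_count,
        "total_file_size": total,
        "size_ratio": (total / image_size) if image_size else float("inf"),
        "oversized": oversized,
        "orphan_count": orphan_count,
        "orphan_fraction": (orphan_count / file_count) if file_count else 0.0,
        "files_at_4gib": at_4gib,
    }


def suspicious(report, max_ratio=2.0, max_orphan_fraction=0.5):
    """Turn the report into human-readable reasons to distrust the file list.
    Thresholds are loose on purpose: hard links, sparse and compressed files
    can legitimately put the sum of logical sizes above the image size."""
    reasons = []
    if report["oversized"]:
        reasons.append("files larger than the image: %s" % ", ".join(report["oversized"]))
    if report["size_ratio"] > max_ratio:
        reasons.append("sum of file sizes is %.0fx the image size" % report["size_ratio"])
    if report["orphan_fraction"] > max_orphan_fraction:
        reasons.append("%.0f%% of files are orphans" % (100 * report["orphan_fraction"]))
    if report["files_at_4gib"]:
        reasons.append("%d file(s) report a size of exactly 4 GiB" % report["files_at_4gib"])
    return reasons


if __name__ == "__main__":
    rep = plausibility_report(build_sample_db())
    for key, value in rep.items():
        print("%-16s %s" % (key, value))
    for reason in suspicious(rep):
        print("WARNING:", reason)
```

To run it against a real case, replace `build_sample_db()` with `sqlite3.connect("case.db")`; a size of exactly 2^32 on many rows is worth a separate look, since it is what a 32-bit length field reads as when it wraps or is filled with 0xFFFFFFFF plus one.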
From: Alessandro F. <at...@gm...> - 2014-09-30 15:43:07

Exactly, Brian. The images are listed as "jpeg images" in "extension mismatch", and are not listed in "views". If you can point me to the db design schema, I could help in tracking the problem in the data.

Regards
Alessandro

2014-09-30 17:35 GMT+02:00 Brian Carrier <ca...@sl...>:
> Hi Alessandro,
>
> So, you are saying that the files have an extension of ".jpeg:DATA" and therefore it is not being shown in the Views area and is coming up as a mismatch?
>
> thanks,
> brian
>
> On Sep 26, 2014, at 1:34 PM, Alessandro Farina <at...@gm...> wrote:
>
>> Hi Jason
>> thanks for the answer, I had the same idea.
>> I think maybe it should only need to make a query for the "views node" that includes also the mismatch results.
>> In my case it could be useful to know that the mismatched extension is "jpeg:DATA"
>>
>> Regards
>> Alessandro
>>
>> 2014-09-24 21:24 GMT+02:00 Jason Letourneau <jle...@ba...>:
>>> Hi Alessandro -
>>>
>>> There is a difference between the views node and the mismatch results. Currently, the views node purely uses the extensions of files to show its results. We'll better adjust those results in the future to take into account signatures that have been detected.
>>>
>>> Jason
>>>
>>> ------------------------------------------------
>>> Jason Letourneau
>>> Product Manager, Digital Forensics
>>> Basis Technology
>>> jle...@ba...
>>> 617-386-2000 ext. 152
>>>
>>> On Sep 23, 2014, at 9:48 AM, Alessandro Farina <at...@gm...> wrote:
>>>
>>>> Hi
>>>> I'm testing the latest version on some MacBook images.
>>>> Analysing the result I've found an out-of-sync between two branches of the tree.
>>>> In the branch "Images" of the "Views" folder I found no images listed, while in the extension mismatch module I found thousands of images.
>>>> The Exif analysis is (almost, I cannot check the number of images precisely) correct, showing some thousands of results.
>>>>
>>>> Regards
>>>> Alessandro
From: Brian C. <ca...@sl...> - 2014-09-30 15:35:31

Hi Alessandro,

So, you are saying that the files have an extension of ".jpeg:DATA" and therefore it is not being shown in the Views area and is coming up as a mismatch?

thanks,
brian

On Sep 26, 2014, at 1:34 PM, Alessandro Farina <at...@gm...> wrote:

> Hi Jason
> thanks for the answer, I had the same idea.
> I think maybe it should only need to make a query for the "views node" that includes also the mismatch results.
> In my case it could be useful to know that the mismatched extension is "jpeg:DATA"
>
> Regards
> Alessandro
>
> 2014-09-24 21:24 GMT+02:00 Jason Letourneau <jle...@ba...>:
>> Hi Alessandro -
>>
>> There is a difference between the views node and the mismatch results. Currently, the views node purely uses the extensions of files to show its results. We'll better adjust those results in the future to take into account signatures that have been detected.
>>
>> Jason
>>
>> ------------------------------------------------
>> Jason Letourneau
>> Product Manager, Digital Forensics
>> Basis Technology
>> jle...@ba...
>> 617-386-2000 ext. 152
>>
>> On Sep 23, 2014, at 9:48 AM, Alessandro Farina <at...@gm...> wrote:
>>
>>> Hi
>>> I'm testing the latest version on some MacBook images.
>>> Analysing the result I've found an out-of-sync between two branches of the tree.
>>> In the branch "Images" of the "Views" folder I found no images listed, while in the extension mismatch module I found thousands of images.
>>> The Exif analysis is (almost, I cannot check the number of images precisely) correct, showing some thousands of results.
>>>
>>> Regards
>>> Alessandro
From: Brian C. <ca...@sl...> - 2014-09-30 15:31:20

Hi Ketil,

I think I fixed that, but haven't released it.

Can you download the latest source and try that one:

https://github.com/sleuthkit/sleuthkit/archive/develop.zip

On Sep 30, 2014, at 9:25 AM, Ketil Froyn <ke...@fr...> wrote:

> Hi,
>
> I'm running tsk_loaddb from tsk 4.1.3 on Ubuntu 14.04. Ubuntu is bundled with an older version, so I downloaded the source tarball and built it. First I built libewf-20140608 like this:
>
> ./configure --enable-python --enable-verbose-output --enable-debug-output --prefix=$HOME/tsk
> make
> make install
>
> and then TSK like this:
>
> ./configure --prefix=$HOME/tskk --with-libewf=$HOME/tsk --disable-java
> make
> make install
>
> Now, tsk_loaddb works fine without the -h switch, but when I try to enable hashing I get lots of errors; both of these errors are repeated lots of times:
>
> Error:
> Error: Database Error (TskDbSqlite::addFile: Error adding data to tsk_files table: unrecognized token "dbe0f49aabec8001c62ef508e19e5584"
> )
> Error:
> Error: Database Error (TskDbSqlite::addFile: Error adding data to tsk_files table: near "f3133e4c78b43def98234ffebc556b90": syntax error
> )
>
> My commands were:
>
> tsk_loaddb -i ewf -d nohash.db image.E01
> or
> tsk_loaddb -i ewf -h -d hash.db image.E01
>
> I have sqlite3 v3.8.2. Now that I double checked, I didn't have libsqlite3-dev installed, but everything built fine and tsk_loaddb works great without -h, so I guess that's not the issue. I had a brief look into tsk/auto/db_sqlite.cpp, but didn't spot the issue.
>
> Is this a bug, or did I do something wrong?
>
> -Ketil
From: Ketil F. <ke...@fr...> - 2014-09-30 13:31:19

Hi,

I'm running tsk_loaddb from tsk 4.1.3 on Ubuntu 14.04. Ubuntu is bundled with an older version, so I downloaded the source tarball and built it. First I built libewf-20140608 like this:

./configure --enable-python --enable-verbose-output --enable-debug-output --prefix=$HOME/tsk
make
make install

and then TSK like this:

./configure --prefix=$HOME/tskk --with-libewf=$HOME/tsk --disable-java
make
make install

Now, tsk_loaddb works fine without the -h switch, but when I try to enable hashing I get lots of errors; both of these errors are repeated lots of times:

Error:
Error: Database Error (TskDbSqlite::addFile: Error adding data to tsk_files table: unrecognized token "dbe0f49aabec8001c62ef508e19e5584"
)
Error:
Error: Database Error (TskDbSqlite::addFile: Error adding data to tsk_files table: near "f3133e4c78b43def98234ffebc556b90": syntax error
)

My commands were:

tsk_loaddb -i ewf -d nohash.db image.E01
or
tsk_loaddb -i ewf -h -d hash.db image.E01

I have sqlite3 v3.8.2. Now that I double checked, I didn't have libsqlite3-dev installed, but everything built fine and tsk_loaddb works great without -h, so I guess that's not the issue. I had a brief look into tsk/auto/db_sqlite.cpp, but didn't spot the issue.

Is this a bug, or did I do something wrong?

-Ketil
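The two SQLite errors in the report above ("unrecognized token" on one hash, "syntax error" near another) have the shape SQLite produces when a value ends up inside the statement text instead of being bound as a parameter. The following is an added illustration of that failure mode and its fix; it is not Sleuth Kit code and makes no claim about what the 4.1.3 source actually did. It uses a cut-down stand-in for the tsk_files table (the real schema has many more columns), the first hash is the one quoted in the report, the second row (a name containing an apostrophe and a digit-first hash) is constructed. The same binding discipline is what stops a file name taken from evidence, which an attacker controls, from changing the SQL a case database runs.

```python
"""Why a file hash (or file name) must be bound as a SQL parameter.
Added, constructed example; not Sleuth Kit code. The table is a reduced
stand-in for tsk_files with only the columns this example needs."""
import sqlite3

# Sample rows (name, size, md5): the first hash is quoted in the report
# above; the second row is constructed to exercise quoting and a digit-first
# hash.
SAMPLE_ROWS = [
    ("photo.jpg", 48213, "dbe0f49aabec8001c62ef508e19e5584"),
    ("it's a note.txt", 10, "3133e4c78b43def98234ffebc556b90f"),
]


def open_case_db():
    """In-memory stand-in for a loaddb database (assumed, reduced schema)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tsk_files ("
        "obj_id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "size INTEGER NOT NULL, md5 TEXT)"
    )
    return con


def add_file_spliced(con, name, size, md5_hex):
    """Fragile: values are formatted into the statement text. The hash is not
    even quoted, so SQLite tokenises it as SQL ('no such column' for a
    letter-first hash, 'unrecognized token' for a digit-first one), and a
    name containing a quote breaks the statement as well."""
    sql = "INSERT INTO tsk_files (name, size, md5) VALUES ('%s', %d, %s)" % (
        name, size, md5_hex)
    con.execute(sql)


def add_file_bound(con, name, size, md5_hex):
    """Robust: the driver binds each value; the SQL text never changes, so
    neither the hash nor an evidence-controlled file name can alter it."""
    con.execute(
        "INSERT INTO tsk_files (name, size, md5) VALUES (?, ?, ?)",
        (name, size, md5_hex),
    )


def try_insert(inserter, name, size, md5_hex):
    """Run one inserter on a fresh database.
    Returns (ok, error_text, stored_md5)."""
    con = open_case_db()
    try:
        inserter(con, name, size, md5_hex)
    except sqlite3.OperationalError as exc:
        return (False, str(exc), None)
    row = con.execute(
        "SELECT md5 FROM tsk_files WHERE name = ?", (name,)).fetchone()
    return (True, "", row[0] if row else None)


def compare_all(rows=SAMPLE_ROWS):
    """{name: (spliced_ok, bound_ok, bound_roundtrip_ok)} for each sample row."""
    out = {}
    for name, size, md5_hex in rows:
        spliced = try_insert(add_file_spliced, name, size, md5_hex)
        bound = try_insert(add_file_bound, name, size, md5_hex)
        out[name] = (spliced[0], bound[0], bound[2] == md5_hex)
    return out


if __name__ == "__main__":
    for name, size, md5_hex in SAMPLE_ROWS:
        ok, err, _ = try_insert(add_file_spliced, name, size, md5_hex)
        print("spliced %-18s -> %s" % (name, "ok" if ok else err))
        ok, err, stored = try_insert(add_file_bound, name, size, md5_hex)
        print("bound   %-18s -> %s" % (name, stored if ok else err))
```

The spliced variant fails on every row and the bound variant stores every row and reads the hash back unchanged; the point for a case database is that evidence supplies the names and the hashes, so the statement text must never depend on them.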
From: Alessandro F. <at...@gm...> - 2014-09-26 17:35:04

Hi Jason
thanks for the answer, I had the same idea.
I think maybe it should only need to make a query for the "views node" that includes also the mismatch results.
In my case it could be useful to know that the mismatched extension is "jpeg:DATA"

Regards
Alessandro

2014-09-24 21:24 GMT+02:00 Jason Letourneau <jle...@ba...>:
> Hi Alessandro -
>
> There is a difference between the views node and the mismatch results. Currently, the views node purely uses the extensions of files to show its results. We'll better adjust those results in the future to take into account signatures that have been detected.
>
> Jason
>
> ------------------------------------------------
> Jason Letourneau
> Product Manager, Digital Forensics
> Basis Technology
> jle...@ba...
> 617-386-2000 ext. 152
>
> On Sep 23, 2014, at 9:48 AM, Alessandro Farina <at...@gm...> wrote:
>
>> Hi
>> I'm testing the latest version on some MacBook images.
>> Analysing the result I've found an out-of-sync between two branches of the tree.
>> In the branch "Images" of the "Views" folder I found no images listed, while in the extension mismatch module I found thousands of images.
>> The Exif analysis is (almost, I cannot check the number of images precisely) correct, showing some thousands of results.
>>
>> Regards
>> Alessandro
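The behaviour Jason and Brian describe in this thread (the Views node keyed purely on extension, the mismatch module keyed on the detected signature, and a name like photo.jpeg:DATA falling between the two) can be reproduced in a few lines, together with the extension handling that would put such a file back in the Images view. This is an added example, not Autopsy or Sleuth Kit code: the signature table, the image-extension set and the sample bytes are constructed, and treating everything after a colon as an NTFS alternate data stream name is this example's assumption, not a documented Autopsy rule.

```python
"""Extension-vs-signature classification that understands NTFS alternate
data stream names such as 'photo.jpeg:DATA'. Added example, not Autopsy or
Sleuth Kit code; the tables and sample bytes below are constructed."""
import os

# (label, magic bytes, extensions that legitimately carry that content)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", {"jpg", "jpeg"}),
    ("png", b"\x89PNG\r\n\x1a\n", {"png"}),
    ("pdf", b"%PDF-", {"pdf"}),
    ("zip", b"PK\x03\x04", {"zip", "docx", "xlsx", "jar"}),
]
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp"}

# Constructed sample files: (name as the file system reports it, leading bytes)
SAMPLE_FILES = [
    ("holiday.jpeg:DATA", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),  # JPEG in a named stream
    ("invoice.pdf", b"\xff\xd8\xff\xe1\x00\x18Exif\x00\x00"),   # JPEG bytes, wrong extension
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("notes.txt", b"plain text, no signature\n"),
]


def split_stream(name):
    """Split 'base:stream' into (base, stream); stream is '' when absent.
    Assumption of this example: a colon in a file name marks an NTFS ADS."""
    base, _, stream = name.partition(":")
    return base, stream


def naive_extension(name):
    """Extension taken from the raw name; 'holiday.jpeg:DATA' yields 'jpeg:data'."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def stream_aware_extension(name):
    """Extension of the base name with any ADS suffix removed."""
    return os.path.splitext(split_stream(name)[0])[1].lstrip(".").lower()


def sniff(data):
    """Signature label for the leading bytes, or None when nothing matches."""
    for label, magic, _ in SIGNATURES:
        if data.startswith(magic):
            return label
    return None


def classify(name, data):
    """What extension-only (Views) and signature-based (mismatch) logic each
    conclude, with and without ADS-aware extension handling."""
    sig = sniff(data)
    allowed = next((exts for lbl, _, exts in SIGNATURES if lbl == sig), set())
    naive, ext = naive_extension(name), stream_aware_extension(name)
    return {
        "name": name,
        "stream": split_stream(name)[1],
        "signature": sig,
        "views_naive": naive in IMAGE_EXTENSIONS,
        "views_aware": ext in IMAGE_EXTENSIONS,
        "mismatch_naive": sig is not None and naive not in allowed,
        "mismatch_aware": sig is not None and ext not in allowed,
    }


def summarise(files=SAMPLE_FILES):
    """Counts as the two tree nodes would show them under each rule."""
    rows = [classify(n, d) for n, d in files]
    return {
        "images_in_views_naive": sum(r["views_naive"] for r in rows),
        "images_in_views_aware": sum(r["views_aware"] for r in rows),
        "mismatches_naive": sum(r["mismatch_naive"] for r in rows),
        "mismatches_aware": sum(r["mismatch_aware"] for r in rows),
    }


if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        print(classify(name, data))
    print(summarise())
```

Under the naive rule the sample reproduces the thread's symptom exactly: zero images in the Views count and the JPEG-in-a-stream reported as a mismatch. Under the stream-aware rule the stream file moves into Views and only invoice.pdf, whose bytes really are a JPEG, remains a mismatch, which is the case the mismatch module exists to catch.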
From: MATT P. <mat...@ad...> - 2014-09-25 20:50:21

I'm really excited to see this coming along. Thank you for putting in the time to add this capability. Search would be an amazing ability. The ability to carve an email into an evidence container with metadata intact would be ultimately amazing.

From: Joyce Nord [mailto:joy...@gm...]
Sent: Thursday, September 25, 2014 2:04 PM
To: 'Jason Letourneau'
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Hi Jason...

Gotcha..thank you. Wanted to make sure I didn't screw something up.

All the Best,
Joyce

************************************************************
In accordance with applicable privacy protection laws, this email and its contents are a private communication and are intended only for the expressed recipient. I do not authorize disclosure to a third party without my direct written consent. If you have received this email in error or are not the intended recipient, securely destroy it (as well as all copies) and notify me via separate email immediately.
************************************************************

From: Jason Letourneau [mailto:jle...@ba...]
Sent: Thursday, September 25, 2014 1:42 PM
To: Joyce Nord
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Hi Joyce -

The email support in Autopsy isn't as robust as you might be looking for and have discovered. The PST parsing creates "artifacts" for each email, but not fully qualified files that get indexed for search. The result is the ability to browse through the email contents, but not do too much more than that at this point.

Jason

------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Sep 24, 2014, at 1:16 PM, Joyce Nord <joy...@gm...> wrote:

So I've been playing with sleuthkit, and I can sort by date sent / date received, and select. However, when I select the emails within a given range by highlighting them, then right-clicking and choosing extract, it exports the entire pst again -- not just the ones I've selected. So apparently the extract file option is not to export the email messages individually. If I tag the results, Autopsy bookmarks the entire file rather than the individual email. So it does not appear there is a way to export individual emails inside Autopsy. Can someone confirm this?

From: Jason Letourneau [mailto:jle...@ba...]
Sent: Tuesday, September 23, 2014 9:20 AM
To: Joyce Nord
Cc: ajs; sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Sorry...I meant Joyce (better to look at the actual email rather than Autopsy parsed email for names) ;)

Jason

On Tue, Sep 23, 2014 at 9:19 AM, Jason Letourneau <jle...@ba...> wrote:

Hi Albert -

It looks like your PST was parsed (see the Email node in the tree in one of your screenshots). I think your search isn't doing what you think it should, which is why you are seeing no results. The "Name" field is searching for the file name; uncheck that box and see what results you get. I don't see any file with the name in the box; were you thinking that names the search/filter set?

Jason

On Tue, Sep 23, 2014 at 12:01 AM, Joyce Nord <joy...@gm...> wrote:

I tried adding it as a data source before I asked the group, and no results are produced which fall into the known data set:

Here are the search parameters:
<image001.png>

And, here are the results:
<image002.png>

The email ingest option was turned on because if I look manually I can see:
<image003.png>

Yet if I open the pst in outlook, I see:
<image004.png>

From: ajs [mailto:ant...@gm...]
Sent: Monday, September 22, 2014 9:06 PM
To: Jason Letourneau; Joyce Nord
Cc: sle...@li...
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Thanks. I don't recall if I added it as a data source specifically in my case but it never pulled anything for me. I'll try again to see what I can get.

________________________________
From: Jason Letourneau
Sent: 9/22/2014 7:17 PM
To: Joyce Nord
Cc: ajs; sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Libpst is integrated into Autopsy 3.1 so you should be able to add the PST file as a data source (logical file) and get it parsed as long as you enable the email parser ingest module - there are some limitations with Libpst in terms of file and version support, so you may need to see if your file is in their supported version set

Jason

On Monday, September 22, 2014, Joyce Nord <joy...@gm...> wrote:

Thank you. Trying to do it with open source right now to prove it can be done. Looks like my options are readpst and then grepmail, or even perhaps regular grep and scripting moving the files matching the attribute pattern. grepmail looks like it might work but I keep getting the error "invalid config variable: todayismidnight", which was supposedly rectified back in 2010 or 11, but apparently not.

From: ajs [mailto:ant...@gm...]
Sent: Monday, September 22, 2014 6:30 PM
To: Joyce Nord; sle...@li...
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

In my limited experience, no. I asked about this a week or two ago and didn't hear anything back. If you have IEF or FTK, both of those handle it well.

________________________________
From: Joyce Nord
Sent: 9/22/2014 6:07 PM
To: sle...@li...
Subject: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Is there a way to do this within Autopsy 3.0? I have a PST I need to parse, not an entire image.
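Joyce's fallback plan in the thread above (readpst to get the mail out of the PST, then filter the result by a date range) in working form. This is an added example, not Autopsy, Sleuth Kit or libpst code: it builds its own four-message mbox on disk, assumes readpst's mbox output is standard mbox so the same functions apply to it, filters on the Date header only (a PST item's "created" timestamp does not survive conversion to mbox), and writes the matching messages to a new mbox so they can be handled one by one, which is the step Joyce reports Autopsy would not do for her.

```python
"""Filter an mbox (e.g. readpst output) by sent-date range and export the
matching messages to a new mbox. Added, constructed example; not Autopsy,
Sleuth Kit or libpst code."""
import mailbox
import os
import tempfile
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed four-message mailbox; the last message carries no Date header.
SAMPLE_MBOX = """\
From alice@example.test Mon Sep  1 10:00:00 2014
From: alice@example.test
To: bob@example.test
Subject: Kickoff
Date: Mon, 01 Sep 2014 10:00:00 +0000

First message.

From bob@example.test Mon Sep 15 10:00:00 2014
From: bob@example.test
To: alice@example.test
Subject: Mid-month status
Date: Mon, 15 Sep 2014 12:00:00 +0200

Second message.

From alice@example.test Wed Oct  1 10:00:00 2014
From: alice@example.test
To: bob@example.test
Subject: October wrap-up
Date: Wed, 01 Oct 2014 10:00:00 +0000

Third message.

From carol@example.test Thu Oct  2 09:00:00 2014
From: carol@example.test
To: bob@example.test
Subject: No date header

Fourth message.
"""


def utc(year, month, day, hour=0):
    """Aware UTC datetime helper for range bounds."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def write_sample_mbox(directory=None):
    """Write the constructed mailbox to disk and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "sample.mbox")
    with open(path, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def sent_at(msg):
    """Date header as an aware datetime (UTC assumed when the header carries
    no zone); None when the header is missing or unparsable."""
    raw = msg.get("Date")
    if not raw:
        return None
    try:
        dt = parsedate_to_datetime(raw)
    except (TypeError, ValueError):  # TypeError on older Pythons, ValueError on 3.10+
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def select_by_sent_date(path, start, end):
    """[(sent_datetime, subject)] for messages with start <= Date <= end."""
    hits = []
    box = mailbox.mbox(path, create=False)
    try:
        for msg in box:
            dt = sent_at(msg)
            if dt is not None and start <= dt <= end:
                hits.append((dt, msg.get("Subject", "")))
    finally:
        box.close()
    return hits


def export_range(src, dst, start, end):
    """Copy in-range messages into a new mbox at dst; returns the count."""
    src_box = mailbox.mbox(src, create=False)
    dst_box = mailbox.mbox(dst)
    count = 0
    try:
        for msg in src_box:
            dt = sent_at(msg)
            if dt is not None and start <= dt <= end:
                dst_box.add(msg)
                count += 1
        dst_box.flush()
    finally:
        dst_box.close()
        src_box.close()
    return count


if __name__ == "__main__":
    path = write_sample_mbox()
    for dt, subject in select_by_sent_date(path, utc(2014, 9, 10), utc(2014, 9, 30)):
        print(dt.isoformat(), subject)
    print(export_range(path, path + ".selected", utc(2014, 9, 1), utc(2014, 9, 30)), "exported")
```

Comparison is done on instants, so the +0200 message is placed correctly against UTC bounds; messages without a parsable Date are skipped rather than guessed, and should be listed separately in a real review since a missing Date is itself worth noting.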
From: Conley, T. <tom...@us...> - 2014-09-25 20:27:43

If you can export the list, Agent Ransack will find things for you very quickly.

-----Original Message-----
From: sle...@li... [mailto:sle...@li...]
Sent: Thursday, September 25, 2014 2:04 PM
To: sle...@li...
Subject: EXTERNAL: sleuthkit-users Digest, Vol 99, Issue 18

Send sleuthkit-users mailing list submissions to sle...@li...

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/sleuthkit-users or, via email, send a message with subject or body 'help' to sle...@li...

You can reach the person managing the list at sle...@li...

When replying, please edit your Subject line so it is more specific than "Re: Contents of sleuthkit-users digest..."

Today's Topics:

1. Re: Parse outlook pst file to locate emails by sent or created date range (Joyce Nord)

----------------------------------------------------------------------

Message: 1
Date: Thu, 25 Sep 2014 15:03:30 -0400
From: "Joyce Nord" <joy...@gm...>
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range
To: "'Jason Letourneau'" <jle...@ba...>
Cc: sle...@li...
Message-ID: <542...@mx...>
Content-Type: text/plain; charset="utf-8"

Hi Jason...

Gotcha..thank you. Wanted to make sure I didn't screw something up.

All the Best,
Joyce

From: Jason Letourneau [mailto:jle...@ba...]
Sent: Thursday, September 25, 2014 1:42 PM
To: Joyce Nord
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Hi Joyce -

The email support in Autopsy isn't as robust as you might be looking for and have discovered. The PST parsing creates "artifacts" for each email, but not fully qualified files that get indexed for search. The result is the ability to browse through the email contents, but not do too much more than that at this point.

Jason

------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Sep 24, 2014, at 1:16 PM, Joyce Nord <joy...@gm...> wrote:

So I've been playing with sleuthkit, and I can sort by date sent / date received, and select. However, when I select the emails within a given range by highlighting them, then right-clicking and choosing extract, it exports the entire pst again -- not just the ones I've selected. So apparently the extract file option is not to export the email messages individually. If I tag the results, Autopsy bookmarks the entire file rather than the individual email. So it does not appear there is a way to export individual emails inside Autopsy. Can someone confirm this?

From: Jason Letourneau [mailto:jle...@ba...]
Sent: Tuesday, September 23, 2014 9:20 AM
To: Joyce Nord
Cc: ajs; sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Sorry...I meant Joyce (better to look at the actual email rather than Autopsy parsed email for names) ;)

Jason

On Tue, Sep 23, 2014 at 9:19 AM, Jason Letourneau <jle...@ba...> wrote:

Hi Albert -

It looks like your PST was parsed (see the Email node in the tree in one of your screenshots). I think your search isn't doing what you think it should, which is why you are seeing no results. The "Name" field is searching for the file name; uncheck that box and see what results you get. I don't see any file with the name in the box; were you thinking that names the search/filter set?

Jason

On Tue, Sep 23, 2014 at 12:01 AM, Joyce Nord <joy...@gm...> wrote:

I tried adding it as a data source before I asked the group, and no results are produced which fall into the known data set:

Here are the search parameters:
<image001.png>

And, here are the results:
<image002.png>

The email ingest option was turned on because if I look manually I can see:
<image003.png>

Yet if I open the pst in outlook, I see:
<image004.png>

From: ajs [mailto:ant...@gm...]
Sent: Monday, September 22, 2014 9:06 PM
To: Jason Letourneau; Joyce Nord
Cc: sle...@li...
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Thanks. I don't recall if I added it as a data source specifically in my case but it never pulled anything for me. I'll try again to see what I can get.

_____
From: Jason Letourneau
Sent: 9/22/2014 7:17 PM
To: Joyce Nord
Cc: ajs; sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sentor crated date range Libpst is integrated into Autopsy 3.1 so you should be able to add the PST file as a data source (logical file) and get it parsed as long as you enable the email parser ingest module - there are some limitations with Libpst in terms of file and version support, so you may need to see if your file is in their supported version set Jason On Monday, September 22, 2014, Joyce Nord < <mailto:joy...@gm...> joy...@gm...> wrote: Thank you. Trying to do it with open source right now to prove it can be done. Looks like my options are readpst and then grepmail or even perhaps regular grep and scripting moving the files matching the attribute pattern. grepmail looks like it might work but I keep getting the error "invalid config variable: todayismidnight Which was supposedly rectified back in 2010 or 11, but apparently not. ***************************************************************************************************************************************************************************************************** In accordance with applicable privacy protection laws, this email and its contents are a private communication and are intended only for the expressed recipient. I do not authorize disclosure to a third party without my direct written consent. If you have received this email in error or are not the intended recipient, securely destroy it (as well as all copies) and notify me via separate email immediately. ****************************************************************************************************************************************************************************************************** From: ajs [ <mailto:ant...@gm...> mailto:ant...@gm...] Sent: Monday, September 22, 2014 6:30 PM To: Joyce Nord; <mailto:sle...@li...> sle...@li... 
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent orcrated date range In my limited experience, no. I asked about this a week or two ago and didn't hear anything back. If you have IEF or FTK, both if those handle it well. _____ From: Joyce Nord Sent: ?9/?22/?2014 6:07 PM To: <mailto:sle...@li...> sle...@li... Subject: [sleuthkit-users] Parse outlook pst file to locate emails by sent orcrated date range Is there a way to do this within Autopsy 3.0? I have a PST I need to parse, not an entire image. ***************************************************************************************************************************************************************************************************** In accordance with applicable privacy protection laws, this email and its contents are a private communication and are intended only for the expressed recipient. I do not authorize disclosure to a third party without my direct written consent. If you have received this email in error or are not the intended recipient, securely destroy it (as well as all copies) and notify me via separate email immediately. ****************************************************************************************************************************************************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk ------------------------------ _______________________________________________ sleuthkit-users mailing list sle...@li... 
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users End of sleuthkit-users Digest, Vol 99, Issue 18 *********************************************** |
From: Joyce N. <joy...@gm...> - 2014-09-25 19:03:57
|
Hi Jason... Gotcha.. thank you. Wanted to make sure I didn't screw something up.
All the Best,
Joyce

From: Jason Letourneau [mailto:jle...@ba...]
Sent: Thursday, September 25, 2014 1:42 PM
To: Joyce Nord
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Hi Joyce -
The email support in Autopsy isn't as robust as you might be looking for and have discovered. The PST parsing creates "artifacts" for each email, but not fully qualified files that get indexed for search. The result is the ability to browse through the email contents, but not do too much more than that at this point.
Jason
------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Sep 24, 2014, at 1:16 PM, Joyce Nord <joy...@gm...> wrote:
So I've been playing with sleuthkit, and I can sort by date sent / date received, and select. However, when I select the emails within a given range by highlighting them, then right-clicking and choosing extract, it exports the entire pst again -- not just the ones I've selected. So apparently the extract file option is not to export the email messages individually. If I tag the results, Autopsy bookmarks the entire file rather than the individual email. So it does not appear there is a way to export individual emails inside Autopsy. Can someone confirm this?

From: Jason Letourneau [mailto:jletourneau@basistech.com]
Sent: Tuesday, September 23, 2014 9:20 AM
To: Joyce Nord
Cc: ajs; sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Sorry...I meant Joyce (better to look at the actual email rather than Autopsy parsed email for names) ;)
Jason

On Tue, Sep 23, 2014 at 9:19 AM, Jason Letourneau <jle...@ba...> wrote:
Hi Albert -
It looks like your PST was parsed (see the Email node in the tree in one of your screenshots). I think your search isn't doing what you think it should, which is why you are seeing no results. The "Name" field is searching for the file name; uncheck that box and see what results you get. I don't see any file with the name in the box; were you thinking that names the search/filter set?
Jason

On Tue, Sep 23, 2014 at 12:01 AM, Joyce Nord <joy...@gm...> wrote:
I tried adding it as a data source before I asked the group and no results are produced which fall into the known data set:
Here are the search parameters:
<image001.png>
And, here are the results:
<image002.png>
The email ingest option was turned on because if I look manually I can see:
<image003.png>
Yet if I open the pst in outlook, I see:
<image004.png>

From: ajs [mailto:ant...@gm...]
Sent: Monday, September 22, 2014 9:06 PM
To: Jason Letourneau; Joyce Nord
Cc: sle...@li...
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Thanks. I don't recall if I added it as a data source specifically in my case but it never pulled anything for me. I'll try again to see what I can get.

From: Jason Letourneau
Sent: 9/22/2014 7:17 PM
To: Joyce Nord
Cc: ajs; sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Libpst is integrated into Autopsy 3.1 so you should be able to add the PST file as a data source (logical file) and get it parsed as long as you enable the email parser ingest module - there are some limitations with Libpst in terms of file and version support, so you may need to see if your file is in their supported version set.
Jason

On Monday, September 22, 2014, Joyce Nord <joy...@gm...> wrote:
Thank you.
Trying to do it with open source right now to prove it can be done. Looks like my options are readpst and then grepmail or even perhaps regular grep and scripting moving the files matching the attribute pattern.
grepmail looks like it might work but I keep getting the error "invalid config variable: todayismidnight"
Which was supposedly rectified back in 2010 or 11, but apparently not.

From: ajs [mailto:ant...@gm...]
Sent: Monday, September 22, 2014 6:30 PM
To: Joyce Nord; sle...@li...
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

In my limited experience, no. I asked about this a week or two ago and didn't hear anything back. If you have IEF or FTK, both of those handle it well.

From: Joyce Nord
Sent: 9/22/2014 6:07 PM
To: sle...@li...
Subject: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Is there a way to do this within Autopsy 3.0? I have a PST I need to parse, not an entire image.
|
From: Jason L. <jle...@ba...> - 2014-09-25 17:42:24
|
Hi Joyce -
The email support in Autopsy isn't as robust as you might be looking for and have discovered. The PST parsing creates "artifacts" for each email, but not fully qualified files that get indexed for search. The result is the ability to browse through the email contents, but not do too much more than that at this point.
Jason
------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Sep 24, 2014, at 1:16 PM, Joyce Nord <joy...@gm...> wrote:
> So I've been playing with sleuthkit, and I can sort by date sent / date received, and select. However, when I select the emails within a given range by highlighting them, then right-clicking and choosing extract, it exports the entire pst again -- not just the ones I've selected. So apparently the extract file option is not to export the email messages individually.
>
> If I tag the results, Autopsy bookmarks the entire file rather than the individual email.
>
> So it does not appear there is a way to export individual emails inside Autopsy.
>
> Can someone confirm this?
>
> From: Jason Letourneau [mailto:jle...@ba...]
> Sent: Tuesday, September 23, 2014 9:20 AM
> To: Joyce Nord
> Cc: ajs; sle...@li...
> Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range
>
> Sorry...I meant Joyce (better to look at the actual email rather than Autopsy parsed email for names) ;)
>
> Jason
>
> On Tue, Sep 23, 2014 at 9:19 AM, Jason Letourneau <jle...@ba...> wrote:
> Hi Albert -
>
> It looks like your PST was parsed (see the Email node in the tree in one of your screenshots). I think your search isn't doing what you think it should, which is why you are seeing no results. The "Name" field is searching for the file name; uncheck that box and see what results you get. I don't see any file with the name in the box; were you thinking that names the search/filter set?
>
> Jason
>
> On Tue, Sep 23, 2014 at 12:01 AM, Joyce Nord <joy...@gm...> wrote:
> I tried adding it as a data source before I asked the group and no results are produced which fall into the known data set:
>
> Here are the search parameters:
> <image001.png>
>
> And, here are the results:
> <image002.png>
>
> The email ingest option was turned on because if I look manually I can see:
> <image003.png>
>
> Yet if I open the pst in outlook, I see:
> <image004.png>
>
> From: ajs [mailto:ant...@gm...]
> Sent: Monday, September 22, 2014 9:06 PM
> To: Jason Letourneau; Joyce Nord
> Cc: sle...@li...
> Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range
>
> Thanks. I don't recall if I added it as a data source specifically in my case but it never pulled anything for me. I'll try again to see what I can get.
>
> From: Jason Letourneau
> Sent: 9/22/2014 7:17 PM
> To: Joyce Nord
> Cc: ajs; sle...@li...
> Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range
>
> Libpst is integrated into Autopsy 3.1 so you should be able to add the PST file as a data source (logical file) and get it parsed as long as you enable the email parser ingest module - there are some limitations with Libpst in terms of file and version support, so you may need to see if your file is in their supported version set.
>
> Jason
>
> On Monday, September 22, 2014, Joyce Nord <joy...@gm...> wrote:
> Thank you.
>
> Trying to do it with open source right now to prove it can be done. Looks like my options are readpst and then grepmail or even perhaps regular grep and scripting moving the files matching the attribute pattern.
>
> grepmail looks like it might work but I keep getting the error "invalid config variable: todayismidnight"
>
> Which was supposedly rectified back in 2010 or 11, but apparently not.
>
> From: ajs [mailto:ant...@gm...]
> Sent: Monday, September 22, 2014 6:30 PM
> To: Joyce Nord; sle...@li...
> Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range
>
> In my limited experience, no. I asked about this a week or two ago and didn't hear anything back. If you have IEF or FTK, both of those handle it well.
>
> From: Joyce Nord
> Sent: 9/22/2014 6:07 PM
> To: sle...@li...
> Subject: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range
>
> Is there a way to do this within Autopsy 3.0? I have a PST I need to parse, not an entire image.
|
From: Jason L. <jle...@ba...> - 2014-09-24 19:24:09
|
Hi Alessandro -
There is a difference between the views node and the mismatch results. Currently, the views node purely uses the extensions of files to show its results. We'll better adjust those results in the future to take into account signatures that have been detected.
Jason
------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Sep 23, 2014, at 9:48 AM, Alessandro Farina <at...@gm...> wrote:
> Hi,
> I'm testing the last version on some macbook images.
> Analysing the result I've found two branches of the tree out of sync.
> In the branch "Images" of the "Views" folder I found no image listed, while in the module of the extension mismatch I found thousands of images.
> The Exif analysis is (almost, I cannot check the number of images precisely) correct, showing some thousands of results.
>
> Regards
> Alessandro
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
|
From: Jason L. <jle...@ba...> - 2014-09-23 14:02:58
|
Hi All - I wanted to call your attention to a new support forum available on sleuthkit.org: http://forum.sleuthkit.org/ Based on some feedback from this list and other users, we decided to launch the forum for easier searching and review of previously asked questions, etc. This list is obviously still a great place to go, but I'd encourage you to check out the forum as well as we try and build up our community. Jason |
From: Alessandro F. <at...@gm...> - 2014-09-23 13:49:03
|
Hi,
I'm testing the last version on some macbook images.
Analysing the result I've found two branches of the tree out of sync.
In the branch "Images" of the "Views" folder I found no image listed, while in the module of the extension mismatch I found thousands of images.
The Exif analysis is (almost, I cannot check the number of images precisely) correct, showing some thousands of results.

Regards
Alessandro
|
From: ajs <ant...@gm...> - 2014-09-23 01:07:00
|
Thanks. I don't recall if I added it as a data source specifically in my case but it never pulled anything for me. I'll try again to see what I can get.

-----Original Message-----
From: "Jason Letourneau" <jle...@ba...>
Sent: 9/22/2014 7:17 PM
To: "Joyce Nord" <joy...@gm...>
Cc: "ajs" <ant...@gm...>; "sle...@li..." <sle...@li...>
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Libpst is integrated into Autopsy 3.1 so you should be able to add the PST file as a data source (logical file) and get it parsed as long as you enable the email parser ingest module - there are some limitations with Libpst in terms of file and version support, so you may need to see if your file is in their supported version set.
Jason

On Monday, September 22, 2014, Joyce Nord <joy...@gm...> wrote:
Thank you.
Trying to do it with open source right now to prove it can be done. Looks like my options are readpst and then grepmail or even perhaps regular grep and scripting moving the files matching the attribute pattern.
grepmail looks like it might work but I keep getting the error "invalid config variable: todayismidnight"
Which was supposedly rectified back in 2010 or 11, but apparently not.

From: ajs [mailto:ant...@gm...]
Sent: Monday, September 22, 2014 6:30 PM
To: Joyce Nord; sle...@li...
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

In my limited experience, no. I asked about this a week or two ago and didn't hear anything back. If you have IEF or FTK, both of those handle it well.

From: Joyce Nord
Sent: 9/22/2014 6:07 PM
To: sle...@li...
Subject: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Is there a way to do this within Autopsy 3.0? I have a PST I need to parse, not an entire image.
|
From: Jason L. <jle...@ba...> - 2014-09-22 23:45:48
|
Libpst is integrated into Autopsy 3.1 so you should be able to add the PST file as a data source (logical file) and get it parsed as long as you enable the email parser ingest module - there are some limitations with Libpst in terms of file and version support, so you may need to see if your file is in their supported version set.
Jason

On Monday, September 22, 2014, Joyce Nord <joy...@gm...> wrote:
> Thank you.
>
> Trying to do it with open source right now to prove it can be done. Looks
> like my options are readpst and then grepmail or even perhaps regular grep
> and scripting moving the files matching the attribute pattern.
>
> grepmail looks like it might work but I keep getting the error "invalid
> config variable: todayismidnight"
>
> Which was supposedly rectified back in 2010 or 11, but apparently not.
>
> *From:* ajs [mailto:ant...@gm...]
> *Sent:* Monday, September 22, 2014 6:30 PM
> *To:* Joyce Nord; sle...@li...
> *Subject:* RE: [sleuthkit-users] Parse outlook pst file to locate emails
> by sent or created date range
>
> In my limited experience, no. I asked about this a week or two ago and
> didn't hear anything back. If you have IEF or FTK, both of those handle it
> well.
> ------------------------------
>
> *From: *Joyce Nord <joy...@gm...>
> *Sent: *9/22/2014 6:07 PM
> *To: *sle...@li...
> *Subject: *[sleuthkit-users] Parse outlook pst file to locate emails by
> sent or created date range
>
> Is there a way to do this within Autopsy 3.0? I have a PST I need to
> parse, not an entire image.
|
From: Joyce N. <joy...@gm...> - 2014-09-22 22:41:25
Thank you.

Trying to do it with open source right now to prove it can be done. Looks like my options are readpst and then grepmail or even perhaps regular grep and scripting moving the files matching the attribute pattern.

grepmail looks like it might work but I keep getting the error "invalid config variable: todayismidnight", which was supposedly rectified back in 2010 or 11, but apparently not.

In accordance with applicable privacy protection laws, this email and its contents are a private communication and are intended only for the expressed recipient. I do not authorize disclosure to a third party without my direct written consent. If you have received this email in error or are not the intended recipient, securely destroy it (as well as all copies) and notify me via separate email immediately.
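The readpst-then-filter approach described above, as an added example that is not code from this thread or from The Sleuth Kit: it stands in for the grepmail step with a short standard-library script that walks the per-folder mbox files readpst writes, keeps messages whose Date header falls inside a range, and reports messages with no usable Date instead of silently dropping them. The three-message mbox is constructed inline so the script runs offline.

```python
"""Added example, not from the thread: the grepmail step done with the
standard library over the per-folder mbox files that readpst writes."""
import mailbox
import tempfile
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample mbox (three messages; the third has no Date header).
SAMPLE_MBOX = """\
From - Mon Sep 22 18:07:00 2014
Subject: Q3 report
Date: Mon, 22 Sep 2014 18:07:00 -0400

From - Tue Sep 02 09:00:00 2014
Subject: Kickoff
Date: Tue, 02 Sep 2014 09:00:00 +0000

From - Wed Jan 01 00:00:00 2014
Subject: No date header

"""

def message_sent_at(msg):
    """Date header as an aware UTC datetime, or None if absent or unparseable."""
    raw = msg.get("Date")
    if not raw:
        return None
    try:
        sent = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return None
    if sent.tzinfo is None:  # a "-0000" offset yields a naive value; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent.astimezone(timezone.utc)

def messages_in_range(mbox_path, start, end):
    """Return (hits, undated): hits are (subject, sent_iso) with start <= sent < end;
    undated lists subjects lacking a usable Date so an examiner reviews them by hand."""
    hits, undated = [], []
    for msg in mailbox.mbox(mbox_path):
        sent = message_sent_at(msg)
        subject = msg.get("Subject", "(no subject)")
        if sent is None:
            undated.append(subject)
        elif start <= sent < end:
            hits.append((subject, sent.isoformat()))
    return hits, undated

def run_sample():
    """Write the constructed mbox to a temp file and filter it to 15-30 Sep 2014 (UTC)."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(SAMPLE_MBOX)
    start = datetime(2014, 9, 15, tzinfo=timezone.utc)
    end = datetime(2014, 9, 30, tzinfo=timezone.utc)
    return messages_in_range(f.name, start, end)
```

Point `messages_in_range` at each mbox readpst produced (one per folder) and widen or narrow the range as the case requires; the Date comparison is done in UTC so messages sent from different time zones sort consistently.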
From: MATT P. <mat...@ad...> - 2014-09-22 22:31:38
I would love to see this as well. I've recently been playing with libpff to export the pst to text, then importing this into Splunk for analysis. I'm not there yet but I think the approach is promising. It will sadly not get me the attachments, something that Autopsy would have better tools to approach.
From: ajs <ant...@gm...> - 2014-09-22 22:31:12
In my limited experience, no. I asked about this a week or two ago and didn't hear anything back. If you have IEF or FTK, both of those handle it well.
From: Joyce N. <joy...@gm...> - 2014-09-22 22:04:16
Is there a way to do this within Autopsy 3.0? I have a PST I need to parse, not an entire image.
From: Brian C. <ca...@sl...> - 2014-09-17 14:45:48
Thanks everyone. Log as default it is.

To be clear, there is a button on the top to change scales, so it is easy to switch back and forth. The main question here was what should be the default (since many people may not realize that they can/should change it).

Kalin, we'll add the units to the list to see if that can be easily done.

On Sep 17, 2014, at 5:39 AM, Kalin KOZHUHAROV <me....@gm...> wrote:

> Logscale as default, with user option (UI or config file) to change
> it, in case someone really hates it.
>
> Additionally, for y-axis using K,M,G in labels (as x1000, NOT 1024)
> may make it more readable.
>
> Kalin.
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce
> Perforce version control. Predictably reliable.
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
From: Simson G. <si...@ac...> - 2014-09-17 09:50:20
I'm sorry, I misread the question.

In the past I've tried a split scale. Have a lower part of the scale that goes 1-1000, and a break, and then an upper part that goes 1000-1M. This gets you two linear regions. Allow the split to be dragged up and down to change where the split happens. In my experience people have a hard time understanding logarithmic scales.

Another approach is to have a magnifying glass that you can use to evaluate the bottom of the graph.

However, if you can only go between linear and log, then I go for log as well.

On Sep 17, 2014, at 4:44 AM, Simson Garfinkel <si...@ac...> wrote:

> Have a switch to allow either.
>
> Sent from my iPad
>
>> On Sep 15, 2014, at 4:47 PM, Brian Carrier <ca...@sl...> wrote:
>>
>> As many of you may know, we've been working on a new timeline viewer for Autopsy as part of a DHS S&T contract. It's got some really cool features and I'm looking for some feedback on default settings. One view has bar graphs to show "how many things occurred in a given time frame". The primary use case was to answer questions about knowing when and how often the system was used. There is another view that provides details.
>>
>> My question is if linear or logarithmic scale is better as a default. In the bar chart, there are differently colored sections for file system activity, web activity, and "other" activity. There will be more bars as we add more features. Linear allows you to compare the size of each bar, but it means that many bars are not visible. Logarithmic is not as intuitive for people, but it allows you to see more of the bars. Below is an example. The Linear view doesn't show any of the blue bars. As a reference on the final bar in the log scale, the red bar has 53,000 events, the green has 3,500, and the blue has 54.
>>
>> My vote is to have log scale be the default so that you can see that there is web activity even though there is far less than file system times, but I wanted to get feedback before we did that. Votes?
>>
>> <tl_lin.png><tl_log.png>
From: Kalin K. <me....@gm...> - 2014-09-17 09:39:58
Logscale as default, with user option (UI or config file) to change it, in case someone really hates it.

Additionally, for y-axis using K,M,G in labels (as x1000, NOT 1024) may make it more readable.

Kalin.
From: Simson G. <si...@ac...> - 2014-09-17 08:44:42
Have a switch to allow either.

Sent from my iPad
From: Stefan K. <sk...@bf...> - 2014-09-17 07:25:08
Brian,

> Logarithmic for me. Even light usage may be important and that could be missed on a linear scale. One click to go to linear makes it easy to do and not having scale marks on the y axis will send even a novice looking at the options for how to get scale marks.

I second Greg's opinion.

Cheers,

Stefan.

--
Stefan Kelm <sk...@bf...>
BFK edv-consulting GmbH        http://www.bfk.de/
Kriegsstrasse 100              Tel: +49-721-96201-1
D-76133 Karlsruhe              Fax: +49-721-96201-99