sleuthkit-users Mailing List for The Sleuth Kit (Page 39)
From: Luís F. N. <lfc...@gm...> - 2014-08-25 02:38:35

Ok, I have found another solution without the asked feature. I have just found the offset parameter of the AbstractFile.read(...) method, which allows reading the file from the passed offset. So we can save the parent file id and the carved file start offset to later read the carved content without exporting it anywhere before.

Regards,
Luis Nassif

2014-08-22 15:55 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
> We wonder if it was possible to expose such a feature to java developers, but I do not know enough about sleuthkit C code to evaluate if it is too difficult or not. Can some sleuthkit expert give some direction? We are developing a java carving tool and this feature would be very useful, because we can only mark the carved file range in the image, instead of exporting the carved file contents to somewhere (much slower), as we have already successfully done with unallocated clusters accessed through sleuthkit java bindings after populating the sqlite db. But we want to do this lightweight carving on pagefile, hiberfil, shadow copies and other allocated files, whose file ranges are not currently accessible through the java bindings TSK api. We think this great feature could be very useful for scalpel and other forensic applications too.
>
> Regards,
> Luis Nassif
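The range-based carving Luis describes, as an added Python illustration (not code from the thread or from The Sleuth Kit): hits inside an allocated parent file are stored as (parent id, offset, length) and the bytes are fetched later through an offset-based read, the role that AbstractFile.read(buf, offset, len) plays in the Java bindings. ParentFile, the signature table and the sample data are constructed stand-ins.

```python
"""Lightweight carving that records byte ranges instead of exporting data.

Added example, not code from the thread or from The Sleuth Kit. It mirrors
the approach Luis describes: record (parent file id, start offset, length)
for each carved hit inside an allocated file such as a pagefile, and read
the bytes later through an offset-based read, the way TSK's Java
AbstractFile.read(buf, offset, len) allows. ParentFile below is an
in-memory stand-in for that AbstractFile, not the TSK class.
"""
from dataclasses import dataclass

# Header, footer and maximum carved size per type. Constructed for the
# example; a real carver would carry scalpel-style rules for many more types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4 * 1024 * 1024),
}


@dataclass(frozen=True)
class CarvedRange:
    """What gets stored instead of the carved bytes themselves."""
    parent_id: int   # id of the file the hit lives in (pagefile, hiberfil, ...)
    offset: int      # start of the hit within that parent file
    length: int      # bytes from header through footer
    kind: str


class ParentFile:
    """Stand-in for an AbstractFile: a size and a read at an arbitrary offset."""

    def __init__(self, file_id, data):
        self.id = file_id
        self._data = data

    def size(self):
        return len(self._data)

    def read(self, offset, length):
        # Same contract as AbstractFile.read(buf, offset, len): returns up to
        # `length` bytes starting at `offset`, fewer at end of file.
        if offset < 0 or offset > len(self._data):
            raise ValueError("offset outside parent file")
        return self._data[offset:offset + length]


def carve_ranges(parent, chunk=65536, overlap=16):
    """Scan a parent file in chunks and return the carved ranges found.

    Each chunk is read with a small overlap so a header that straddles a
    chunk boundary is still seen; a header found inside the overlap is left
    for the next chunk so it is not recorded twice. For each header the
    footer is searched within the type's maximum size; hits with no footer
    are skipped.
    """
    ranges = []
    size = parent.size()
    pos = 0
    while pos < size:
        buf = parent.read(pos, chunk + overlap)
        for kind, (header, footer, max_len) in SIGNATURES.items():
            start = buf.find(header)
            while start != -1 and start < chunk:
                abs_start = pos + start
                window = parent.read(abs_start, max_len)
                end = window.find(footer, len(header))
                if end != -1:
                    ranges.append(CarvedRange(parent.id, abs_start,
                                              end + len(footer), kind))
                start = buf.find(header, start + 1)
        pos += chunk
    ranges.sort(key=lambda r: r.offset)
    return ranges


def read_carved(parent, rng):
    """Fetch a carved file's bytes on demand; nothing was exported earlier."""
    if rng.parent_id != parent.id:
        raise ValueError("range belongs to a different parent file")
    return parent.read(rng.offset, rng.length)


def build_sample_parent():
    """Constructed stand-in for an allocated file: zero filler with one
    JPEG-like and one PNG-like blob, the PNG header straddling the first
    64 KiB chunk boundary (it starts at offset 65533)."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"          # 106 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 50 + b"IEND\xaeB`\x82"    # 66 bytes
    data = (b"\x00" * 1000 + jpg + b"\x00" * (65533 - 1000 - len(jpg))
            + png + b"\x00" * 500)
    return ParentFile(42, data)
```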
From: Brian C. <ca...@sl...> - 2014-08-22 21:29:20

There is a new NSRL 245 pre-made index on sourceforge:

http://sourceforge.net/projects/autopsy/files/NSRL/NSRL-245m-autopsy.zip/download

For the extra observant, you'll notice that there is now an idx2 file in the ZIP file. This is a new index that TSK/Autopsy use that stays in memory to make lookups faster.
From: Luís F. N. <lfc...@gm...> - 2014-08-22 18:55:59

We wonder if it was possible to expose such a feature to java developers, but I do not know enough about sleuthkit C code to evaluate if it is too difficult or not. Can some sleuthkit expert give some direction? We are developing a java carving tool and this feature would be very useful, because we can only mark the carved file range in the image, instead of exporting the carved file contents to somewhere (much slower), as we have already successfully done with unallocated clusters accessed through sleuthkit java bindings after populating the sqlite db. But we want to do this lightweight carving on pagefile, hiberfil, shadow copies and other allocated files, whose file ranges are not currently accessible through the java bindings TSK api. We think this great feature could be very useful for scalpel and other forensic applications too.

Regards,
Luis Nassif
From: Alex N. <ajn...@cs...> - 2014-08-21 20:07:00

Hi Christie,

I've developed a patch that compiles, and I think will do what you want, but I haven't tested it yet. Could you test it and see if running this modified Fiwalk, clamscan on your disk, and clamscan on your disk's dd'd boot sector report what you're looking for?

https://github.com/ajnelson/sleuthkit/tree/testing/fiwalk_plugins_on_virtuals

(Feel free to email me off-list for any testing logistics.)

--Alex

On Wed, Aug 20, 2014 at 4:59 PM, Christie Peterson <cpe...@jh...> wrote:
> My goal is to use fiwalk to automate a number of functions (including virus scan) over a collection of disk images, building off of the python scripts that can be found at https://github.com/anarchivist/fiwalk-dgi
>
> As I was testing pyclam, though, I realized it was not catching a known BSV, which led to this thread.
>
> Thanks,
>
> Christie
>
> From: Simson Garfinkel [mailto:si...@ac...]
> Sent: Wednesday, August 20, 2014 4:44 PM
> To: Alex Nelson
> Cc: Christie Peterson; sle...@li...
> Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Christie,
>
> It seems like you're going through a huge amount of work to get this to work. Why don't you just use 'dd' and copy out the MBR into a file, and then run clamav on the resulting file? Is there some reason you need to do this within fiwalk?
>
> On Aug 20, 2014, at 4:41 PM, Alex Nelson <ajn...@cs...> wrote:
>
> Ah, ok. I can make that adjustment, but I have a few things on my queue to get to first.
>
> --Alex
>
> On Wed, Aug 20, 2014 at 4:29 PM, Christie Peterson <cpe...@jh...> wrote:
>
> Actually, I take that back – the adjustment part, not the thanks part.
>
> I realized after clicking send that you were pointing to an adjustment to be made in Fiwalk, not in the plugin. I’m afraid C++ is beyond both my skills and my ambition at this point.
>
> Best,
>
> Christie
>
> From: Christie Peterson
> Sent: Wednesday, August 20, 2014 4:13 PM
> To: 'Alex Nelson'
> Cc: sle...@li...
> Subject: RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running.
>
> I will definitely submit the adjustment, though it could be a while before I manage to do it.
>
> Best,
>
> Christie
>
> From: Alex Nelson [mailto:ajn...@cs...]
> Sent: Wednesday, August 20, 2014 4:10 PM
> To: Christie Peterson
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset).
>
> I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:
>
> https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345
>
> The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.
>
> Would you like to submit that adjustment?
>
> --Alex
>
> On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:
>
> Here is the full <fileobject> for $MBR:
>
> <fileobject>
> <parent_object>
> <inode>2</inode>
> </parent_object>
> <filename>$MBR</filename>
> <partition>1</partition>
> <id>36</id>
> <name_type>v</name_type>
> <filesize>512</filesize>
> <alloc>1</alloc>
> <used>1</used>
> <inode>11443</inode>
> <meta_type>10</meta_type>
> <mode>0</mode>
> <nlink>1</nlink>
> <uid>0</uid>
> <gid>0</gid>
> <byte_runs>
> <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
> </byte_runs>
> <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
> <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
> </fileobject>
>
> If the plugin had run, there would be an entry after the <hashdigest> entries.
>
> Christie
>
> ------------------------------------------------------------------------------
> Slashdot TV. Video for Nerds. Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
From: Brian C. <ca...@sl...> - 2014-08-21 13:21:12

We're done with beta releases and the full 3.1.0 release is available!

http://www.sleuthkit.org/autopsy/

It has minor changes from beta 2. As a reminder, here are the big changes since 3.0.10:

• Multi-threaded pipelines
• File type ingest module
• File extension mismatch ingest module
• Android ingest module
• KML report module
• Tags can be deleted
• Hash databases can be created and maintained

As has been reported on the list, 3rd party modules that were developed for 3.0 will not work in 3.1. Basis will be sending out info on our new modules.

brian
From: Adam M. <mar...@gm...> - 2014-08-21 10:43:52

Hi Brian,

Thank you for your response. I just wanted to generate the graphical representation of the timeline when given only the body file obtained from fls or the mactime file. And when I click on the bar, I'd like to see the list of files that were accessed, modified, etc. in the given day corresponding to that bar, with information taken only from the mactime file. It's because I remotely run fls (or mac-robber) and mactime on machines as a security incident response and then I'd like to visualize the file activity. I can only have the body file and a mactime file, because making an image of a 1 TB disk and transmitting it over the network is probably not a very good idea.

What information is required to be stored in the database? Could it be somehow fooled, e.g. by manually storing empty objects or something like that? Or can it be solved by writing a module?

And do you know when version 3.1.1 is planned to be released? And will it offer a higher level of zooming, e.g. hours/minutes/seconds? Because in the current version, I can only zoom to the "day level" at most.

Thank you very much.

Adam

2014-08-21 4:06 GMT+02:00 Brian Carrier <ca...@sl...>:
> Hi Adam,
>
> The body file that autopsy internally makes is not a proper body file. It uses one of the columns to store the file's object ID, which is from the Autopsy database. If you put a proper body file in there, then Autopsy won't be happy because it will want the object ID.
>
> The 3.1.1 release will have an entirely new timeline feature. Are you filtering out certain information in the body file? The new timeline has filtering built into it - if that will help.
>
> brian
>
> On Aug 20, 2014, at 7:55 AM, Adam Mariš <mar...@gm...> wrote:
>
> > Hello,
> >
> > I have a question regarding the generation of the timeline. I'm using Autopsy 3.1.0_Beta2 on Windows. I have the body file and mactime file generated by other means and I'd like to use Autopsy just for generating the timeline when given only those files. I already fooled Autopsy just to parse the given mactime file by storing the mactime file in the directory of the corresponding case. The graph was drawn nicely, but information about the files in Table view was missing. This information is clearly not taken only from those files; however, it would be nice to have such functionality that takes only the mactime file as input and generates the timeline with some reduced information in Table view. Is it possible to do something like that in Autopsy? Or is it possible to write some module that would offer such functionality? Or do you know about any other simple application that offers such functionality?
> >
> > Thank you very much,
> >
> > Adam
From: Brian C. <ca...@sl...> - 2014-08-21 02:09:33

So the image has four partitions, but one of them isn't showing any files?

On Aug 14, 2014, at 5:42 AM, Alessandro Farina <at...@gm...> wrote:
> Hi
> I'm analysing an image (EWF) extracted from an iMac.
> The disk (image) has 4 partitions: 2 HFS+ and 2 NTFS (BOOTCAMP).
> I'm using Autopsy 3.0.10 on Windows 7 SP1.
> From the partition browser I can't access one of the HFS+ partitions.
> The image file is ok; in fact I can mount and browse all the partitions in linux (via ewfmount) without any problem. The same happens if I access the image via ftk mounter on windows.
> I think there is some sort of problem with Autopsy and I would like to help with analysis and debug.
> I can't send too much info on the contents because it is part of an ongoing investigation, but I think I can share info on disk and partition structure.
> Any help will be very appreciated.
>
> Thanks in advance
> Alessandro
From: Brian C. <ca...@sl...> - 2014-08-21 02:06:55

Hi Adam,

The body file that autopsy internally makes is not a proper body file. It uses one of the columns to store the file's object ID, which is from the Autopsy database. If you put a proper body file in there, then Autopsy won't be happy because it will want the object ID.

The 3.1.1 release will have an entirely new timeline feature. Are you filtering out certain information in the body file? The new timeline has filtering built into it - if that will help.

brian

On Aug 20, 2014, at 7:55 AM, Adam Mariš <mar...@gm...> wrote:
> Hello,
>
> I have a question regarding the generation of the timeline. I'm using Autopsy 3.1.0_Beta2 on Windows. I have the body file and mactime file generated by other means and I'd like to use Autopsy just for generating the timeline when given only those files. I already fooled Autopsy just to parse the given mactime file by storing the mactime file in the directory of the corresponding case. The graph was drawn nicely, but information about the files in Table view was missing. This information is clearly not taken only from those files; however, it would be nice to have such functionality that takes only the mactime file as input and generates the timeline with some reduced information in Table view. Is it possible to do something like that in Autopsy? Or is it possible to write some module that would offer such functionality? Or do you know about any other simple application that offers such functionality?
>
> Thank you very much,
>
> Adam
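The per-day view Adam asks for in this exchange, built from nothing but a standard body file, as an added Python example (not Autopsy or TSK code). It assumes the TSK 3.x body format that fls -m and mac-robber emit; the Autopsy-internal variant Brian describes, which repurposes a column for the object ID, is not handled, and the sample lines are constructed.

```python
"""Per-day MACB activity from a TSK body file (fls -m / mac-robber output).

Added example, not code from the thread, Autopsy or The Sleuth Kit. Given
only a body file (no image, no case database), it counts file-system events
per UTC day and lists which files were touched on each day with their
mactime-style flags, which is the bar-per-day plus click-through that Adam
describes. Assumed field layout is the TSK 3.x body file:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with times as Unix epoch seconds and 0 meaning "not set".
"""
from collections import defaultdict
from datetime import datetime, timezone

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# Letter mactime prints for each timestamp: Modified, Accessed, Changed, Birth
MACB_LETTERS = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}


def parse_body_line(line):
    """Split one body-file line into a dict; None for blank or malformed lines.

    The name is taken as everything between the md5 and the last nine
    fields, so a '|' inside a file name does not shift the numeric columns.
    """
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split("|", 1)          # md5 | rest
    if len(parts) != 2:
        return None
    md5, rest = parts
    tail = rest.rsplit("|", 9)          # name + 9 trailing fields
    if len(tail) != 10:
        return None
    rec = dict(zip(FIELDS, [md5] + tail))
    try:
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec


def macb_events(records):
    """Expand each record into (epoch, letter, name) events, skipping
    unset (zero) timestamps, the way mactime turns one body line into up
    to four dated entries."""
    for rec in records:
        for key, letter in MACB_LETTERS.items():
            if rec[key] > 0:
                yield rec[key], letter, rec["name"]


def per_day_activity(body_text):
    """Return {YYYY-MM-DD: {name: 'macb'-style flags}}, days in order.

    Days are UTC (as with mactime -z UTC); flags use mactime's fixed order
    m, a, c, b with '.' for a timestamp that did not fall on that day.
    """
    records = filter(None, (parse_body_line(l) for l in body_text.splitlines()))
    days = defaultdict(lambda: defaultdict(set))
    for ts, letter, name in macb_events(records):
        day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
        days[day][name].add(letter)
    return {day: {name: "".join(ch if ch in flags else "." for ch in "macb")
                  for name, flags in sorted(files.items())}
            for day, files in sorted(days.items())}


def day_counts(activity):
    """Number of distinct files touched per day: the height of each bar."""
    return {day: len(files) for day, files in activity.items()}


# Constructed sample body file (not from the thread). The third name
# contains a '|' on purpose; all times are UTC on 2014-08-06/07 except one
# 2009 creation time.
SAMPLE_BODY = """\
0|/Windows/System32/drivers/etc/hosts|2048-128-3|r/rrwxrwxrwx|0|0|824|1407330000|1407330000|1407330000|1250000000
0|/Users/alice/Documents/report.docx|1337-128-1|r/rrwxrwxrwx|0|0|20480|1407416400|1407333600|1407333600|1407330600
0|/Users/alice/Downloads/weird|name.exe|4242-128-1|r/rrwxrwxrwx|0|0|73728|1407420000|1407420000|1407420000|1407420000
"""
```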
From: Simson G. <si...@ac...> - 2014-08-20 21:01:43

Christie,

It seems like you're going through a huge amount of work to get this to work. Why don't you just use 'dd' and copy out the MBR into a file, and then run clamav on the resulting file? Is there some reason you need to do this within fiwalk?

On Aug 20, 2014, at 4:41 PM, Alex Nelson <ajn...@cs...> wrote:
> Ah, ok. I can make that adjustment, but I have a few things on my queue to get to first.
>
> --Alex
>
> On Wed, Aug 20, 2014 at 4:29 PM, Christie Peterson <cpe...@jh...> wrote:
>
> Actually, I take that back – the adjustment part, not the thanks part.
>
> I realized after clicking send that you were pointing to an adjustment to be made in Fiwalk, not in the plugin. I’m afraid C++ is beyond both my skills and my ambition at this point.
>
> Best,
>
> Christie
>
> From: Christie Peterson
> Sent: Wednesday, August 20, 2014 4:13 PM
> To: 'Alex Nelson'
> Cc: sle...@li...
> Subject: RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running.
>
> I will definitely submit the adjustment, though it could be a while before I manage to do it.
>
> Best,
>
> Christie
>
> From: Alex Nelson [mailto:ajn...@cs...]
> Sent: Wednesday, August 20, 2014 4:10 PM
> To: Christie Peterson
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset).
>
> I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:
>
> https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345
>
> The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.
>
> Would you like to submit that adjustment?
>
> --Alex
>
> On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:
>
> Here is the full <fileobject> for $MBR:
>
> <fileobject>
> <parent_object>
> <inode>2</inode>
> </parent_object>
> <filename>$MBR</filename>
> <partition>1</partition>
> <id>36</id>
> <name_type>v</name_type>
> <filesize>512</filesize>
> <alloc>1</alloc>
> <used>1</used>
> <inode>11443</inode>
> <meta_type>10</meta_type>
> <mode>0</mode>
> <nlink>1</nlink>
> <uid>0</uid>
> <gid>0</gid>
> <byte_runs>
> <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
> </byte_runs>
> <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
> <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
> </fileobject>
>
> If the plugin had run, there would be an entry after the <hashdigest> entries.
>
> Christie
From: Christie P. <cpe...@jh...> - 2014-08-20 20:59:24

My goal is to use fiwalk to automate a number of functions (including virus scan) over a collection of disk images, building off of the python scripts that can be found at https://github.com/anarchivist/fiwalk-dgi

As I was testing pyclam, though, I realized it was not catching a known BSV, which led to this thread.

Thanks,

Christie

From: Simson Garfinkel [mailto:si...@ac...]
Sent: Wednesday, August 20, 2014 4:44 PM
To: Alex Nelson
Cc: Christie Peterson; sle...@li...
Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

Christie,

It seems like you're going through a huge amount of work to get this to work. Why don't you just use 'dd' and copy out the MBR into a file, and then run clamav on the resulting file? Is there some reason you need to do this within fiwalk?

On Aug 20, 2014, at 4:41 PM, Alex Nelson <ajn...@cs...> wrote:

Ah, ok. I can make that adjustment, but I have a few things on my queue to get to first.

--Alex

On Wed, Aug 20, 2014 at 4:29 PM, Christie Peterson <cpe...@jh...> wrote:

Actually, I take that back - the adjustment part, not the thanks part.

I realized after clicking send that you were pointing to an adjustment to be made in Fiwalk, not in the plugin. I'm afraid C++ is beyond both my skills and my ambition at this point.

Best,

Christie

From: Christie Peterson
Sent: Wednesday, August 20, 2014 4:13 PM
To: 'Alex Nelson'
Cc: sle...@li...
Subject: RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running.

I will definitely submit the adjustment, though it could be a while before I manage to do it.

Best,

Christie

From: Alex Nelson [mailto:ajn...@cs...]
Sent: Wednesday, August 20, 2014 4:10 PM
To: Christie Peterson
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset).

I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:

https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345

The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.

Would you like to submit that adjustment?

--Alex

On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:

Here is the full <fileobject> for $MBR:

<fileobject>
<parent_object>
<inode>2</inode>
</parent_object>
<filename>$MBR</filename>
<partition>1</partition>
<id>36</id>
<name_type>v</name_type>
<filesize>512</filesize>
<alloc>1</alloc>
<used>1</used>
<inode>11443</inode>
<meta_type>10</meta_type>
<mode>0</mode>
<nlink>1</nlink>
<uid>0</uid>
<gid>0</gid>
<byte_runs>
<byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
</byte_runs>
<hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
<hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
</fileobject>

If the plugin had run, there would be an entry after the <hashdigest> entries.

Christie
From: Alex N. <ajn...@cs...> - 2014-08-20 20:41:39

Ah, ok. I can make that adjustment, but I have a few things on my queue to get to first.

--Alex

On Wed, Aug 20, 2014 at 4:29 PM, Christie Peterson <cpe...@jh...> wrote:
> Actually, I take that back – the adjustment part, not the thanks part.
>
> I realized after clicking send that you were pointing to an adjustment to be made in Fiwalk, not in the plugin. I’m afraid C++ is beyond both my skills and my ambition at this point.
>
> Best,
>
> Christie
>
> From: Christie Peterson
> Sent: Wednesday, August 20, 2014 4:13 PM
> To: 'Alex Nelson'
> Cc: sle...@li...
> Subject: RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running.
>
> I will definitely submit the adjustment, though it could be a while before I manage to do it.
>
> Best,
>
> Christie
>
> From: Alex Nelson [mailto:ajn...@cs...]
> Sent: Wednesday, August 20, 2014 4:10 PM
> To: Christie Peterson
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset).
>
> I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:
>
> https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345
>
> The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.
>
> Would you like to submit that adjustment?
>
> --Alex
>
> On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:
>
> Here is the full <fileobject> for $MBR:
>
> <fileobject>
> <parent_object>
> <inode>2</inode>
> </parent_object>
> <filename>$MBR</filename>
> <partition>1</partition>
> <id>36</id>
> <name_type>v</name_type>
> <filesize>512</filesize>
> <alloc>1</alloc>
> <used>1</used>
> <inode>11443</inode>
> <meta_type>10</meta_type>
> <mode>0</mode>
> <nlink>1</nlink>
> <uid>0</uid>
> <gid>0</gid>
> <byte_runs>
> <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
> </byte_runs>
> <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
> <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
> </fileobject>
>
> If the plugin had run, there would be an entry after the <hashdigest> entries.
>
> Christie
From: Christie P. <cpe...@jh...> - 2014-08-20 20:40:30

Here is the full <fileobject> for $MBR:

<fileobject>
<parent_object>
<inode>2</inode>
</parent_object>
<filename>$MBR</filename>
<partition>1</partition>
<id>36</id>
<name_type>v</name_type>
<filesize>512</filesize>
<alloc>1</alloc>
<used>1</used>
<inode>11443</inode>
<meta_type>10</meta_type>
<mode>0</mode>
<nlink>1</nlink>
<uid>0</uid>
<gid>0</gid>
<byte_runs>
<byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
</byte_runs>
<hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
<hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
</fileobject>

If the plugin had run, there would be an entry after the <hashdigest> entries.

Christie
From: Alex N. <ajn...@cs...> - 2014-08-20 20:36:56

That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset).

I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:

https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345

The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.

Would you like to submit that adjustment?

--Alex

On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:
> Here is the full <fileobject> for $MBR:
>
> <fileobject>
> <parent_object>
> <inode>2</inode>
> </parent_object>
> <filename>$MBR</filename>
> <partition>1</partition>
> <id>36</id>
> <name_type>v</name_type>
> <filesize>512</filesize>
> <alloc>1</alloc>
> <used>1</used>
> <inode>11443</inode>
> <meta_type>10</meta_type>
> <mode>0</mode>
> <nlink>1</nlink>
> <uid>0</uid>
> <gid>0</gid>
> <byte_runs>
> <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
> </byte_runs>
> <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
> <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
> </fileobject>
>
> If the plugin had run, there would be an entry after the <hashdigest> entries.
>
> Christie
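Since fiwalk skips virtual files when running plugins, the virtual files have to reach the scanner another way. As an added Python example (not fiwalk's code and not the fiwalk-dgi scripts), this walks a DFXML report for name_type "v" fileobjects like the $MBR one Christie posted, reads their <byte_runs> out of the image at img_offset, which is Simson's dd suggestion applied to every virtual file, and verifies the result against the recorded <hashdigest> values before it is handed to a scanner. The image and DFXML in build_sample() are constructed for the example.

```python
"""Hand fiwalk's virtual files (name_type 'v', such as $MBR) to a scanner.

Added example, not fiwalk's code and not the fiwalk-dgi scripts. Fiwalk only
runs plugins on regular files, so $MBR never reaches ficlam.sh. This reads
the <byte_runs> of every virtual file in a DFXML report, pulls the bytes out
of the image at img_offset, and checks them against the <hashdigest> values
so a scanner such as clamscan sees exactly the bytes fiwalk hashed. The
DFXML and image in build_sample() are constructed and follow the layout of
the $MBR <fileobject> posted in the thread.
"""
import hashlib
import xml.etree.ElementTree as ET


def _local(tag):
    # fiwalk output is namespaced ({uri}fileobject); compare local names only.
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def byte_runs(fobj):
    """[(file_offset, img_offset, len)] for a fileobject; runs without an
    img_offset (sparse or fill runs) are skipped."""
    runs = []
    for el in fobj.iter():
        if _local(el.tag) == "byte_run" and el.get("img_offset") is not None:
            runs.append((int(el.get("file_offset", "0")),
                         int(el.get("img_offset")), int(el.get("len"))))
    return runs


def read_runs(image, runs, size):
    """Reassemble a file from its byte runs out of an image (bytes-like)."""
    out = bytearray(size)
    for file_off, img_off, length in runs:
        if img_off + length > len(image) or file_off + length > size:
            raise ValueError("byte_run outside image or file bounds")
        out[file_off:file_off + length] = image[img_off:img_off + length]
    return bytes(out)


def digests(fobj):
    """{'md5': hex, 'sha1': hex, ...} as recorded in the report."""
    return {el.get("type").lower(): (el.text or "").strip().lower()
            for el in fobj.iter() if _local(el.tag) == "hashdigest"}


def extract_virtual_files(dfxml_text, image):
    """Return {filename: (data, hashes_match)} for each name_type 'v' fileobject.

    hashes_match is False when the bytes read from the image differ from the
    digests fiwalk recorded: the image and report do not belong together, and
    a scan verdict on that data would be meaningless.
    """
    results = {}
    for fobj in ET.fromstring(dfxml_text).iter():
        if _local(fobj.tag) != "fileobject" or _child_text(fobj, "name_type") != "v":
            continue
        size = int(_child_text(fobj, "filesize") or "0")
        data = read_runs(image, byte_runs(fobj), size)
        ok = all(hashlib.new(algo, data).hexdigest() == want
                 for algo, want in digests(fobj).items())
        results[_child_text(fobj, "filename")] = (data, ok)
    return results


def build_sample():
    """Constructed 4 KiB image (512-byte boot sector ending in 55 AA, then
    filler) and a DFXML report describing it; digests are computed here so
    the check passes on untampered input."""
    sector = b"\xeb\x3c\x90" + b"\x00" * 507 + b"\x55\xaa"
    image = sector + b"\xaa" * 3584
    md5, sha1 = hashlib.md5(sector).hexdigest(), hashlib.sha1(sector).hexdigest()
    dfxml = f"""<dfxml xmlns="http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML">
  <volume offset="0">
    <fileobject>
      <filename>$MBR</filename>
      <name_type>v</name_type>
      <filesize>512</filesize>
      <byte_runs>
        <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
      </byte_runs>
      <hashdigest type="md5">{md5}</hashdigest>
      <hashdigest type="sha1">{sha1}</hashdigest>
    </fileobject>
    <fileobject>
      <filename>readme.txt</filename>
      <name_type>r</name_type>
      <filesize>5</filesize>
      <byte_runs><byte_run file_offset="0" img_offset="1024" len="5"/></byte_runs>
    </fileobject>
  </volume>
</dfxml>"""
    return dfxml, image
```

Each returned buffer can be written to a temporary file and passed to clamscan, which is the per-file equivalent of dd'ing the MBR out by hand.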
From: Christie P. <cpe...@jh...> - 2014-08-20 20:29:40

Actually, I take that back – the adjustment part, not the thanks part.

I realized after clicking send that you were pointing to an adjustment to be made in Fiwalk, not in the plugin. I’m afraid C++ is beyond both my skills and my ambition at this point.

Best,

Christie

From: Christie Peterson
Sent: Wednesday, August 20, 2014 4:13 PM
To: 'Alex Nelson'
Cc: sle...@li...
Subject: RE: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running.

I will definitely submit the adjustment, though it could be a while before I manage to do it.

Best,

Christie

From: Alex Nelson [mailto:ajn...@cs...]
Sent: Wednesday, August 20, 2014 4:10 PM
To: Christie Peterson
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset).

I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:

https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345

The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name.

Would you like to submit that adjustment?

--Alex

On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:

Here is the full <fileobject> for $MBR:

<fileobject>
<parent_object>
<inode>2</inode>
</parent_object>
<filename>$MBR</filename>
<partition>1</partition>
<id>36</id>
<name_type>v</name_type>
<filesize>512</filesize>
<alloc>1</alloc>
<used>1</used>
<inode>11443</inode>
<meta_type>10</meta_type>
<mode>0</mode>
<nlink>1</nlink>
<uid>0</uid>
<gid>0</gid>
<byte_runs>
<byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
</byte_runs>
<hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
<hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
</fileobject>

If the plugin had run, there would be an entry after the <hashdigest> entries.

Christie
From: Christie P. <cpe...@jh...> - 2014-08-20 20:12:40
Thanks for catching that, Alex! Going to the script was my next step, once I got a better handle on how Fiwalk was actually running. I will definitely submit the adjustment, though it could be a while before I manage to do it.

Best,
Christie

From: Alex Nelson [mailto:ajn...@cs...]
Sent: Wednesday, August 20, 2014 4:10 PM
To: Christie Peterson
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

That file object looks fine (though I could be highly pedantic and argue that $MBR semantically has neither parent nor fs_offset). I did find why the plugin didn't run, though. Note that <name_type> is v, which TSK uses for virtual files. There is a specific check in place to only run plugins on "Regular" files:

https://github.com/sleuthkit/sleuthkit/blob/develop/tools/fiwalk/src/fiwalk_tsk.cpp#L345

The correct revision for scanning the MBR would be to add a third boolean into L347 based on the file's type and name, tweaking the test at L345 to set the boolean based on matching name. Would you like to submit that adjustment?

--Alex

On Wed, Aug 20, 2014 at 3:40 PM, Christie Peterson <cpe...@jh...> wrote:

Here is the full <fileobject> for $MBR:

<fileobject>
  <parent_object>
    <inode>2</inode>
  </parent_object>
  <filename>$MBR</filename>
  <partition>1</partition>
  <id>36</id>
  <name_type>v</name_type>
  <filesize>512</filesize>
  <alloc>1</alloc>
  <used>1</used>
  <inode>11443</inode>
  <meta_type>10</meta_type>
  <mode>0</mode>
  <nlink>1</nlink>
  <uid>0</uid>
  <gid>0</gid>
  <byte_runs>
    <byte_run file_offset="0" fs_offset="0" img_offset="0" len="512"/>
  </byte_runs>
  <hashdigest type="md5">2094c4ac8d687f7c1476a5ce675229e4</hashdigest>
  <hashdigest type="sha1">ad3220057082bae3090202d8b1675406304d5d91</hashdigest>
</fileobject>

If the plugin had run, there would be an entry after the <hashdigest> entries.

Christie
From: Alex N. <ajn...@cs...> - 2014-08-20 19:27:05
I think it would be $MBR you'd want to feed to clamscan. I don't suppose you're looking at the XML output from Fiwalk, and see some <byte_runs> elements for $MBR? I recall that being something I wanted to add to Fiwalk when making other tools populate virtual files.

--Alex

On Wed, Aug 20, 2014 at 3:12 PM, Christie Peterson <cpe...@jh...> wrote:
> Hi Alex,
>
> Thanks for the response & the explanation of how Fiwalk runs plugins.
>
> From the Fiwalk XML output, it looks like $MBR, $FAT1, $FAT2 and $OrphanFiles are being exposed as virtual files, but the plugin is not running over them. I don’t have anything called $Boot.
>
> Christie
>
> *From:* Alex Nelson [mailto:ajn...@cs...]
> *Sent:* Tuesday, August 19, 2014 11:21 AM
> *To:* Christie Peterson
> *Cc:* sle...@li...
> *Subject:* Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Fiwalk runs plugins against individual files, not against the entire disk image. For your floppy, is the boot sector being exposed as a virtual file, like a FAT file system's allocation table is exposed as $FAT1 or $FAT2? (Offhand I recall Fiwalk doesn't do this for floppies, but I don't have a floppy handy to test. Fiwalk usually creates all its virtual and non-virtual files starting at the scope of the file system, after the partition table is processed.) If the boot sector isn't exposed as a virtual file, Fiwalk won't clamscan it.
>
> Could you post the names of files with a $ at the beginning? The boot sector would be $Boot or something similar if it existed.
>
> --Alex
>
> On Mon, Aug 18, 2014 at 3:35 PM, Christie Peterson <cpe...@jh...> wrote:
>
> I have some floppy disks known to be infected with the boot sector virus AntiCMOS.B but when I run ficlam.sh/clamconfig.txt (https://github.com/sleuthkit/sleuthkit/tree/master/tools/fiwalk/plugins) against images of these disks, it returns nothing found.
>
> I’m wondering if this is because of how fiwalk “walks” disk images – would a malware scan using fiwalk to access the contents of a disk image ever find something in the boot sector? I’d appreciate any explanation that you could provide.
>
> Thanks in advance,
>
> Christie Peterson
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
From: Christie P. <cpe...@jh...> - 2014-08-20 19:12:22
Hi Alex,

Thanks for the response & the explanation of how Fiwalk runs plugins.

From the Fiwalk XML output, it looks like $MBR, $FAT1, $FAT2 and $OrphanFiles are being exposed as virtual files, but the plugin is not running over them. I don’t have anything called $Boot.

Christie

From: Alex Nelson [mailto:ajn...@cs...]
Sent: Tuesday, August 19, 2014 11:21 AM
To: Christie Peterson
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus

Fiwalk runs plugins against individual files, not against the entire disk image. For your floppy, is the boot sector being exposed as a virtual file, like a FAT file system's allocation table is exposed as $FAT1 or $FAT2? (Offhand I recall Fiwalk doesn't do this for floppies, but I don't have a floppy handy to test. Fiwalk usually creates all its virtual and non-virtual files starting at the scope of the file system, after the partition table is processed.) If the boot sector isn't exposed as a virtual file, Fiwalk won't clamscan it.

Could you post the names of files with a $ at the beginning? The boot sector would be $Boot or something similar if it existed.

--Alex

On Mon, Aug 18, 2014 at 3:35 PM, Christie Peterson <cpe...@jh...> wrote:

I have some floppy disks known to be infected with the boot sector virus AntiCMOS.B but when I run ficlam.sh/clamconfig.txt (https://github.com/sleuthkit/sleuthkit/tree/master/tools/fiwalk/plugins) against images of these disks, it returns nothing found.

I’m wondering if this is because of how fiwalk “walks” disk images – would a malware scan using fiwalk to access the contents of a disk image ever find something in the boot sector? I’d appreciate any explanation that you could provide.

Thanks in advance,

Christie Peterson
From: Adam M. <mar...@gm...> - 2014-08-20 11:55:08
Hello,

I have a question regarding the generation of timeline. I'm using Autopsy 3.1.0_Beta2 on Windows. I have the body file and mactime file generated by other means and I'd like to use Autopsy just for generating the timeline when given only those files.

I already fooled Autopsy into parsing the given mactime file by storing the mactime file in the directory of the corresponding case. The graph was drawn nicely, but information about the files in the Table view was missing. This information is clearly not taken only from those files; however, it would be nice to have such functionality that takes only a mactime file as input and generates the timeline with some reduced information in the Table view.

Is it possible to do something like that in Autopsy? Or is it possible to write some module that would offer such functionality? Or do you know about any other simple application that offers such functionality?

Thank you very much,
Adam
From: Alex N. <ajn...@cs...> - 2014-08-19 15:46:47
Fiwalk runs plugins against individual files, not against the entire disk image. For your floppy, is the boot sector being exposed as a virtual file, like a FAT file system's allocation table is exposed as $FAT1 or $FAT2? (Offhand I recall Fiwalk doesn't do this for floppies, but I don't have a floppy handy to test. Fiwalk usually creates all its virtual and non-virtual files starting at the scope of the file system, after the partition table is processed.) If the boot sector isn't exposed as a virtual file, Fiwalk won't clamscan it.

Could you post the names of files with a $ at the beginning? The boot sector would be $Boot or something similar if it existed.

--Alex

On Mon, Aug 18, 2014 at 3:35 PM, Christie Peterson <cpe...@jh...> wrote:
> I have some floppy disks known to be infected with the boot sector virus AntiCMOS.B but when I run ficlam.sh/clamconfig.txt (https://github.com/sleuthkit/sleuthkit/tree/master/tools/fiwalk/plugins) against images of these disks, it returns nothing found.
>
> I’m wondering if this is because of how fiwalk “walks” disk images – would a malware scan using fiwalk to access the contents of a disk image ever find something in the boot sector? I’d appreciate any explanation that you could provide.
>
> Thanks in advance,
>
> Christie Peterson
From: Erlo H. <erl...@gm...> - 2014-08-18 20:35:31
On 14-08-2014 13:27, Bong wrote:
> hi i installed autopsy 2.24 on lubuntu 14.04 via synaptic, now where do i find the shortcuts?

Start the autopsy application from the shell and access it through your browser. You need to start the individual utilities from the shell if you are not using the web interface.

Erlo
From: Simson G. <si...@ac...> - 2014-08-18 19:56:46
fiwalk uses sleuthkit auto tools

On Aug 18, 2014, at 3:35 PM, Christie Peterson <cpe...@jh...> wrote:
> I have some floppy disks known to be infected with the boot sector virus AntiCMOS.B but when I run ficlam.sh/clamconfig.txt (https://github.com/sleuthkit/sleuthkit/tree/master/tools/fiwalk/plugins) against images of these disks, it returns nothing found.
>
> I’m wondering if this is because of how fiwalk “walks” disk images – would a malware scan using fiwalk to access the contents of a disk image ever find something in the boot sector? I’d appreciate any explanation that you could provide.
>
> Thanks in advance,
>
> Christie Peterson
From: Christie P. <cpe...@jh...> - 2014-08-18 19:35:15
I have some floppy disks known to be infected with the boot sector virus AntiCMOS.B but when I run ficlam.sh/clamconfig.txt (https://github.com/sleuthkit/sleuthkit/tree/master/tools/fiwalk/plugins) against images of these disks, it returns nothing found.

I'm wondering if this is because of how fiwalk "walks" disk images - would a malware scan using fiwalk to access the contents of a disk image ever find something in the boot sector? I'd appreciate any explanation that you could provide.

Thanks in advance,

Christie Peterson
From: Bong <jab...@gm...> - 2014-08-14 11:27:48
hi i installed autopsy 2.24 on lubuntu 14.04 via synaptic, now where do i find the shortcuts?
From: Alessandro F. <at...@gm...> - 2014-08-14 09:42:55
Hi,

I'm analysing an image (EWF) extracted from an iMac. The disk (image) has 4 partitions: 2 HFS+ and 2 NTFS (BOOTCAMP). I'm using Autopsy 3.0.10 on Windows 7 SP1.

From the partition browser I can't access one of the HFS+ partitions. The image file is ok; in fact I can mount and browse all the partitions in Linux (via ewfmount) without any problem. The same happens if I access the image via FTK mounter on Windows.

I think there is some sort of problem with Autopsy and I would like to help with analysis and debug. I can't send too much info on the contents because it is part of an ongoing investigation, but I think I can share info on disk and partition structure.

Any help will be very appreciated.

Thanks in advance
Alessandro
From: Jason L. <jle...@ba...> - 2014-08-13 20:33:12
Hi Anthony -

You can drill down to the day in question in the timeline, select all of the files that appear in the lower left panel (shift + click with the mouse), right-click and select extract files

Jason
------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Aug 13, 2014, at 1:14 PM, anthony snow <ant...@gm...> wrote:
> Good morning,
>
> I’m using 3.1 and understand the timeline functionality is in beta but is there a way to export the list of files from a particular day?
>
> Thank you