sleuthkit-users Mailing List for The Sleuth Kit (Page 41)
From: Donald M. <don...@ny...> - 2014-06-03 17:45:49

Thanks, setting the limit higher worked for both tsk and ewf.

Don

On Tue, Jun 3, 2014 at 1:28 PM, Kalin KOZHUHAROV <me....@gm...> wrote:
> Hello,
>
> On Wed, Jun 4, 2014 at 1:50 AM, Donald Mennerich <don...@ny...> wrote:
> > I recently acquired a large (2 TB) disk image using FTK Imager. The image of
> > an HFS+ drive is partitioned into 1.5gb segments and I had the compression
> > set to 0 while it was imaging. There are over 1,200 segments that make up
> > the image.
> >
> > The disk image loads into FTK fine and seems to be working great. I cannot
> > get any of the Sleuthkit or EwfTools bins to work with the image though.
> > I've created images of several smaller disk drives (60gb, 100gb,
> > 160gb) and they all work fine with the bins. I'd like to know if there is
> > something fundamentally wrong with the 2TB disk image. I'm running the tools
> > on a Fedora 20 machine with both libraries having been built from the
> > sources.
>
> What is the output of `ulimit -a |grep files` with the account you used?
> (Standard is 1024 max open files)
>
> As shown in the error:
> > with error: Too many open files
>
> > I'd be really curious to know what those more knowledgeable on both libewf
> > and tsk would make of these outputs, hopefully I'm just doing something
> > completely stupid.
>
> Not completely stupid, just read the error messages :-)
>
> If you try as root (which I don't recommend for many reasons), there
> is usually no limit.
> Better set your ulimit for the user before you run the command:
>
> $ ulimit -n 2000
> $ ulimit -n
> 2000
> $ ewfinfo FA_MSS_343_1.E01
>
> You can permanently increase ulimit, but check how to do it on Fedora
> (or just stick it in .bashrc).
>
> Cheers,
> Kalin.
From: Kalin K. <me....@gm...> - 2014-06-03 17:29:03

Hello,

On Wed, Jun 4, 2014 at 1:50 AM, Donald Mennerich <don...@ny...> wrote:
> I recently acquired a large (2 TB) disk image using FTK Imager. The image of
> an HFS+ drive is partitioned into 1.5gb segments and I had the compression
> set to 0 while it was imaging. There are over 1,200 segments that make up
> the image.
>
> The disk image loads into FTK fine and seems to be working great. I cannot
> get any of the Sleuthkit or EwfTools bins to work with the image though.
> I've created images of several smaller disk drives (60gb, 100gb,
> 160gb) and they all work fine with the bins. I'd like to know if there is
> something fundamentally wrong with the 2TB disk image. I'm running the tools
> on a Fedora 20 machine with both libraries having been built from the
> sources.

What is the output of `ulimit -a |grep files` with the account you used?
(Standard is 1024 max open files)

As shown in the error:
> with error: Too many open files

> I'd be really curious to know what those more knowledgeable on both libewf
> and tsk would make of these outputs, hopefully I'm just doing something
> completely stupid.

Not completely stupid, just read the error messages :-)

If you try as root (which I don't recommend for many reasons), there
is usually no limit.
Better set your ulimit for the user before you run the command:

$ ulimit -n 2000
$ ulimit -n
2000
$ ewfinfo FA_MSS_343_1.E01

You can permanently increase ulimit, but check how to do it on Fedora
(or just stick it in .bashrc).

Cheers,
Kalin.
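Kalin's diagnosis can be checked arithmetically. As an added example (not libewf or Sleuth Kit code), the C program below generates the EnCase/EWF segment extensions (.E01 to .E99, then .EAA onward) and works out which segment is the first to fail under a given `ulimit -n`. It assumes that only stdin, stdout and stderr are otherwise open and that libbfio's pool entries are numbered from 0: a limit of 1024 then leaves room for 1021 segment files, so the 1022nd open fails, and the naming scheme calls that segment .FJM, exactly the path in Don's error; 1273 segments need a limit of at least 1276.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/*
 * Added example; not libewf or Sleuth Kit code.
 *
 * EnCase/EWF segment files are numbered .E01 .. .E99, then .EAA .. .EZZ,
 * .FAA .. .FZZ and so on up to .ZZZ (the third letter advances fastest).
 * Writes the extension for 1-based segment number n into out (4 bytes).
 * Returns 0 on success, -1 if n lies outside the scheme.
 */
int ewf_segment_ext(unsigned n, char out[4])
{
    const unsigned max_segments = 99u + 22u * 26u * 26u;  /* E01 .. ZZZ */
    if (n < 1 || n > max_segments)
        return -1;
    if (n <= 99) {
        snprintf(out, 4, "E%02u", n);
        return 0;
    }
    unsigned k = n - 100;               /* k == 0 is .EAA */
    out[0] = (char)('E' + k / 676);
    out[1] = (char)('A' + (k / 26) % 26);
    out[2] = (char)('A' + k % 26);
    out[3] = '\0';
    return 0;
}

/* Test helper: does segment n carry the extension `want`? */
int ewf_segment_ext_is(unsigned n, const char *want)
{
    char ext[4];
    return ewf_segment_ext(n, ext) == 0 && strcmp(ext, want) == 0;
}

/*
 * A reader that keeps every segment open needs one descriptor per segment
 * on top of stdin, stdout and stderr (assumption: nothing else is open).
 * Given the soft RLIMIT_NOFILE, returns the 1-based number of the first
 * segment whose open() fails with EMFILE, or 0 if all `segments` fit.
 */
unsigned first_failing_segment(unsigned long nofile, unsigned segments)
{
    const unsigned reserved = 3;        /* stdin, stdout, stderr */
    if (nofile <= reserved)
        return 1;
    unsigned long openable = nofile - reserved;
    return segments > openable ? (unsigned)(openable + 1) : 0;
}

/* Smallest RLIMIT_NOFILE that lets `segments` segment files stay open. */
unsigned long min_nofile_for(unsigned segments)
{
    return (unsigned long)segments + 3;
}

/* Check the current process limit against a segment count; the default
 * 1273 is what ewf_open reported for Don's image. */
int main(int argc, char **argv)
{
    unsigned segments = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 10) : 1273;
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) {
        perror("getrlimit");
        return 1;
    }
    if (rl.rlim_cur == RLIM_INFINITY) {
        printf("RLIMIT_NOFILE is unlimited; %u segments are fine\n", segments);
        return 0;
    }
    unsigned long nofile = (unsigned long)rl.rlim_cur;
    unsigned fail = first_failing_segment(nofile, segments);
    if (fail == 0) {
        printf("ulimit -n is %lu: all %u segments can be held open\n",
               nofile, segments);
        return 0;
    }
    char ext[4];
    ewf_segment_ext(fail, ext);
    printf("ulimit -n is %lu: opening segment %u (.%s) will fail with EMFILE; "
           "raise the limit to at least %lu (ulimit -n %lu)\n",
           nofile, fail, ext, min_nofile_for(segments), min_nofile_for(segments));
    return 2;
}
```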
From: Donald M. <don...@ny...> - 2014-06-03 17:15:50

Hello,

I recently acquired a large (2 TB) disk image using FTK Imager. The image of an HFS+ drive is partitioned into 1.5gb segments and I had the compression set to 0 while it was imaging. There are over 1,200 segments that make up the image.

The disk image loads into FTK fine and seems to be working great. I cannot get any of the Sleuthkit or EwfTools bins to work with the image though. I've created images of several smaller disk drives (60gb, 100gb, 160gb) and they all work fine with the bins. I'd like to know if there is something fundamentally wrong with the 2TB disk image. I'm running the tools on a Fedora 20 machine with both libraries having been built from the sources.

Here's what the verbose output of ewfinfo looks like for the image.

$ ewfinfo FA_MSS_343_1.E01
ewfinfo 20140227

Unable to open EWF file(s).
libcfile_file_open_with_error_code: unable to open file: /mnt/staging/Fales/MSS/343/FA_MSS_343_1/FA_MSS_343_1.FJM with error: Too many open files
libcfile_file_open: unable to open file.
libbfio_file_open: unable to open file: /mnt/staging/Fales/MSS/343/FA_MSS_343_1/FA_MSS_343_1.FJM.
libcfile_file_seek_offset: invalid file - missing descriptor.
libbfio_file_seek_offset: unable to find offset in file: /mnt/staging/Fales/MSS/343/FA_MSS_343_1/FA_MSS_343_1.FJM.
libbfio_handle_seek_offset: unable to find offset: -1 in handle.
libbfio_pool_open_handle: unable to seek offset.
libbfio_pool_seek_offset: unable to open entry: 1021.
libewf_segment_file_read_file_header: unable to seek file header offset: 0.
libewf_handle_open_file_io_pool: unable to read segment file header.
libewf_handle_open: unable to open handle using a file IO pool.
info_handle_open_input: unable to open file(s).

And the verbose output from mmls:

$ mmls -V
The Sleuth Kit ver 4.1.3
$ mmls -v FA_MSS_343_1.E01
tsk_img_open: Type: 0 NumImg: 1 Img1: FA_MSS_343_1.E01
ewf_open: found 1273 segment files via libewf_glob
Error opening EWF file
tsk_img_findFiles: FA_MSS_343_1.E01 found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0 size: 1572786931 max offset: 1572786931 path: FA_MSS_343_1.E01
dos_load_prim: Table Sector: 0
raw_read: byte offset: 0 len: 65536
raw_read: found in image 0 relative offset: 0 len: 65536
raw_read_segment: opening file into slot 0: FA_MSS_343_1.E01
File is not a DOS partition (invalid primary magic) (Sector: 0)
bsd_load_table: Table Sector: 1
gpt_load_table: Sector: 0
gpt_open: Trying other sector sizes
gpt_open: Trying sector size: 512
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 1024
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 2048
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 4096
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 8192
gpt_load_table: Sector: 0
sun_load_table: Trying sector: 0
sun_load_table: Trying sector: 1
mac_load_table: Sector: 1
mac_load: Missing initial magic value
mac_open: Trying 4096-byte sector size instead of 512-byte
mac_load_table: Sector: 1
mac_load: Missing initial magic value
Cannot determine partition type

I'd be really curious to know what those more knowledgeable on both libewf and tsk would make of these outputs, hopefully I'm just doing something completely stupid.

Thanks,
Don
From: Stefan K. <sk...@bf...> - 2014-06-02 10:27:28

Enkidu,

> what tool (free and accepted by court) do u suggest for taking volatile
> image of ram memory of android devices? is Lime the best?

You might want to check out the Lime-related discussion which just took
place over at the 'vol-users' list at:

http://lists.volatilesystems.com/pipermail/vol-users/2014-May/001254.html

Maybe this helps.

Cheers,
Stefan.

--
Stefan Kelm <sk...@bf...>
BFK edv-consulting GmbH          http://www.bfk.de/
Kriegsstrasse 100                Tel: +49-721-96201-1
D-76133 Karlsruhe                Fax: +49-721-96201-99
From: Enkidu Mo S. <vol...@gm...> - 2014-06-02 08:03:50

Hello guys,

what tool (free and accepted by court) do u suggest for taking volatile image of ram memory of android devices? is Lime the best?
and to take image of internal memory, would dd be good enough?

thank you

Ehsan Moshiri (Enkidu)
Digital Forensic Student
H/P:+96164953954 , +961124249769
Linkedin: http://my.linkedin.com/pub/enkidu-moshiri/59/baa/90b/
Facebook: Enkidu Mo Shi Ri
wechat: Enkidu-Moshiri
Line: Enkidu.Moshiri
From: <na...@li...> - 2014-05-29 14:39:00

Hi all,

in Italy many accounts of libero.it are sending spam messages, I see that one has been sent from my account.
I only want to communicate this issue.

Thanks
Nanni Bassetti
From: nannib <na...@li...> - 2014-05-29 13:46:51
From: Brian C. <ca...@sl...> - 2014-05-29 02:12:19

It sounds like an Ubuntu packaging issue. I haven't run Autopsy 2 in ages.

On May 28, 2014, at 5:05 PM, Alan Brown <al...@ma...> wrote:
> Dear all
>
> I asked this question almost a month ago - anyone working on it? Got any ideas about it? Offer any solutions to it?
>
> regards
> ADB
>
> On 02/05/2014 11:20, Kalin KOZHUHAROV wrote:
>> On May 2, 2014 6:56 PM, <al...@ma...> wrote:
>> > Both were downloaded from the Ubuntu software repository and installed
>> > correctly, in the order SK then autopsy.
>> >
>> > I ran Autopsy from the Terminal, and got the message about opening an HTML
>> > session but then I got the error message (immediately):
>> >
>> > "Cannot open log: autopsy.log at /usr/share/autopsy/lib//Print.pm at line
>> > 383."
>>
>> Most probably permission problem, most probably in /tmp ...
>>
>> What is the output of `ls -lsd /tmp` ?
>> Note to devs: The message needs to be changed to include the full path IMHO.
>>
>> Kalin.
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
From: Alan B. <al...@ma...> - 2014-05-28 21:05:55

Dear all

I asked this question almost a month ago - anyone working on it? Got any ideas about it? Offer any solutions to it?

regards
ADB

On 02/05/2014 11:20, Kalin KOZHUHAROV wrote:
> On May 2, 2014 6:56 PM, <al...@ma...> wrote:
> > Both were downloaded from the Ubuntu software repository and installed
> > correctly, in the order SK then autopsy.
> >
> > I ran Autopsy from the Terminal, and got the message about opening an HTML
> > session but then I got the error message (immediately):
> >
> > "Cannot open log: autopsy.log at /usr/share/autopsy/lib//Print.pm at line
> > 383."
>
> Most probably permission problem, most probably in /tmp ...
>
> What is the output of `ls -lsd /tmp` ?
>
> Note to devs: The message needs to be changed to include the full path IMHO.
>
> Kalin.
From: Brian C. <ca...@sl...> - 2014-05-27 15:11:40

The Open Source Digital Forensics Conference (OSDFCon) CFP submissions are due June 1. This is a unique opportunity to show off your tools and help others learn how to use existing tools. The presentations are short (35 minutes) and presentations that cover tools from years past are always welcome since there will be a new audience and new features to talk about.

http://www.basistech.com/osdfcon/cfp/

And in case you missed it, there is the Autopsy module writing competition for cash prizes. Those submissions are due by Oct 20.

http://www.basistech.com/osdfcon-contest/

thanks,
brian
From: Derrick K. <dk...@gm...> - 2014-05-26 05:10:24

Hello.

A bit off topic on this mailing list but take a look at the JTAG documents on the forensicswiki.org. Using JTAG you can read directly into the NAND so you can effectively get a copy of the internal memory without rooting (or even booting) the device.

http://www.forensicswiki.org/wiki/JTAG_Forensics

Derrick

On Sun, May 25, 2014 at 11:01 PM, Enkidu Mo Shiri <vol...@gm...> wrote:
> Hi,
> i have an android device which i need to take image of its internal memory.
> is it possible to do so without rooting the device? i did some research and
> found JTAG application can do so. is it true? can i take full image without
> rooting device using jtag?
> Ehsan Moshiri (Enkidu)
> Digital Forensic Student
> H/P:+96164953954 , +961124249769
> Linkedin: http://my.linkedin.com/pub/enkidu-moshiri/59/baa/90b/
> Facebook: Enkidu Mo Shi Ri
> wechat: Enkidu-Moshiri
> Line: Enkidu.Moshiri
From: Enkidu Mo S. <vol...@gm...> - 2014-05-26 05:01:53

Hi,

i have an android device which i need to take image of its internal memory. is it possible to do so without rooting the device? i did some research and found JTAG application can do so. is it true? can i take full image without rooting device using jtag?

Ehsan Moshiri (Enkidu)
Digital Forensic Student
H/P:+96164953954 , +961124249769
Linkedin: http://my.linkedin.com/pub/enkidu-moshiri/59/baa/90b/
Facebook: Enkidu Mo Shi Ri
wechat: Enkidu-Moshiri
Line: Enkidu.Moshiri
From: Brian C. <ca...@sl...> - 2014-05-22 15:23:10

There is a whole set of volume system libraries and classes that you can use to determine partition layout. Checkout the dev docs if you haven't read them already:

http://sleuthkit.org/sleuthkit/docs/api-docs/

On May 20, 2014, at 6:50 PM, Mike Goldstein <do...@li...> wrote:
> Hi all,
>
> I have been writing a program to analyze an image (/dev/sdc for a USB stick). So far all works. The only thing is: How do I write code to get the starting offset that the file system begins at.
>
> Let me explain.
> So far, my code looks as follows:
>
> TskImgInfo *img_info = new TskImgInfo();
> TSK_TCHAR **temp = (TSK_TCHAR **) argv;
>
> TSK_OFF_T fsStartBlock = 0x878*512;
>
> printf("Offset at: %lu \n", fsStartBlock);
>
> printf("Opening Image %s \n", temp[1]);
>
> if(img_info->open(argv[1], TSK_IMG_TYPE_DETECT, fsStartBlock) == 0)
> {
>     printf("Image opened successfully\n");
> }
> else
> {
>     printf("Error opening image %s \n", temp[1]);
>     exit(1);
> }
>
> Now, I found the fsStartBlock to be 0x878 by using the mmls on /dev/sdc. Then I can tell where the FAT32 file system begins. But this means that every time I insert another USB or even try to analyze another drive I have to change the code. Is there a function in the Sleuthkit library that can get the offset automatically for the program?
>
> Many thanks
> Mike Goldstein
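Brian's pointer in concrete terms: the volume system layer (`tsk_vs_open` / `TskVsInfo` in the dev docs) walks the partition table and reports each partition's starting sector, which multiplied by the sector size is the offset Mike hard-codes. As an added example that is not Sleuth Kit code, the C program below does that by hand for the DOS (MBR) table mmls tries first, on a constructed 512-byte sector that places a FAT32 partition at sector 0x878 as in Mike's mmls run; a real program should use the TSK classes, which also handle GPT, BSD, Sun and Mac tables.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example; not Sleuth Kit code.  Decodes a DOS (MBR) partition table
 * the way mmls's "dos_load_prim: Table Sector: 0" step does, to find the
 * byte offset at which a file system begins.  Extended partitions
 * (types 0x05 / 0x0F) are not followed here.
 */

#define SECTOR_SIZE   512u
#define MBR_TABLE_OFF 446u   /* four 16-byte entries */
#define MBR_SIG_OFF   510u   /* boot signature 0x55 0xAA */

struct dos_part {
    uint8_t  type;       /* type byte: 0x0B / 0x0C are FAT32 */
    uint32_t start_lba;  /* first sector of the partition */
    uint32_t sectors;    /* length in sectors */
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Decode the primary table.  Returns the number of used entries, or -1 when
 * the boot signature is missing, which mmls reports as "invalid primary
 * magic" before trying the other table types. */
int dos_parse_primary(const uint8_t *sector, struct dos_part out[4])
{
    if (sector[MBR_SIG_OFF] != 0x55 || sector[MBR_SIG_OFF + 1] != 0xAA)
        return -1;
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + MBR_TABLE_OFF + 16 * i;
        uint32_t len = get_le32(e + 12);
        if (e[4] == 0 || len == 0)
            continue;                 /* empty slot */
        out[n].type = e[4];
        out[n].start_lba = get_le32(e + 8);
        out[n].sectors = len;
        n++;
    }
    return n;
}

/* Byte offset of the first FAT32 partition, i.e. the value Mike hard-codes
 * as 0x878*512; -1 if the table is invalid or holds no FAT32 entry. */
long long first_fat32_offset(const uint8_t *sector)
{
    struct dos_part parts[4];
    int n = dos_parse_primary(sector, parts);
    for (int i = 0; i < n; i++)
        if (parts[i].type == 0x0B || parts[i].type == 0x0C)
            return (long long)parts[i].start_lba * SECTOR_SIZE;
    return -1;
}

/* Constructed sample sector (not from a real device): one FAT32 (0x0C)
 * partition starting at sector 0x878, the offset from Mike's mmls run.
 * with_signature == 0 omits 0x55AA to exercise the failure path. */
void build_sample_mbr(uint8_t *sector, int with_signature)
{
    memset(sector, 0, SECTOR_SIZE);
    uint8_t *e = sector + MBR_TABLE_OFF;
    e[0] = 0x80;                      /* active flag */
    e[4] = 0x0C;                      /* FAT32 with LBA addressing */
    put_le32(e + 8, 0x878);           /* start LBA */
    put_le32(e + 12, 200000);         /* length in sectors */
    if (with_signature) {
        sector[MBR_SIG_OFF] = 0x55;
        sector[MBR_SIG_OFF + 1] = 0xAA;
    }
}

/* Offset found in the sample table; -1 when the signature is left out. */
long long sample_fat32_offset(int with_signature)
{
    uint8_t sector[SECTOR_SIZE];
    build_sample_mbr(sector, with_signature);
    return first_fat32_offset(sector);
}

int main(void)
{
    long long off = sample_fat32_offset(1);
    printf("FAT32 file system starts at byte offset %lld (sector %lld)\n",
           off, off / SECTOR_SIZE);
    printf("without 0x55AA the table is rejected: %lld\n", sample_fat32_offset(0));
    return 0;
}
```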
From: Mike G. <do...@li...> - 2014-05-20 22:51:05

Hi all,

I have been writing a program to analyze an image (/dev/sdc for a USB stick). So far all works. The only thing is: How do I write code to get the starting offset that the file system begins at.

Let me explain.
So far, my code looks as follows:

TskImgInfo *img_info = new TskImgInfo();
TSK_TCHAR **temp = (TSK_TCHAR **) argv;

TSK_OFF_T fsStartBlock = 0x878*512;

printf("Offset at: %lu \n", fsStartBlock);

printf("Opening Image %s \n", temp[1]);

if(img_info->open(argv[1], TSK_IMG_TYPE_DETECT, fsStartBlock) == 0)
{
    printf("Image opened successfully\n");
}
else
{
    printf("Error opening image %s \n", temp[1]);
    exit(1);
}

Now, I found the fsStartBlock to be 0x878 by using the mmls on /dev/sdc. Then I can tell where the FAT32 file system begins. But this means that every time I insert another USB or even try to analyze another drive I have to change the code. Is there a function in the Sleuthkit library that can get the offset automatically for the program?

Many thanks
Mike Goldstein
From: Derrick K. <dk...@gm...> - 2014-05-20 21:43:20

Wow. I totally misread that.....I was thinking about writing patches and committing them upstream, not applying patches to the current source! Ooops. :)

Derrick

On Tue, May 20, 2014 at 3:33 PM, Willi Ballenthin <wil...@gm...> wrote:
> In general, you can use the `patch` command to apply a patch created by
> `diff` to source code. kernel.org maintains a nice writeup on how to do it
> here: https://www.kernel.org/doc/Documentation/applying-patches.txt
> In summary, you can probably navigate to the directory that contains the
> unpatched source code, and execute a command like the following:
>
> patch -p1 < ../patch-x.y.z
>
> The tool will complain if it cannot patch the files due to conflicts.
>
> Willi
>
> On Tue, May 20, 2014 at 5:00 PM, Derrick Karpo <dk...@gm...> wrote:
>> Hello.
>>
>> All of the Sleuthkit development is done via github so grab a copy of
>> the repository, make your changes, then submit a pull request. Brian
>> recently discussed the time it takes to get a patch merged or looked
>> at on the [sleuthkit-users] list.
>>
>> https://github.com/sleuthkit/sleuthkit
>>
>> You may also want to take a look at the dev guide:
>>
>> http://wiki.sleuthkit.org/index.php?title=TSK_Developer%27s_Guide
>>
>> Derrick
>>
>> On Tue, May 20, 2014 at 2:45 PM, Brandon Lashmet <bla...@gm...> wrote:
>> > How does one add patches to SleuthKit? Specifically, ones that are only
>> > code such as this:
>> >
>> > diff -aurN sleuthkit-1.69/src/fstools/fls.c >> > sleuthkit-1.69-frss/src/fstools/fls.c >> > --- sleuthkit-1.69/src/fstools/fls.c 2004-01-06 17:50:52.000000000 -0500 >> > +++ sleuthkit-1.69-frss/src/fstools/fls.c 2004-05-20 14:15:51.000000000 >> > -0400
>> > @@ -58,7 +58,7 @@ >> > >> > >> > void usage(char *myProg) { >> > - printf("usage: %s [-adDFlpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s >> > seconds] image >> > [inode]\n", >> > + printf("usage: %s [-adDFlxpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s >> > seconds] >> > image [inode]\n", >> > myProg); >> > printf("\tIf [inode] is not given, the root directory is used\n"); >> > printf("\t-a: Display \".\" and \"..\" entries\n"); >> > @@ -68,6 +68,7 @@ >> > printf("\t-l: Display long version (like ls -l)\n"); >> > printf("\t-m: Display output in mactime input format with\n"); >> > printf("\t dir/ as the actual mount point of the image\n"); >> > + printf("\t-x: Display FRSS Scoring\n"); >> > printf("\t-p: Display full path for each file\n"); >> > printf("\t-r: Recurse on directory entries\n"); >> > printf("\t-u: Display undeleted entries only\n"); >> > @@ -273,7 +274,7 @@ >> > >> > localFlags = LCL_DIR | LCL_FILE; >> > >> > - while ((ch = getopt(argc, argv, "adDf:Fm:lprs:uvVz:")) > 0) { >> > + while ((ch = getopt(argc, argv, "adDf:Fm:lxprs:uvVz:")) > 0) { >> > switch (ch) { >> > case '?': >> > default: >> > @@ -298,6 +299,9 @@ >> > case 'l': >> > localFlags |= LCL_LONG; >> > break; >> > + case 'x': >> > + ent_report =1; >> > + break; >> > case 'm': >> > localFlags |= LCL_MAC; >> > macpre = optarg; >> > diff -aurN sleuthkit-1.69/src/fstools/frss.c >> > sleuthkit-1.69-frss/src/fstools/frss.c >> > --- sleuthkit-1.69/src/fstools/frss.c 1969-12-31 19:00:00.000000000 >> > -0500 >> > +++ sleuthkit-1.69-frss/src/fstools/frss.c 2004-05-23 14:46:48.000000000 >> > -0400 
>> > @@ -0,0 +1,233 @@ >> > +/* >> > +** frss >> > +** The Sleuth Kit >> > +** >> > +** Given a block number, compute the Forensic Relative Strength Scoring >> > +** values of the block, return them to calling function. >> > +** >> > +** Matthew Shannon [msh...@ag...] >> > +** Copyright (c) 2004 Matthew Shannon. All rights reserved. >> > +** >> > +** Brian Carrier [ca...@sl...] >> > +** Copyright (c) 2003 Brian Carrier. All rights reserved >> > +** >> > +** TASK >> > +** Copyright (c) 2002 Brian Carrier, @stake Inc. All rights reserved >> > +** >> > +** TCTUTILs >> > >> > >> > ------------------------------------------------------------------------------ >> > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE >> > Instantly run your Selenium tests across 300+ browser/OS combos. >> > Get unparalleled scalability from the best Selenium testing platform >> > available >> > Simple to use. Nothing to install. Get started now for free." >> > http://p.sf.net/sfu/SauceLabs >> > _______________________________________________ >> > sleuthkit-users mailing list >> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> > http://www.sleuthkit.org >> > >> >> >> ------------------------------------------------------------------------------ >> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE >> Instantly run your Selenium tests across 300+ browser/OS combos. >> Get unparalleled scalability from the best Selenium testing platform >> available >> Simple to use. Nothing to install. Get started now for free." >> http://p.sf.net/sfu/SauceLabs >> _______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org > > |
From: Willi B. <wil...@gm...> - 2014-05-20 21:33:51
In general, you can use the `patch` command to apply a patch created by `diff` to source code. kernel.org maintains a nice writeup on how to do it here: https://www.kernel.org/doc/Documentation/applying-patches.txt In summary, you can probably navigate to the directory that contains the unpatched source code, and execute a command like the following: patch -p1 < ../patch-x.y.z The tool will complain if it cannot patch the files due to conflicts. Willi On Tue, May 20, 2014 at 5:00 PM, Derrick Karpo <dk...@gm...> wrote: > Hello. > > All of the Sleuthkit development is done via github so grab a copy of > the repository, make your changes, then submit a pull request. Brian > recently discussed the time it takes to get a patch merged or looked > at on the [sleuthkit-users] list. > > https://github.com/sleuthkit/sleuthkit > > You may also want to take a look at the dev guide: > > http://wiki.sleuthkit.org/index.php?title=TSK_Developer%27s_Guide > > Derrick > > > On Tue, May 20, 2014 at 2:45 PM, Brandon Lashmet <bla...@gm...> > wrote: > > How does one add patches to SleuthKit? Specifically, ones that are only > > code such as this: > > > > diff -aurN sleuthkit-1.69/src/fstools/fls.c > > sleuthkit-1.69-frss/src/fstools/fls.c > > --- sleuthkit-1.69/src/fstools/fls.c 2004-01-06 17:50:52.000000000 -0500 > > +++ sleuthkit-1.69-frss/src/fstools/fls.c 2004-05-20 14:15:51.000000000 > > -0400 > > @@ -58,7 +58,7 @@ > > > > > > void usage(char *myProg) { > > - printf("usage: %s [-adDFlpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s > > seconds] image > > [inode]\n", > > + printf("usage: %s [-adDFlxpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s > > seconds] > > image [inode]\n", > > myProg); > > printf("\tIf [inode] is not given, the root directory is used\n"); > > printf("\t-a: Display \".\" and \"..\" entries\n"); 
> > @@ -68,6 +68,7 @@ > > printf("\t-l: Display long version (like ls -l)\n"); > > printf("\t-m: Display output in mactime input format with\n"); > > printf("\t dir/ as the actual mount point of the image\n"); > > + printf("\t-x: Display FRSS Scoring\n"); > > printf("\t-p: Display full path for each file\n"); > > printf("\t-r: Recurse on directory entries\n"); > > printf("\t-u: Display undeleted entries only\n"); > > @@ -273,7 +274,7 @@ > > > > localFlags = LCL_DIR | LCL_FILE; > > > > - while ((ch = getopt(argc, argv, "adDf:Fm:lprs:uvVz:")) > 0) { > > + while ((ch = getopt(argc, argv, "adDf:Fm:lxprs:uvVz:")) > 0) { > > switch (ch) { > > case '?': > > default: > > @@ -298,6 +299,9 @@ > > case 'l': > > localFlags |= LCL_LONG; > > break; > > + case 'x': > > + ent_report =1; > > + break; > > case 'm': > > localFlags |= LCL_MAC; > > macpre = optarg; > > diff -aurN sleuthkit-1.69/src/fstools/frss.c > > sleuthkit-1.69-frss/src/fstools/frss.c > > --- sleuthkit-1.69/src/fstools/frss.c 1969-12-31 19:00:00.000000000 -0500 > > +++ sleuthkit-1.69-frss/src/fstools/frss.c 2004-05-23 14:46:48.000000000 > > -0400 
> > @@ -0,0 +1,233 @@ > > +/* > > +** frss > > +** The Sleuth Kit > > +** > > +** Given a block number, compute the Forensic Relative Strength Scoring > > +** values of the block, return them to calling function. > > +** > > +** Matthew Shannon [msh...@ag...] > > +** Copyright (c) 2004 Matthew Shannon. All rights reserved. > > +** > > +** Brian Carrier [ca...@sl...] > > +** Copyright (c) 2003 Brian Carrier. All rights reserved > > +** > > +** TASK > > +** Copyright (c) 2002 Brian Carrier, @stake Inc. All rights reserved > > +** > > +** TCTUTILs > > > > > ------------------------------------------------------------------------------ > > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE > > Instantly run your Selenium tests across 300+ browser/OS combos. > > Get unparalleled scalability from the best Selenium testing platform > > available > > Simple to use. Nothing to install. Get started now for free." > > http://p.sf.net/sfu/SauceLabs > > _______________________________________________ > > sleuthkit-users mailing list > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > > http://www.sleuthkit.org > > > > > ------------------------------------------------------------------------------ > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE > Instantly run your Selenium tests across 300+ browser/OS combos. > Get unparalleled scalability from the best Selenium testing platform > available > Simple to use. Nothing to install. Get started now for free." > http://p.sf.net/sfu/SauceLabs > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > |
From: Derrick K. <dk...@gm...> - 2014-05-20 21:01:04
Hello. All of the Sleuthkit development is done via github so grab a copy of the repository, make your changes, then submit a pull request. Brian recently discussed the time it takes to get a patch merged or looked at on the [sleuthkit-users] list. https://github.com/sleuthkit/sleuthkit You may also want to take a look at the dev guide: http://wiki.sleuthkit.org/index.php?title=TSK_Developer%27s_Guide Derrick On Tue, May 20, 2014 at 2:45 PM, Brandon Lashmet <bla...@gm...> wrote: > How does one add patches to SleuthKit? Specifically, ones that are only > code such as this: > > diff -aurN sleuthkit-1.69/src/fstools/fls.c > sleuthkit-1.69-frss/src/fstools/fls.c > --- sleuthkit-1.69/src/fstools/fls.c 2004-01-06 17:50:52.000000000 -0500 > +++ sleuthkit-1.69-frss/src/fstools/fls.c 2004-05-20 14:15:51.000000000 > -0400 > @@ -58,7 +58,7 @@ > > > void usage(char *myProg) { > - printf("usage: %s [-adDFlpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s > seconds] image > [inode]\n", > + printf("usage: %s [-adDFlxpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s > seconds] > image [inode]\n", > myProg); > printf("\tIf [inode] is not given, the root directory is used\n"); > printf("\t-a: Display \".\" and \"..\" entries\n"); > @@ -68,6 +68,7 @@ > printf("\t-l: Display long version (like ls -l)\n"); > printf("\t-m: Display output in mactime input format with\n"); > printf("\t dir/ as the actual mount point of the image\n"); > + printf("\t-x: Display FRSS Scoring\n"); > printf("\t-p: Display full path for each file\n"); > printf("\t-r: Recurse on directory entries\n"); > printf("\t-u: Display undeleted entries only\n"); > @@ -273,7 +274,7 @@ > > localFlags = LCL_DIR | LCL_FILE; > > - while ((ch = getopt(argc, argv, "adDf:Fm:lprs:uvVz:")) > 0) { > + while ((ch = getopt(argc, argv, "adDf:Fm:lxprs:uvVz:")) > 0) { > switch (ch) { > case '?': > default: 
> @@ -298,6 +299,9 @@ > case 'l': > localFlags |= LCL_LONG; > break; > + case 'x': > + ent_report =1; > + break; > case 'm': > localFlags |= LCL_MAC; > macpre = optarg; > diff -aurN sleuthkit-1.69/src/fstools/frss.c > sleuthkit-1.69-frss/src/fstools/frss.c > --- sleuthkit-1.69/src/fstools/frss.c 1969-12-31 19:00:00.000000000 -0500 > +++ sleuthkit-1.69-frss/src/fstools/frss.c 2004-05-23 14:46:48.000000000 > -0400 > @@ -0,0 +1,233 @@ > +/* > +** frss > +** The Sleuth Kit > +** > +** Given a block number, compute the Forensic Relative Strength Scoring > +** values of the block, return them to calling function. > +** > +** Matthew Shannon [msh...@ag...] > +** Copyright (c) 2004 Matthew Shannon. All rights reserved. > +** > +** Brian Carrier [ca...@sl...] > +** Copyright (c) 2003 Brian Carrier. All rights reserved > +** > +** TASK > +** Copyright (c) 2002 Brian Carrier, @stake Inc. All rights reserved > +** > +** TCTUTILs > > ------------------------------------------------------------------------------ > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE > Instantly run your Selenium tests across 300+ browser/OS combos. > Get unparalleled scalability from the best Selenium testing platform > available > Simple to use. Nothing to install. Get started now for free." > http://p.sf.net/sfu/SauceLabs > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > |
From: Brandon L. <bla...@gm...> - 2014-05-20 20:45:30
|
How does one add patches to SleuthKit? Specifically, ones that are only code such as this: diff -aurN sleuthkit-1.69/src/fstools/fls.c sleuthkit-1.69-frss/src/fstools/fls.c --- sleuthkit-1.69/src/fstools/fls.c 2004-01-06 17:50:52.000000000 -0500 +++ sleuthkit-1.69-frss/src/fstools/fls.c 2004-05-20 14:15:51.000000000 -0400 @@ -58,7 +58,7 @@ void usage(char *myProg) { - printf("usage: %s [-adDFlpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s seconds] image [inode]\n", + printf("usage: %s [-adDFlxpruvV] [-f fstype] [-m dir/] [-z ZONE] [-s seconds] image [inode]\n", myProg); printf("\tIf [inode] is not given, the root directory is used\n"); printf("\t-a: Display \".\" and \"..\" entries\n"); @@ -68,6 +68,7 @@ printf("\t-l: Display long version (like ls -l)\n"); printf("\t-m: Display output in mactime input format with\n"); printf("\t dir/ as the actual mount point of the image\n"); + printf("\t-x: Display FRSS Scoring\n"); printf("\t-p: Display full path for each file\n"); printf("\t-r: Recurse on directory entries\n"); printf("\t-u: Display undeleted entries only\n"); @@ -273,7 +274,7 @@ localFlags = LCL_DIR | LCL_FILE; - while ((ch = getopt(argc, argv, "adDf:Fm:lprs:uvVz:")) > 0) { + while ((ch = getopt(argc, argv, "adDf:Fm:lxprs:uvVz:")) > 0) { switch (ch) { case '?': default: @@ -298,6 +299,9 @@ case 'l': localFlags |= LCL_LONG; break; + case 'x': + ent_report =1; + break; case 'm': localFlags |= LCL_MAC; macpre = optarg; diff -aurN sleuthkit-1.69/src/fstools/frss.c sleuthkit-1.69-frss/src/fstools/frss.c --- sleuthkit-1.69/src/fstools/frss.c 1969-12-31 19:00:00.000000000 -0500 +++ sleuthkit-1.69-frss/src/fstools/frss.c 2004-05-23 14:46:48.000000000 -0400 
@@ -0,0 +1,233 @@ +/* +** frss +** The Sleuth Kit +** +** Given a block number, compute the Forensic Relative Strength Scoring +** values of the block, return them to calling function. +** +** Matthew Shannon [msh...@ag...] +** Copyright (c) 2004 Matthew Shannon. All rights reserved. +** +** Brian Carrier [ca...@sl...] +** Copyright (c) 2003 Brian Carrier. All rights reserved +** +** TASK +** Copyright (c) 2002 Brian Carrier, @stake Inc. All rights reserved +** +** TCTUTILs |
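Review bot: the `-x` help line added in the `@@ -68,6 +68,7 @@` hunk ("Display FRSS Scoring") does not say what FRSS is or how the output changes, and it places `-x` between `-m` and `-p` while the usage string in the first hunk places it between `-l` and `-p`; spell out "Forensic Relative Strength Scoring" in the help text and keep the two listings in the same order.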
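Review bot: in the `@@ -298,6 +299,9 @@` hunk, `ent_report =1;` assigns a variable whose declaration appears in none of the hunks shown, and no hunk shows where `ent_report` is later read; if fls.c does not already define it, the patch will not compile, so include the declaration and the code path that consumes it (and write it as `ent_report = 1;` to match the surrounding style).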
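Review bot: the frss.c hunk (`@@ -0,0 +1,233 @@`) is cut off after its header comment, and nothing visible adds the new file to the build, so the submission as quoted cannot be compiled or reviewed; the header says frss computes scores for a given block number, but no function is shown. Since the file headers date the base tree as sleuthkit-1.69 (2004), the hunks will also need re-basing against the git repository Derrick points to before a pull request.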
From: MichaelStein <do...@li...> - 2014-05-19 12:26:42
|
Ah yes! Thank you. When I specified the offset then it worked. Had to get it using the mmls command.

Mike Goldstein

Date: Sun, 18 May 2014 23:39:14 -0700
From: ml-...@n3...
To: do...@li...
Subject: Re: Cannot determine file system type

Did you specify the correct offset to the file system using fsstat's -o option?
http://www.sleuthkit.org/sleuthkit/man/fsstat.html

Ketil

On 19 May 2014 04:39, "MichaelStein" <[hidden email]> wrote:

Thanks for that Jason. I changed to Hexadecimal and it worked! The only thing still bothering me is - why does fsstat not work on the file? Why do I keep getting "Cannot determine file system type"? Any ideas?

Thanks again,

Mike Goldstein

Date: Sun, 18 May 2014 17:44:38 -0700
From: [hidden email]
To: [hidden email]
Subject: Re: Cannot determine file system type

Michael,

It looks like you set your start sector of the volume to 0x2168 * 512. The sector start is in decimal from mmls. 2168 = 0x878

Jason

On Sun, May 18, 2014 at 7:53 PM, MichaelStein <[hidden email]> wrote:

I have been trying to design a program that opens a file system (/dev/sda) and processes all the files. The image opens fine. But when I use tsk_fs_open_img, it says "cannot determine file system type". And yet I know that when I run mmls on the drive, it says that it's a FAT32 file system. I find also that when I run fsstat on my drive I get the same message. I also noticed that when I view the image I made of the drive in a Hex editor, it says "Invalid partition table. Error loading operating system." What can be done to rectify the problem?

This is my code so far:

    using namespace std;
    int main(int argc, char **argv)
    {
        TSK_IMG_INFO *img;
        TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
        TSK_TCHAR **temp = (TSK_TCHAR **) argv;

        if (argc < 1) {
            printf("You must enter a drive name.\n");
            exit(EXIT_FAILURE);
        }

        printf("Opening Image %s ...\n", temp[1]);

        TSK_OFF_T off = 0;

        TSK_FS_INFO *fs;
        TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;

        TSK_DADDR_T imgOffset = 0x00000000;

        TSK_VS_INFO *vs;
        TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;

        int numOfDrives = 1;

        TSK_TCHAR *driveName;

        if((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
            tsk_error_print(stderr);
            exit(EXIT_FAILURE);
        }

        uint sectorSize = img->sector_size;
        TSK_OFF_T fsStartBlock = 0x00002168*sectorSize;

        printf("Image opened successfully!\n");
        /* Try it as a file system */

        printf("Now opening file system...\n");
        if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
            tsk_error_print(stderr);
            img -> close(img);
            exit(EXIT_FAILURE);
        }

        printf("File system opened successfuly!\n\n");

        printf("Now opening volume system...\n");
        if((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
            tsk_error_print(stderr);
            img -> close(img);
            exit(EXIT_FAILURE);
        }

        fs -> close(fs);
        img -> close(img);
        return 0;
    }

This is what I get when I run mmls on the drive:

    $ sudo mmls /dev/sdc
    DOS Partition Table
    Offset Sector: 0
    Units are in 512-byte sectors

         Slot    Start        End          Length       Description
    00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
    01:  -----   0000000000   0000002167   0000002168   Unallocated
    02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)

This is the file viewed in Hex Editor:
<http://filesystems.996266.n3.nabble.com/file/n8606/image558.png> |
From: Ketil F. <ke...@fr...> - 2014-05-19 06:37:17
|
Did you specify the correct offset to the file system using fsstat's -o option?
http://www.sleuthkit.org/sleuthkit/man/fsstat.html

Ketil

On 19 May 2014 04:39, "MichaelStein" <do...@li...> wrote:
> Thanks for that Jason. I changed to Hexadecimal and it worked!
> The only thing still bothering me is - why does fsstat not work on the
> file? Why do I keep getting "Cannot determine file system type"? Any ideas?
>
> Thanks again,
>
> Mike Goldstein
>
> ------------------------------
> Date: Sun, 18 May 2014 17:44:38 -0700
> From: [hidden email]
> To: [hidden email]
> Subject: Re: Cannot determine file system type
>
> Michael,
>
> It looks like you set your start sector of the volume to 0x2168 * 512. The
> sector start is in decimal from mmls. 2168 = 0x878
>
> Jason
>
> On Sun, May 18, 2014 at 7:53 PM, MichaelStein <[hidden email]> wrote:
>
> I have been trying to design a program that opens a file system (/dev/sda)
> and processes all the files. The image opens fine. But when I use
> tsk_fs_open_img, it says "cannot determine file system type". And yet I know
> that when I run mmls on the drive, it says that it's a FAT32 file system. I
> find also that when I run fsstat on my drive I get the same message. I also
> noticed that when I view the image I made of the drive in a Hex editor, it
> says "Invalid partition table. Error loading operating system." What can be
> done to rectify the problem?
>
> This is my code so far:
>
> using namespace std;
> int main(int argc, char **argv)
> {
>     TSK_IMG_INFO *img;
>     TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
>     TSK_TCHAR **temp = (TSK_TCHAR **) argv;
>
>     if (argc < 1) {
>         printf("You must enter a drive name.\n");
>         exit(EXIT_FAILURE);
>     }
>
>     printf("Opening Image %s ...\n", temp[1]);
>
>     TSK_OFF_T off = 0;
>
>     TSK_FS_INFO *fs;
>     TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
>
>     TSK_DADDR_T imgOffset = 0x00000000;
>
>     TSK_VS_INFO *vs;
>     TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
>
>     int numOfDrives = 1;
>
>     TSK_TCHAR *driveName;
>
>     if((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
>         tsk_error_print(stderr);
>         exit(EXIT_FAILURE);
>     }
>
>     uint sectorSize = img->sector_size;
>     TSK_OFF_T fsStartBlock = 0x00002168*sectorSize;
>
>     printf("Image opened successfully!\n");
>     /* Try it as a file system */
>
>     printf("Now opening file system...\n");
>     if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
>         tsk_error_print(stderr);
>         img -> close(img);
>         exit(EXIT_FAILURE);
>     }
>
>     printf("File system opened successfuly!\n\n");
>
>     printf("Now opening volume system...\n");
>     if((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
>         tsk_error_print(stderr);
>         img -> close(img);
>         exit(EXIT_FAILURE);
>     }
>
>     fs -> close(fs);
>     img -> close(img);
>     return 0;
> }
>
> This is what I get when I run mmls on the drive:
> $ sudo mmls /dev/sdc
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
>
>      Slot    Start        End          Length       Description
> 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000000   0000002167   0000002168   Unallocated
> 02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)
>
> This is the file viewed in Hex Editor:
> <http://filesystems.996266.n3.nabble.com/file/n8606/image558.png>
 |
From: MichaelStein <do...@li...> - 2014-05-19 02:37:59
|
Thanks for that Jason. I changed to Hexadecimal and it worked! The only thing still bothering me is - why does fsstat not work on the file? Why do I keep getting "Cannot determine file system type"? Any ideas?

Thanks again,

Mike Goldstein

Date: Sun, 18 May 2014 17:44:38 -0700
From: ml-...@n3...
To: do...@li...
Subject: Re: Cannot determine file system type

Michael,

It looks like you set your start sector of the volume to 0x2168 * 512. The sector start is in decimal from mmls. 2168 = 0x878

Jason

On Sun, May 18, 2014 at 7:53 PM, MichaelStein <[hidden email]> wrote:

I have been trying to design a program that opens a file system (/dev/sda) and processes all the files. The image opens fine. But when I use tsk_fs_open_img, it says "cannot determine file system type". And yet I know that when I run mmls on the drive, it says that it's a FAT32 file system. I find also that when I run fsstat on my drive I get the same message. I also noticed that when I view the image I made of the drive in a Hex editor, it says "Invalid partition table. Error loading operating system." What can be done to rectify the problem?

This is my code so far:

    using namespace std;
    int main(int argc, char **argv)
    {
        TSK_IMG_INFO *img;
        TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
        TSK_TCHAR **temp = (TSK_TCHAR **) argv;

        if (argc < 1) {
            printf("You must enter a drive name.\n");
            exit(EXIT_FAILURE);
        }

        printf("Opening Image %s ...\n", temp[1]);

        TSK_OFF_T off = 0;

        TSK_FS_INFO *fs;
        TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;

        TSK_DADDR_T imgOffset = 0x00000000;

        TSK_VS_INFO *vs;
        TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;

        int numOfDrives = 1;

        TSK_TCHAR *driveName;

        if((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
            tsk_error_print(stderr);
            exit(EXIT_FAILURE);
        }

        uint sectorSize = img->sector_size;
        TSK_OFF_T fsStartBlock = 0x00002168*sectorSize;

        printf("Image opened successfully!\n");
        /* Try it as a file system */

        printf("Now opening file system...\n");
        if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
            tsk_error_print(stderr);
            img -> close(img);
            exit(EXIT_FAILURE);
        }

        printf("File system opened successfuly!\n\n");

        printf("Now opening volume system...\n");
        if((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
            tsk_error_print(stderr);
            img -> close(img);
            exit(EXIT_FAILURE);
        }

        fs -> close(fs);
        img -> close(img);
        return 0;
    }

This is what I get when I run mmls on the drive:

    $ sudo mmls /dev/sdc
    DOS Partition Table
    Offset Sector: 0
    Units are in 512-byte sectors

         Slot    Start        End          Length       Description
    00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
    01:  -----   0000000000   0000002167   0000002168   Unallocated
    02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)

This is the file viewed in Hex Editor:
<http://filesystems.996266.n3.nabble.com/file/n8606/image558.png> |
From: Jason W. <jwr...@gm...> - 2014-05-19 00:42:29
|
Michael,

It looks like you set your start sector of the volume to 0x2168 * 512. The sector start is in decimal from mmls. 2168 = 0x878

Jason

On Sun, May 18, 2014 at 7:53 PM, MichaelStein <do...@li...> wrote:
> I have been trying to design a program that opens a file system (/dev/sda)
> and processes all the files. The image opens fine. But when I use
> tsk_fs_open_img, it says "cannot determine file system type". And yet I know
> that when I run mmls on the drive, it says that it's a FAT32 file system. I
> find also that when I run fsstat on my drive I get the same message. I also
> noticed that when I view the image I made of the drive in a Hex editor, it
> says "Invalid partition table. Error loading operating system." What can be
> done to rectify the problem?
>
> This is my code so far:
>
> using namespace std;
> int main(int argc, char **argv)
> {
>     TSK_IMG_INFO *img;
>     TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
>     TSK_TCHAR **temp = (TSK_TCHAR **) argv;
>
>     if (argc < 1) {
>         printf("You must enter a drive name.\n");
>         exit(EXIT_FAILURE);
>     }
>
>     printf("Opening Image %s ...\n", temp[1]);
>
>     TSK_OFF_T off = 0;
>
>     TSK_FS_INFO *fs;
>     TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
>
>     TSK_DADDR_T imgOffset = 0x00000000;
>
>     TSK_VS_INFO *vs;
>     TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
>
>     int numOfDrives = 1;
>
>     TSK_TCHAR *driveName;
>
>     if((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
>         tsk_error_print(stderr);
>         exit(EXIT_FAILURE);
>     }
>
>     uint sectorSize = img->sector_size;
>     TSK_OFF_T fsStartBlock = 0x00002168*sectorSize;
>
>     printf("Image opened successfully!\n");
>     /* Try it as a file system */
>
>     printf("Now opening file system...\n");
>     if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
>         tsk_error_print(stderr);
>         img -> close(img);
>         exit(EXIT_FAILURE);
>     }
>
>     printf("File system opened successfuly!\n\n");
>
>     printf("Now opening volume system...\n");
>     if((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
>         tsk_error_print(stderr);
>         img -> close(img);
>         exit(EXIT_FAILURE);
>     }
>
>     fs -> close(fs);
>     img -> close(img);
>     return 0;
> }
>
> This is what I get when I run mmls on the drive:
> $ sudo mmls /dev/sdc
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
>
>      Slot    Start        End          Length       Description
> 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000000   0000002167   0000002168   Unallocated
> 02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)
>
> This is the file viewed in Hex Editor:
> <http://filesystems.996266.n3.nabble.com/file/n8606/image558.png>
 |
From: MichaelStein <do...@li...> - 2014-05-19 00:11:19
|
I have been trying to design a program that opens a file system (/dev/sda) and processes all the files. The image opens fine. But when I use tsk_fs_open_img, it says "cannot determine file system type". And yet I know that when I run mmls on the drive, it says that it's a FAT32 file system. I find also that when I run fsstat on my drive I get the same message. I also noticed that when I view the image I made of the drive in a Hex editor, it says "Invalid partition table. Error loading operating system." What can be done to rectify the problem?

This is my code so far:

    #include <cstdio>
    #include <cstdlib>
    #include <tsk/libtsk.h>

    using namespace std;
    int main(int argc, char **argv)
    {
        TSK_IMG_INFO *img;
        TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
        TSK_TCHAR **temp = (TSK_TCHAR **) argv;

        /* argv[1] is the device/image path, so two arguments are required */
        if (argc < 2) {
            printf("You must enter a drive name.\n");
            exit(EXIT_FAILURE);
        }

        printf("Opening Image %s ...\n", temp[1]);

        TSK_FS_INFO *fs;
        TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;

        TSK_VS_INFO *vs;
        TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;

        int numOfDrives = 1;

        /* open the raw device; 512 is the sector size passed to libtsk */
        if((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
            tsk_error_print(stderr);
            exit(EXIT_FAILURE);
        }

        /* byte offset handed to tsk_fs_open_img: start sector * sector size */
        unsigned int sectorSize = img->sector_size;
        TSK_OFF_T fsStartBlock = 0x00002168*sectorSize;

        printf("Image opened successfully!\n");
        /* Try it as a file system */

        printf("Now opening file system...\n");
        if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
            tsk_error_print(stderr);
            img -> close(img);
            exit(EXIT_FAILURE);
        }

        printf("File system opened successfully!\n\n");

        printf("Now opening volume system...\n");
        if((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
            tsk_error_print(stderr);
            fs -> close(fs);
            img -> close(img);
            exit(EXIT_FAILURE);
        }

        /* release handles in reverse order of opening */
        vs -> close(vs);
        fs -> close(fs);
        img -> close(img);
        return 0;
    }

This is what I get when I run mmls on the drive:

    $ sudo mmls /dev/sdc
    DOS Partition Table
    Offset Sector: 0
    Units are in 512-byte sectors

         Slot    Start        End          Length       Description
    00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
    01:  -----   0000000000   0000002167   0000002168   Unallocated
    02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)

This is the file viewed in Hex Editor:
<http://filesystems.996266.n3.nabble.com/file/n8606/image558.png> |
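The decimal-versus-hex mix-up Jason points out above, and the fsstat -o offset Ketil asks about, as an added example that is not part of this thread or of The Sleuth Kit's own code: it parses the mmls table quoted in the thread (embedded here as a constructed sample), derives the sector offset that fsstat/fls -o expect and the byte offset that tsk_fs_open_img() expects, and then shows on a small synthetic image why reading the start sector as 0x2168 lands nowhere near the FAT32 boot sector. The boot-sector check is a deliberately simplified stand-in for libtsk's file system detection, constructed for illustration only.

```python
import re
import struct

# Constructed sample: the mmls output Michael posted in this thread, re-typed here.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002167   0000002168   Unallocated
02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)
"""

# One partition row: index, slot, start, end, length (decimal, zero-padded), description.
ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_mmls(text):
    """Return (sector_size, rows) from mmls output.

    Start/End/Length are decimal sector counts even though they are
    zero-padded, so they are parsed with base 10, never as hex.
    """
    unit = re.search(r"Units are in (\d+)-byte sectors", text)
    sector_size = int(unit.group(1)) if unit else 512
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "slot": m.group(2),
                "start": int(m.group(3), 10),
                "end": int(m.group(4), 10),
                "length": int(m.group(5), 10),
                "desc": m.group(6).strip(),
            })
    return sector_size, rows


def fs_offsets(text):
    """For each allocated partition return (description, sector_offset, byte_offset).

    sector_offset is what `fsstat -o` / `fls -o` take; byte_offset is what
    tsk_fs_open_img() takes (start sector * sector size).
    """
    sector_size, rows = parse_mmls(text)
    return [(r["desc"], r["start"], r["start"] * sector_size)
            for r in rows if r["slot"] not in ("Meta", "-----")]


def build_sample_image(fs_start_sector, sector_size=512, total_sectors=2170):
    """Constructed image: zeros plus a minimal FAT32-looking boot sector at
    fs_start_sector (jump opcode, bytes/sector, 'FAT32   ' at 82, 0x55AA at 510)."""
    img = bytearray(total_sectors * sector_size)
    bs = bytearray(sector_size)
    bs[0:3] = b"\xEB\x58\x90"                    # x86 jump found in boot sectors
    bs[3:11] = b"MSWIN4.1"                       # OEM name
    struct.pack_into("<H", bs, 11, sector_size)  # bytes per sector
    bs[82:90] = b"FAT32   "                      # file system type string (FAT32 BPB)
    bs[510:512] = b"\x55\xAA"                    # boot sector signature
    off = fs_start_sector * sector_size
    img[off:off + sector_size] = bs
    return bytes(img)


def looks_like_fat32_boot_sector(img, byte_offset, sector_size=512):
    """Simplified stand-in for libtsk's detection: signature plus FAT32 type
    string. An offset outside the image, or one that does not land on the
    boot sector, fails, which is what 'Cannot determine file system type'
    reports."""
    if byte_offset < 0 or byte_offset + sector_size > len(img):
        return False
    bs = img[byte_offset:byte_offset + sector_size]
    return bs[510:512] == b"\x55\xAA" and bs[82:90] == b"FAT32   "


if __name__ == "__main__":
    for desc, sectors, nbytes in fs_offsets(MMLS_OUTPUT):
        print(f"{desc}: fsstat -o {sectors}   tsk_fs_open_img offset {nbytes}")
    img = build_sample_image(2168)
    print("decimal 2168:", looks_like_fat32_boot_sector(img, 2168 * 512))
    print("hex 0x2168 (=%d):" % 0x2168, looks_like_fat32_boot_sector(img, 0x2168 * 512))
```

Run it and the FAT32 row yields sector offset 2168 for `fsstat -o 2168 /dev/sdc` and byte offset 1110016 for tsk_fs_open_img(); the same check at 0x2168 * 512 (sector 8552) fails, because the hex literal is a different sector, not a different notation for the same one.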
From: Yke S. <Yke...@Zy...> - 2014-05-16 13:08:45
|
Hi

As stated in the history notes, since version 4.1.1 (Sep 24, 2013), SleuthKit supports .L01 files. But when I try to process one of them with one of the tools, for example ffind or tsk_recover, I get the error message "Cannot determine file system type". TskAuto::openImage works but TskAuto::findFilesInFs fails. Also my own program fails since I call the same functions. Should I use a different function than TskAuto::findFilesInFs, or is it just not supported to browse files for L01 files?

Yke |
From: Brian C. <ca...@sl...> - 2014-05-16 02:45:02
|
The early bird rate for the June 19-20 Autopsy training is ending soon. Register now for the discounted rate.

http://www.basistech.com/digital-forensics/autopsy/training/

The 2-day Autopsy course covers the details on how Autopsy works and how to use it. It provides insight about what each module does and how to configure them. Hands-on exercises and labs are integrated with the lectures. You can also use the course for CPE credits.

As a side question, if you are interested in Autopsy training in your area, let me know and we can see about doing one in your area.

thanks,
brian |